Blogger: Pete Lindstrom

On July 8th, Dan Kaminsky of IOActive announced a major DNS “vulnerability” in conjunction with a number of major DNS vendors. The announcement was off the charts in fanfare and attention, but what was the real impact on risk?

First, it is worth noting that this “bug” is more properly classified as a new attack technique invented by Dan. It combines two vulnerabilities that have been well-known for some time – the ability to guess non-random transaction IDs and the use of Additional RRs to insert new entries into the DNS cache. A fix against either of these vulnerabilities also negates the attack itself.

The fundamental question that determines the risk impact revolves around whether it is reasonable to expect fewer or more incidents that use this technique when comparing the period prior to disclosure -- or, more properly, before the date of Dan’s invention of the technique (this also assumes prior art) – with the period after invention/disclosure and into the future. If the disclosure reduces the number of those incidents, then risk is reduced; if the disclosure increases the number of those incidents, then risk is increased.

With that litmus test as our guideline, it is useful to break down the functional elements of risk and look at the impact on threats, vulnerabilities, and consequences (we will cover consequences, then vulnerabilities, and finally threat).

Consequences
Though the consequences are the same before and after disclosure, it is worth discussing the impact here, given that the implication was that the “entire web” could be taken down. The nature of the attack requires the following:

1. An attacker must convince/trick a user into making a DNS request for a domain that doesn’t already exist in their DNS server’s cache. The expectation here is that s/he can be easily tricked into doing this.
2. Then, the attacker must simultaneously attack the DNS server by guessing the transaction ID. According to Kaminsky, the request/attack phase can be done reliably in about 10 seconds.
3. The attack is DNS server-specific. Only users on the same DNS server are affected.
4. Propagation: once the cache is poisoned, anyone requesting that domain will be routed to a malicious server.

Without combining this attack with other attack techniques, there can be three results:

1. Spoofing of a single website for multiple, perhaps many, users using the same DNS server. Presumably, this would be followed by more traditional phishing and malware attacks.
2. Denial-of-service by rerouting traffic from a legitimate site thereby taking potential customers or “eyeballs” away.
3. Denial-of-service be rerouting traffic from a legitimate high volume site to a legitimate low-volume site thereby overloading the servers on the low-volume site.

Because of the point-to-point (user-to-website) nature of the attack, to do something that constitutes “taking over the entire web” is infeasible by a longshot.

The bottom line analysis for the effect on risk due to a change in consequences from pre-invention to post-invention: no change, and therefore no impact.

Vulnerabilities
These vulnerabilities have existed for years, and there have been workarounds for years. Along with this announcement, new patches were introduced in all major DNS server solutions. It is reasonable to assume that many DNS server implementations have been patched, though public accounts have suggested that number is in the 66%-75% range.

Bottom line analysis: the vulnerability level has been reduced, probably significantly, and the affect is positive for risk reduction. If 100% of DNS servers were patched, then overall risk would be reduced for this attack (assuming that there were actual attacks using this technique in the past.)

Threats
The real question regarding risk impact comes in the arena of the less-controllable manipulation of threat. The general threat equation revolves around an attacker’s willingness to attack, based on his/her own cost/benefit analysis that compares the cost to attack to the expected benefits, tempered by the potential for being caught and penalized.

Cost to attack – prior to disclosing the invention, there were likely few, if any attackers with “prior art” that mirrored this technique. It is anybody’s guess how many potential attackers might have figured it out eventually, but they would have had to come from the pool of folks with enough expertise to do so – I am going to guess 500,000 people.

After the disclosure, the hints provided in the press release, the podcast, the sorted stories, and the blog entries made it much easier to figure out. Let’s guess that 5 million people could execute the attack. With automated tools, that number goes up to 50 million.

These numbers are estimates that illustrate the nature of the exercise. You are welcome to fill in your own estimates and come to your own conclusions.

Bottom line analysis: a significant increase in threat and corresponding risk.

Net Effect
The risk manager's challenge is to weigh the decrease in vulnerable systems compared with the corresponding increase in threat, within the context of number of incidents and anticipated future incidents. Given the sheer size differential, it is difficult to conceive of a situation where risk is not increased.

Sometimes it "feels" like someone is taking action for the greater good, when that action actually creates a negative impact for all. For example, it is common for people to believe that raising prices of scarce resources during  times of trouble (e.g. gasoline in the hurricane Katrina aftermath) is unconscionable even though a majority of economists recognize that raising prices actually provides for the greater public good. Vulnerability discovery and disclosure, and attack inventions, might feel like the right thing to do, but the net result is almost always a negative impact.

Blogger: Pete Lindstrom

On July 8th, Dan Kaminsky of IOActive announced a major DNS ???vulnerability??? in conjunction with a number of major DNS vendors. The announcement was off the charts in fanfare and attention, but what was the real impact on risk?

First, it is worth noting that this ???bug??? is more properly classified as a new attack technique invented by Dan. It combines two vulnerabilities that have been well-known for some time ??? the ability to guess non-random transaction IDs and the use of Additional RRs to insert new entries into the DNS cache. A fix against either of these vulnerabilities also negates the attack itself.

The fundamental question that determines the risk impact revolves around whether it is reasonable to expect fewer or more incidents that use this technique when comparing the period prior to disclosure -- or, more properly, before the date of Dan???s invention of the technique (this also assumes prior art) ??? with the period after invention/disclosure and into the future. If the disclosure reduces the number of those incidents, then risk is reduced; if the disclosure increases the number of those incidents, then risk is increased.

With that litmus test as our guideline, it is useful to break down the functional elements of risk and look at the impact on threats, vulnerabilities, and consequences (we will cover consequences, then vulnerabilities, and finally threat).

Consequences
Though the consequences are the same before and after disclosure, it is worth discussing the impact here, given that the implication was that the ???entire web??? could be taken down. The nature of the attack requires the following:

1. An attacker must convince/trick a user into making a DNS request for a domain that doesn???t already exist in their DNS server???s cache. The expectation here is that s/he can be easily tricked into doing this.
2. Then, the attacker must simultaneously attack the DNS server by guessing the transaction ID. According to Kaminsky, the request/attack phase can be done reliably in about 10 seconds.
3. The attack is DNS server-specific. Only users on the same DNS server are affected.
4. Propagation: once the cache is poisoned, anyone requesting that domain will be routed to a malicious server.

Without combining this attack with other attack techniques, there can be three results:

1. Spoofing of a single website for multiple, perhaps many, users using the same DNS server. Presumably, this would be followed by more traditional phishing and malware attacks.
2. Denial-of-service by rerouting traffic from a legitimate site thereby taking potential customers or ???eyeballs??? away.
3. Denial-of-service be rerouting traffic from a legitimate high volume site to a legitimate low-volume site thereby overloading the servers on the low-volume site.

Because of the point-to-point (user-to-website) nature of the attack, to do something that constitutes ???taking over the entire web??? is infeasible by a longshot.

The bottom line analysis for the effect on risk due to a change in consequences from pre-invention to post-invention: no change, and therefore no impact.

Vulnerabilities
These vulnerabilities have existed for years, and there have been workarounds for years. Along with this announcement, new patches were introduced in all major DNS server solutions. It is reasonable to assume that many DNS server implementations have been patched, though public accounts have suggested that number is in the 66%-75% range.

Bottom line analysis: the vulnerability level has been reduced, probably significantly, and the affect is positive for risk reduction. If 100% of DNS servers were patched, then overall risk would be reduced for this attack (assuming that there were actual attacks using this technique in the past.)

Threats
The real question regarding risk impact comes in the arena of the less-controllable manipulation of threat. The general threat equation revolves around an attacker???s willingness to attack, based on his/her own cost/benefit analysis that compares the cost to attack to the expected benefits, tempered by the potential for being caught and penalized.

Cost to attack ??? prior to disclosing the invention, there were likely few, if any attackers with ???prior art??? that mirrored this technique. It is anybody???s guess how many potential attackers might have figured it out eventually, but they would have had to come from the pool of folks with enough expertise to do so ??? I am going to guess 500,000 people.

After the disclosure, the hints provided in the press release, the podcast, the sorted stories, and the blog entries made it much easier to figure out. Let???s guess that 5 million people could execute the attack. With automated tools, that number goes up to 50 million.

These numbers are estimates that illustrate the nature of the exercise. You are welcome to fill in your own estimates and come to your own conclusions.

Bottom line analysis: a significant increase in threat and corresponding risk.

Net Effect
The risk manager's challenge is to weigh the decrease in vulnerable systems compared with the corresponding increase in threat, within the context of number of incidents and anticipated future incidents. Given the sheer size differential, it is difficult to conceive of a situation where risk is not increased.

Sometimes it "feels" like someone is taking action for the greater good, when that action actually creates a negative impact for all. For example, it is common for people to believe that raising prices of scarce resources during  times of trouble (e.g. gasoline in the hurricane Katrina aftermath) is unconscionable even though a majority of economists recognize that raising prices actually provides for the greater public good. Vulnerability discovery and disclosure, and attack inventions, might feel like the right thing to do, but the net result is almost always a negative impact.

I was reading Ellen Messmer's report today about the security incident over at Lending Tree. Yeah, I know another information breach by insiders case, BFD.  But I think there is something different about this one.  From what I am reading this is more a case of corporate espionage than the usual hackers for fraud and financial gain type of deal.  For a long time now we have been hearing from people like Bruce Schneier in this article talk about the front in security moving from dealing with script kiddies working for kicks to organized cybercriminal gangs that are in it for financial gain. Mostly the gain is about identity theft and gaining access to funds fraudulently.

In the Lending Tree case though there was not evidently a motive to use the ill begotten information for identity theft or fraud.  Rather they represented Glengary, Glen Ross leads.  That is the names, contacts and qualifications of people looking for mortgages.  A mortgage company would consider these leads more valuable than gold, more valuable even that gasoline!  So to my mind this is more a case of corporate espionage where a company that is competitive to Lending Tree infiltrated their networks through people, rather than technology to gain access to their corporate crown jewels. 

This sort of stealing your competitors information has been going on for decades, well before computers and cybercrime were around.  However, this is a great example of some things not going out of style.  Obtaining your competitors information is a great motive, computers are just the container where the information is kept.  Sort of like cracking a safe.  It is always easier getting into a safe if you are given the combination, than if you have to crack it yourself. 

Yet another front in the cybercrime war that security folks need to be on guard for!

I was reading Ellen Messmer's report today about the security incident over at Lending Tree. Yeah, I know another information breach by insiders case, BFD.  But I think there is something different about this one.  From what I am reading this is more a case of corporate espionage than the usual hackers for fraud and financial gain type of deal.  For a long time now we have been hearing from people like Bruce Schneier in this article talk about the front in security moving from dealing with script kiddies working for kicks to organized cybercriminal gangs that are in it for financial gain. Mostly the gain is about identity theft and gaining access to funds fraudulently.

In the Lending Tree case though there was not evidently a motive to use the ill begotten information for identity theft or fraud.  Rather they represented Glengary, Glen Ross leads.  That is the names, contacts and qualifications of people looking for mortgages.  A mortgage company would consider these leads more valuable than gold, more valuable even that gasoline!  So to my mind this is more a case of corporate espionage where a company that is competitive to Lending Tree infiltrated their networks through people, rather than technology to gain access to their corporate crown jewels. 

This sort of stealing your competitors information has been going on for decades, well before computers and cybercrime were around.  However, this is a great example of some things not going out of style.  Obtaining your competitors information is a great motive, computers are just the container where the information is kept.  Sort of like cracking a safe.  It is always easier getting into a safe if you are given the combination, than if you have to crack it yourself. 

Yet another front in the cybercrime war that security folks need to be on guard for!

I was out in Colorado today. I filled up with gas before returning the car and paid $3.39 for regular gas.  When I landed in West Palm Beach I had to put gas in my car on the way home and paid $3.49 for regular.  When does this stop?  Is it really going to 4 bucks a gallon soon as they say?  Why stop there, 5, 6 7 bucks a gallon?  What is it going to take for us to finally say enough and do something in this country about getting off the black heroin?

So busy talking about the war, mortgages and the stock market, why aren't any of the major candidates putting out detailed plans on how we are going to move off of oil and gasoline hamster wheel that is a monkey on the back of each and every one of us.  I am fed up and not going to take it anymore!

I was out in Colorado today. I filled up with gas before returning the car and paid $3.39 for regular gas.  When I landed in West Palm Beach I had to put gas in my car on the way home and paid $3.49 for regular.  When does this stop?  Is it really going to 4 bucks a gallon soon as they say?  Why stop there, 5, 6 7 bucks a gallon?  What is it going to take for us to finally say enough and do something in this country about getting off the black heroin?

So busy talking about the war, mortgages and the stock market, why aren't any of the major candidates putting out detailed plans on how we are going to move off of oil and gasoline hamster wheel that is a monkey on the back of each and every one of us.  I am fed up and not going to take it anymore!

I plan on posting about explosives and how they were used in the terrorist attacks tomorrow, but in the mean time, I thought it would be fun to share some of the lessons I learned as a child through trial and error.  First off, a word of warning:   

Do not try any of this at home.  The experiments were done by an idiot.  None of it is legal.  I’m lucky to have my fingers and some of the hair I lost never grew back.  Scar tissue isn’t as strong as regular tissue.

I remember one of the first little experiments I did as a kid involved the lawn mower’s gas can.  Several attempts to use gasoline to replicate those awe inspiring car explosions from action movies failed time and time again.  The only result I could get was a simple fire that often proved difficult to put out. 

It’s kind of funny the safety controls I employed at age 12.  My love of danger was superseded by my desire to live and stay out of trouble.  For example, one of the first things I learned was remote detonation systems.  The first one I employed was a catapult, built from popsicle sticks, a metal spoon, and rubber bands which could launch a cotton ball soaked in alcohol 20 ft.  The catapult itself could even be operated remotely by using a piece of dental floss to release the firing pin.  The way I figured it, I could open a flame a safe distance from my explosive, run to my makeshift bomb shelter (a foxhole), launch the catapult, and wait for the explosion.  My ignition systems advanced over the years to electrical (steel wool, 9V batteries, and phone cord), 12 gauge shotgun shells minus the lead shot, and tracer rounds (regular bullets do nothing, you need an incendiary round). 

My experiments always started with small trial runs. The simple process I employed had numerous benefits, such as teaching me how to construct proper firebreaks, that gravel roads don’t burn but they do throw significant amounts of shrapnel, and why the military loves foxholes.

The first time I got an explosion occurred by accident.  I was very disappointed after another failed experiment.  As I sat there next to an empty gas can waiting for a fire to go out, I was playing with strike anywhere matches on the empty gas can when to my surprise it exploded and launched itself to the other side of the field.  I lost all the hair on my knuckles and had now had a mystery to solve.

I can’t imagine what my dad must have thought when I started asking all these questions, but he explained to me how a combustion engine works.  Either a carburetor or fuel injection systems mix gasoline with oxygen to form a gas which is ignited by a spark plug at specific intervals to propel a car.  He also explained that if a car’s gas tank could explode then it would not be safe to drive.  Without being properly mixed with an oxidant, gasoline does not detonate, but rather it deflagrates, or burns.

Experimenting with a car battery charger, a glass beaker, some balloons, and water was also a source of immense fun.  At the time, I hadn’t taken any chemistry classes and thought I was collecting pure hydrogen in my balloons.  In my mind, I was making mini-Hindenburg’s.  I would take them out to my fort and blow them up.  Those made some nice explosions.  It wasn’t until a later experiment that I learned I was collecting oxygen in addition to hydrogen through electrolysis.

That later experiment occurred when I discovered dad’s acetylene tanks (he’s a jeweler and has a torch for soldering). At first I was disappointed.  Balloons filled with only acetylene barely did anything.  But then I found that if I mixed in some pure oxygen from the other tank in a 2:1 ratio of oxygen to acetylene, you could produce an explosion with a shock wave that could be felt from 50 ft. away.  It literally sounded like a stick of TNT. 

Over the years I grew more and more brave.  I don’t know what my poor parents must have thought.  At age 15, I printed off an anarchist cookbook and unintentionally left before it was done printing.  The printer was simply out of paper, and later that night when dad put some more in, out popped a page on making napalm from gasoline and styrofoam.  They have also never asked me how the metal window screen in my room melted in one corner.  I don’t know how I would have told them it was due to a freak accident when I was making my first accurate time delay fuse using slow burning gunpowder, cardboard strips that were coiled and soaked in wax, and a tuna can.

Looking back at some of the stuff I did from age 10 to 16, I would have made an excellent engineer, scientist, or lawyer.  I built all kinds of things, always figured out how they worked, and argued my way out things that get people sent to Guantanamo :)