Blogger: Pete Lindstrom

On July 8th, Dan Kaminsky of IOActive announced a major DNS “vulnerability” in conjunction with a number of major DNS vendors. The announcement was off the charts in fanfare and attention, but what was the real impact on risk?

First, it is worth noting that this “bug” is more properly classified as a new attack technique invented by Dan. It combines two vulnerabilities that have been well-known for some time – the ability to guess non-random transaction IDs and the use of Additional RRs to insert new entries into the DNS cache. A fix against either of these vulnerabilities also negates the attack itself.

The fundamental question that determines the risk impact revolves around whether it is reasonable to expect fewer or more incidents that use this technique when comparing the period prior to disclosure -- or, more properly, before the date of Dan’s invention of the technique (this also assumes prior art) – with the period after invention/disclosure and into the future. If the disclosure reduces the number of those incidents, then risk is reduced; if the disclosure increases the number of those incidents, then risk is increased.

With that litmus test as our guideline, it is useful to break down the functional elements of risk and look at the impact on threats, vulnerabilities, and consequences (we will cover consequences, then vulnerabilities, and finally threat).

Consequences
Though the consequences are the same before and after disclosure, it is worth discussing the impact here, given that the implication was that the “entire web” could be taken down. The nature of the attack requires the following:

1. An attacker must convince/trick a user into making a DNS request for a domain that doesn’t already exist in their DNS server’s cache. The expectation here is that s/he can be easily tricked into doing this.
2. Then, the attacker must simultaneously attack the DNS server by guessing the transaction ID. According to Kaminsky, the request/attack phase can be done reliably in about 10 seconds.
3. The attack is DNS server-specific. Only users on the same DNS server are affected.
4. Propagation: once the cache is poisoned, anyone requesting that domain will be routed to a malicious server.

Without combining this attack with other attack techniques, there can be three results:

1. Spoofing of a single website for multiple, perhaps many, users using the same DNS server. Presumably, this would be followed by more traditional phishing and malware attacks.
2. Denial-of-service by rerouting traffic from a legitimate site thereby taking potential customers or “eyeballs” away.
3. Denial-of-service be rerouting traffic from a legitimate high volume site to a legitimate low-volume site thereby overloading the servers on the low-volume site.

Because of the point-to-point (user-to-website) nature of the attack, to do something that constitutes “taking over the entire web” is infeasible by a longshot.

The bottom line analysis for the effect on risk due to a change in consequences from pre-invention to post-invention: no change, and therefore no impact.

Vulnerabilities
These vulnerabilities have existed for years, and there have been workarounds for years. Along with this announcement, new patches were introduced in all major DNS server solutions. It is reasonable to assume that many DNS server implementations have been patched, though public accounts have suggested that number is in the 66%-75% range.

Bottom line analysis: the vulnerability level has been reduced, probably significantly, and the affect is positive for risk reduction. If 100% of DNS servers were patched, then overall risk would be reduced for this attack (assuming that there were actual attacks using this technique in the past.)

Threats
The real question regarding risk impact comes in the arena of the less-controllable manipulation of threat. The general threat equation revolves around an attacker’s willingness to attack, based on his/her own cost/benefit analysis that compares the cost to attack to the expected benefits, tempered by the potential for being caught and penalized.

Cost to attack – prior to disclosing the invention, there were likely few, if any attackers with “prior art” that mirrored this technique. It is anybody’s guess how many potential attackers might have figured it out eventually, but they would have had to come from the pool of folks with enough expertise to do so – I am going to guess 500,000 people.

After the disclosure, the hints provided in the press release, the podcast, the sorted stories, and the blog entries made it much easier to figure out. Let’s guess that 5 million people could execute the attack. With automated tools, that number goes up to 50 million.

These numbers are estimates that illustrate the nature of the exercise. You are welcome to fill in your own estimates and come to your own conclusions.

Bottom line analysis: a significant increase in threat and corresponding risk.

Net Effect
The risk manager's challenge is to weigh the decrease in vulnerable systems compared with the corresponding increase in threat, within the context of number of incidents and anticipated future incidents. Given the sheer size differential, it is difficult to conceive of a situation where risk is not increased.

Sometimes it "feels" like someone is taking action for the greater good, when that action actually creates a negative impact for all. For example, it is common for people to believe that raising prices of scarce resources during  times of trouble (e.g. gasoline in the hurricane Katrina aftermath) is unconscionable even though a majority of economists recognize that raising prices actually provides for the greater public good. Vulnerability discovery and disclosure, and attack inventions, might feel like the right thing to do, but the net result is almost always a negative impact.

Each camera tracks passengers' facial expressions, with the footage then analysed by software to detect developing terrorist activity or potential air rage. Six wide-angle cameras are also positioned to monitor the plane’s aisles, presumably to catch anyone standing by the cockpit door with a suspiciously crusty bread roll.

But since people never sit still on planes, the software's also designed so that footage from multiple cameras can be analysed. So, if one person continually walks from his seat to the bathroom, then several cameras can be used to track his facial movements.

The software watches for all sorts of other terrorist-like activities too, including running in the cabin, someone nervously touching their face or excessive sweating. An innocent nose scratch won't see the F16s scrambled, but a combination of several threat indicators could trigger a red alert.

This pegs the stupid meter. All it will do is false alarm. No one has any idea what sorts of facial characteristics are unique to terrorists. And how in the world are they "testing" this system without any real terrorists? In any case, what happens when the alarm goes off? How exactly is a ten-second warning going to save people?

Sure, you can invent a terrorist tactic where a system like this, assuming it actually works, saves people -- but that's the very invention of a movie-plot threat. How about we spend this money on something that's effective in more than just a few carefully chosen scenarios?

(Unfortunately, the video isn't set up for streaming; in order to view the it, you'll have to download the ten files, then use a fairly recent version of WinZip to concatenate the files.)

I was surprised to read this report by Matt Hamblen in ComputerWorld today that evidently the 3Com, Bain and Huawei deal may be rising from the dead.  3Com adjourned a shareholder meeting today until next Friday to give the parties time to work out a new plan and submit a new plan to those wild and crazy free trade hippies at CFIUS. 

As I have written before CFIUS just does not take kindly foreign companies buying US based security companies, let alone a Chinese company run by a former Peoples Republic Army Officer owning a piece of the action.  However, timing is everything and maybe the parties can take a new angle here.  Spinning out Tipping Point I would imagine has to be a first step in any acceptable plan.  I think the parties can come up with a plan that the government can improve.  To use another cliche, my reason is that necessity is the mother of invention.  At this point and at their current stock price, if 3Com can't figure out a way to get this done, they are in a heap of trouble.  What options do they have? 

Without bringing politics into the equation, I think a healthy 3Com that can compete with Cisco is important.  Taking Tipping Point out of the equation, I don't see what should hold this deal up. I think it will be best for a healthy competitive networking gear marketplace.  The current near monopoly situation in this market is not healthy.  Some of the weak sisters have to be removed and strong competition will result in the industry as a whole improving and the customer will win with better products, cheaper!

I will be watching next Friday to see what happens but I hope they can put something together that works this time!

Intellectual property, a major component of Intellectual Capital, is described in Chapter 4 of IT Governance: Guidelines for Directors. Intellectual property (IP) is a term used to describe certain legal entitlements which are concerned with the protection and usage of recorded media (TV programmes/films/music), written works, names and inventions. IP is usually in the form of:

• a patent,
• a copyright,
• a trademark or
• a design

Every country has its own form of copyright legislation. In the UK, the UK Patent Office provides substantial information about UK intellectual property rights (’IPR’), the Copyright Licensing Agency is a critical resource, and the World Intellectual Property Organization (’WIPO’) “promotes intellectual property throughout the world.” The Handbook of Intellectual Property Management is an excellent reference book on the subject.

Further insights into the many different types of IP and the laws governing them are detailed in the Handbook of European Intellectual Property Management which predominantly covers the world of IP from a European perspective or, if you are looking for a specifically legal manual, then Intellectual Property Law, Fourth Edition provides a worldwide perspective and introduction to the subjects.

Both the books mentioned above are available for immediate despatch from the IT Governance online store. IT Governance have searched the book publishing world exhaustively for the most interesting and highly authoritative books on the many different aspects of IP; these are now readily available in one place for you to purchase. Please read on for more information on IP and the books associated with specific aspects of IP.

Copyright

Copyright is primarily concerned with the right to use a certain piece of information or a particular expression. Its main principle is that it allows the copyright holder to regulate the use of the item protected by copyright.

The most visible sign that an item is protected by copyright is the symbol © which is usually clearly featured on the item in question. However, this symbol has never been legally recognised.

Copyright can be described in simple terms as the ‘the right to copy the item in question’. If you are looking to understand the ins and outs of copyright, then the best book for you to read is A User’s Guide to Copyright, Sixth Edition. This cuts through the jargon to provide both legal and non-legal professionals with a guide to the world of copyright.

The law governing copyright is standardised across the world by treaties such as the Berne Convention. If you are looking to grasp the fundamentals of these copyright treaties and gain interpretive guidance, then the doubly authoritative manual, International Copyright and Neighbouring Rights: The Berne Convention and Beyond, Second Edition, is highly recommended. This is a two book set from Oxford University Press (OUP) which offers highly intelligent insights and guidance into the complex issue of copyright law. Additionally, copies of the most of the major copyright agreements and treaties, such as the Berne and Rome Conventions, are included.

Patents

Patents are generally a set of rights granted to an inventor, or to a person or organisation associated with the inventor, for a fixed period of time. These rights are granted in exchange for disclosure of an invention or idea.

Patents usually grant a period of exclusivity in which the inventor, or associated individuals/organisations, can prevent others from making, using, selling, offering to sell or importing the invention. However, these rights are not the same in all countries.

If you are looking to ascertain the ins and outs of UK and EU patent law then A User’s Guide to Patents, Second Edition provides a thorough understanding of these articles. It also addresses many of the wider public policy issues of patents.

There are many different international agreements and treaties governing how patents are enforced. However, these agreements or treaties are usually enshrined in local laws. The main agreements and treaties governing the use of patents are the Trade Related Aspects of Intellectual Property (TRIPS) Agreement and the Paris Convention for the Protection of Industrial Property. Further information on the TRIPS Agreement in particular can be found in a book called Trade Related Aspects of Intellectual Property Rights: A Commentary on the TRIPS Agreement. This book distils the essence of the TRIPS Agreement making it easily interpretable by the layman as well as the legal professional.

For a more thorough country-by-country approach to the legal aspects of patents and which treaties or agreements are, in effect, within a particular country then International Patent Treaties with Commentary is essential reading. It provides country-by-country information of the particular patent laws operating in that country, as well as providing information on how to maximise your patent rights in that country.

Patent searching can often be a difficult task: you can pay third party organisations to undertake searches for you, or you can do it yourself on websites such as Google Patent Search, the UK Patent Office or the United States Patent and Trademark Office’s website.

If you are looking for tried and tested methods of searching for patents, and don’t want to pay a third party service provider to do searches for you, then the methods conveyed in Patent Searching: Tool & Techniques are essential. Make sure before filing your patent, that one does not exist for an invention similar to your own, and save time and money on third party services by using the methods in this book.

Trademarks

A trademark is a unique and distinctive sign, or indicator of some type, which is used to distinguish a company’s, person’s or legal entity’s products or services from other entities products or services.

Trademarks are usually names, logos, designs, symbols or words. They can also be a combination of all of the previous elements put together.

Trademark rights confer exclusive rights of usage of the trademark within a certain market to licensors. More than one organisation can have rights to use a certain trademark, however the market they can use it in is limited. An example of this would be Apple Music and Apple Computers; the trademark here being an apple symbol.

Further information on the correct usage of trademarks can be found in a highly authoritative manual called Trade Mark Use, which is published by Oxford University Press. This manual clearly describes the correct usage of trademarks and the laws that cover the many different aspects of trademarking.

If you are looking to correctly classify your trademarks in accordance with the Nice Treaty, which is one of the main treaties governing the world trademark system, then International Trademark Classification: A Guide to the Nice Agreement is the essential manual you need. The advice included in this handy desk reference is fully in line with the ninth edition of the Nice Classification.

The above manual is written by a high authoritative author, Jesse N. Roberts who is the administrator of trademark classification at the United States Patent and Trademark Office.

Licensing Intellectual Property

Many organisations choose to license their trademarks, patents and copyrights to third parties for economic and other purposes. However, if you don’t understand the fundamentals of doing so, you can soon find yourself bogged down in a legal mire.

Essentials of Licensing Intellectual Property distils the key information you need to know if your organisation is considering licensing its IP to third party organisations. It demystifies the entire process of IP licensing by providing best-practice processes for every key stage of IP licensing.

Intellectual Property Law

There are many different agreements and treaties governing the many different types of intellectual property. IT Governance have scoured the world of publishing to assemble the best selection of both practical and authoritative books on the subject. Whether you are looking for a book covering the TRIPS Agreement or the Nice Treaty, then you will find it here:

• Intellectual Property Law, 4th Edition
• Holyoak and Torremans: Intellectual Property Law, Fourth Edition
• Contemporary Intellectual Property: Law and Policy
• International Patent Treaties with Commentary
• Trade Related Aspects of Intellectual Property Rights: A Commentary on the TRIPS Agreement
• International Copyright and Neighbouring Rights: The Berne Convention and Beyond, Second Edition (two books)

Creating, Managing and Measuring Intellectual Property

For those who want to go about creating a portfolio of IP, knowing where to start can be very confusing and frustrating. Knowing how to protect IP, which treaties and agreements apply, and understanding the IP management process from creation to fruition are key requirements.

The Handbook of Intellectual Property provides a one-stop resource covering the main aspects of IP. Whichever aspect you are looking for, the information in this book is bound to be of interest to you.

It is often not appreciated how much value the effective management of IP can bring to an organisation. However, this is understandable, as IP is, in itself, intangible. In Tangible Strategies for Intangible Assets, the author provides methods for measuring, realising and managing an organisation’s intellectual property. The methods covered include the Balanced Scorecard approach amongst many others. Sample case studies are given of how the methods in the book have been used successfully, including eBay and Amazon amongst many others.

Source