By Peter Tippett and Russ Cooper

There is a huge amount of angst, discussion, testing and endless worry about the “new DNS vulnerability” whose existence was published a few weeks ago concurrent with a coordinated patch release. Its dastardly “vulnerability” or “threat scenario” will be disclosed in full in early August. The worry is that, once fully disclosed, the unprepared world will be at risk—or at least large portions will be—and whole new categories of exploit will suddenly be possible…or something like that.

Let’s get out a few facts, and then discuss some hypothetical attacks. We’ll assume the extremes and see just how a very old and well-understood vulnerability might behave differently if, for example, a simple cache poisoning attack tool or technique were released. [For a primer on DNS look here. For a primer on DNS Cache Poisoning look here.]

(more…)

by Dave Kennedy

Implementations of the Domain Name Servers (DNS) protocol may leave systems vulnerable to DNS cache poisoning attacks. Last week many incident response teams, along with software and hardware vendors, issued security bulletins and patches to reduce this risk. Cache poisoning attacks are almost as old as the DNS system itself. Enterprises already protect and monitor their DNS systems to prevent and detect cache-poisoning attacks. There has been no increase in reports of cache poisoning attacks and no reports of attacks on this specific vulnerability. DNS is infrastructure. Infrastructure must be trusted, and it must be perceived as trustworthy. (more…)

By Wade Baker

Our 2008 Data Breach Investigations Report presents statistics on the percentage of breaches involving outsiders, insiders and partners (73%, 18%, and 39% respectively). Public reaction to these statistics runs the gamut from revulsion to revelry. This is especially true with respect to the relatively low percentage of breaches tied to insiders. Some seem to think we’ve blasphemed the sacred doctrines of our trade handed down from on high long ago. Others are glad to see their oft-ridiculed beliefs finally vindicated by objective data. Many in the middle are cautious about drawing conclusions, and are unsure what to make of the statistics.

Which reaction is appropriate? We won’t weigh in on that question; we’ll stick to providing data rather than dictating the reactions of others. We would, however, like to address the underlying questions fueling such reactions – whether these statistics are bogus, biased or believable.
(more…)

Symantec’s Hon Lau recently published a blog post titled “Patch Management – Speed is of the Essence.” You may know that we also recently published a blog post titled “Patching Conundrum”, in which we discussed how our studies had convinced us that patching too fast can be a “bad thing™.”

Hon Lau said, “It is this gap between the availability of patches and their application that is creating a window of opportunity for would-be attackers.”

Well, really, it isn’t. The “window of opportunity” begins when the vulnerable version of whatever is actually installed and/or implemented, and lasts until a non-vulnerable version is installed, or until the product stops being used. Nothing terribly significant occurs once a patch is released, unless you fear “Automatic Patch-Based Exploit Generation” (APEG). Hon Lau seems to.

(more…)