Copyright © 2009 Open Geospatial Consortium, Inc. 101

As potentially many clients share the same MUC, privacy must be ensured so that no client can exploit the other clients in the MUC.

9.8 Rate the attacks for the Baseline Services

The attacks identified in the previous sections can be rated from different viewpoints:

- Which attacks are most likely to be exercised?
- Which attacks have the highest chance of completing successfully?
- Which attacks have the highest impact?
- Which attacks can be exercised without the attacker being unveiled?
- Which attacks are based on information that can be obtained easily?
- Which attacks require a network compromise or address fraud?

9.8.1 Likelihood to exercise an attack and likelihood of success

For the context of this ER, two different kinds of likelihood are important: the likelihood that an attack can be exercised at all, and the likelihood that an exercised attack actually succeeds. In general, it is difficult to estimate the absolute likelihood, as it depends on many factors.

One factor is how the service implementation works, so the absolute likelihood of the same attack exercised against different service implementations can be totally different. A good example is how an SPS creates its task IDs. If a task ID is a strong random number generated with high entropy, guessing valid task IDs is much harder than if the task IDs are natural numbers in ascending order.

Another factor is the correctness and currency of the information required to exercise the attack. This becomes particularly important if the attacker has gathered the information from different sources over a longer time window, for example by using task IDs obtained from an eavesdropping attack that ran for quite some time. When re-using fetched task IDs, there is a certain likelihood that they are outdated by the time the attack is exercised.

Even though it may be impossible to estimate absolute likelihoods for attacks, it is reasonable to estimate the relative likelihood between attacks. This estimate can be used to rank the different attacks, which helps to determine which of the attacks needs to be taken care of first, and with which priority and monetary resources.

When ranking the attacks by their relative likelihood, one important factor is whether the attacker has all required information at hand simply by reading the service specification, or whether information gathering is required. In the latter case, the likelihood drops the more service interactions are required to obtain all the required information.
The likelihood drops dramatically further if interactions with other services are required to gather the required information. For example, for all SS, and in fact for all OGC Web Services, the GetCapabilities request can be submitted after reading the OWS Common specification. The only information required is the service URL, which can often be obtained from a catalogue service or a Google search. The cancellation of an assignment at the SPS, on the other hand, requires knowing a valid task ID. To gather a valid task ID, the attacker has to eavesdrop on the communication with the service in the hope of fetching task IDs. As the attacker cannot know whether the wire-tapping attack will unveil a task ID at all, an alternative approach may be tried: by submitting a number of Submit requests to the SPS with invalid parameters, each response will contain a task ID together with the status "rejected". From those responses, the attacker can guess further task IDs with good certainty and start exercising the actual attacks.

Another factor is the difficulty of gathering the required information. The easiest way is to read the specification, as it is publicly available and contains many examples. If those examples, e.g. for task IDs, are screenshots of the input and output of prototype implementations, the attacker's job is easy. Comparing the remaining attacks, it is certainly easier to succeed with attacks that do not require compromising the network than with attacks that require tampering with a specific network configuration.
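The task ID guessing described above, as an added example that is not part of this ER and not an OGC implementation: a toy SPS in Python that issues either sequential or random task IDs, and an attacker that probes it with invalid Submit requests (which still return a task ID and "rejected"), infers the ID scheme from the leaked IDs, and then tries to cancel guessed IDs belonging to other clients. The class and function names, the `task-N` ID format, the `valid` parameter, the five victim clients and the missing ownership check on Cancel are all constructed assumptions made for the illustration.

```python
from __future__ import annotations

import secrets
from typing import Dict, List, Optional, Tuple


class ToySPS:
    """Constructed toy Sensor Planning Service (not an OGC implementation).

    id_mode is either "sequential" (task IDs are ascending natural numbers)
    or "random" (128-bit random task IDs), the two cases discussed in the text.
    """

    def __init__(self, id_mode: str) -> None:
        assert id_mode in ("sequential", "random")
        self.id_mode = id_mode
        self.counter = 0
        self.tasks: Dict[str, str] = {}  # task ID -> owning client (assumption)

    def _new_task_id(self) -> str:
        if self.id_mode == "sequential":
            self.counter += 1
            return f"task-{self.counter}"
        return "task-" + secrets.token_hex(16)  # 128 bits of entropy

    def submit(self, client: str, params: dict) -> dict:
        # The task ID is generated before validation, so even a rejected
        # Submit leaks a fresh ID (the behaviour the text describes).
        task_id = self._new_task_id()
        if not params.get("valid", False):
            return {"taskID": task_id, "status": "rejected"}
        self.tasks[task_id] = client
        return {"taskID": task_id, "status": "accepted"}

    def cancel(self, client: str, task_id: str) -> dict:
        # Deliberately weak: knowing the ID is enough to cancel, no ownership check.
        if task_id in self.tasks:
            del self.tasks[task_id]
            return {"taskID": task_id, "status": "cancelled"}
        return {"taskID": task_id, "status": "unknown"}


def infer_sequence(task_ids: List[str]) -> Optional[List[int]]:
    """Return the numeric suffixes if all probed IDs look like an ascending counter."""
    numbers: List[int] = []
    for task_id in task_ids:
        suffix = task_id.rsplit("-", 1)[-1]
        if not suffix.isdigit():
            return None
        numbers.append(int(suffix))
    return numbers if numbers == sorted(numbers) else None


def probe_and_cancel(sps: ToySPS, probes: int, guesses: int) -> int:
    """Attacker: learn the ID scheme from rejected Submits, then cancel guessed IDs.

    Returns the number of other clients' tasks that were cancelled.
    """
    leaked = [sps.submit("attacker", {"valid": False})["taskID"] for _ in range(probes)]
    numbers = infer_sequence(leaked)
    if numbers is not None:
        # Sequential scheme: every ID below the first leaked one was handed out earlier.
        low = max(1, numbers[0] - guesses)
        candidates = [f"task-{n}" for n in range(low, numbers[0])]
    else:
        # Random scheme: nothing to learn, guess blindly in the same format.
        candidates = ["task-" + secrets.token_hex(16) for _ in range(guesses)]
    return sum(1 for c in candidates if sps.cancel("attacker", c)["status"] == "cancelled")


def run_scenario(id_mode: str, victim_tasks: int = 50, probes: int = 5,
                 guesses: int = 100) -> Tuple[int, int]:
    """Populate the SPS with victims' tasks, run the attack, return (tasks before, tasks cancelled)."""
    sps = ToySPS(id_mode)
    for k in range(victim_tasks):  # constructed victim traffic from five clients
        sps.submit(f"client-{k % 5}", {"valid": True})
    before = len(sps.tasks)
    return before, probe_and_cancel(sps, probes, guesses)


if __name__ == "__main__":
    for mode in ("sequential", "random"):
        before, cancelled = run_scenario(mode)
        print(f"{mode:>10}: {cancelled} of {before} foreign tasks cancelled")
```

With sequential IDs, five rejected Submits are enough to cancel all fifty foreign tasks; with 128-bit random IDs the same hundred guesses hit nothing. The toy also models the "outdated information" point: an ID whose task has already been cancelled or completed is answered with "unknown", so a stale eavesdropped ID buys the attacker nothing. The real mitigation is of course both high-entropy IDs and an ownership check in Cancel, which this toy deliberately omits.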

9.8.2 Impact Discussion