Talk About Evasion
What's new is old and what's old is still news
Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats. Warnings of a new form of network security evasion that was publicized a couple of weeks ago by Stonesoft and backed up by ICSA Labs, as well as a vulnerability alert by CERT Finland, stirred plenty of skepticism among security experts who argued that the attack appears to be merely a rehash of older IDS/IPS evasion research.
But full details of the evasion technique haven't been revealed publicly yet (to give the affected vendors a chance to patch), so there are still plenty of unanswered questions. Stonesoft says its researchers have discovered a new evasion method for targeted attacks that sneaks past network and application security tools, and it can be combined with already-known techniques for evasion, such as HD Moore's previous work on IDS/IPS evasion. They say it's an attack that exploits vulnerabilities inherent in multiple IDS/IPS vendors' products (the names of which also have not been released as yet, either). ICSA Labs says it has tested and verified the attack, and that it can also be used against firewalls, next-generation firewalls, and Web application firewalls.
More Security Insights
- The 12 Critical Questions You Need To Ask When Choosing an AD Bridge Solution
- A New Set of Network Security Challenges
But with scant details and seemingly familiar-sounding evasion themes and techniques, some researchers are convinced it's nothing new. (It didn't help that Stonesoft launched a whole new website dedicated to what it's now calling "advanced evasion techniques," or AET, and a veritable marketing campaign for it.)
One expert on evasion techniques, Bob Walder, founder and former CEO of NSS Labs, concluded that Stonesoft's research is based on extensions of known techniques, not on altogether new evasion techniques. "What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques," he blogged.
But Moore says he saw some proof that one of the methods Stonesoft researchers came up with was indeed new. The rest resembled existing research, he says.
Stonesoft, meanwhile, is standing its ground amid the backlash. Mark Boltz, senior solutions architect at Stonesoft, says his team did look back at old research done previously on evasion, and that it extended the number of evasion techniques using new combinations. "We're not saying evasions are new or that combining them is new. What's new about this technique is that all prior research only suggests a total of 24 to 36 possibilities that actually work," Boltz says. "The number of possible combinations now with advanced evasion techniques is two to the 180th power ... We found a whole new set of techniques in addition to the known ones. We can combine all new ones with or without the old ones to find a whole range of a larger set of combinations that we never previously thought were possible."
The fact that evasion research is nothing new is the problem, he says. "Everyone has ignored it," he says.
And that's the common thread on both sides of the debate over whether this research is new or not: the evasion problem has been around way too long, no matter who came up with what method to exploit it.
The same is true for sidejacking. The newly released FireSheep tool for hijacking cookies via WiFi takes a new spin on an old attack: Firesheep is an automated, user-friendly tool that can be downloaded and executed by anyone, technical or not. It underscores the problem that SSL is still not widely deployed on popular websites, leaving users open to cookie-jacking.
Sidejacking tools aren't new, of course. Robert Graham wrote one of the first sidejacking tools, Hamster. He says sidejacking might be old, but it's still unfortunately a viable threat that hasn't been resolved.
-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins