Perimeter
10/27/2010
04:03 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Talk About Evasion

What's new is old and what's old is still news

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats. Warnings of a new form of network security evasion that was publicized a couple of weeks ago by Stonesoft and backed up by ICSA Labs, as well as a vulnerability alert by CERT Finland, stirred plenty of skepticism among security experts who argued that the attack appears to be merely a rehash of older IDS/IPS evasion research.

But full details of the evasion technique haven't been revealed publicly yet (to give the affected vendors a chance to patch), so there are still plenty of unanswered questions. Stonesoft says its researchers have discovered a new evasion method for targeted attacks that sneaks past network and application security tools, and it can be combined with already-known techniques for evasion, such as HD Moore's previous work on IDS/IPS evasion. They say it's an attack that exploits vulnerabilities inherent in multiple IDS/IPS vendors' products (the names of which also have not been released as yet, either). ICSA Labs says it has tested and verified the attack, and that it can also be used against firewalls, next-generation firewalls, and Web application firewalls.

But with scant details and seemingly familiar-sounding evasion themes and techniques, some researchers are convinced it's nothing new. (It didn't help that Stonesoft launched a whole new website dedicated to what it's now calling "advanced evasion techniques," or AET, and a veritable marketing campaign for it.)

One expert on evasion techniques, Bob Walder, founder and former CEO of NSS Labs, concluded that Stonesoft's research is based on extensions of known techniques, not on altogether new evasion techniques. "What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques," he blogged.

But Moore says he saw some proof that one of the methods Stonesoft researchers came up with was indeed new. The rest resembled existing research, he says.

Stonesoft, meanwhile, is standing its ground amid the backlash. Mark Boltz, senior solutions architect at Stonesoft, says his team did look back at old research done previously on evasion, and that it extended the number of evasion techniques using new combinations. "We're not saying evasions are new or that combining them is new. What's new about this technique is that all prior research only suggests a total of 24 to 36 possibilities that actually work," Boltz says. "The number of possible combinations now with advanced evasion techniques is two to the 180th power ... We found a whole new set of techniques in addition to the known ones. We can combine all new ones with or without the old ones to find a whole range of a larger set of combinations that we never previously thought were possible."

The fact that evasion research is nothing new is the problem, he says. "Everyone has ignored it," he says.

And that's the common thread on both sides of the debate over whether this research is new or not: the evasion problem has been around way too long, no matter who came up with what method to exploit it.

The same is true for sidejacking. The newly released FireSheep tool for hijacking cookies via WiFi takes a new spin on an old attack: Firesheep is an automated, user-friendly tool that can be downloaded and executed by anyone, technical or not. It underscores the problem that SSL is still not widely deployed on popular websites, leaving users open to cookie-jacking.

Sidejacking tools aren't new, of course. Robert Graham wrote one of the first sidejacking tools, Hamster. He says sidejacking might be old, but it's still unfortunately a viable threat that hasn't been resolved.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.