Perimeter
10/28/2010
08:10 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Talk About Evasion

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.Warnings of a new form of network security evasion that was publicized a couple of weeks ago by Stonesoft and backed up by ICSA Labs, as well as a vulnerability alert by CERT Finland, stirred plenty of skepticism among security experts who argued that the attack appears to be merely a rehash of older IDS/IPS evasion research.

But full details of the evasion technique haven't been revealed publicly yet (to give the affected vendors a chance to patch), so there are still plenty of unanswered questions. Stonesoft says its researchers have discovered a new evasion method for targeted attacks that sneaks past network and application security tools, and it can be combined with already-known techniques for evasion, such as HD Moore's previous work on IDS/IPS evasion. They say it's an attack that exploits vulnerabilities inherent in multiple IDS/IPS vendors' products (the names of which also have not been released as yet, either). ICSA Labs says it has tested and verified the attack, and that it can also be used against firewalls, next-generation firewalls, and Web application firewalls.

But with scant details and seemingly familiar-sounding evasion themes and techniques, some researchers are convinced it's nothing new. (It didn't help that Stonesoft launched a whole new website dedicated to what it's now calling "advanced evasion techniques," or AET, and a veritable marketing campaign for it.)

One expert on evasion techniques, Bob Walder, founder and former CEO of NSS Labs, concluded that Stonesoft's research is based on extensions of known techniques, not on altogether new evasion techniques. "What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques," he blogged.

But Moore says he saw some proof that one of the methods Stonesoft researchers came up with was indeed new. The rest resembled existing research, he says.

Stonesoft, meanwhile, is standing its ground amid the backlash. Mark Boltz, senior solutions architect at Stonesoft, says his team did look back at old research done previously on evasion, and that it extended the number of evasion techniques using new combinations. "We're not saying evasions are new or that combining them is new. What's new about this technique is that all prior research only suggests a total of 24 to 36 possibilities that actually work," Boltz says. "The number of possible combinations now with advanced evasion techniques is two to the 180th power ... We found a whole new set of techniques in addition to the known ones. We can combine all new ones with or without the old ones to find a whole range of a larger set of combinations that we never previously thought were possible."

The fact that evasion research is nothing new is the problem, he says. "Everyone has ignored it," he says.

And that's the common thread on both sides of the debate over whether this research is new or not: the evasion problem has been around way too long, no matter who came up with what method to exploit it.

The same is true for sidejacking. The newly released FireSheep tool for hijacking cookies via WiFi takes a new spin on an old attack: Firesheep is an automated, user-friendly tool that can be downloaded and executed by anyone, technical or not. It underscores the problem that SSL is still not widely deployed on popular websites, leaving users open to cookie-jacking.

Sidejacking tools aren't new, of course. Robert Graham wrote one of the first sidejacking tools, Hamster. He says sidejacking might be old, but it's still unfortunately a viable threat that hasn't been resolved.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.