Perimeter
10/28/2010
08:10 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Talk About Evasion

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.Warnings of a new form of network security evasion that was publicized a couple of weeks ago by Stonesoft and backed up by ICSA Labs, as well as a vulnerability alert by CERT Finland, stirred plenty of skepticism among security experts who argued that the attack appears to be merely a rehash of older IDS/IPS evasion research.

But full details of the evasion technique haven't been revealed publicly yet (to give the affected vendors a chance to patch), so there are still plenty of unanswered questions. Stonesoft says its researchers have discovered a new evasion method for targeted attacks that sneaks past network and application security tools, and it can be combined with already-known techniques for evasion, such as HD Moore's previous work on IDS/IPS evasion. They say it's an attack that exploits vulnerabilities inherent in multiple IDS/IPS vendors' products (the names of which also have not been released as yet, either). ICSA Labs says it has tested and verified the attack, and that it can also be used against firewalls, next-generation firewalls, and Web application firewalls.

But with scant details and seemingly familiar-sounding evasion themes and techniques, some researchers are convinced it's nothing new. (It didn't help that Stonesoft launched a whole new website dedicated to what it's now calling "advanced evasion techniques," or AET, and a veritable marketing campaign for it.)

One expert on evasion techniques, Bob Walder, founder and former CEO of NSS Labs, concluded that Stonesoft's research is based on extensions of known techniques, not on altogether new evasion techniques. "What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques," he blogged.

But Moore says he saw some proof that one of the methods Stonesoft researchers came up with was indeed new. The rest resembled existing research, he says.

Stonesoft, meanwhile, is standing its ground amid the backlash. Mark Boltz, senior solutions architect at Stonesoft, says his team did look back at old research done previously on evasion, and that it extended the number of evasion techniques using new combinations. "We're not saying evasions are new or that combining them is new. What's new about this technique is that all prior research only suggests a total of 24 to 36 possibilities that actually work," Boltz says. "The number of possible combinations now with advanced evasion techniques is two to the 180th power ... We found a whole new set of techniques in addition to the known ones. We can combine all new ones with or without the old ones to find a whole range of a larger set of combinations that we never previously thought were possible."

The fact that evasion research is nothing new is the problem, he says. "Everyone has ignored it," he says.

And that's the common thread on both sides of the debate over whether this research is new or not: the evasion problem has been around way too long, no matter who came up with what method to exploit it.

The same is true for sidejacking. The newly released FireSheep tool for hijacking cookies via WiFi takes a new spin on an old attack: Firesheep is an automated, user-friendly tool that can be downloaded and executed by anyone, technical or not. It underscores the problem that SSL is still not widely deployed on popular websites, leaving users open to cookie-jacking.

Sidejacking tools aren't new, of course. Robert Graham wrote one of the first sidejacking tools, Hamster. He says sidejacking might be old, but it's still unfortunately a viable threat that hasn't been resolved.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.