Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/28/2010
08:10 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Talk About Evasion

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.

Security research, like fashion, sometimes gets recycled, restyled, and even rebranded. Take network security evasion and sidejacking attacks, both of which have recently re-emerged with researchers taking new spins on these known threats.Warnings of a new form of network security evasion that was publicized a couple of weeks ago by Stonesoft and backed up by ICSA Labs, as well as a vulnerability alert by CERT Finland, stirred plenty of skepticism among security experts who argued that the attack appears to be merely a rehash of older IDS/IPS evasion research.

But full details of the evasion technique haven't been revealed publicly yet (to give the affected vendors a chance to patch), so there are still plenty of unanswered questions. Stonesoft says its researchers have discovered a new evasion method for targeted attacks that sneaks past network and application security tools, and it can be combined with already-known techniques for evasion, such as HD Moore's previous work on IDS/IPS evasion. They say it's an attack that exploits vulnerabilities inherent in multiple IDS/IPS vendors' products (the names of which also have not been released as yet, either). ICSA Labs says it has tested and verified the attack, and that it can also be used against firewalls, next-generation firewalls, and Web application firewalls.

But with scant details and seemingly familiar-sounding evasion themes and techniques, some researchers are convinced it's nothing new. (It didn't help that Stonesoft launched a whole new website dedicated to what it's now calling "advanced evasion techniques," or AET, and a veritable marketing campaign for it.)

One expert on evasion techniques, Bob Walder, founder and former CEO of NSS Labs, concluded that Stonesoft's research is based on extensions of known techniques, not on altogether new evasion techniques. "What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques," he blogged.

But Moore says he saw some proof that one of the methods Stonesoft researchers came up with was indeed new. The rest resembled existing research, he says.

Stonesoft, meanwhile, is standing its ground amid the backlash. Mark Boltz, senior solutions architect at Stonesoft, says his team did look back at old research done previously on evasion, and that it extended the number of evasion techniques using new combinations. "We're not saying evasions are new or that combining them is new. What's new about this technique is that all prior research only suggests a total of 24 to 36 possibilities that actually work," Boltz says. "The number of possible combinations now with advanced evasion techniques is two to the 180th power ... We found a whole new set of techniques in addition to the known ones. We can combine all new ones with or without the old ones to find a whole range of a larger set of combinations that we never previously thought were possible."

The fact that evasion research is nothing new is the problem, he says. "Everyone has ignored it," he says.

And that's the common thread on both sides of the debate over whether this research is new or not: the evasion problem has been around way too long, no matter who came up with what method to exploit it.

The same is true for sidejacking. The newly released FireSheep tool for hijacking cookies via WiFi takes a new spin on an old attack: Firesheep is an automated, user-friendly tool that can be downloaded and executed by anyone, technical or not. It underscores the problem that SSL is still not widely deployed on popular websites, leaving users open to cookie-jacking.

Sidejacking tools aren't new, of course. Robert Graham wrote one of the first sidejacking tools, Hamster. He says sidejacking might be old, but it's still unfortunately a viable threat that hasn't been resolved.

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) on Twitter: http://twitter.com/kjhiggins Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16123
PUBLISHED: 2020-12-04
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by...
CVE-2018-21270
PUBLISHED: 2020-12-03
Versions less than 0.0.6 of the Node.js stringstream module are vulnerable to an out-of-bounds read because of allocation of uninitialized buffers when a number is passed in the input stream (when using Node.js 4.x).
CVE-2020-26248
PUBLISHED: 2020-12-03
In the PrestaShop module "productcomments" before version 4.2.1, an attacker can use a Blind SQL injection to retrieve data or stop the MySQL service. The problem is fixed in 4.2.1 of the module.
CVE-2020-29529
PUBLISHED: 2020-12-03
HashiCorp go-slug before 0.5.0 does not address attempts at directory traversal involving ../ and symlinks.
CVE-2020-29534
PUBLISHED: 2020-12-03
An issue was discovered in the Linux kernel before 5.9.3. io_uring takes a non-refcounted reference to the files_struct of the process that submitted a request, causing execve() to incorrectly optimize unshare_fd(), aka CID-0f2122045b94.