Sly new tactic sneaks hackers past security dogs

A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems. So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to …

COMMENTS

This topic is closed for new posts.
  1. Rogerborg

    INVISIBLE NINJAS May Be Sneaking Up On You At This Very Moment

    For only $999.95 plus taxes and shipping, INVISIBLE NINJA GUARD offers 100% protection from all current and future forms of INVISIBLE NINJA. Warning: inferior products do not feature INVISIBLE NINJA GUARD's patented 120 dB klaxon which sounds every 5 minutes to confirm that INVISIBLE NINJAS are NOT able to kill you.

    1. Mako

      Relevant to my interests.

      Please sign me up for your newsletter.

  2. Anonymous Coward

    I[D/P]S has always been mostly useless

    Their warning basically boils down to "existing IDS can't detect exploits obfuscated in new or composite ways". Big deal. Everyone who knew anything about IDS systems has known that since the year dot.

    A few years ago, IDS couldn't detect web-based attacks where the exploit is encoded in unicode, or hexadecimal notation. Hell, early firewalls couldn't deal with fragmented packets. IDS is, and always has been, a 'catch-up' protection like AV.

    They do provide some value but they are not as much of a panacea as the various IDS vendors (Stonesoft included) have tried to make them out to be.

    System defences can only be fully effective at the same network layer as the thing they are protecting. Encapsulation means that there are many ways of encoding or obfuscating things, so the application layer simply cannot be fully defended from filtering at the network layer.

    What's the solution? Until your IDSs do full application protocol decode and analysis and block anything that they can't decode, there will always be scope to encapsulate and obfuscate attacks. Most firewalls now hold and reassemble fragmented packets before forwarding them, throwing away anything that doesn't fit.

    I'll also try to ignore how the alarmist press release and PoC (OK, I can forgive the PoC) ignores that firewalls and properly configured servers actually make up much more than 1% of network defences as opposed to their "can bypass 99% of current security devices" claim.

    1. Anonymous Coward

      Protocol decode....

      "Until your IDSs do full application protocol decode and analysis and block anything that they can't decode"

      Have a look at Secure Computing / McAfee and their Sidewinder/G2/Secure Firewall or whatever they are called these days.

      They only allow properly formatted application data through if that's the way you want it.

      So if you start tunnelling SSH over port 443 (like I do from work to home ;-) ) it would stop it. Luckily my employer hasn't cottoned on to that one yet.

      Of course with rigorous rules like that there is always something that breaks the rules that gets added as an exception, which if not handled properly starts to make a mockery of having a firewall.
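The two posts above argue the same point from opposite ends: a signature engine that matches wire bytes is beaten by any encoding it does not undo, while a filter that only forwards application data it can fully decode has nothing left to be beaten by. The following is an added example, not code from any post in this thread and not Stonesoft's, McAfee's or anyone's product code. It assumes a constructed toy signature (`/etc/passwd`), a toy HTTP request-line parser, and constructed request lines; it contrasts a raw substring match with a decoder that handles `%XX`, `%uXXXX` and UTF-8 exactly once and rejects anything ambiguous (double encoding, overlong UTF-8, malformed escapes, unparseable request lines) instead of guessing how the target would interpret it.

```python
"""Signature matching on raw bytes versus matching after strict
application-layer decode.  Added example (not from the thread); the
signature, the request lines and the parser are all constructed here."""
import re

SIGNATURE = b"/etc/passwd"              # constructed toy signature
METHODS = {b"GET", b"POST", b"HEAD"}    # what this toy parser accepts
_HEX2 = re.compile(rb"[0-9A-Fa-f]{2}")
_HEX4 = re.compile(rb"[0-9A-Fa-f]{4}")
_ESCAPE = re.compile(rb"%(?:[0-9A-Fa-f]{2}|[uU][0-9A-Fa-f]{4})")


class DecodeError(ValueError):
    """The bytes are not a single, unambiguous encoding of a path."""


def naive_match(raw: bytes) -> bool:
    """What a bytes-only signature engine does: substring search on the wire."""
    return SIGNATURE in raw


def percent_decode(path: bytes) -> bytes:
    """One pass of %XX and %uXXXX decoding; a stray '%' is an error, not ignored."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] != 0x25:                       # not '%'
            out.append(path[i])
            i += 1
        elif path[i + 1:i + 2] in (b"u", b"U") and _HEX4.fullmatch(path[i + 2:i + 6]):
            try:                                  # %uXXXX: a UTF-16 code unit
                out += chr(int(path[i + 2:i + 6], 16)).encode("utf-8")
            except UnicodeEncodeError as exc:     # lone surrogate
                raise DecodeError("unencodable %u escape") from exc
            i += 6
        elif _HEX2.fullmatch(path[i + 1:i + 3]):
            out.append(int(path[i + 1:i + 3], 16))
            i += 3
        else:
            raise DecodeError("malformed percent escape")
    return bytes(out)


def canonical_path(path: bytes) -> str:
    """Decode exactly once, then refuse anything still ambiguous."""
    once = percent_decode(path)
    # Servers differ on how many times they decode, so a second layer of
    # escapes is refused rather than guessed at.
    if _ESCAPE.search(once):
        raise DecodeError("double encoding")
    try:
        # Strict UTF-8: overlong forms such as C1 A5 for 'e' are rejected.
        return once.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DecodeError("invalid UTF-8") from exc


def classify(raw: bytes) -> str:
    """'alert' if the canonical path matches, 'reject' if the request line
    cannot be parsed or decoded unambiguously, otherwise 'pass'."""
    parts = raw.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return "reject"
    try:
        path = canonical_path(parts[1])
    except DecodeError:
        return "reject"
    return "alert" if SIGNATURE.decode() in path else "pass"


# Constructed request lines; none of these is traffic from the article.
SAMPLES = [
    b"GET /index.html HTTP/1.0",                 # benign
    b"GET /etc/passwd HTTP/1.0",                 # plain
    b"GET /%65tc/passwd HTTP/1.0",               # hex-encoded 'e'
    b"GET /%u0065tc/passwd HTTP/1.0",            # %u-encoded 'e'
    b"GET /%2565tc/passwd HTTP/1.0",             # double-encoded
    b"GET /\xc1\xa5tc/passwd HTTP/1.0",          # overlong UTF-8 'e'
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:45} naive={naive_match(line)!s:5} strict={classify(line)}")
```

Running it shows the naive matcher only firing on the plain request, while the strict path alerts on the single-layer encodings and rejects the double-encoded and overlong forms outright. The "reject" verdicts are the cost the second poster mentions: well-formed-only filtering is what makes the decode unambiguous, and every exception you grant to keep some odd client working is a gap in that guarantee.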

  3. jake Silver badge

    Put another way ...

    Stonesoft kit is subject to zero day attacks.

    Gee. Whodathunkit.

  4. Ammaross Danan

    Question is

    The article points out that this technique would be especially successful vs hardware-based defenses. Question is, does that refer to a good old-fashioned firewall? The article is too vague to determine more than just that the method involves deep-encapsulation and the like.

  5. E 2

    Wow

    Thanks for the explanation of what the technique is. Perhaps you can tell me if it can drill a hole through my SSH daemon or not?

  6. Anonymous Coward

    Details?

    I've read the article several times now and still can't figure out what this technique actually is.

  7. Framitz

    Stonesoft huh

    Well if I learned nothing else from this article it is to stay away from Stonesoft's products.

    Nothing like a little FUD to start a Monday eh?

  8. Death_Ninja

    Oooooh another security TLA

    You can't detect something that you don't know you are looking for... really. Glad this made the news, we'd have never have guessed it otherwise.

    This might be useful advice if someone had the answer, but they don't... all they do is wheel out another pattern matching security system that's out of date before they've even cashed your cheque.

    Still, at least they've invented a new acronym, I am sure that will play a useful part in executive briefings soon.

  9. Anonymous Coward

    Eh?

    Uh... is there information in the article?

  10. max allan

    Lack of information

    For more information check out Stonesoft's site "antievasion.com".

    The only bit of real "example" of what they mean is:

    "A: Technical: Consider the well known method of packet fragmentation, this alone would be caught. However, if this is combined with random IP options and a manipulation of how data is interpreted on the target, the attacker can successfully deliver a payload containing any attack."

    Which means absolutely naff all to me. If a firewall is going to block a fragment, then it doesn't matter what options you put on it, it'll be blocked. If we're talking about a remote exploit, then how can you manipulate how the data is interpreted on the target? If you can affect your target remotely, then you've already hacked in far enough that the target is fubar.

    They've fudged the whole issue of explaining these AETs to the community at large:

    "Stonesoft is announcing the concept discovery, but it is not providing any details or tools that would arm criminals with the information needed to use these techniques. AETs are complex, and require the resources and funding that average hackers do not typically have"

    Those "details" would not only arm the criminals with the attacks but also the world's security people with the defences.

    Sounds like the biggest FUD scam for years!
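The quoted Stonesoft example and the earlier point about firewalls that "hold and reassemble fragmented packets before forwarding them, throwing away anything that doesn't fit" both come down to one defensive question: what does an inline filter do when a set of fragments could be read more than one way? The following is an added example, not code from any post in this thread and not from Stonesoft or any vendor. It assumes a constructed, simplified fragment model (datagram id, byte offset, more-fragments flag, data) and the same constructed toy signature as above, and shows a reassembler that alerts on a signature split across fragments but refuses, rather than guesses, when fragments overlap with disagreeing bytes, leave a gap, or run past the final fragment.

```python
"""Strict IP-style fragment reassembly for an inline filter.  Added
example, not from the thread or from any vendor; the fragment model and
the sample datagrams are constructed here."""
from dataclasses import dataclass
from typing import Iterable

SIGNATURE = b"/etc/passwd"          # constructed toy signature


@dataclass(frozen=True)
class Fragment:
    datagram_id: int   # identifies which original datagram this belongs to
    offset: int        # byte offset of this piece within the datagram
    more: bool         # "more fragments" flag; False marks the final piece
    data: bytes


class ReassemblyError(ValueError):
    """The fragment set cannot be turned into one unambiguous datagram."""


def per_packet_match(frags: Iterable[Fragment]) -> bool:
    """What a filter that inspects each fragment on its own would see."""
    return any(SIGNATURE in f.data for f in frags)


def reassemble(frags: list) -> bytes:
    """Rebuild the datagram, refusing gaps, data past the final fragment,
    and overlaps whose bytes disagree.  Identical duplicates
    (retransmissions) are tolerated."""
    if not frags:
        raise ReassemblyError("no fragments")
    if len({f.datagram_id for f in frags}) != 1:
        raise ReassemblyError("fragments from different datagrams")
    finals = [f for f in frags if not f.more]
    if len(finals) != 1:
        raise ReassemblyError("need exactly one final fragment")
    total = finals[0].offset + len(finals[0].data)
    buf, seen = bytearray(total), bytearray(total)
    for f in frags:
        if f.offset + len(f.data) > total:
            raise ReassemblyError("fragment extends past the final fragment")
        for k, byte in enumerate(f.data):
            pos = f.offset + k
            if seen[pos] and buf[pos] != byte:
                # Hosts differ on whether the first or the last copy wins;
                # a filter that guesses can end up inspecting a different
                # datagram from the one the host sees, so do not guess.
                raise ReassemblyError(f"conflicting overlap at byte {pos}")
            buf[pos], seen[pos] = byte, 1
    if not all(seen):
        raise ReassemblyError("gap in datagram")
    return bytes(buf)


def verdict(frags: list) -> str:
    """'reject' if reassembly is ambiguous, 'alert' if the whole datagram
    matches the signature, else 'pass'."""
    try:
        datagram = reassemble(frags)
    except ReassemblyError:
        return "reject"
    return "alert" if SIGNATURE in datagram else "pass"


# Constructed fragment sets.
SPLIT = [                        # signature straddles the fragment boundary
    Fragment(1, 0, True, b"GET /etc/pa"),
    Fragment(1, 11, False, b"sswd"),
]
CONFLICT = [                     # second fragment rewrites bytes 4..14
    Fragment(2, 0, True, b"GET /etc/passwd"),
    Fragment(2, 4, True, b"/index.html"),
    Fragment(2, 15, False, b" HTTP/1.0"),
]
GAP = [                          # bytes 8..14 never arrive
    Fragment(3, 0, True, b"GET /etc"),
    Fragment(3, 15, False, b" HTTP/1.0"),
]

if __name__ == "__main__":
    for name, frags in [("split", SPLIT), ("conflict", CONFLICT), ("gap", GAP)]:
        print(f"{name:9} per-fragment={per_packet_match(frags)!s:5} "
              f"reassembled={verdict(frags)}")
```

The per-fragment check never sees the split signature; the reassembler does. The conflicting-overlap case is the one that matters for the poster's question about "how data is interpreted on the target": the filter cannot know which copy of byte 5 the receiving host will keep, so the only answer that does not depend on modelling every target is to drop the set, which is exactly the "throw away anything that doesn't fit" policy described further up the thread.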

  11. null 1

    Excuse me?

    What is this trash?

  12. This post has been deleted by its author
