The Register® — Biting the hand that feeds IT

Sly new tactic sneaks hackers past security dogs

Advanced evasion techniques can bypass network security, warn experts

Updated A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences, such as firewalls and intrusion prevention systems.

So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach. Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits.

Various evasion techniques including splicing and fragmentation have existed for years. Security devices have to normalise traffic using these approaches before they can inspect payloads and block attacks.

AETs take this basic approach to the next level. Traffic is disguised and modified using a variety of evasion techniques in several protocol layers. By bundling IP fragmentation and SMB session mixing together at the same time, it's more likely that security defences will fail to correctly handle the garbled traffic. And if devices don't recognise combined attacks then it is more likely that these assaults will make their way past security defences.
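To illustrate why inspection has to follow normalisation, here is an added example (not from Stonesoft or the article) comparing a per-fragment signature match with a reassemble-then-inspect engine that drops ambiguous fragment sets. The fragment model, the `SIGNATURE` marker and all names are simplified, hypothetical constructions rather than real IP parsing or real attack traffic.

```python
from dataclasses import dataclass

SIGNATURE = b"BAD-PAYLOAD"  # constructed stand-in for an IPS signature

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # True if further fragments follow (like the IP MF flag)
    data: bytes

def split(payload, size):
    """Cut a payload into fixed-size fragments (sample-data helper)."""
    return [Fragment(o, o + size < len(payload), payload[o:o + size])
            for o in range(0, len(payload), size)]

def inspect_per_fragment(frags):
    """Naive engine: match the signature against each fragment in isolation."""
    return any(SIGNATURE in f.data for f in frags)

def normalise(frags):
    """Reassemble fragments; return None if the set is ambiguous or incomplete."""
    buf, end = {}, None
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf and buf[pos] != b:
                return None  # conflicting overlap: the endpoint's view is unknown
            buf[pos] = b
        if not f.more:
            last = f.offset + len(f.data)
            if end not in (None, last):
                return None  # two different "final" fragments
            end = last
    if end is None or set(buf) != set(range(end)):
        return None  # no final fragment, a gap, or data past the end
    return bytes(buf[i] for i in range(end))

def inspect_normalised(frags):
    """Normalise first, then inspect: returns 'drop', 'block' or 'allow'."""
    stream = normalise(frags)
    if stream is None:
        return "drop"
    return "block" if SIGNATURE in stream else "allow"

# Constructed sample traffic: signature split across out-of-order fragments,
# the same set with a conflicting overlap added, and a harmless payload.
SPLIT = split(b"hello " + SIGNATURE + b" world", 8)[::-1]
OVERLAP = SPLIT + [Fragment(8, True, b"XXXX")]
CLEAN = split(b"plain request", 8)
```

The per-fragment engine misses `SPLIT` because no single fragment contains the whole marker, while the normalising engine blocks it and drops `OVERLAP` rather than guessing which bytes the endpoint would keep.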

AETs are already in circulation on the net as part of targeted attacks and offer a mechanism to bypass network security systems before attacking exposed enterprise servers, according to Stonesoft.

Stonesoft reported its find and sent samples of AETs to Finland's national computer security incident response team (CERT-FI) earlier this month. It also sent samples to ICSA Labs, an independent third-party testing and security product certification division of Verizon Business.

CERT-FI plans to issue an updated advisory on the attack technique later on Monday (18 October). Stonesoft reckons that AETs are a particular problem for firms that still rely on hardware-coded inspection engines, which may be difficult if not impossible to upgrade.

Amichai Shulman, CTO of database security firm Imperva, described the evasion technique as the latest round in the constant cat and mouse game between malicious crackers and security defenders.

"A lot of what attackers are doing today is about evasion at various levels, there is substantial vigilance out there," Shulman commented. ®

INVISIBLE NINJAS May Be Sneaking Up On You At This Very Moment

For only $999.95 plus taxes and shipping, INVISIBLE NINJA GUARD offers 100% protection from all current and future forms of INVISIBLE NINJA. Warning: inferior products do not feature INVISIBLE NINJA GUARD's patented 120 dB klaxon which sounds every 5 minutes to confirm that INVISIBLE NINJAS are NOT able to kill you.

19
0

Relevant to my interests.

Please sign me up for your newsletter.

6
0
Anonymous Coward

I[D/P]S has always been mostly useless

Their warning basically boils down to "existing IDS can't detect exploits obfuscated in new or composite ways". Big deal. Everyone who knew anything about IDS systems has known that since the year dot.

A few years ago, IDS couldn't detect web based attacks where the exploit is encoded in unicode, or hexadecimal notation. Hell, early firewalls couldn't deal with fragmented packets. IDS is, and always has been a 'catch-up' protection like AV.

They do provide some value but they are not as much of a panacea as the various IDS vendors (Stonesoft included) have tried to make them out to be.

System defences can only be fully effective at the same network layer as the thing they are protecting. Encapsulation means that there are many ways of encoding or obfuscating things, so the application layer simply cannot be fully defended from filtering at the network layer.

What's the solution? Until your IDSs do full application protocol decode and analysis and block anything that they can't decode, there will always be scope to encapsulate and obfuscate attacks. Most firewalls now hold and reassemble fragmented packets before forwarding them, throwing away anything that doesn't fit.

I'll also try to ignore how the alarmist press release and PoC (OK, I can forgive the PoC) ignores that firewalls and properly configured servers actually make up much more than 1% of network defences as opposed to their "can bypass 99% of current security devices" claim.

4
0
