Firewalls defenseless against new attack technique

Discussion in 'malware problems & news' started by hawki, Oct 18, 2010.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    "Why are apparently well-defended networks belonging to the government, military and monied corporates falling to large-scale targeted attacks so regularly?

    According to Finnish security vendor Stonesoft, part of the answer could lie with what the company terms ‘Advanced Evasion Techniques’ (AETs), jargon for an obscure class of packet-based probing at the ground level of the TCP/IP stack that firewalls are designed to stop."

    http://news.techworld.com/security/...ss-against-new-attack-security-vendor-claims/

    A new hacking technique creates a mechanism for hackers to smuggle attacks past security defences.

    So-called advanced evasion techniques (AET) are capable of bypassing network security defences, according to net appliance security firm Stonesoft, which was the first to document the approach.

    Researchers at the Finnish firm came across the attack while testing its security appliance against the latest hacker exploits. AETs are already in circulation on the net as part of targeted attacks and offer a mechanism to bypass static network security systems before attacking exposed enterprise servers, such as ERP or CRM systems, and swipe confidential information.

    The new advanced evasion techniques threat category involves simultaneously combining different evasion techniques in several layers of targeted network, thus blindsiding security tools. From descriptions we've seen it might be compared to a sleight of hand rather than a Jedi mind trick. Even so it's still potentially effective.

    http://www.theregister.co.uk/2010/10/18/aet_hack_technique/
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Now that it is public knowledge will it be fixed, can it be fixed?

    I remember watching a show on the History Channel about Cyber Espionage.
    The DoD Cyber Inteligence Officer stated, "Firewalls are ineffective, we (the DoD) focus on detecting intrusions into our systems."
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Last edited: Oct 18, 2010
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    From the FAQ page:
    First and foremost, let's keep in mind that they are trying to sell a product here: -www.stonesoft.com-
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since I don't use a firewall, I am safe then, right ;)

    Sul.
     
  8. katio

    katio Guest

    Thanks for posting the register link up there. If you haven't done so, please read the comment too. They are often quite funny and most importantly a healthy dose of reality check...
    What a load of rubbish. But what's even worse is the "news" reporting on IT, security in particular.
     
  9. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    :thumb: :D :D :D
     
  10. katio

    katio Guest

    Funny thing Stonesoft would have to agree with that.
    Don't run any vulnerable services, if you have to run LAN or net facing services protect them as good as you can by hardening, sandboxing and access control.
    Though a firewall rule that whitelists specific domains/Ip addresses would add some defense in depth and certainly doesn't make you more vulnerable.

    This anti evasion talk is more targeted at NIPS which are often used instead of patching services. Everybody knows this is a flawed method given that it's based on the assumption that your network behind the IPS is secure and trustworthy and that there are no ways to trick the detection.
    The first one is obviously dangerous the second one becomes clear when you think about IDS/IPS like an AV: They can only protect against known threats. But even the oldest virust stays undetected if it uses morphing and encryption and is well designed so it stays under the radar for both signature and heuristic detection.
    If you took a different approach, a policy based proactive approach using a firewall you could make a rule that says:
    Only allow traffic I know and want to reach my services, throw everything else away.
    You can compare that to an anti-executable rule which whitelists applications instead of "enumerating badness" (google it). My analogy isn't perfect but it's some food for thought.

    The thing is, this is nothing new and talk like "we can't tell you what we discovered because that we would help the bad guys" and further in their youtube video "the best solution is one where your IPS can update its "definitions" very fast" is big marketing BS. They don't tell us the root cause and they don't even try to tackle the root cause. Instead they do what the "industry" has been doing: fighting the symptoms (and milking their customers for subscription fees) while telling everyone how they help the whole industry to get the upper hand against the bad guys.
    That's so laughably stupid that I won't have to further comment on that.
     
  11. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    don't forget those hacked system use BSD and *NIX flavors and very stable software.
     
Loading...
Thread Status:
Not open for further replies.