Friday, October 29, 2010

Like Lambs To The Slaughter - What Is Firesheep?

As with Advanced Evasion Techniques (AET), Firesheep has garnered significant publicity recently by rejuvenating interest in an old security problem via the creation of a slick new tool. Unlike AETs, however, the tool at the centre of this publicity storm has been released to the general public, for good or ill.

HTTP session hijacking, or "Sidejacking" as it is sometimes called, is nothing new. Papers exist discussing the technique as far back as 2004. Several applications have also been written in the past (Ferret, Hamster, Cookie Monster and FBcontroller to name a few) to take advantage of the technique. However, Eric Butler, a Seattle-based freelance software developer, has rekindled interest in the issue via the release of a simple-to-use Firefox plugin called Firesheep.

Either on its own on a Mac, or coupled with Winpcap (or Ettercap) on a PC, Firesheep can capture traffic on any unsecured wireless network to which you are connected and extract details from session cookies used by any of the web sites configured within the Firesheep application. These cookies are used by web applications such as Twitter or Facebook to register the fact that you have successfully authenticated to the host site. They do not contain your password details, but they do not need to. By using the cookie to piggyback on your unencrypted communication, the attacker running Firesheep can impersonate you and gain access to the application you are using.

It couldn't be easier to use. The attacker just fires it up, turns on packet capture, and waits for the sidebar to populate with account details it has detected on the network. He clicks on your details, and hey presto - he sees on his screen exactly what you see on yours. And he can interact directly with the host application. He could post status updates on Twitter or Facebook on your behalf, for example. OK, that might not be too serious for some, but for those whose job it is to represent the public face of a major corporation, the potential for mischief is significant.

Should you stop using all public, unsecured wireless networks? Well, no. That would be overkill.

At the end of the day, the real solution is for providers of web applications like Facebook and Twitter to use secure connections for all their operations. In the meantime, there are a number of precautions you could, and should, take, and these (and other key points) are the subject of a research note I have just completed (subscribers only).
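To make the cookie point concrete, here is an added example (not from the original post, and not Firesheep's code): a small audit of Set-Cookie headers that reports session cookies a browser would happily send over plain HTTP, because they lack the Secure attribute, alongside the HttpOnly check. The headers and cookie names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes that keep a
# session cookie off unencrypted links. All sample headers are constructed.

def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags map to ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str):
    """Return (cookie name, list of missing protective attributes)."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")     # without it the cookie rides over http://
    if "httponly" not in attrs:
        missing.append("HttpOnly")   # without it page script can read it
    return name, missing


def sent_over_plain_http(header: str) -> bool:
    """Model the browser rule that matters for sidejacking: a cookie without
    Secure is attached to any http:// request for its domain, so it crosses
    an open wireless network in the clear even if login itself used HTTPS."""
    _, _, attrs = parse_set_cookie(header)
    return "secure" not in attrs


# Constructed samples: an exposed session cookie and its hardened form.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.com",
    "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, missing = audit_cookie(h)
        exposed = sent_over_plain_http(h)
        print(f"{name}: missing={missing or 'none'} sent_in_clear={exposed}")
```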

Don't forget to follow me on Twitter (@bwalder) to be kept informed of new research. Just don't do it from an unsecured wireless network - you never know who might be watching!


Wednesday, October 27, 2010

AET Update

Stonesoft held a joint publicity exercise with ICSA Labs last night in the form of a live Q&A session via conference call.

It was fairly embarrassing, given that there was a total of three questions (two from the same person which seemed to confuse evasion techniques with actual exploits), and the whole thing was wrapped up after 25 minutes with most of it being taken up by Stonesoft execs repeatedly denying that this was just a publicity stunt (and still no real details).

So, why was it a bust? Lack of interest or lack of understanding?

Well, given the confusion mentioned above, I suspect a lack of understanding, which is worrying. It is also one reason why I am inclined to forgive Stonesoft this blatant hijacking of the evasion issue: if it continues to at least raise awareness and force other vendors to take it more seriously in their own testing, then it will have been A Good Thing.

So let me clear up the confusion. Evasion techniques are not, in and of themselves, exploits. Any attacker would need a functioning exploit which is already proven to work against the target host. If the host is unpatched and the in-line defences (IPS/NGFW) have no appropriate signature, the exploit will be successful - game over. If the IPS/NGFW has a signature covering the exploit, then it will be blocked - score one for The Good Guys.

This is where evasions come into play, however. Having noted that his exploit has been blocked, the attacker will then begin to use the same exploit coupled with one or more evasion techniques to disguise the exploit and render it invisible to the IPS/NGFW inspection engine. Chances are, right now, it will then work, since so many IPS engines fare so badly against even the most basic evasion techniques.

Note that if the target host has been patched against the exploit, then no amount of evasion will help. This is the key differentiator here - evasion techniques are only good for "cloaking" and delivering an exploit unmolested past a NGFW or IPS. Once your host system is patched against a particular vulnerability, it is safe (until the next one is discovered!).

Take a look at the most recent NSS Labs IPS Group Test Report to get some idea of which IPS products do well against evasions and which do not. Now this is where Stonesoft is to be commended. Because in trying to fix its own problems it went beyond those tools which are freely available to testers and wondered what would happen if it extended a few of the techniques and combined them. The result was the Predator tool and this latest slew of publicity.

It bears repeating that the criticism levelled at Stonesoft to this point is due to a lack of originality, not lack of seriousness of the problem. In the conference call last night ICSA voiced a very significant qualification - that 9 of the 14 PCAPs Stonesoft provided them to validate the claims had not been seen before in tools which were freely available. In other words, Stonesoft has not invented or discovered a whole new type of evasion technique (as I have already pointed out, I was personally using several of their so-called "new" evasion techniques in public testing over seven years ago) - it has, instead, extended and combined existing known techniques to create a new set of problems for NGFW/IPS vendors to solve.

In other words, we are no worse off now than we were before Stonesoft made its claims - but there is still a significant problem which needs addressing. And it is time the IPS industry woke up and addressed this issue. There are products on the market today which have had issues with evasion techniques since the day V1.0 was launched, despite being pulled up time and time again in independent tests.

Which vendors are you considering for your next NGFW/IPS product? Ask them about evasions. Ask them about the Stonesoft AETs. And then make them PROVE they have an answer. In your own network, under your control. Or in an independent test lab under the control of a trusted third party. But NOT in their own labs.

Because the thing is, some vendors don't seem to understand the problem any more than the public at large. If they did, I wouldn't have had to fail the same products, year after year, for the same problem when I was testing these things myself.

As I mentioned previously, I have a research note in the works covering evasion techniques and how they can (and can't) be used against your perimeter defences. Given the level of interest in this subject, I might try to push up the delivery date.

Follow me on Twitter (@bwalder) to be kept informed.

Wednesday, October 20, 2010

Storm In A Teacup? More on Advanced Evasion Techniques (AET)

Following my recent post on the Advanced Evasion Techniques (AET) "discovered" by Stonesoft, I thought I would update you with a few discoveries of my own.

After further investigation it would appear that there is not really that much that is actually new here. Don't get me wrong, there is certainly a threat here, and if there is one good thing that comes out of this it is that a few vendors might start taking evasion testing more seriously than they have in the past.

It appears that Stonesoft went through an independent testing process at the end of last year, failed several of the evasion tests, and started to do some research in order to improve their product. In developing their own tool to help them test, they started "fuzzing" the evasion techniques - an automated process which tries millions of random evasions, both in isolation and in various combinations, in order to find those which work. Bear in mind that it is possible to "evade" a typical TCP/IP stack too, so for an evasion test to be valid, it should allow a previously-detected exploit to bypass an IPS/IDS undetected whilst remaining capable of being reassembled by the target vulnerable host.
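The validity rule above (the target host must still reassemble the stream) is the crux of why stream reassembly is hard for an inspection engine. The following is an added illustration, not Stonesoft's Predator or any NSS Labs tooling: a toy TCP segment reassembler with two overlap policies ("first" keeps the data seen first, "last" lets later data win). An engine that picks a different policy from the host sees a different byte stream; the defensive move is to flag conflicting overlaps and alert rather than guess. The segments and sequence numbers are constructed.

```python
# Added example: toy TCP reassembly showing why an inspection engine must
# model the target host's overlap policy. Segments below are constructed.

def reassemble(segments, isn, policy="first"):
    """segments: list of (seq, bytes) in arrival order; isn: first data seq.
    Returns (contiguous stream from isn up to the first gap,
             sorted offsets where overlapping segments disagreed)."""
    byte_at = {}          # stream offset -> byte value
    conflicts = set()
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq - isn + i
            if off in byte_at and byte_at[off] != b:
                conflicts.add(off)            # inconsistent overlap: alert-worthy
                if policy == "last":
                    byte_at[off] = b          # later data overrides
                # policy "first": keep the byte already held
            else:
                byte_at[off] = b
    out = bytearray()
    off = 0
    while off in byte_at:                     # stop at the first hole
        out.append(byte_at[off])
        off += 1
    return bytes(out), sorted(conflicts)


def engine_sees_what_host_sees(segments, isn, engine_policy, host_policy):
    """True only if inspection engine and target host rebuild the same stream."""
    engine_stream, _ = reassemble(segments, isn, engine_policy)
    host_stream, _ = reassemble(segments, isn, host_policy)
    return engine_stream == host_stream


# Constructed capture: the second segment overlaps the first by two bytes
# (stream offsets 4 and 5) with different data.
ISN = 1000
SEGMENTS = [(1000, b"ABCDEF"), (1004, b"XYZGHI")]

if __name__ == "__main__":
    for pol in ("first", "last"):
        stream, conflicts = reassemble(SEGMENTS, ISN, pol)
        print(f"{pol:5}: {stream!r} conflicts at {conflicts}")
    print("engine/host agree:",
          engine_sees_what_host_sees(SEGMENTS, ISN, "first", "last"))
```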

What they came up with was a number of new "discoveries", which under closer scrutiny appear to be techniques which have been well known for many years in the testing industry. In particular, they are laying claim to the discovery that layering multiple evasions - particularly evasions from different layers of the protocol stack - can succeed where single evasions will not. Well I know for a fact that this technique - along with around 90% of the others which they are claiming are new, have been in use for 7 years or more in the testing industry. How do I know this? Because I was the one doing it!

As founder and CEO of NSS Labs, I pioneered a range of IPS/IDS/Firewall testing techniques which are still in use today. In particular, I devoted a significant amount of time to the study of evasion techniques and was using many of the "new" Stonesoft AETs - including the all-powerful layering - way back in the noughties. I had to use my own tools back then, developed in-house. That certainly made it a challenge to layer MSRPC fragmentation with TCP segmentation and IP fragmentation in the same attack, but it was doable. And I did it. What IS new from Stonesoft is the fancy Predator tool, which they are not releasing to anyone (sensibly). It is a GUI-driven "One Stop Evasion Shop" and looks a lot nicer than the multiple command line tools I developed...

In addition, one of the "evasions" they have discovered seems to be less of an evasion and more of an exploitation of a particular bug which can be found in some IPS products. Again, part of a data leakage test which I was running against these products some years ago. I am surprised that it is still causing problems for some vendors... but there you go!

There is nothing new under the sun. What Stonesoft has done is taken existing evasion techniques and extended them. In doing this, they have created a few specific evasions I have not used before, but they are still extensions of known techniques. Kudos to them for taking this so seriously - it should do wonders for the security of their IPS and firewall products. Hopefully it will also force other vendors to follow suit and take this more seriously. You, the customer, deserve that at least. There are far too many IPS/IDS products which are still today failing to protect against even the most basic of these techniques (as seen in recent independent tests), let alone the more complex variations Stonesoft is publicising. Signatures are just not enough!

But don't fall for the FUD here... nothing has changed. AETs are not the WMD that will bring our perimeter security to its knees. Yes, they are a serious problem, but no more serious than before Stonesoft launched its publicity drive. Except, of course, that the bad guys are watching too...

Don't forget to follow me on Twitter (@bwalder) to keep up with my blog entries, research notes and random thoughts on wine, coffee, Labradors, golf, life in France and.... oh yes.... security.

Sunday, October 17, 2010

Discovery of Advanced Evasion Techniques (AET) Could Cause Headaches For IPS/NGFW Vendors

The Finnish security company Stonesoft said today it had found new techniques that bypass current security systems and which cyber-criminals could use to gain access to internal protected assets of many companies. Stonesoft said that as a result of the advanced evasion techniques (AETs) "companies may suffer a significant data breach including the loss of confidential corporate information."

Is this another round of hype or is there a genuine threat here?

Well, the bad news is that AETs do appear to exist. However, they are an extension of an existing threat category rather than a new one.

The problem is that a lot of in-line security devices - IPS in particular - don't do that good a job of coping with the basic stuff that is already out there, so this stuff is just going to make things worse!

Why is this a threat? Let's imagine you have something like Stuxnet which is proven to be effective at spreading itself around via remote exploits (amongst other techniques). Hopefully users will patch their systems, but in the meantime, they deploy sigs on their IPS, thinking that gives them additional time to test and roll out patches. It would be a trivial matter to alter Stuxnet to incorporate these evasion techniques, thus prolonging its life (don't forget - many users won't bother patching at all, and many more will delay - we know this is true from experience).

Or, another scenario: I am a cyber criminal with a new exploit for which I paid $5000 and which guarantees 100% ownership of a particular system. This I have tested and verified. So I run it against a public-facing target and find it is ineffective. I can be pretty sure this is as a result of in-line defenses. Do I throw out my $5k investment and move on? Not on your life. I deploy some simple evasion techniques and breeze on through.

For casual hacking by non-tech morons using toolkits and pre-packaged attack tools, evasion techniques are not widely used (though a number of the more advanced/expensive "blackware" tools do include evasion techniques). For those involved in targeted attacks, however, they are in common usage.

Right now Stonesoft has not released any of these tools (thank goodness!). Nor, I have to say, has it been particularly forthcoming in releasing any technical details. It claims that the AETs have been verified as real by independent test labs, but I have yet to see any evidence that this is true beyond a couple of vague quotes and sound bites. This has all the hallmarks of a carefully stage-managed publicity stunt.

That does not mean the threat is not real - I have seen the techniques in action and I am convinced they have the potential to cause significant mischief. There is a big difference, however, between watching a carefully managed demo by Stonesoft personnel over a secure link and getting one's hands dirty by testing hands-on. Right now it is possible that the majority of what is deemed "new" could be little more than layering older techniques on top of one another (something I was doing a decade ago to test IDS products). That doesn't make them any less effective, of course, it just means that this particular announcement is more about marketing than security. Once I see some hands-on verification by a trusted third party I will be happier.

I am also convinced that Stonesoft is not the only one to have discovered these flaws. My guess is that this is also just the tip of the proverbial iceberg. If I was making a living out of targeted attacks and cyber crime I would have been keeping these under my hat for a while now - I bet those shady folks are not happy that they are finally out in the open.

Even with the range of evasion tools and techniques currently freely available, however, security vendors have proven themselves incapable of handling even some of the most basic of those techniques. There are products on sale right now that I tested over 5 years ago and which still to this day cannot handle these issues. It is hard to do good TCP stream (and even IP packet) reassembly at high speeds - one major IPS vendor, for example, ships its IPS with all anti-evasion protection turned off by default because it is such a performance hog! It is not too much of a stretch to say that you might as well not bother deploying the thing at all if you are not going to switch them on!

If there is one takeaway from this round of publicity it is that you should make sure that the IDS/IPS/NGFW product you are about to buy or have already installed is resistant to these kinds of evasion techniques - and don't just take the vendor's word for it!

I have a research note in the works covering evasion. Follow me on Twitter (@bwalder) to keep up with announcements of research note releases.

One final point - this stuff is applicable to IDS and in-line protection only (i.e. IPS/NGFW) and does not help bypass good anti-malware scanning or EPP. Defense in depth, folks... defense in depth...