TigerTeam - suomalainen tietoturvablogi

October 2010

Advanced evasion techniques – is the sky falling?

Nixu’s Security Consultant Samuel Lavitt writes his thoughts about advanced evasion techniques.

Among this week's much-discussed security news is the Finnish company Stonesoft going public with new advanced evasion techniques. Nixu's security consultant Samuel Lavitt writes his thoughts on the case here. Exceptionally, we publish the post in English because of the author's native language.

As many are aware, Stonesoft has been making a lot of noise in recent weeks. This week they announced that they have discovered an entire ‘new class’ of vulnerabilities in systems, and launched a large press campaign to get attention for their work. But is there really anything here worthy of attention?

First, what they claim to have found. In summary, they have found that many products are vulnerable to combinations of evasion tactics that are detected when used alone. They stated that they discovered this, that it is a new threat and a great unknown, and implied that their product has an ability beyond that of others in the industry to detect these risks, or at least that they are closer to providing protection. The most telling item about this ‘discovery’ is how it progressed. On July 2, Stonesoft registered the domain name Antievasion.com, the first public start of their marketing push. On October 4th Stonesoft made a financial press release stating they have ‘discovered a new and significant security threat’ that ‘will change the whole network security’, and will also ‘open new business opportunities for the company and to have a positive effect on the company’s net sales and profitability’. This was shortly after they announced that the company expects a negative operating result for the year. On October 18th, they made their discovery ‘public’, demonstrating a tool they developed in house to test their own product, and a large marketing campaign around products being ‘anti-evasion ready’, a label they developed themselves rather than any sort of industry standard.
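The claim above, that individually detected evasions slip through when stacked, comes down to how a detector normalises traffic before matching. As an added illustration (my own example, not Stonesoft's tool, an NSS Labs test case or any vendor's code), the block below contrasts a detector that applies each normalisation step exactly once with one that normalises to a fixed point. The signature string, the sample request paths and the round limit are all constructed for the example; the only library call is Python's standard `urllib.parse.unquote`.

```python
import re
from urllib.parse import unquote

# Constructed signature: a request path the detector should flag.
# (Illustrative only; not taken from any real IDS rule set.)
SIGNATURE = "/cgi-bin/admin"

# Upper bound on decoding rounds so nested encodings cannot stall the detector.
MAX_DECODE_ROUNDS = 3


def single_pass_normalize(path: str) -> str:
    """Naive normaliser: each transformation is applied exactly once."""
    path = unquote(path)             # one round of percent-decoding
    path = path.replace("/./", "/")  # one pass over self-referential segments
    return path.lower()


def canonicalize(path: str) -> str:
    """Normalise until nothing changes, so stacked transformations collapse."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:          # fixed point reached
            break
        path = decoded
    prev = None
    while prev != path:              # repeat until no more segments collapse
        prev = path
        path = re.sub(r"/+", "/", path)      # '//' -> '/'
        path = re.sub(r"/\./", "/", path)    # '/./' -> '/'
    return path.lower()


def matches(path: str, normalizer) -> bool:
    """True if the signature is present after the given normalisation."""
    return SIGNATURE in normalizer(path)


# Constructed sample requests: one plain, one per single tactic, two stacked.
SAMPLES = [
    "/cgi-bin/admin",             # plain
    "/cgi%2Dbin/admin",           # one layer of percent-encoding
    "/cgi-bin/./admin",           # one self-referential segment
    "/cgi%252Dbin/./admin",       # double-encoding + self-reference stacked
    "/cgi-bin/././admin",         # the same tactic applied twice
]


def run_samples(normalizer):
    """Return [(path, detected)] for every sample under the given normaliser."""
    return [(p, matches(p, normalizer)) for p in SAMPLES]


if __name__ == "__main__":
    for name, fn in (("single pass", single_pass_normalize), ("canonical", canonicalize)):
        print(name)
        for path, hit in run_samples(fn):
            print(f"  {'HIT ' if hit else 'miss'} {path}")
```

The single-pass detector flags every individual tactic but misses both stacked forms; the fixed-point canonicaliser flags all five. The bounded round count is the practical caveat: without it, a normaliser that decodes until stable is itself a resource-exhaustion target.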

In fact, Stonesoft admits in multiple locations that part of their interest in evasion techniques is their product’s own failures. In a recent NSS Labs test of multiple products across the industry, they performed worse than some of their competitors, managing to detect only a few commonly used evasion tactics. (The report is available from nsslabs.com for a fee.)

They then state multiple times that these attacks are new and unknown, and that they are among the first, if not the first, to discover them. They provide a few papers as references but no peer-reviewed material; in fact, there is no actual proof at all beyond a short video snippet and a few PowerPoint slides of their tool.

New or not?

But are these attacks really new? Just a few minutes of research turns up tools that can perform these attacks and that have been in use and publicly available for years. All the tools below are or have been in use, and perform these so-called ‘advanced attacks’.

From 1999: Whisker by Rain Forest Puppy - www.wiretrip.net/rfp/txt/whiskerids.html

From 2002: Mutatev2 (mentioned at seclists.org/pen-test/2002/Apr/11)

Mentioned in 1999 on seclist: FTESTER - www.inversepath.com/ftester.html

But beyond that, is this really even relevant? An increasing number of sources online are agreeing that it is not:

Warning About IDS Evasion Greeted by Chorus of ‘Meh’

Advanced Anti Evasion Super Mega Ultra

Stonesoft offers new details on Advanced Evasion Techniques

The truth is, what was discovered is that Stonesoft and others in their industry are always playing catch-up with attackers. They are more or less reactive, and are trying to add predictive threat detection. If your infrastructure and environment are secure at the endpoints (your servers, routers, and client machines), it does not matter whether you have a firewall or IDS. At worst, these attacks can get past your firewall or IDS, but we focus on the security of the actual systems that hold the data.

The firewall and IDS also cannot protect you from a hostile user inside your network, or one who has gained access to your local systems through illegitimate means. Evasion or not, those systems are meant to do two things, and only two things:

  • They provide a single point you can place filtering at to reduce network load and administrative overhead for the rest of your network.

  • They give you a place you can deploy a work-around for vulnerabilities in your environment, reducing the scope from which they can be exploited, while you work towards a long-term fix.

There are far more issues in the environment than a weak IDS or firewall. Yes, they are good devices to have, and they do help greatly against many attacks (in some cases they can even stop distributed denial of service completely at the border of your network, so it does not actually affect your company), but they are just a watchtower protecting what should be the real stronghold, your servers, which is where your real concern lies.

Sam Lavitt is a security consultant who was recruited from the United States. He previously has been in an academic program operated in cooperation with various government military and intelligence agencies and has a background in high assurance system design and testing. He also is the maintainer of the public Archive of Information Assurance website.

Tags: aet

PCI standards updated – Nixu's summary of the changes

Version 2.0 of the PCI DSS standard was published yesterday. It replaces the previous version 1.2 of this payment card industry security standard, maintained by the international card companies, as well as the v1.2.1 correction update published last year. Use of the new version is mandatory from the beginning of 2012, and it may already be used in audits carried out in 2011. The standard will remain in force for three years instead of the previous two.

At first glance, incrementing the major version number of the PCI DSS standard seems an exaggeration: only two changes to the standard are classified in the change log as an “evolving requirement”, i.e. a genuine change to a requirement. Closer examination shows, however, that 2.0 is not too much, because several of the “clarifications” may have a very significant impact, both technically and financially.

An example of a seemingly trivial change that can nevertheless have major effects is the requirement to separate duties between test and production environments. In the previous version of the standard this was requirement 6.3.3, under software development. In the new standard the requirement appears in exactly the same words as 6.4.2, but it now sits under change management.

Under the old standard it was possible to interpret the separation as applying only to software development. Here at Nixu we had not made that interpretation. Now that reading is no longer possible at all, and the requirement applies categorically to the personnel of test and production environments.

Nixu has prepared a summary of the effects of the changes in the new version of the standard. The nine-page document is available in PDF format from our Publications (Julkaisut) page.

PA DSS (Payment Application Data Security Standard), the document defining the security standards for payment applications, has also been updated to version 2.0. This standard, too, has two changes that the PCI council classifies as an “evolving requirement”: a requirement to support centralised logging, and a requirement to rank vulnerabilities on a risk basis. Among the other most visible changes, the previous standard's references to PCI DSS have been replaced with adapted requirements in the PA DSS text itself.

Tags: pa-dss, pci auditointi, pci_dss