The new age of hacking
Why conventional IT security must change or die
Conventional security methods have from the outset been focused on protecting corporations from external attack. The perception that the threat was only from the outside has alarmed companies into introducing expensive technologies to reduce both their visibility and vulnerability to the outside world. Over time, more and more technology has evolved to guard against obscure techniques, resulting in a range of incompatible and sometimes conflicting tools almost exclusively aimed at preventing external hacking attempts.
The complexity and diversity of today's operating systems, networks and applications have created thousands of vulnerabilities, some discovered, most not. Astonishingly, only a few technically competent people in the world have the ability to use these techniques, yet organisations are spending almost their entire security budget on the limited defence against them.
Without question, large organisations do have to protect themselves from these attacks. Smaller companies, however, are being forced to buy into this expensive technology in order to protect themselves from a minority, who are probably not even aware they exist.
More importantly, as most of these vulnerabilities have not been discovered, no one can be sure that they are actually secure, as there is a never-ending battle between the hardened hacker and security companies trying to outwit each other.
The most common technology being developed to protect corporations is that of sniffing the network, i.e. examining every packet of information (in some cases not even that) around the network, then trying to analyse it as quickly as possible for known threats. The increase in the performance of hardware and networks, and the use of cryptography, place severe limitations on security technologies, which are having to make difficult decisions on what they need to process and what they have to ignore.
It is self-evident, therefore, that this method of detecting threats using network analysis is now out of date, by virtue of being not only inaccurate, but also prone to false positives and open to attack and abuse.
A recently developed hacking technique is to send network information using ACK segments only. This technique allows the transmission of information directly, undetected, through even the most popular firewalls. But that is only the tip of the iceberg. At Infosec 2001 at Olympia in May, we warned the industry about the growing use of S.T.A.T. tools (Security Targeted Attack Tools).
Developers of network-based intrusion detection systems built tools to test their detection capabilities by automating and emulating external hacking signatures. These methods have now become public domain, enabling hackers to send waves of false attacks aimed at flooding and disabling security products, thus rendering them ineffective.
The first of these to surface was the so-called Stick threat, initially a Linux program which attacks the intrusion detection system (IDS) by sending hundreds of fake threat signatures across the network in order to flood the security tool.
Then, on Friday 11th May 2001, our research team discovered a new type of trojan that was designed to attack the very security products that were being used to detect it. Not only did it bring firewalls to a halt, but also virus checkers and even EXE blockers. These tools can also prevent people from installing security software in the first place. These new hacking techniques are being largely ignored by the industry, either through lack of research or, more likely, lack of a solution.
These new trojans (Super Trojans) can not only remove security products, but they also have the ability to change themselves to avoid detection. The latest process used to target victims is not by sending an email or wrapping the threat in another file, but by embedding active code into web sites.
The simple process of browsing a web site is enough to infect visitors with these new, dangerous Super Trojans. Just imagine if the Microsoft homepage, Yahoo or Amazon were to be targeted: millions of users could be compromised or even attacked without their knowledge. We have even seen an example of this code which will wipe clean any machine that browses a vulnerable site.
In recent weeks we have seen a proliferation of a new type of threat, which utilises a technique known as SMTP tunnelling. This enables the threat to communicate to the hacker using the standard email protocol so it goes unseen through several layers of security products.
Over the last few years we have been monitoring in detail the increasing number of new categories of threat available from the Internet. This is where the risk to corporate security is greatest, because of the ease of acquisition and use of these tools, which enable anyone with basic computer literacy to circumvent or exploit conventional security methods.
Our in-depth research shows that there are currently over 265 separate categories of threat to the corporate security infrastructure or corporate reputation. Surprisingly, existing security technologies cover only a few of these categories.
One of the biggest concerns for all organisations should be the theft of their data by external and, more importantly, internal users. Tools which hide confidential information in other seemingly harmless files, which can then be sent out via email, are a major concern. This technique is called digital steganography, and it is a cause for alarm that so few companies, even security companies, are aware of it.
We have recently discovered a refinement of this technique known as SPAM steganography, where a user can pass a confidential document through a piece of software which then generates a SPAM email, which can be sent outside the organisation. Tools which examine email content will see these messages as junk email. The presence of such easy-to-use tools on a network should be of high concern, as confidential information, such as blueprints and IPR, can be leaked outside the company and go unchallenged.
A popular technique used by most conventional security products is the use of hashing to detect threats (hashing is the technique of computing a mathematical value which represents the threat exactly, and which is then used to detect the threat on a network). There is a single, fundamental flaw in this approach. It is too accurate.
A .00001% change in a threat's code will enable it to go undetected. We have seen an increase in self-modifying trojans that exploit this weakness to their advantage, bypassing one of the most common forms of threat detection used by many security vendors today.
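To make the "too accurate" point concrete, here is an added example (not code from the original article or from any vendor it describes) that shows an exact-hash fingerprint failing after a one-byte change while two illustrative generic checks still fire. It assumes a constructed byte string standing in for a known threat, and the two generic checks (a block-wise hash comparison and a capability-marker scan based on the suspicious capabilities the article lists later: talking IP, a hidden FTP server, a keyboard logger) are this example's own choices, not techniques the article specifies.

```python
import hashlib

# Constructed stand-in for a known threat binary: a fake header, padding, and
# strings hinting at the capabilities the article calls suspicious (not a real sample).
KNOWN_THREAT = (b"MZ\x90\x00" + b"\x00" * 28
                + b"ws2_32.dll\x00connect\x00"
                + b"ftp server listening\x00"
                + b"GetAsyncKeyState\x00"
                + b"\x00" * 40)

# Illustrative capability markers (assumed for this example, not a vendor list).
CAPABILITY_MARKERS = {
    "talks_ip": [b"ws2_32.dll", b"connect"],
    "hidden_ftp": [b"ftp server"],
    "keylogger": [b"GetAsyncKeyState"],
}

def exact_hash(data: bytes) -> str:
    """The conventional fingerprint: one hash that must match byte-for-byte."""
    return hashlib.sha256(data).hexdigest()

def exact_match(sample: bytes, known_hashes: set) -> bool:
    return exact_hash(sample) in known_hashes

def mutate_one_byte(data: bytes, offset: int) -> bytes:
    """Flip one bit in one byte: the kind of edit a self-modifying trojan makes."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)

def block_similarity(a: bytes, b: bytes, block: int = 16) -> float:
    """Fraction of fixed-size blocks whose hashes still agree; tolerant of small edits."""
    ha = [hashlib.sha256(a[i:i + block]).digest() for i in range(0, len(a), block)]
    hb = [hashlib.sha256(b[i:i + block]).digest() for i in range(0, len(b), block)]
    return sum(x == y for x, y in zip(ha, hb)) / max(len(ha), len(hb))

def capabilities(sample: bytes) -> set:
    """Generic check: which suspicious capabilities does the sample appear to have?"""
    return {name for name, markers in CAPABILITY_MARKERS.items()
            if all(m in sample for m in markers)}

if __name__ == "__main__":
    known = {exact_hash(KNOWN_THREAT)}
    variant = mutate_one_byte(KNOWN_THREAT, 10)   # change one byte of padding
    print("exact match on variant:", exact_match(variant, known))      # False
    print("block similarity:", round(block_similarity(KNOWN_THREAT, variant), 2))
    print("capabilities still seen:", sorted(capabilities(variant)))
```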
We have studied companies' concerns about security technology in a diverse range of market sectors and have identified the main failures in current solutions.
Issue - Time delays in updating threat databases
- Current security is reactive, not proactive. Companies are currently having to wait hours and sometimes days to obtain an update to protect them; during this window, threats are spreading like wildfire through their systems.
- Updates should be on demand, and customers should have the ability to add known threats to the detection engine of any security product on the fly.
- The process of updating products should be automated so that no user intervention is required.
Issue - Security companies only focusing on 'news relevant' threats
- Too much time is being spent on the inclusion of 'news relevant' threats (threats that have been reported recently in the news). A more thorough approach would be the constant, proactive discovery and addition of all categories of threat.
- Data should come from diverse, multiple sources, not just the vendor security company. In fact, a collaborative approach is needed, whereby a worldwide central repository of threats is contributed to by all active customers. These threats should then be verified and distributed to all connected customers.
Issue - Tools which only detect the known threats from a known threat list
- This has been a problem for security vendors for a while now. Most vendors rely totally on a limited internal database of known threats, which means that new, unseen threats go completely undetected. This is reactive security.
- What is required is proactive security: detecting the generic capabilities of threats using multiple methodologies in order to detect the unknown, i.e. programs which are threats by virtue of their behaviour, not their known fingerprint.
- The need to detect unseen or changed executables on the network is paramount. A range of suspicious capabilities, such as the ability to talk IP and the presence of a hidden FTP server or keyboard logger, should be examined.
Security vendors and corporate users alike must understand that these types of hidden threats can only be discovered by a generic process. Organisations can no longer afford to rely purely on the detection of a few known threats.
Issue - Resource usage or degradation in network or system performance
- Scan complete IT systems before the user has even logged in
- Increase system performance and not cause an overhead
- Discover and report on downloaded tools which cause heavy system usage
- Detect denial of service tools, or music / video or mass downloading tools which cause major network traffic
Issue - Only security companies have the ability to add to the product
- Users should have the ability to drag and drop any threat into their security product and have it instantly added to its internal threat database.
- The ability to add programs for auditing, or to register out-of-date or vulnerable programs.
- The ability to see if a user has restored a backup which has downgraded the security patches.
Issue - Heavy training required, or the increasing cost to the employer of trained staff
- Security tools should be easy to install and configure without expensive external consultancy
- Users should not have to be security experts
- Users should have the ability to have information about security breaches reported automatically to management.
Issue - Dedicated hardware / service and support to run the products
- All too many products today require dedicated, supported hardware platforms to run. These have to be maintained and monitored, which adds extra cost and time to implementing solutions.
Issue - Stability of the software when it binds to low-level resources
- One of the most annoying features of cutting-edge products is that most of them in some way interfere with or bind to the operating system itself, often causing the infamous 'blue screen of death'. Security should be invisible to the end user, in terms of both network and resource usage.
Issue - Use of simple cryptography to hide threats
- The presence of any encryption tools should be monitored
- Users in companies should not be able to download and use unauthorised encryption or compression techniques, as these could be used against the company's best interests.
Issue - Use of simple wrapping tools or hex editors to avoid detection
- In order to demonstrate how surprisingly easy it is to avoid detection, we recently changed single bytes in a file, with the result that the threat evaded even the most popular virus checkers.
- Generic detection is required to find the presence of wrappers, binders and other tools of concealment.
- The use of active-content, web-based threats is set to become the de facto standard of global threat distribution. Conventional security focuses too much on the detection of these individual threats rather than on blocking the high-level distribution technique they use.
in fingerprinting databases
- We estimate that any security product, in order to be future proof, will need to be able to deal with tens of millions of fingerprints in the longer term, rather than the tens of thousands they currently address.
- This has to be done without impacting system performance and hindering productivity.
- The Internet is a big place and will continue to proliferate. Fingerprinting techniques will increasingly only be useful to identify an exact threat, whilst generic methods will become mandatory to effect a comprehensive solution.
With the inbuilt capability which modern attack tools have to change their appearance at will, or to pass straight through traditional security measures, a new methodology is required which will identify problems on a generic basis and, in effect, recognise the unknown or never-before-seen.
Going one stage further, this new methodology will need to be user-empowered, so that businesses can become proactive in the fight against the biggest crime wave yet encountered in the history of mankind.
Finally, with a new armoury, easily configurable to their discrete requirements, corporations will for the first time be able to protect their most valuable assets, their secrets and copyrights, by simply instructing their security tool to protect them.
Pie in the sky or Utopia? The plain fact is that the mischievous few are utilising technology advances at a far faster rate than the guardians of our security. Things can change and they will have to change; and change fast.