Aug 18

According to Sari Kajantie of the Finnish National Bureau of Investigation (NBI), quoted in Helsingin Sanomat, Finland's largest national newspaper, on 4 August 2011: “It is not the fault of the employee who has opened the attachment, if the hacker can access all company data from a single laptop.”

Companies need to pay much more attention to the activity and traffic inside their internal networks. It should not come as a surprise to anybody that individual laptops get compromised. Workstation networks must be separated from the servers by firewalls and intrusion prevention systems, and not only by installing these devices: the rules must be maintained and the alerts must be monitored.


written by Ari Vänttinen

Aug 18

Keeping Network Security Accountable

Antievasion, IPS, Security News

Just before the world’s best hackers and network security leaders converged in Las Vegas for Black Hat, Stonesoft spoke with Bill Jackson at Government Computer News. Bill was undoubtedly getting ready for a week of the latest and greatest hacking techniques and vulnerabilities, but he wanted to discuss something different: AETs. Ten months ago, Stonesoft’s discovery of AETs was made public, and Bill wanted to know what had happened since then and what the industry was doing about it. So, what has happened since then?

Nearly a year after their discovery and disclosure, AETs aren’t exactly “news.” But, the problem hasn’t gone away by any stretch of the imagination. The pcaps of the first 23 AETs discovered are available for public download. The article reminds us that the network security industry – more than ever before – must be kept accountable and proactive.

You can read the article, but the gist is that the network security industry is still lagging behind in its response to the threat of AETs. Only six of about 60 vendors have updated their products to handle the first release of 23 AETs. Last winter, 100+ new AETs were disclosed. The reaction? Crickets. Nada. Nothing.

GCN’s coverage of AETs once again pointed out a fatal flaw in network security. Too often, people focus on the new and exciting rather than the persistent, existing challenges that have yet to be solved, as is the case with AETs. The thousands of unexplained attacks that cost companies billions of dollars a year are a red flag. Understanding your exposure to these attacks is the first step in protecting against them.

See also the Black Hat Infosec Island video interview for additional coverage of AETs at the event.


written by markb

Jun 30

Dealing with evasions by Olli-Pekka Niemi

Antievasion, IPS, Security News

Read what the head of Stonesoft’s vulnerability research team says about the challenges in evasion protection.

Dealing with evasions by Olli-Pekka Niemi

written by Ari Vänttinen

Jun 22

The list of successful cyber attacks keeps getting longer and more severe, and the IT security landscape is changing fast. By now, everyone knows this. Every second some organization is being attacked, and yet the criminals remain untouched. Why? Because they are improving their tools and methods so quickly that the industry and organizations cannot keep up. In recent years the gap between defense and offense had become quite narrow, but it seems to be growing again.


written by Ari Vänttinen

Apr 20

TCP Split Handshake and StoneGate

Firewall Engine, IPS, Security News

Recently the information security landscape was abuzz over findings from a recent NSS Labs report on firewalls, wherein products were found to be vulnerable to a TCP split handshake attack. This attack concept was based on research by Tod Beardsley and Jin Qian of BreakingPoint Systems.

Normally, TCP is considered to use a “three-way handshake”, in which the application opening the session sends a SYN, the response is a SYN/ACK, and the originator of the session answers with an ACK, as outlined in RFC 793. What Beardsley and Qian noticed is that section 3.3 of the RFC actually spells out a four-step process and states that “steps 2 and 3 can be combined in a single message”. In other words, although combining them is the way systems typically handle it, there is no requirement for the recipient to combine its SYN and its ACK.

Without getting into the further nitty-gritty details, the bottom line of the research and the recent testing is that stateful network security devices relying on an expected handshake sequence can be fooled into thinking that a connection is originating from a trusted segment instead of from the actual source. Although Stonesoft was not a tested vendor we decided to independently verify StoneGate’s handling of this situation. You can read more about the issue in various articles, such as The CyberJungle, or Government Security News.

Stonesoft’s research team, the Vulnerability Analysis Group, tested both the StoneGate IPS and the StoneGate Firewall/VPN using the same BreakingPoint tests as outlined in the research paper. Our initial conclusion is that neither product is affected by this issue. For the StoneGate IPS, a four- or five-way handshake will fail to hide the payload (direction) from the IPS: the four-way case is flagged as “TCP_Segment-SYN-Unexpected-Reply”, and the five-way scenario [which is also very unlikely in real-world environments] as “TCP_Window_Shrinked”. The four-way handshake situation is not set to terminate by default, but it can easily be set to do so if conditions or policy warrant.

For the StoneGate Firewall/VPN, the behavior is dependent on an Advanced property of the firewall or firewall cluster, whether it operates in loose, normal, or strict mode, and the behavior is further influenced by whether traffic in any given rule is inspected or anti-virus applied. With inspection and anti-virus, attacks in the payload are detected regardless of the handshake mechanism. Loose and normal mode with no additional inspection methods will permit the handshake. Strict mode will drop the connection. In any situation, the StoneGate Firewall/VPN will not be confused as to the origin of the session, so the bottom line is as with all security policies in StoneGate: what is not expressly permitted, is denied.
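To make the handshake variants above concrete, here is a small Python tracker added as an illustration; it is not StoneGate code. It contrasts a tracker that restarts its state on every bare SYN (and so misattributes the originator on a split handshake) with one that pins the originator to the first SYN and only flags the unusual reply. The host names "A"/"B", the anomaly labels and the allow/drop verdict are constructed for the example.

```python
"""Toy TCP handshake tracker, constructed for this post; it is not StoneGate
code. Segments are (src, dst, flags) tuples in wire order."""

SYN, ACK = 0x02, 0x10   # TCP flag bits from RFC 793

# Constructed handshakes between an initiator "A" and a responder "B".
THREE_WAY = [("A", "B", SYN), ("B", "A", SYN | ACK), ("A", "B", ACK)]
# Split handshake: B answers with a bare SYN, so A ends up sending the SYN/ACK.
FOUR_WAY = [("A", "B", SYN), ("B", "A", SYN),
            ("A", "B", SYN | ACK), ("B", "A", ACK)]
# Five-step variant: B acknowledges A's SYN separately before sending its own.
FIVE_WAY = [("A", "B", SYN), ("B", "A", ACK), ("B", "A", SYN),
            ("A", "B", SYN | ACK), ("B", "A", ACK)]

def naive_originator(segments):
    """A tracker that restarts on every bare SYN and so takes the last host
    that sent one as the client. On a split handshake that is the responder,
    which is exactly the confusion the research describes."""
    originator = None
    for src, _dst, flags in segments:
        if flags & SYN and not flags & ACK:
            originator = src
    return originator

def track(segments):
    """Pin the originator to the first SYN; a later bare SYN from the peer is
    logged as an unexpected reply, not treated as a new connection.
    Returns (originator, established, anomalies)."""
    originator, sent_syn, syn_acked, anomalies = None, set(), set(), []
    for src, dst, flags in segments:
        if flags & SYN:
            if originator is None:
                originator = src
            elif src != originator and not flags & ACK and src not in sent_syn:
                anomalies.append("syn-unexpected-reply")
            sent_syn.add(src)
        if flags & ACK:
            if dst in sent_syn:
                syn_acked.add(dst)      # the peer's SYN is now acknowledged
            else:
                anomalies.append("ack-without-syn")
    hosts = {h for src, dst, _flags in segments for h in (src, dst)}
    established = bool(hosts) and sent_syn == hosts and syn_acked == hosts
    return originator, established, anomalies

def strict_verdict(segments):
    """Policy in the spirit of the post's strict mode: any handshake anomaly or
    an incomplete handshake drops the connection."""
    _originator, established, anomalies = track(segments)
    return "drop" if anomalies or not established else "allow"
```

Running `track(FOUR_WAY)` shows the split handshake still completes with "A" as originator, while `naive_originator(FOUR_WAY)` reports "B".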

Stonesoft looks forward to the opportunity to participate in future tests and supports community efforts to drive improved testing of network security systems. Only by improving testing efforts can we continue to ensure our solutions remain

Network Security. Simplified.

written by markb

Jul 09

Stonesoft at Black Hat 2010

Live from Field

It’s just a few weeks away! Stonesoft will be at the Black Hat 2010 conference and expo in Las Vegas, Nevada. If you’re going, join us there at booth 33, and learn about our solutions. We’re also featuring the popular StoneGate Hack The Lab event. Trade in your white hat for a black hat for a period and try your hand at hacking into systems in a lab environment.

In addition to Hack The Lab, we’ll also be featuring the StoneGate IPS component of the powerful, award-winning StoneGate network security solution. You can also register to win the VMware-certified StoneGate virtual firewall or IPS for a year for free!

Stay tuned here as well, as we post our security tips for a safe Black Hat computing event, or follow us on Twitter at @Hack_the_Lab and @Stonesoft_US. Or friend us on Facebook.

written by markb

Mar 11

IE 6 and 7 have a remote vulnerability that is being exploited in the wild right now. There are no patches available. If you use StoneGate IPS with the strict policy and have update package 293 activated and the policy refreshed, you should be safe. If you don’t, you should make sure that the fingerprint situation HTTP_SS-Microsoft-Internet-Explorer-Invalid-Pointer-Reference-CVE-2010-0806 is in your inspection policy with the action “Terminate”.

written by Olli-Pekka Niemi

Sep 09

When timely patching is just not enough

IPS

Microsoft has just released the September security bulletins. There are 5 bulletins, and all of them are rated critical.

The bulletins describe both client- and server-side remote code execution vulnerabilities, and for most of them functional exploit code is *likely*; see http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

The StoneGate IPS is able to prevent exploits against most of these vulnerabilities, but, for example, we cannot protect against MS09-049, “Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)”, because that vulnerability is exposed on the wireless network. Luckily, you can install the patches provided alongside the bulletins to fix these vulnerabilities.

But there are also unpatched vulnerabilities threatening your Windows systems.

Windows Vista, Windows 7 RC and Server 2008 are affected by a vulnerability in their file sharing service that allows remote code execution. There are no patches available, but exploits are. See http://www.microsoft.com/technet/security/advisory/975497.mspx

Also, the FTP server in IIS 5 and IIS 6 contains a vulnerability that can be exploited to cause a denial of service and, at least in IIS 5, remote code execution. Again, there are no patches available, but exploits are.

The StoneGate IPS (SGIPS) can prevent the attacks against these unpatched vulnerabilities.

written by Olli-Pekka Niemi

Mar 20

Virtual environments are easy to manage in many ways. However, that ease brings threats that do not exist in physical environments in the same form. For example, it is not a simple task to take an internal server out of one rack, move it to another rack dedicated to the public Web servers, and plug it into the same DMZ network segment as them. At the very least you have time to think about what you are doing while going through all those steps, and such an operation will not go unnoticed by others working in the same machine room. In a virtual environment, a server can be destroyed or moved to the wrong network segment within a few seconds (by mistake or on purpose) while your colleagues are working in the same room at their workstations.

As long as human beings are involved in the administration processes, there is no way to prevent this kind of mistake from happening. The question is how you can detect the mistakes and minimize their effects.


written by pentti

Feb 20

MS09-002 IE Vulnerability exploited via Word document

IPS, Security News

A malicious Office document can expose Internet Explorer to attacks even if Internet Explorer is not your default browser.

written by Olli-Pekka Niemi