Black hat IPS reverse engineering poses 'serious threat'

Gartner warns enterprises to be on their guard

Written by Robert Jaques

vnunet.com, 13 Aug 2007

A recently disclosed Black Hat hacker technique for reverse engineering intrusion prevention system (IPS) data poses a “serious risk” for thousands of enterprises, Gartner has warned.

The analyst firm’s warning comes after a speaker at the recent Black Hat Briefings conference in Las Vegas demonstrated a method of reverse-engineering IPS signatures for zero-day vulnerabilities. The demonstration used signatures from 3Com's TippingPoint IPS, but Gartner notes that there is “an implication” that all IPS vendor's signatures are at risk.

Paul E. Proctor, research vice president at Gartner, explained that enterprises use IPS technologies, which interpret external files containing signature definitions, to protect against the exploitation of vulnerabilities. However, when these patterns contain signatures for zero-day vulnerabilities, hackers can use this data to create exploit code based on vulnerabilities for which no protection exists. They can also use the signature file to write an exploit that bypasses the zero-day signature undetected, Proctor warned.

“Reverse-engineering code using interactive disassemblers such as DataRescue's IDA Pro Disassembler & Debugger is now a mainstream hacker activity, and a market has formed for the purchase of zero-day vulnerabilities. The rising value of these vulnerabilities represents a growing threat — both to the integrity of their own IPS protections and in the possibility of their becoming a source of compromised zero-day vulnerabilities — that enterprises should consider in their risk assessments,” Proctor said.

He added that the problem is not unique to TippingPoint IPS. On 22 May 2007, 3Com discontinued shipping Zero Day filters (signatures) in its regular updates. These filters are now available only after the request and the requesting party are verified and a strict nondisclosure agreement is signed.

Enterprises using IPSs from any vendor should, according to Proctor, check with their vendors to determine whether they provide zero-day signatures and, if so, hold them accountable for providing and disclosing protections that are in place for these signatures.

To help protect against this threat, Gartner urges IPS vendors to increase the complexity of reverse-engineering signature files that contain zero-day-vulnerability signatures.

Enjoyed this article? Help spread the word:

Comments

Reader comments for this story
Post your comment Post your comment   What is this?

Also read

White papers

Related jobs

Most read

Most commented

Special Reports

Latest

Spotlight

Richard Atkinson, FD of All England Tennis Court

Profile: Richard Atkinson, FD of All England Tennis Club

As Wimbledon reaches a heady climax, the FD of All...

PwC 10-year anniversary special report

Relive how the controversial mega-merger of Price Waterhouse and Coopers...

Make partner fast with YP

The latest edition of Young Professional features our definitive guide...

Find your next job

Find your next job
  • Solve your clients debt problem with a ClearDebt IVA
Salary Checker

Newsletters

Sign up here for the very latest news delivered to your inbox. Choose from the following options:

Search white papers

Search white papers

Have your say

THE BIG QUESTION: IS YOUR JOB AT RISK?
Has the credit crunch made you fear for your job?
Yes, my company says jobs will go
Maybe, if things get worse, I could be hit
No, business is quite stable

Job of the week

More finance jobs...

Your next job