Big business at risk as hackers go under cover
A new technique for disguising programs aimed at cracking corporate networks could raise the stakes in the heated battle between hackers and security experts.
During a seminar last week at the CanSecWest conference in Vancouver, British Columbia, a hacker named "K2" revealed a program he created that can camouflage the tiny programs that hackers generally use to crack through system security.
The cloaking technique is aimed at foiling the pattern-recognition intelligence used by many intrusion detection systems, or IDSes, known as the burglar alarms of the Internet. "Trust me, this will blow away any pattern matching," said K2, who would not reveal his real name because he also works as a security consultant.
When a security hole is found on a corporate network, hackers usually will find several ways to exploit it. To manage the onslaught, the makers of intrusion-detection systems continually update their own software to keep track of new variants of an already familiar theme.
Now the balance has changed, K2 said. With a technique called polymorphic coding, attackers could potentially change the code structure enough to fool many intrusion-detection systems -- but not enough to break the initial malicious program. "This is a way to keep the exploits brand-new, all the time," he said.
Reaction to the program among security consultants was mixed. Some downplayed the significance as a typical scenario in the battle between attackers and defenders. "Intrusion detection is an arms race," said Martin Roesch, president of security software start-up SourceFire and the creator of the popular IDS known as Snort. "It is measure, countermeasure."
Roesch has already started to improve Snort against techniques such as K2's. "Rather than a single signature we will have to go with multifaceted rules," he explained.
However, the development has other security experts concerned that, in the time it takes for intrusion-detection system makers to modify their products, online vandals could have a field day. "If (K2's) code is adopted en masse, it could make our lives a pain," said Greg Shipley, director of consulting services for Chicago-based security consulting firm Neohapsis.
Shipley likened today's intrusion-detection system to antivirus scanners, where each tries to match program signatures to a dictionary of malicious code. Like antivirus scanners, the pattern-matching technology is fallible. "If these systems were perfect, the Melissa virus would never have happened," he said. "It's reason No. 577 to patch your servers."
Dragos Ruiu, security consultant and host of the CanSecWest conference, said the program marks only a temporary setback for makers of intrusion-detection systems. "K2 has removed something that could have been a defensive bullet," said Ruiu. "We are back to the point where we are even" with the attackers.
But even K2 doesn't believe the polymorphic technique will spread quickly. Getting everything to work properly is just too difficult, he said.
"It's not really a (script) kiddie application," K2 said, referring to the lowest form of Internet hack. "It requires a lot of skill, and anyone who does have the skill will be the guy to discover the vulnerabilities first."
Take me to the Virus Workshop
The discovery that yet another flaw exists in Microsoft's Internet Explorer, and that Microsoft has had to issue a patch for it, shouldn't be a surprising one. Guy Kewney says -- there's no such thing as a perfect program. Go to AnchorDesk UK for the news comment.
Take me to Hackers
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.