{"id":843,"date":"2007-07-31T00:00:00","date_gmt":"2007-07-31T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2007\/07\/31\/black-hat-how-to-hack-ips-signatures\/"},"modified":"2021-12-30T11:38:15","modified_gmt":"2021-12-30T11:38:15","slug":"black-hat-how-to-hack-ips-signatures","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2007\/07\/31\/black-hat-how-to-hack-ips-signatures\/","title":{"rendered":"Black Hat: How to Hack IPS Signatures"},"content":{"rendered":"<p>Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack.  Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint&#8217;s signatures, but Graham says it&#8217;s possible to reverse-engineer any IPS vendor&#8217;s zero-day signatures.  The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn&#8217;t have otherwise been known about yet.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Graham says it&#8217;s no surprise this could be accomplished, but it was a bit of a shock to him that attackers are already using it to their advantage.<\/p>\n<p>TippingPoint late last month temporarily removed its Zero Day Initiative (ZDI) signature updates for its IPSs after getting the word from Errata on its research.  
The IPS vendor said it then added more secure storage and delivery to its software and recently released an update with those enhancements.<\/p>\n<p>Graham says Errata decided to test the ZDI signatures after finding at least two different hacking groups that wrote zero-day attacks using the signature TippingPoint released to patch the hole found in the infamous $10,000 Apple hacking contest at CanSec West earlier this year.  Errata used the well-known IDA Pro reverse-engineering tool, and also wrote its own tools for decrypting TippingPoint&#8217;s signatures.<\/p>\n<p>Graham says he won&#8217;t be releasing the tools: &#8220;We want to demonstrate that it can be done&#8230; &#8221; He argues that the trouble with these zero-day signatures is that they are often used more for marketing purposes, so an IPS vendor can show that it &#8220;got there&#8221; first, but this process instead invites trouble.  &#8220;We believe, and our customers agree, that providing zero-day filters in advance of vendor announcement of a vulnerability is serving a positive security purpose, in spite of the risk that some point out,&#8221; says Terri Forslof, manager of security response for TippingPoint.<\/p>\n<p>Graham says Errata&#8217;s Black Hat briefing session will also include some strategies for addressing this, but the bottom line is that vendors cannot protect themselves with software alone.  &#8220;An important first step would be to compile the signatures at the factory before sending them to the box, rather than shipping the source of their signatures.&#8221;<\/p>\n<p>As for IPS customers, if you&#8217;re a high-value target, Graham says, you need to be aware that the bad guys already have these signatures, and they could use them to hit you.  
It&#8217;s simple for an attacker to bypass the IPS altogether: &#8220;All they have to do is change a few bytes in the patterns&#8221; of the exploit, and they can get right past the IPS.<\/p>\n<p>http:\/\/www.darkreading.com\/document.asp?doc_id=130313&#038;WT.svl=news2_1<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-843","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=843"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions"}],"predecessor-version":[{"id":3330,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/843\/revisions\/3330"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}