AETs and Star Trek at ISSA London event

Opinion by Dan Raywood

The recent ISSA UK event was held aboard the HMS President in London.

Attending the event was Fujitsu's James Gosnold, who reported back for SC Magazine on the day. Opening the event on 12th July was Professor John Walker, whose day-to-day job is cyber security director at Ascot Barclay Group, presenting on ‘AET: Fact or Fiction?’

AETs (Advanced Evasion Techniques) were first encountered in 1992 and Walker recommended looking up work that Fred Cohen and Ralph Burger have done in this area for further reading.

Professor Walker has been talking about this subject for many years and first demonstrated AET at VB93. He described the large attack surface that still exists on current operating systems, asked the audience to run ‘IExpress’ from the command line of their Windows systems, and then questioned what place this kind of legacy software has in a modern and secure computing environment.

Perhaps this was a bit of a presentation gimmick designed to shock the audience, as I couldn't find any evidence of security vulnerabilities relating to ‘IExpress’.

Walker articulated very well how malware can be delivered by evading signature-based security monitoring/enforcement systems using techniques that modify the very structure of TCP/IP in order to present unexpected formats to the target.

Some of the techniques mentioned were TCP PAWS elimination, obfuscation and segmentation. The presenter demonstrated a tool (Stonesoft's ‘Predator’) that used these techniques to successfully compromise an up-to-date and patched IBM target system. Stonesoft has since launched the Evader testing tool and the Evasion Prevention System (EPS).

As Professor Walker continued to evangelise about the AET threat, he warned of significant press in this area in forthcoming weeks. 

Ira Winkler, who was recently voted in as the new ISSA president, gave the afternoon presentation intriguingly entitled ‘Everything I know about security I learned from Star Trek’.

Winkler talks at 101mph and many of the analogies were lost on this non-Trekkie, but I was entertained. The best analogy in relation to the Star Trek movies, I thought, was: “Like the Star Trek movie, always wait for the second version of anything.” Amen to that.

Two ‘Dragon's Den’ style presentations were also held, which allowed vendors a ten-minute slot to present their technologies. The time rule was strictly enforced by a loud buzzer that cut them off mid-sentence if necessary, which was particularly amusing when the presenter had seconds to go and was in full flow. Audience members were later asked to vote for the best presenter and best product at the end of the day.

The day closed with a networking session (that would have been out on deck were it not for the rainy British summertime) and allowed for time to meet and discuss the products with the vendors and other members of the UK infosec community. An excellent event, in my opinion, and surely worth the annual ISSA membership in its own right.
