Vegan and BeEF clash shows how cyber arms race never stops
Cyber attackers and defenders are caught in a permanent to-and-fro dance, coming up with new solutions that break the last one created by their adversaries.
An example of this never-ending arms race has been demonstrated perfectly by researcher and developer Brian Wallace and the developers of Browser Exploit Framework (BeEF), an open-source attack and penetration testing tool.
Wallace, not satisfied with the fact that the only existing – and very limited – method for detecting BeEF attacks is a Snort rule that can be easily bypassed by tech-savvy attackers that know how to modify the toolkit’s configuration file, decide to create a Google Chrome extension to defeat BeEF (and he called it “Vegan”).
“I decided to build my protection into Chrome browser so I could easily deploy it to devices regardless of the OS, handle HTTPS seamlessly with HTTP and approach the problem from the chokepoint,” he noted.
In the hopes of inspiring other defenders, he described the process he went through in detail in his blog post. In short: he noted BeEF’s specific cookie setting and unsetting behavior, and made the extension block any domain attempts to perform such an action, effectively preventing the browser from being able to communicate with the BeEF panel.
But he added that BeEF developers can easily, if they wished, change the code to avoid detection by the Vegan extension. And so they did, a mere half a day later:
— BeEF (@beefproject) June 26, 2015
“As a security researcher, I wish to maintain the balance between offensive and defensive research, so even smaller defensive projects like this provide a benefit,” Wallace explained his ultimate goal. “If more security researchers worked on open source defensive projects/research, we could, as an industry, tip the scales back into balance.”