At 09:08 PM 6/2/01 -0700, John Young wrote:
>There have been questions about DIRT's fulfilling its 
>promises in the past, and that it may be nothing more 
>than a version of Back Orifice being peddled to clueless
>governments who think restricting the product to gov
>means the product is hot shit.
>
>Much of this came out in the past as noted here. What
>I found intriguing was the new firewall transgression feature.
>Whether this is feasible and what could be done to prevent 
>firewall spoofing if it is feasible.

John, firewalls could be useless against a Back Orifice type
program [1] that leaks via intentional, predictable firewall holes (e.g., 
if you have web access then TCP port 80 is likely a hole).

That's why firewalls aren't very impressive to many readers here,
they are only part of the usual 'security in depth' (ie, layers
of insulation and armor, some passive, some reactive).  
If there were *no* holes in your firewall, you'd
simply unplug the machine from the net.

A trojan could send data in valid HTML, in what
looks like normal browsing, to defeat the high-end 'stateful' firewalls
that look inside the data and monitor the transaction for kosherness.  
Essentially the trojan is using steganography.  Think secret ink
writings on blank pages of your passport.  The passport gets you
out the door, but the content is not detected.

You can *detect* trojan traffic by sniffing your own net for traffic 
that you knew wasn't supposed to be there (e.g., that wasn't human
initiated browsing).

You could detect & stop trojan traffic *to collector machines* by
explicitly OK'ing each IP address you connected to, assuming you could
trust those machines and didn't trust anything else.  When you see an
attempt to connect to covert.collection.pigs.r.us (or more likely, just
an IP address you don't recognize), don't approve it.  

But if the Adversary is Carnivoring your traffic from outside your
firewall, a clever trojan could still encode info into (bogus) urls on the
hosts that you *do* let your machine try to connect to.  To catch this,
your friends at trusted_other_host.org would have to tell you that they've
been seeing bogus url requests, or you'd have to explicitly OK each and
every outgoing URL, even to trusted hosts.


[1] or trojan employees, who have more covert communication channels
available.
Generally, insider jobs are killers, and a trojan is an insider.


.....
"I think people have not quite gotten their hands around the
speed at which information can be disseminated online. "
-Monica Lewinsky, LATimes 9 may 01
http://www.latimes.com/business/columns/celebsetup/lat_monica010510.htm

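As an added illustration of the two checks discussed in the message above (approving each outbound host, and then looking for encoded data hiding in URLs sent to hosts you *do* approve); this is example code, not part of the original post, and the log lines, host names and entropy thresholds are constructed for it.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed sample of outbound HTTP request log lines (not from the post).
# Format per line: "<timestamp> <client_ip> <url>"
SAMPLE_LOG = """\
2001-06-02T21:10:01 10.0.0.5 http://www.latimes.com/business/columns/index.htm
2001-06-02T21:10:04 10.0.0.5 http://trusted_other_host.org/news/today.html
2001-06-02T21:10:09 10.0.0.5 http://192.0.2.77/upload.cgi
2001-06-02T21:10:12 10.0.0.5 http://trusted_other_host.org/img/4f9a2c1e7b0d8e3a5c6f1b2d9e8a7c4b.gif
"""

# Hosts the operator has explicitly OK'd (the "approve each address" approach).
APPROVED_HOSTS = {"www.latimes.com", "trusted_other_host.org"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens (hex, base64) score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def classify_request(url: str, approved=APPROVED_HOSTS,
                     max_entropy=3.5, min_len=16) -> str:
    """Verdict for one outbound URL.

    'unapproved-host' : destination not on the allow-list (block / alert).
    'suspicious-path' : approved host, but a long high-entropy path or query
                        token looks like encoded data (possible covert channel).
    'ok'              : nothing unusual.
    Thresholds are assumed starting points, not tuned values.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in approved:
        return "unapproved-host"
    tokens = re.split(r"[/._\-?=&]+", parts.path + "?" + parts.query)
    for tok in tokens:
        if len(tok) >= min_len and shannon_entropy(tok) > max_entropy:
            return "suspicious-path"
    return "ok"

def scan_log(text: str):
    """Map each non-blank log line to (url, verdict)."""
    results = []
    for line in text.splitlines():
        if line.strip():
            _ts, _client, url = line.split(maxsplit=2)
            results.append((url, classify_request(url)))
    return results
```

Real traffic needs the thresholds tuned against a baseline of normal browsing, since CDN asset names and session tokens also look random.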