WRT the Covert Channels paper -

  Header extensions and IP options are not actually practical channels.  They 
sound good but in practice they run afoul of the problem that network 
equipment, particularly routers, process packets in hardware - unless they have 
unusual extensions or IP Options, in which case the packets are thrown up to 
the software layer.  That means they will be slower, all through the Internet, 
and they are easily detected.

  We've used the IPID trick but not for a covert channel.  We wanted to be able 
to distinguish our traffic from actual attackers (use control for red teams), 
so we created an HMAC of the packet and inserted the first few bytes into the 
IPID field.  At the target's end, they can use a tool fed from tcpdump or other 
appropriate tool and check whether the IPID bytes match our expected value - we 
use a shared secret salt.

  Most of the other tricks are low bandwidth - not really useful for gigabytes 
of information.

  The two most commonly used covert channels in current malware are http and 
DNS.  The sheer volume of http makes it impractical to catch all requests - 
many typical, public, web-pages include requests to dozens of web-sites other 
than the primary one.  The many web-bug tricks and advertising spyware 
activities make this a really large pool of bits in which an adversary can 
hide.  We've used the trick of sending data out as DNS lookups against customer 
networks and it works like a charm.  We literally showed a security manager 
(later the CISO for the organization) the exfiltration and he didn't believe it 
twice, despite the evidence of displaying the exfiltrated file on our external 
web-site.

  I have a copy of the Loki source code (very clean) and sending unrequested 
ICMP echo responses still works in some places.  The author of Loki, who went 
by the name Mixter, created another covert channel that simply uses alternate 
IP protocols.  Some routers will route any IP protocol by default while others 
will only route those IP protocols explicitly specified.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
NIPR: [email protected]
SIPR: [email protected] (send NIPR reminder)
JWICS: [email protected] (send NIPR reminder)

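The IPID tagging scheme Ray describes above, worked through as an added example (not code from Ray's team or from any of the posters): a shared secret keys an HMAC over the fields of the IPv4 packet that stay constant in flight, the first two bytes of the MAC become the 16-bit IPID, and the receiving side recomputes the tag for every packet it sees and compares. The secret, addresses and payload are constructed here; the verifier takes the raw bytes of one IPv4 packet such as a tcpdump-fed tool would hand it.

```python
import hashlib
import hmac
import socket
import struct

# Constructed shared secret for the example; a real deployment uses a random key.
SHARED_SECRET = b"example-red-team-deconfliction-key"

IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) + header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tag_input(header: bytes, payload: bytes) -> bytes:
    """Zero the fields that legitimately change in flight before MACing:
    IPID (bytes 4-5, which will carry the tag), TTL (byte 8, decremented
    per hop) and the header checksum (bytes 10-11, recomputed per hop)."""
    h = bytearray(header)
    h[4:6] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h) + payload


def ipid_tag(header: bytes, payload: bytes, secret: bytes = SHARED_SECRET) -> int:
    """First two bytes of HMAC-SHA256 over the stable packet fields."""
    mac = hmac.new(secret, _tag_input(header, payload), hashlib.sha256).digest()
    return struct.unpack("!H", mac[:2])[0]


def build_tagged_packet(src: str, dst: str, proto: int, payload: bytes,
                        secret: bytes = SHARED_SECRET) -> bytes:
    """Sender side: build an IPv4 packet whose IPID is the HMAC tag."""
    fields = [0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[3] = ipid_tag(struct.pack(IPV4_FMT, *fields), payload, secret)
    header = struct.pack(IPV4_FMT, *fields)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def verify_tagged_packet(packet: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Receiver side: recompute the tag and compare it with the observed IPID."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    observed = header[4:6]
    expected = struct.pack("!H", ipid_tag(header, payload, secret))
    return hmac.compare_digest(observed, expected)


def simulate_hop(packet: bytes) -> bytes:
    """What a router does to the header: decrement TTL, fix the checksum."""
    header = bytearray(packet[:20])
    header[8] -= 1
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ipv4_checksum(bytes(header)))
    return bytes(header) + packet[20:]


if __name__ == "__main__":
    pkt = build_tagged_packet("10.0.0.5", "192.0.2.10", 6, b"constructed payload")
    print("tagged packet verifies:", verify_tagged_packet(pkt))
    print("after one hop:", verify_tagged_packet(simulate_hop(pkt)))
    print("wrong secret:", verify_tagged_packet(pkt, secret=b"other-key"))
```

Two limits follow from the sixteen-bit field: a random packet matches the expected tag with probability 1/65536, so the check is a marker for deconfliction rather than proof of origin, and the tag does not detect replay of a tagged packet. Any middlebox that rewrites the IPID (some NAT devices do) will also break the check, so the receiving tool should be placed where packets arrive unmodified.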


On Oct 18, 2013, at 8:27 PM, Steve Smith wrote:

Forgot to relate the tidbit that motivated me to update the group:

The "Covert Channels" reading, which is a very specialized example of 
Steganography (by my measure) has some very clever ideas in it which I'd never 
encountered before...   all kind of obvious once described but nevertheless 
quite clever.

- Steve
I don't know if anyone (else) is doing the reading for this course....

I lagged a bit but am just now catching up... the first 5 readings were 
history/law and *very* timely and relevant to the current situation with the 
NSA, etc.


The following are more technical:
Secure Email
Tor (secure - obfuscated?) Routing
Network Traffic Analysis
Steganography
Covert Channels
Chat (off the record)
.....
I've done my time working with or studying all of these at a fairly limited 
level and found each of the resources offered to be very well chosen...  a good 
review for me and a good introduction for anyone with modest technical 
knowledge.    They are also "bite sized"... I find the reading assignment for 
each week requiring less than an hour, though one can use these as a point of 
departure that could consume a whole week!

I'm glad to hear that our best and brightest are being taught these things.

- Steve
I'm in.  A number of journos are interested in/worried about this.
-tj


On Mon, Sep 9, 2013 at 12:30 PM, Steve Smith <[email protected]> wrote:
Cody -


I think you just started one (by asking).

I suggest a Google Group for discussion and following the class schedule even 
if we don't have the benefit of lecture and class discussions.

3 or more is a good number... if Owen's alerting us indicates interest, we 
already have a Quorum!?

- Steve
that seems like a very cool reading list. Are you thinking of starting up a 
reading group?

Cody Smith


On Mon, Sep 9, 2013 at 10:09 AM, Owen Densmore <[email protected]> wrote:
Another gem from twitter:
Ed Felten
Preliminary syllabus for my "Surveillance and Countermeasures" seminar: 
http://ow.ly/oHs9a
Retweeted by BrendanEich

http://www.cs.princeton.edu/courses/archive/fall13/cos597G/

Sounds fascinating .. and not all tech, lots of history and spy craft.

   -- Owen


============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com









--
==========================================
J. T. Johnson
Institute for Analytic Journalism   --   Santa Fe, NM USA
505.577.6482(c)                                    505.473.9646(h)
Twitter: jtjohnson
http://www.jtjohnson.com
[email protected]
==========================================








