RE: private-sector keystroke logger...
Ben Laurie [SMTP:[EMAIL PROTECTED]] wrote:
> [EMAIL PROTECTED] wrote:
> > Jay D. Dyson writes:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >
> > > On Tue, 27 Nov 2001 [EMAIL PROTECTED] wrote:
> > > > > > Hrm, how about a worm with a built-in HTTP server that installs
> > > > > > itself on some non-standard port, say TCP/28462 (to pick one at
> > > > > > random)?
> > > > >
> > > > > Craftier still, backdoor an existing service that behaves normally
> > > > > until it receives a few specially-crafted packets, then it opens a
> > > > > high port for direct login or data retrieval.
> > > >
> > > > Neither of these will get past a firewall on an uncompromised machine.
> > >
> > > While I didn't enumerate the service that could be backdoored, I do
> > > believe Eric Murray hit the nail on the canonical head when he mentioned
> > > that such a beastie could target the firewall's configuration, forcing
> > > it to relax its stance enough to allow the automated intrusion agent
> > > plenty of latitude to conduct its business.
> >
> > I am assuming a firewall on a separate machine, which simply does not
> > allow incoming connections to the Windows boxes, and constrains the
> > outgoing connections. I do not claim that this prevents all covert loss
> > of data, but it constrains the options, and certainly does not permit the
> > described backdoor to work.
>
> Yeah right - so it sets up an outgoing connection to some webserver to
> pass on the info. Firewall that.
>
> Cheers,
>
> Ben.

...or takes the data of interest (which is generally fairly small),
uuencodes it, and sends it in an email or an encrypted usenet posting.

Any application which allows an interior machine to send data to the
outside creates a potential covert channel. There's a reason why
classified machines are airgapped.

Peter Trei

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
private-sector keystroke logger...
It's not just the FBI, of course. There are press reports this morning of
a new worm, Badtrans.b, that not only leaves behind a Trojan horse, it
includes a keystroke logger. Now, that particular leakage isn't a major
concern, since it emails the stolen text to an account that's now been
shut down, but I'm sure we can all think of other ways to export
information like that.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
Re: private-sector keystroke logger...
Derek Atkins [EMAIL PROTECTED] writes:
> Hrm, how about a worm with a built-in HTTP server that installs itself
> on some non-standard port, say TCP/28462 (to pick one at random)?

Too easy to detect. Encrypt the key in some key known only to the
attacker, and start leaking little bits of it in things like tweaks to
tcp timings or selections of tcp client port numbers or initial sequence
numbers and such. Very hard to detect something like that with network
sniffing.

--
Perry E. Metzger        [EMAIL PROTECTED]
--
NetBSD Development, Support CDs. http://www.wasabisystems.com/
Re: private-sector keystroke logger...
Jay D. Dyson writes:
> On 27 Nov 2001, Derek Atkins wrote:
> > Hrm, how about a worm with a built-in HTTP server that installs itself
> > on some non-standard port, say TCP/28462 (to pick one at random)?
>
> Craftier still, backdoor an existing service that behaves normally until
> it receives a few specially-crafted packets, then it opens a high port
> for direct login or data retrieval.

Neither of these will get past a firewall on an uncompromised machine.
Re: private-sector keystroke logger...
[EMAIL PROTECTED] wrote:
> Jay D. Dyson writes:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > On Tue, 27 Nov 2001 [EMAIL PROTECTED] wrote:
> > > > > Hrm, how about a worm with a built-in HTTP server that installs
> > > > > itself on some non-standard port, say TCP/28462 (to pick one at
> > > > > random)?
> > > >
> > > > Craftier still, backdoor an existing service that behaves normally
> > > > until it receives a few specially-crafted packets, then it opens a
> > > > high port for direct login or data retrieval.
> > >
> > > Neither of these will get past a firewall on an uncompromised machine.
> >
> > While I didn't enumerate the service that could be backdoored, I do
> > believe Eric Murray hit the nail on the canonical head when he mentioned
> > that such a beastie could target the firewall's configuration, forcing
> > it to relax its stance enough to allow the automated intrusion agent
> > plenty of latitude to conduct its business.
>
> I am assuming a firewall on a separate machine, which simply does not
> allow incoming connections to the Windows boxes, and constrains the
> outgoing connections. I do not claim that this prevents all covert loss
> of data, but it constrains the options, and certainly does not permit
> the described backdoor to work.

Yeah right - so it sets up an outgoing connection to some webserver to
pass on the info. Firewall that.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: private-sector keystroke logger...
On Tue, 27 Nov 2001, Ben Laurie wrote:
> Yeah right - so it sets up an outgoing connection to some webserver to
> pass on the info. Firewall that.

Easy, have your firewalling software keep a list of all the connections
you allow. Each time a connection to a machine not on the list occurs it
asks for permission; if you give it, then it goes on the list. Couple
this with a sniffer on the outside of the firewall to look for probes.

--
Day by day the Penguins are making me lose my mind. - Bumper Sticker

The Armadillo Group            James Choate
Austin, Tx                     [EMAIL PROTECTED]
www.ssz.com                    512-451-7087
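The allow-list egress control James Choate sketches above (known destinations pass, anything else is held and the operator is asked, an approved destination joins the list), written out as an added example for this page. It is not code from the thread or from any firewall product; the log format, the TEST-NET addresses and the operator's answers are all constructed here, and the operator is simulated by a lookup table so the example runs offline.

```python
"""Egress allow-list with operator approval (added example, not from the thread).

The policy keeps a set of permitted outbound (proto, dst, dport) tuples.
A connection to a destination not on the set is referred to an operator;
if approved it goes on the allow list, if refused it is remembered as
denied so the operator is not asked about it twice.  The log format and
every address below are constructed for this example; they are not any
real firewall's format or data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable, Optional

Key = tuple[str, str, int]  # (proto, destination address, destination port)

# Constructed outbound-connection log (TEST-NET addresses only).
SAMPLE_LOG = """\
tcp 192.0.2.10:51234 -> 198.51.100.20:443
tcp 192.0.2.10:51235 -> 198.51.100.20:443
tcp 192.0.2.11:40001 -> 203.0.113.77:80
udp 192.0.2.10:53411 -> 198.51.100.1:53
tcp 192.0.2.12:33333 -> 203.0.113.200:28462
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Key]:
    """Return (proto, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["proto"], m["dst"], int(m["dport"]))


@dataclass
class EgressPolicy:
    allowed: set[Key] = field(default_factory=set)
    denied: set[Key] = field(default_factory=set)
    asked: list[Key] = field(default_factory=list)  # prompts issued, in order

    def decide(self, key: Key, ask: Callable[[Key], bool]) -> str:
        """Allow a listed destination; otherwise hold and ask the operator."""
        if key in self.allowed:
            return "allow"
        if key in self.denied:
            return "deny"
        self.asked.append(key)
        if ask(key):
            self.allowed.add(key)
            return "allow"
        self.denied.add(key)
        return "deny"


def make_operator(answers: dict[Key, bool]) -> Callable[[Key], bool]:
    """Stand-in for the human at the console; no recorded answer means refuse."""
    return lambda key: answers.get(key, False)


def process_log(text: str, policy: EgressPolicy,
                ask: Callable[[Key], bool]) -> list[tuple[str, str]]:
    """Apply the policy to each log line; returns (line, decision) pairs."""
    out = []
    for line in text.splitlines():
        key = parse_line(line)
        if key is None:
            continue  # malformed line; a real system would log and count these
        out.append((line, policy.decide(key, ask)))
    return out


if __name__ == "__main__":
    policy = EgressPolicy(allowed={("tcp", "198.51.100.20", 443),
                                   ("udp", "198.51.100.1", 53)})
    operator = make_operator({("tcp", "203.0.113.77", 80): True})
    for line, decision in process_log(SAMPLE_LOG, policy, operator):
        print(f"{decision:5s} {line}")
```

On the sample log the two connections to the listed web server and the DNS query pass without a prompt, the connection to port 80 on 203.0.113.77 is held, approved and added to the list, and the connection to port 28462 is held and refused. Running the same log a second time produces no prompts at all, because both earlier answers were remembered. The sniffer on the outside of the firewall that Choate pairs with this is not shown, and the objection in the messages above still applies: once a destination such as a web server is on the list, anything that machine is allowed to send there passes the check.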