IDS mailing list archives
Re: Detecting covert data channels?
From: "Eric Hacker" <my.self () erichacker com>
Date: Tue, 17 Jul 2007 12:33:24 -0400
On 13 Jul 2007 17:21:49 -0000, jeremy () deities org <jeremy () deities org> wrote:
The key question here is 'why?'
Perfect. That takes this discussion to where it needs to go. I wish I had said that, and as clearly.
If your goal is detection and forensics... If your goal is to prevent data leakage...
Very good points. Especially about normalization. That is so basic that we often forget it. Still, though, I find it easy enough to come up with application layer channels that detecting the network layer ones is nearly pointless. Preventing them is useful, but one doesn't really need to detect them to come up with the things to normalize in order to protect.

Here's an app layer covert channel. Google for a page that you know has two particular unique enough keywords to be ranked highly. Also include some other more common words that the page also includes. When one clicks through google to the page, the web server will get the referrer with the keywords used in the google search. It knows which were the unique keywords and so the extra words are the covert message. Make the target page look like one of those annoying search engine scam sites and it will look normal.

--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is pretty darn high.
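One place a defender could look for the channel described above is the egress proxy log, where the same client keeps issuing searches that share a fixed pair of rare keywords while the remaining words change on every query. The heuristic below is an added example, not anything from the thread; the proxy log format, the thresholds, the "google." host match and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs
# Constructed proxy log: "<client> <unix time> <requested URL>", one request per line.
PROXY_LOG = """\
10.1.1.7 1184688061 http://www.google.com/search?q=quartzfern+lanternwick+meet+at+dawn
10.1.1.7 1184688122 http://www.google.com/search?q=quartzfern+lanternwick+bring+the+files
10.1.1.7 1184688190 http://www.google.com/search?q=quartzfern+lanternwick+gate+seven
10.1.1.7 1184688250 http://www.google.com/search?q=quartzfern+lanternwick+not+tonight
10.1.1.9 1184688300 http://www.google.com/search?q=cheap+laptops
10.1.1.9 1184688400 http://www.google.com/search?q=cheap+laptops+free+shipping
10.1.1.9 1184688500 http://www.google.com/search?q=python+urlparse
"""
MIN_QUERIES = 3   # assumed threshold: repeated searches before a client is examined
MIN_ANCHOR = 2    # assumed threshold: the "two unique keywords" from the post
def query_terms(url):
    """Lower-cased terms of a Google-style search URL's q= parameter, or None."""
    u = urlparse(url)
    if "google." not in u.netloc:
        return None
    q = parse_qs(u.query).get("q")
    return tuple(re.findall(r"[a-z0-9]+", q[0].lower())) if q else None
def parse_log(text):
    """Group search term tuples by client, preserving log order."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        client, _ts, url = line.split(" ", 2)
        terms = query_terms(url)
        if terms:
            by_client[client].append(terms)
    return by_client
def find_keyword_anchors(text, min_queries=MIN_QUERIES, min_anchor=MIN_ANCHOR):
    """Return {client: (anchor_terms, extras_per_query)} for clients whose
    searches all share a fixed set of terms while the remaining terms change."""
    flagged = {}
    for client, queries in parse_log(text).items():
        if len(queries) < min_queries:
            continue
        anchor = set(queries[0]).intersection(*map(set, queries[1:]))
        if len(anchor) < min_anchor:
            continue
        extras = [[t for t in q if t not in anchor] for q in queries]
        # The changing part must actually change; identical repeats are just reloads.
        if len({tuple(e) for e in extras}) < min_queries:
            continue
        flagged[client] = (sorted(anchor), extras)
    return flagged
```

On the constructed log only 10.1.1.7 is flagged; 10.1.1.9 shares no keyword across all of its searches and drops out.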