Vulnerability Development mailing list archives
Re: Covert Channels
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 23 Oct 2002 17:53:58 -0500
On Wed, 2002-10-23 at 17:46, Michal Zalewski wrote:
> Do you know what's the correct order a person should view websites in?=)

No, but the order should be pretty much random and unpredictable. But wouldn't a covert channel add some static element to it? For example if every Friday, three websites get visited in the same order, that could indicate a covert channel, or not? (I know... or a caching proxy server prefetching in the same sequence every time... that would be a false positive :)

> No, it's pretty much impossible to detect a good channel like this. When you try to go too far and build a model of how a user is supposed to behave, then:
> - you get more false positives, because users of course aren't computer programs and do not follow your expectations precisely,

Again my point. User - unpredictable. A negotiated channel - predictable. User - random, channel - some static elements in randomness.

> Not really. If there are serious amounts of data being transferred day and night, yes. But if it's just a small amount of data sent every two-three days by visiting www.homepages.org/~jenny/, and clicking on several subpages - how can you tell the backdoor, and not the user, is visiting this page from time to time and sending a few bytes - such as a new password captured with the sniffer? You may say "because those requests would differ from what Netscape launched by a user does" - but they do not have to be...

Well, if there are repetitive accesses to these pages. I think this example is probably better picked up by an anomaly IDS. If no one in the company accesses these websites, but only one host somewhere in a closet, it may be flagged there. Argh... my head spins... I just hate to think that this is an area that can not be tackled. I don't like to lose... :)

Later,
Fran
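An added example, not part of the thread or anyone's posted code: the two signals Frank proposes (the same ordered set of sites revisited on a fixed schedule, and sites that only one host in the company ever contacts) as a heuristic over a constructed, simplified proxy log. The log format, host names and thresholds are assumptions; Michal's caveat still applies, since a prefetching proxy or a habitual user produces exactly the same pattern, so the output is a lead to triage, not a verdict.

```python
from collections import defaultdict
from datetime import datetime
# Constructed proxy log (not from the thread): "<timestamp> <client> <site>".
SAMPLE_LOG = """\
2002-10-04T09:01:00 ws-closet www.homepages.org
2002-10-04T09:01:05 ws-closet www.homepages.org
2002-10-04T09:02:10 ws-closet mirror.example.net
2002-10-04T09:03:00 ws-closet stats.example.com
2002-10-04T10:00:00 ws-alice news.example.org
2002-10-11T08:58:00 ws-closet www.homepages.org
2002-10-11T08:59:30 ws-closet mirror.example.net
2002-10-11T09:00:15 ws-closet stats.example.com
2002-10-11T11:05:00 ws-bob news.example.org
2002-10-18T09:05:00 ws-closet www.homepages.org
2002-10-18T09:06:00 ws-closet mirror.example.net
2002-10-18T09:07:00 ws-closet stats.example.com
"""

def parse(log):
    # (timestamp, client, site) tuples, oldest first
    return sorted((datetime.fromisoformat(t), c, s)
                  for t, c, s in map(str.split, log.splitlines()))

def repeated_sequences(events, n=3, min_days=3):
    # ordered n-site sequences a client repeats on >= min_days distinct days;
    # 'periodic': every gap between those days is equal (the "every Friday" case)
    seqs = defaultdict(lambda: defaultdict(list))  # client -> day -> sites
    for ts, client, site in events:
        day = seqs[client][ts.date()]
        if not day or day[-1] != site:             # collapse consecutive repeats
            day.append(site)
    findings = []
    for client, days in seqs.items():
        seen = defaultdict(set)
        for day, sites in days.items():
            for i in range(len(sites) - n + 1):
                seen[tuple(sites[i:i + n])].add(day)
        for gram, dayset in seen.items():
            if len(dayset) >= min_days:
                dates = sorted(dayset)
                gaps = {(b - a).days for a, b in zip(dates, dates[1:])}
                findings.append({"client": client, "sequence": gram,
                                 "days": len(dates), "periodic": len(gaps) == 1})
    return findings

def lonely_sites(events, max_clients=1):
    # sites seen from at most max_clients distinct clients ("one host in a closet")
    clients = defaultdict(set)
    for _, client, site in events:
        clients[site].add(client)
    return {s: sorted(c) for s, c in clients.items() if len(c) <= max_clients}
```

On the sample, the closet host's three-site sequence is reported as repeating on three days with a constant seven-day gap, and its three sites are the only ones no other client touches.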