IDS mailing list archives

Re: Detecting covert data channels?


From: "Eric Hacker" <my.self () erichacker com>
Date: Tue, 17 Jul 2007 12:33:24 -0400

On 13 Jul 2007 17:21:49 -0000, jeremy () deities org <jeremy () deities org> wrote:
> The key question here is 'why?'

Perfect. That takes this discussion to where it needs to go. I wish I
had said that, and as clearly.

> If your goal is detection and forensics...

> If your goal is to prevent data leakage...

Very good points. Especially about normalization. That is so basic
that we often forget it.

Still, though, I find it so easy to come up with application layer
channels that detecting the network layer ones is nearly pointless.
Preventing them is useful, but one doesn't really need to detect them
to come up with the things to normalize in order to protect.

Here's an app layer covert channel. Google for a page that you know
has two particular unique enough keywords to be ranked highly. Also
include some other more common words that the page also includes. When
one clicks through google to the page, the web server will get the
referrer with the keywords used in the google search. It knows which
were the unique keywords and so the extra words are the covert
message. Make the target page look like one of those annoying search
engine scam sites and it will look normal.

--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
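One detection heuristic for the search-referrer channel described above, added here as an example and not code from the thread or its authors. It assumes a web proxy log with one "timestamp user url" line per request (the lines below are constructed) and flags a user who repeatedly searches the same pair of terms with changing filler words and clicks through to the same site every time.

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines ("<timestamp> <user> <url>"), not real traffic: alice
# reuses one rare keyword pair with different filler each time, bob searches normally.
LOG_LINES = """\
2007-07-17T12:01:02 alice http://www.google.com/search?q=pellucid+aptronym+meet+tomorrow
2007-07-17T12:01:09 alice http://results-scam.example/page.html
2007-07-17T12:03:15 bob http://www.google.com/search?q=python+parse_qs+example
2007-07-17T12:03:20 bob http://docs.python.org/library/urlparse.html
2007-07-17T12:40:41 alice http://www.google.com/search?q=pellucid+aptronym+noon+at+the+dock
2007-07-17T12:40:44 alice http://results-scam.example/page.html
2007-07-17T13:10:12 alice http://www.google.com/search?q=pellucid+aptronym+bring+the+files
2007-07-17T13:10:15 alice http://results-scam.example/page.html
2007-07-17T13:30:30 bob http://www.google.com/search?q=python+parse_qs
2007-07-17T13:30:33 bob http://docs.python.org/library/urlparse.html
""".splitlines()
STOPWORDS = {"a", "an", "and", "at", "for", "in", "of", "the", "to"}

def search_terms(url):
    """Search terms of a Google query URL (minus stopwords), or None for other URLs."""
    parts = urlsplit(url)
    if not parts.netloc.endswith("google.com") or parts.path != "/search":
        return None
    q = parse_qs(parts.query).get("q")
    if not q:
        return None
    return frozenset(t.lower() for t in q[0].split()) - STOPWORDS

def find_recurring_cores(lines, min_variants=3):
    """Return (user, term pair, landing site, variant count) for every term pair
    searched with at least min_variants different filler sets, all landing on one site."""
    pending = {}                 # user -> terms of that user's most recent search
    variants = defaultdict(set)  # (user, pair, site) -> distinct sets of extra words
    for line in lines:
        _ts, user, url = line.split(" ", 2)
        terms = search_terms(url)
        if terms is not None:
            pending[user] = terms          # remember the search, wait for the click
            continue
        terms = pending.pop(user, None)    # first non-search request is the click-through
        if terms is None:
            continue
        site = urlsplit(url).netloc
        for pair in combinations(sorted(terms), 2):
            variants[(user, pair, site)].add(terms - set(pair))
    return [(user, pair, site, len(extra)) for (user, pair, site), extra
            in variants.items() if len(extra) >= min_variants]
```

Common-word pairs ("how", "install") will recur for legitimate users too, so in practice the stopword list needs to grow into a frequency-based filter before this is usable as an alert.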

