Vulnerability Development mailing list archives

Re: Covert Channels


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 23 Oct 2002 17:53:58 -0500

On Wed, 2002-10-23 at 17:46, Michal Zalewski wrote:
> Do you know what's the correct order a person should view websites in?=)

No, but the order should be pretty much random and unpredictable. But
wouldn't a covert channel add some static element to it? For example, if
every Friday three websites get visited in the same order, that could
indicate a covert channel, or not? (I know... or a caching proxy server
prefetching in the same sequence every time... that would be a false
positive :)

> No, it's pretty much impossible to detect a good channel like this. When
> you try to go too far and build a model of how user is supposed to behave,
> then:
>
>   - you get more false positives, because users of course aren't
>     computer programs and do not follow your expectations precisely,

Again my point. User - unpredictable. A negotiated channel -
predictable. User - random, channel - some static elements in
randomness.

> Not really. If there are serious amounts of data being transferred day and
> night, yes. But if it's just a small amount of data sent every two-three
> days by visiting www.homepages.org/~jenny/, and clicking on several
> subpages - how can you tell the backdoor, and not the user, is visiting
> this page from time to time and sending few bytes - such as a new password
> captured with the sniffer? You may say "because those requests would
> differ from what Netscape launched by an user does" - but they do not have
> to be...

Well, if there are repetitive accesses to these pages. I think this
example is probably better picked up by an anomaly IDS. If no one in the
company accesses these websites, but only one host somewhere in a
closet, it may be flagged there.

Argh... my head spins... I just hate to think that this is an area that can
not be tackled. I don't like to lose... :)

Later,
Fran
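As an added illustration (not part of the thread) of the anomaly-IDS heuristic Frank mentions: flag a destination that only one host in the company ever visits, and visits on a regular cadence. The log format, host names, thresholds and sample lines below are constructed; as the thread itself notes, a prefetching proxy would trip the same check.

```python
# Added example, not from the thread: a toy rare-destination/periodicity check
# over constructed proxy-log lines of the form "<ISO timestamp> <client> <dest>".
from collections import defaultdict
from datetime import datetime

# Constructed sample log: several workstations share the ordinary sites, while
# one host in a closet alone visits www.homepages.org roughly every two days.
SAMPLE_LOG = """\
2002-10-04T09:12:00 ws-12 news.example
2002-10-04T09:13:30 ws-07 news.example
2002-10-04T22:01:00 closet-host www.homepages.org
2002-10-06T22:02:00 closet-host www.homepages.org
2002-10-08T22:00:30 closet-host www.homepages.org
2002-10-10T22:01:10 closet-host www.homepages.org
2002-10-05T10:00:00 ws-12 forum.example
2002-10-05T10:05:00 ws-07 forum.example
2002-10-07T11:00:00 ws-03 intranet.example
""".splitlines()

def parse(lines):
    """Yield (timestamp, client, destination) tuples from the constructed format."""
    for line in lines:
        ts, client, dest = line.split()
        yield datetime.fromisoformat(ts), client, dest

def flag_rare_periodic(lines, min_visits=3, jitter_sec=600):
    """Return {dest: (client, visit_count, mean_gap_seconds)} for destinations
    visited by exactly one client, at least min_visits times, with inter-visit
    gaps that agree to within jitter_sec (the "static element in randomness")."""
    visits = defaultdict(lambda: defaultdict(list))   # dest -> client -> [ts]
    for ts, client, dest in parse(lines):
        visits[dest][client].append(ts)
    flagged = {}
    for dest, per_client in visits.items():
        if len(per_client) != 1:
            continue                     # several hosts visit it: ordinary site
        (client, stamps), = per_client.items()
        stamps.sort()
        if len(stamps) < min_visits:
            continue                     # too few visits to call it a pattern
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= jitter_sec:
            flagged[dest] = (client, len(stamps), round(sum(gaps) / len(gaps)))
    return flagged

if __name__ == "__main__":
    for dest, (client, n, gap) in flag_rare_periodic(SAMPLE_LOG).items():
        print(f"{dest}: only {client}, {n} visits, ~{gap}s apart")
```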
