Vulnerability Development mailing list archives

Re: Covert Channels


From: Anton Aylward <aja () si on ca>
Date: 23 Oct 2002 18:30:11 -0400

On Wed, 2002-10-23 at 17:29, Blue Boar wrote:
Anton Aylward wrote:
On Wed, 2002-10-23 at 16:34, Blue Boar wrote:
The specifics aren't important.  The number of ways to implement some 
attacks, and the number of ways to bypass an IDS are also infinite.  
I doubt that, but even if it is so, an IDS is limited to the network
whereas a covert channel could - as I illustrated - be anything.  It
could be whether I leave my blinds open at night.  In this case, the set
of covert channels is transfinite.

If you want to take covert channels outside of the realm of computer 
networks, there's no reason the concept of an IDS couldn't as well.  The 
airport x-ray IDS is perfectly capable of detecting the midget-in-luggage 
attack.

Indeed, if one wants to imagine such things, then one is only limited by
one's imagination.  Which may differ, as the saying goes, from mine.

No, I'm talking about reality.  I'm talking about actual cases of
"espionage".

Mind you, these supposed "detection" mechanisms are iffy.
There was the case, I'm sorry I don't recall names, perhaps someone can
assist me, where a scientist of Chinese ancestry working at a US lab
that at one time did weapons research, was supposed to have stolen
secrets.  In actual fact the computer disk concerned had merely been
misplaced.

If you look at the reality of "leaks" of information, even information
that was sourced on a computer, leaking off a network is small-fry
compared to what actually happens.  Look at the laptops that go missing;
look at the paper that goes missing.  Look at the visitors with
"photographic memory" - to reference another thread in the fw-wiz list
;-)


What you're really saying is that since your expertise is technical, you
are going to make this a technical problem so you can solve it.  Sorry,
the world isn't that simple.  This is one of the major flaws in our
approach to information security in general.  The computer, the network,
is just one medium and use of the information.  There are others, lots
of them.  No IDS is going to stop a social engineering attack.  No IDS
is going to stop a key person from going to a competitor and using his
(or her) experience to fast-track development that replicates the "new
widget" there.  (Evidence is that NDAs don't either but that's another
matter.)

When you're running a company or an R&D lab or something and are
concerned about information leakage, you look at more than just the
network for covert channels.  That's the reality of business.


/anton