Files in modern systems tend to grow faster than Moore's law.  It's possible to 
exfiltrate some information via low bandwidth channels - but the type of 
information that is of high value is frequently either related to system access 
or to legacy systems.  If one has enough access to create a covert channel, 
then getting the root password is OBE.  Hopefully, legacy systems that are 
important enough that an adversary might want to send out info about them are 
not storing that info where a covert channel has external access.  There are 
probably edge cases - but knowing in advance of that situation is unlikely, so 
one would install a high-bandwidth covert channel by default.

Ray Parks
Consilient Heuristician/IDART Program Manager
V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
NIPR: rcpa...@sandia.gov
SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
JWICS: dopa...@doe.ic.gov (send NIPR reminder)



On Oct 21, 2013, at 1:26 PM, Steve Smith wrote:

> Ray -
> 
> Great real-world report... my direct experience in all this is dated by at 
> least 6 years, but most of it nearly 10 years old now...  time flies!
> 
> The only question I have about your response below is about the question of 
> bandwidth...  while *some* important data/secrets are large, many are not...  
> a leak is a leak, no?  And an effective (albeit low bandwidth) covert channel 
> can leak a LOT over enough time?
> 
> - Steve
>> WRT the Covert Channels paper - 
>> 
>>   Header extensions and IP options are not actually practical channels.  
>> They sound good but in practice they run afoul of the problem that network 
>> equipment, particularly routers, process packets in hardware - unless they 
>> have unusual extensions or IP Options, in which case the packets are thrown 
>> up to the software layer.  That means they will be slower, all through the 
>> Internet, and they are easily detected.
>> 
>>   We've used the IPID trick but not for a covert channel.  We wanted to be 
>> able to distinguish our traffic from actual attackers (use control for red 
>> teams), so we created an HMAC of the packet and inserted the first few bytes 
>> into the IPID field.  At the target's end, they can use a tool fed from 
>> tcpdump or other appropriate tool and check whether the IPID bytes match our 
>> expected value - we use a shared secret salt.
>> 
>>   Most of the other tricks are low bandwidth - not really useful for 
>> gigabytes of information.
>> 
>>   The two most commonly used covert channels in current malware are http and 
>> DNS.  The sheer volume of http makes it impractical to catch all requests - 
>> many typical, public, web-pages include requests to dozens of web-sites 
>> other than the primary one.  The many web-bug tricks and advertising spyware 
>> activities make this a really large pool of bits in which an adversary can 
>> hide.  We've used the trick of sending data out as DNS lookups against 
>> customer networks and it works like a charm.  We literally showed a security 
>> manager (later the CISO for the organization) the exfiltration and he didn't 
>> believe it twice, despite the evidence of displaying the exfiltrated file on 
>> our external web-site.
>> 
>>   I have a copy of the Loki source code (very clean) and sending unrequested 
>> ICMP echo responses still works in some places.  The author of Loki, who 
>> went by the name Mixter, created another covert channel that simply uses 
>> alternate IP protocols.  Some routers will route any IP protocol by default 
>> while others will only route those IP protocols explicitly specified.
>> 
>> Ray Parks
>> Consilient Heuristician/IDART Program Manager
>> V: 505-844-4024  M: 505-238-9359  P: 505-951-6084
>> NIPR: rcpa...@sandia.gov
>> SIPR: rcpar...@sandia.doe.sgov.gov (send NIPR reminder)
>> JWICS: dopa...@doe.ic.gov (send NIPR reminder)
>> 
>> 
>> 
>> On Oct 18, 2013, at 8:27 PM, Steve Smith wrote:
>> 
>>> Forgot to relate the tidbit that motivated me to update the group:
>>> 
>>> The "Covert Channels" reading, which is a very specialized example of 
>>> Steganography (by my measure) has some very clever ideas in it which I'd 
>>> never encountered before...   all kind of obvious once described but 
>>> nevertheless quite clever.
>>> 
>>> - Steve
>>>> I don't know if anyone (else) is doing the reading for this course....
>>>> 
>>>> I lagged a bit but am just now catching up... the first 5 readings were 
>>>> history/law and *very* timely and relevant to the current situation with 
>>>> the NSA, etc.   
>>>> 
>>>> 
>>>> The following are more technical:
>>>> Secure Email
>>>> Tor (secure - obfuscated?) Routing
>>>> Network Traffic Analysis
>>>> Steganography
>>>> Covert Channels
>>>> Chat (off the record)
>>>> .....
>>>> I've done my time working with or studying all of these at a fairly 
>>>> limited level and found each of the resources offered to be very well 
>>>> chosen...  a good review for me and a good introduction for anyone with 
>>>> modest technical knowledge.    They are also "bite sized"... I find the 
>>>> reading assignment for each week requiring less than an hour, though one 
>>>> can use these as a point of departure that could consume a whole week!
>>>> 
>>>> I'm glad to hear that our best and brightest are being taught these things.
>>>> 
>>>> - Steve
>>>>> I'm in.  A number of journos are interested in/worried about this.
>>>>> -tj
>>>>> 
>>>>> 
>>>>> On Mon, Sep 9, 2013 at 12:30 PM, Steve Smith <sasm...@swcp.com> wrote:
>>>>> Cody -
>>>>> 
>>>>> 
>>>>> I think you just started one (by asking).  
>>>>> 
>>>>> I suggest a Google Group for discussion and following the class schedule 
>>>>> even if we don't have the benefit of lecture and class discussions.  
>>>>> 
>>>>> 3 or more is a good number... if Owen's alerting us indicates interest, 
>>>>> we already have a Quorum!?
>>>>> 
>>>>> - Steve
>>>>>> that seems like a very cool reading list. Are you thinking of starting 
>>>>>> up a reading group?
>>>>>> 
>>>>>> Cody Smith
>>>>>> 
>>>>>> 
>>>>>> On Mon, Sep 9, 2013 at 10:09 AM, Owen Densmore <o...@backspaces.net> 
>>>>>> wrote:
>>>>>> Another gem from twitter:
>>>>>> Ed Felten
>>>>>> Preliminary syllabus for my "Surveillance and Countermeasures" seminar: 
>>>>>> http://ow.ly/oHs9a 
>>>>>> Retweeted by BrendanEich
>>>>>> 
>>>>>> http://www.cs.princeton.edu/courses/archive/fall13/cos597G/
>>>>>> 
>>>>>> Sounds fascinating .. and not all tech, lots of history and spy craft.
>>>>>> 
>>>>>>    -- Owen
>>>>>> 
>>>>>> 
>>>>>> ============================================================
>>>>>> FRIAM Applied Complexity Group listserv
>>>>>> Meets Fridays 9a-11:30 at cafe at St. John's College
>>>>>> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
>>>>>> 
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> ==========================================
>>>>> J. T. Johnson
>>>>> Institute for Analytic Journalism   --   Santa Fe, NM USA
>>>>> 505.577.6482(c)                                    505.473.9646(h)
>>>>> Twitter: jtjohnson
>>>>> http://www.jtjohnson.com                  t...@jtjohnson.com
>>>>> ==========================================
>>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
> 
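
The IPID marking Ray describes above (an HMAC over the packet, its first bytes placed in the IPv4 Identification field, checked at the target against a shared secret) worked through as an added example; this is not code from the thread or from IDART. The choice of HMAC input fields, the three-match threshold, the secret and the RFC 5737 documentation addresses are my assumptions.

```python
import hmac
import hashlib

# Constructed shared secret for the example; in practice it is the salt the
# red team and the target's monitoring staff agree on out of band.
SHARED_SECRET = b"example-red-team-deconfliction-key"

def ipid_tag(secret: bytes, src: str, dst: str, proto: int, payload: bytes) -> int:
    """Derive the 16-bit Identification value from an HMAC over fields that
    survive transit unchanged (addresses, protocol, payload).  TTL, checksum
    and the IPID itself are left out so the receiver can recompute the tag."""
    msg = f"{src}>{dst}:{proto}:".encode() + payload
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")

def ipid_matches(secret: bytes, src: str, dst: str, proto: int,
                 payload: bytes, observed_ipid: int) -> bool:
    """Receiver side: recompute the tag for a captured packet and compare it
    in constant time with the Identification value actually observed."""
    expected = ipid_tag(secret, src, dst, proto, payload).to_bytes(2, "big")
    return hmac.compare_digest(expected, observed_ipid.to_bytes(2, "big"))

def classify_source(secret: bytes, packets, min_matches: int = 3) -> str:
    """A random 16-bit value matches by chance about once in 65,536 packets,
    so require several matching packets from a source before labelling it.
    packets: iterable of (src, dst, proto, payload, observed_ipid) tuples."""
    matches = sum(1 for p in packets if ipid_matches(secret, *p))
    return "red-team" if matches >= min_matches else "unknown"

def build_sample():
    """Constructed traffic: four tagged packets from one host and four from
    another host whose IPIDs deliberately differ from the expected tag."""
    base = b"GET / HTTP/1.1\r\n"
    tagged, untagged = [], []
    for i in range(4):
        payload = base + bytes([i])
        args = ("203.0.113.7", "198.51.100.20", 6, payload)
        tagged.append(args + (ipid_tag(SHARED_SECRET, *args),))
        args = ("203.0.113.9", "198.51.100.20", 6, payload)
        wrong = (ipid_tag(SHARED_SECRET, *args) + 1) & 0xFFFF
        untagged.append(args + (wrong,))
    return tagged, untagged
```

NAT devices and some middleboxes rewrite the Identification field, so a mismatch on the target side shows only that the tag did not survive the path, not that the traffic is an outside attacker's.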

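Ray's point that DNS lookups carry data out "like a charm" is the one a defender can act on: the detection side, as an added example that is not code from the thread. It runs a long-label / high-entropy heuristic over constructed resolver log lines in an assumed "<epoch> <client> <qname>" format and flags a client only after several distinct suspicious names under the same parent domain; the thresholds and the approximation of the registered domain as the last two labels are my assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log; the hex-looking labels imitate chunked data
# queried under one parent domain, the others are ordinary lookups.
SAMPLE_LOG = """\
1382380000 10.0.0.5 www.example.com
1382380001 10.0.0.5 mail.example.com
1382380002 10.0.0.8 4d5a90000300000004000000ffff0000b80000000000000.t.example.org
1382380002 10.0.0.8 40000000000000000000000000000000000000000000000.t.example.org
1382380003 10.0.0.5 cdn.static.example.net
1382380003 10.0.0.8 0e1fba0e00b409cd21b8014ccd21546869732070726f67.t.example.org
1382380004 10.0.0.8 616d2063616e6e6f742062652072756e20696e20444f53.t.example.org
1382380005 10.0.0.9 imagesabcdef0123456789.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded data sits near 4, base32 near 5."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def is_suspicious(qname: str, max_label: int = 30, min_entropy: float = 3.0) -> bool:
    """True when the subdomain part (left of the assumed registered domain)
    has a very long label, or a fairly long one with high entropy."""
    labels = qname.rstrip(".").split(".")
    sub = labels[:-2]
    if not sub:
        return False
    longest = max(len(label) for label in sub)
    return longest >= max_label or (
        longest >= 20 and shannon_entropy("".join(sub)) >= min_entropy)

def flag_clients(log_text: str, min_distinct: int = 3):
    """Group suspicious names by (client, parent domain) and report groups
    with at least min_distinct distinct names, which rules out a single
    odd-looking CDN hostname while catching chunk-per-query patterns."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if is_suspicious(qname):
            parent = ".".join(qname.rstrip(".").split(".")[-2:])
            seen[(client, parent)].add(qname)
    return sorted((client, parent, len(names))
                  for (client, parent), names in seen.items()
                  if len(names) >= min_distinct)
```

On a real resolver the same grouping should also watch query rate and the ratio of NXDOMAIN answers per parent domain, since a single-host volume spike is often the first visible symptom.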