Marc Smeets, KPMG IT Advisory
ICT Security & Control, InfoSecurity, November 13, 2008
Covert Channels: ‘Secret’ communication that passes your network security
Where will we go today?
About your speaker
What we will be talking about today
What is a covert channel? with quiz
How does a covert channel work? with demo
Implementations in the wild
Where do we go from here?
Who I am, what I do and what I like
Marc Smeets
interested in ICT and the security of it, especially networks
MSc. in System and Network Engineering, UvA
KPMG IT Advisory, focused on ICT Security & Control
- ITSEC testing, ITSEC advisory, ITSEC auditing
Fast cars & racing ☺
Our situation today
Data loss is ‘hot’
Guarding your data is hard … and becomes harder?
USB sticks, ‘lost’ login credentials, wireless access, unknown network entry points, desktop security
Covert channels are not the only thing to think of
… but you should be aware of covert channels
Goal of today
“Discuss an interesting technical / hacking topic”
Explain covert channels
What you will learn:
- More insight into what is possible with current techniques
- More insight into what hackers can use
- Insight into how security fails when relying solely on technical measures
What you will not learn
Not the solution to all IT security issues
Not the solution to keep hackers away
No bleeding edge techniques
No sales pitch
What is it?
“A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system’s security policy.”
- US DoD 1985
Within existing visible, known and ‘normal’ transport
Ready for a little quiz? Make sure you have an open mind
What is it? (cont.)
Communication and data transport channel
Traffic of a covert channel is
- Visible
- Within known protocols
- Looks like normal traffic
Can be single system (multi level security)
Focus on network based covert channels
How?
Visible + known + normal
- Use what you have / can / are allowed to
“Gaps” in common protocols
- Just plain old IP
- Just plain old ICMP
- Just plain old …
How? (Cont.) IP
- ID field = 16 bits, should be random
- Options = 24 bits, unnecessary for common situations
- Padding = 8 bits, should be all zero
How? (Cont.) DNS
- ID = 16 bits, keeps track of queries made
- QD = # questions, AN = # resource records in answer
- NS = # name serv. rec. in answer, AR = # answer
- All should be adjusted to each other, algorithm needed
How? (Cont.) DNS
- QNAME = actual query = max length FQDN = 255 bytes
- Max 63 octets per label
- DNS implementation may ignore
- Same for answer
Theory : the way to transport data
Encoding : Value vs. Transition
Dimension : Spatial vs. Temporal
Value spatial
- Represent a letter in bits
Transition spatial
- Represent the change from 1234 to 5678
Kitty example: Is there a kitty? Yes = 1
Is there a different kitty? Yes = 1
Theory : the way to transport data
Encoding : Value vs. Transition
Dimension : Spatial vs. Temporal
Value temporal
- Represent the arrival of a packet
Transition temporal
- Represent the transition of arrival of a packet
Kitty example: Is there a kitty this second? Yes = 1
Different kitty this second? Yes = 1
Theory : characteristics of a covert channel
Path
- Direct : end to end
- Indirect : proxy or bounce host
- Spread : to several end-systems
Theory : characteristics of a covert channel (cont.)
Behavior
- Active : generate own traffic
- Passive : piggyback on traffic of other processes
Efficiency : Space / time
Synchronization? Separate control and data channels?
Current implementations
This is _not_ new
A lot of implementations, with easy installers
- IPv4 : Covert_tcp, sob
- IPv6 : V00d00n3t
- DNS : Ozyman, nstx, DNScat
- HTTP : firepass, corkscrew, cctt
- MSN : MSNShell
- ICMP : ptunnel, skeeve
- VoIP : VoVoIP
- …
Adversary use
Adversaries really use it, but there is so little we know
- DDoS tool Stacheldraht (1998) -> ICMP for control
- PrettyPark worm (1999) -> IRC
What about the future?
- Skype API based covert channels
- IPv6
- HTTP(S) still one of the main protocols
- Torrent
Uncover that channel
It’s all legitimate by RFC!
Protocol implementations should and do allow it
Detect != prevent
Uncover that channel (Cont.)
What about the temporal channels… ouch!
Covert channels _are_ being used
- But do we know which implementations?
Uncover that channel (Cont.)
Protocol anomaly detection works
Excessive behavior can be spotted
- Continuous pinging
- Enormous DNS resolving
Various tools have characteristics
- DNS tools use TXT records
- ICMP tools have specific payload field
- Replaying a DNS query doesn’t provide the same answer
- HTTP(S) should have short requests, long answers
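The DNS indicators from this slide (TXT records, enormous resolving, labels stuffed with encoded data) worked into a small log analyser, as an added example that is not part of the deck or of any tool named on it. The log lines, the thresholds and the tun.example.net domain are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, "<client> <qtype> <qname>"; the hex-looking
# labels imitate data packed into QNAMEs and tun.example.net is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.9 TXT 9f3a7c1e0b5d28464e8d0b6f2a9c1357.tun.example.net
10.0.0.9 TXT 4e8d0b6f2a9c13579f3a7c1e0b5d2846.tun.example.net
10.0.0.9 TXT 0b5d28469f3a7c1e2a9c13574e8d0b6f.tun.example.net
10.0.0.5 A cdn.example.org
10.0.0.7 TXT _dmarc.example.com
"""

def shannon_entropy(s):
    """Bits per character of s (hex digits spread evenly give 4.0)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def query_reasons(qtype, qname, max_label=30, min_entropy=3.0):
    """Indicators a single query trips; labels may legitimately reach 63 octets,
    so the label-length rule is a heuristic, not a protocol violation."""
    longest = max(qname.rstrip(".").split("."), key=len)
    reasons = []
    if qtype == "TXT":
        reasons.append("TXT record")           # favoured by DNS tunnelling tools
    if len(longest) > max_label:
        reasons.append("long label")           # data packed into a label
    if shannon_entropy(longest) > min_entropy:
        reasons.append("high-entropy label")   # encoded rather than human-chosen
    return reasons

def analyze(log, per_query=2, per_client=3):
    """Flag a query that trips >= per_query indicators and a client that sends
    >= per_client flagged queries (in production: counted per time window)."""
    flagged = defaultdict(int)
    alerts = []
    for line in log.strip().splitlines():
        client, qtype, qname = line.split()
        reasons = query_reasons(qtype, qname)
        if len(reasons) >= per_query:
            flagged[client] += 1
            alerts.append((client, qname, reasons))
    suspicious = sorted(c for c, n in flagged.items() if n >= per_client)
    return alerts, suspicious
```

Requiring two indicators per query keeps a lone legitimate TXT lookup (the _dmarc line) out of the alerts, while the per-client count is what turns three odd queries into the "enormous resolving" pattern the slide describes.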
Questions ?
Should we abandon perimeter security and focus on security of data?
How about my blackberry?
Can you help me gain insight into my network?
Thank you for your attention
Marc Smeets
[email protected] +31 6 513 66680