On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
This type of covert channel has long been used by various governments
and organizations (think of clandestine messages being passed to or
from agents via personal ads).
There's one potentially interesting wrinkle to this scheme, though,
that's not mirrored in the generic "hidden-messages-in-a-public-
scenario: the sender can put things into the log, but not see them,
and the recipient can read things from the log, but writing there
might be of less interest.
I bring this up because the logs generated by the firewall do not
necessarily reside only on the device that received the sender's
packets. With lots of organizations working on centralizing log
events so that they can correlate findings from different platforms,
the ability to control the content of portions of log messages
(say, for example, the source address reported in a syslog message
indicating a dropped packet) could provide a vector for communicating
to highly trusted systems to which one has no direct network access.
I can't send them a packet, in other words, but maybe I can ask
someone on the edge of the network to send them a packet with some
content of my choosing.
I admit this seems like a somewhat farfetched avenue of attack
(i.e., if I'm able to install an agent with access to this log data,
I probably already have whatever level of access I might be after),
but it seems like an interesting observation nevertheless, and
somebody sooner or later will probably figure out a way to do
something interesting with it. I look forward, at the very least,
to the inevitable presentation on "video over covert syslog" by Dan