Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Interesting idea for a covert channel or I justdidn't research enough?
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 6 Oct 2005 13:59:56 -0400

-----Original Message-----
I bring this up because the logs generated by the firewall do not
necessarily reside 
only on the device that received the sender's packets.  With lots of
working on centralizing log events so that they can correlate findings
from different 
platforms, the ability to control the content of portions of log messages
(say, for 
example, the source address reported in a syslog message indicating a
dropped packet) 
could provide a vector for communicating to highly trusted systems to
which one has no 
direct network access.

The problem with this type of hiding-in-plain-sight covert channel is that
it is subject to modification between sender and recipient, in this specific
case making the victim the man in the middle.  An aware victim could quickly
become an attacker.  The malware applications of this are moderately
interesting but the implications of this type of communication model in
espionage are extremely interesting.  All sorts of implications and impacts
(for instance, a double agent might intentionally use this type of
communication because it's easily intercepted and modified).  I would guess
that if there is a book on covert channels for spies out there, this is in
the chapter of things NOT to do.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]