Re: Detecting covert data channels?



On 13 Jul 2007 17:21:49 -0000, jeremy@xxxxxxxxxxx <jeremy@xxxxxxxxxxx> wrote:
> The key question here is 'why?'

Perfect. That takes this discussion to where it needs to go. I wish I
had said that, and as clearly.

> If your goal is detection and forensics...

> If your goal is to prevent data leakage...

Very good points. Especially about normalization. That is so basic
that we often forget it.

Still, though, I find it easy enough to come up with application layer
channels that detecting the network layer ones is nearly pointless.
Preventing them is useful, but one doesn't really need to detect them
to come up with the things to normalize in order to protect.

Here's an app layer covert channel. Google for a page that you know
has two particular unique enough keywords to be ranked highly. Also
include some other more common words that the page also includes. When
one clicks through Google to the page, the web server will get the
referrer with the keywords used in the Google search. It knows which
were the unique keywords and so the extra words are the covert
message. Make the target page look like one of those annoying search
engine scam sites and it will look normal.

--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
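
The normalization point from the message above, applied to the referrer channel it describes, as an added example that is not part of the original post: an egress proxy rule that trims the Referer header to its origin on cross-origin requests (the behaviour of the `strict-origin-when-cross-origin` referrer policy), so search keywords never reach the destination server. The function names and the `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme]

def _origin_str(origin):
    scheme, host, port = origin
    if ":" in host:                # IPv6 literal needs its brackets back
        host = f"[{host}]"
    suffix = "" if port == DEFAULT_PORTS[scheme] else f":{port}"
    return f"{scheme}://{host}{suffix}"

def normalize_referer(request_url, referer):
    """Return the Referer value to forward, or None to drop the header."""
    src, dst = _origin(referer), _origin(request_url)
    if src is None or dst is None:
        return None                # unparseable or non-HTTP(S): drop it
    if src == dst:                 # same origin: keep path and query only
        parts = urlsplit(referer)
        query = f"?{parts.query}" if parts.query else ""
        return _origin_str(src) + (parts.path or "/") + query
    if src[0] == "https" and dst[0] == "http":
        return None                # never send a referrer across a downgrade
    return _origin_str(src) + "/"  # cross-origin: the search terms are gone

# Constructed sample: a click-through whose referrer carries extra words.
SAMPLE_REFERER = "https://search.example/search?q=uniqueone+uniquetwo+meet+at+noon"
SAMPLE_TARGET = "https://landing.example/page.html"

if __name__ == "__main__":
    print(normalize_referer(SAMPLE_TARGET, SAMPLE_REFERER))
```

This closes the one channel in the message without detecting anything, which is the poster's point: the protection comes from deciding what to normalize, not from spotting the traffic.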
