Re: Interesting idea for a covert channel or I just didn't research enough?

[foofus () foofus net]

On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
> This type of covert channel has long been used by various governments  
> and organizations (think of clandestine messages being passed to or  
> from agents via personal ads). 

There's one potentially interesting wrinkle to this scheme, though,
that's not mirrored in the generic "hidden-messages-in-a-public-medium"
scenario: the sender can put things into the log, but not see them, 
and the recipient can read things from the log, but writing there
might be of less interest.

I bring this up because the logs generated by the firewall do not 
necessarily reside only on the device that received the sender's 
packets.  With lots of organizations working on centralizing log
events so that they can correlate findings from different platforms,
the ability to control the content of portions of log messages
(say, for example, the source address reported in a syslog message
indicating a dropped packet) could provide a vector for communicating
to highly trusted systems to which one has no direct network access.

I can't send them a packet, in other words, but maybe I can ask
someone on the edge of the network to send them a packet with some
content of my choosing.  

I admit this seems like a somewhat farfetched avenue of attack 
(i.e., if I'm able to install an agent with access to this log data, 
I probably already have whatever level of access I might be after), 
but it seems like an interesting observation nevertheless, and 
somebody sooner or later will probably figure out a way to do 
something interesting with it.  I look forward, at the very least, 
to the inevitable presentation on "video over covert syslog" by Dan
Kaminsky.  :)

--Foofus.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/