Re: Interesting idea for a covert channel or I just didn't research enough?

[mudge <mudge () uidzero org>]

Good points and I agree with you. It is still, however, a variant on  
'dead-drop' covert channels - which is not a novel class of covert  
communications.

It should also be pointed out that the usage of most logging systems,  
as you describe, provide both storage and timing channels by definition.

cheers,

.mudge


On Oct 6, 2005, at 10:53 AM, foofus () foofus net wrote:

> On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
>
> > This type of covert channel has long been used by various governments
> > and organizations (think of clandestine messages being passed to or
> > from agents via personal ads).
>
> There's one potentially interesting wrinkle to this scheme, though,
> that's not mirrored in the generic "hidden-messages-in-a-public- 
> medium"
> scenario: the sender can put things into the log, but not see them,
> and the recipient can read things from the log, but writing there
> might be of less interest.
>
> I bring this up because the logs generated by the firewall do not
> necessarily reside only on the device that received the sender's
> packets.  With lots of organizations working on centralizing log
> events so that they can correlate findings from different platforms,
> the ability to control the content of portions of log messages
> (say, for example, the source address reported in a syslog message
> indicating a dropped packet) could provide a vector for communicating
> to highly trusted systems to which one has no direct network access.
>
> I can't send them a packet, in other words, but maybe I can ask
> someone on the edge of the network to send them a packet with some
> content of my choosing.
>
> I admit this seems like a somewhat farfetched avenue of attack
> (i.e., if I'm able to install an agent with access to this log data,
> I probably already have whatever level of access I might be after),
> but it seems like an interesting observation nevertheless, and
> somebody sooner or later will probably figure out a way to do
> something interesting with it.  I look forward, at the very least,
> to the inevitable presentation on "video over covert syslog" by Dan
> Kaminsky.  :)
>
> --Foofus.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/