Date: Thu Oct  6 15:52:52 2005
From: foofus at foofus.net (foofus@...fus.net)
Subject: Interesting idea for a covert channel or I just didn't research enough?

On Thu, Oct 06, 2005 at 10:22:07AM -0400, mudge wrote:
> This type of covert channel has long been used by various governments  
> and organizations (think of clandestine messages being passed to or  
> from agents via personal ads). 

There's one potentially interesting wrinkle to this scheme, though,
that's not mirrored in the generic "hidden-messages-in-a-public-medium"
scenario: the sender can put things into the log, but not see them, 
and the recipient can read things from the log, but writing there
might be of less interest.

I bring this up because the logs generated by the firewall do not 
necessarily reside only on the device that received the sender's 
packets.  With lots of organizations working on centralizing log
events so that they can correlate findings from different platforms,
the ability to control the content of portions of log messages
(say, for example, the source address reported in a syslog message
indicating a dropped packet) could provide a vector for communicating
to highly trusted systems to which one has no direct network access.

I can't send them a packet, in other words, but maybe I can ask
someone on the edge of the network to send them a packet with some
content of my choosing.  

I admit this seems like a somewhat farfetched avenue of attack 
(i.e., if I'm able to install an agent with access to this log data, 
I probably already have whatever level of access I might be after), 
but it seems like an interesting observation nevertheless, and 
somebody sooner or later will probably figure out a way to do 
something interesting with it.  I look forward, at the very least, 
to the inevitable presentation on "video over covert syslog" by Dan
Kaminsky.  :)

--Foofus.
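
The centralized-logging point above, seen from the collector's side, as an added example that is not part of the original post: it separates the fields of a dropped-packet line that the remote sender chose from those the firewall wrote, then coarsens events before they are forwarded to a more trusted system. The netfilter-style line layout, the `SENDER_CONTROLLED` field set and the function names are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a netfilter-LOG-like layout (assumed format; the
# post only speaks of "a syslog message indicating a dropped packet").
SAMPLE = [
    "Oct  6 15:50:01 edge-fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=60 TTL=52 ID=4660 PROTO=TCP SPT=40001 DPT=23",
    "Oct  6 15:50:02 edge-fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 "
    "DST=192.0.2.10 LEN=60 TTL=52 ID=4661 PROTO=TCP SPT=40002 DPT=23",
    "Oct  6 15:50:03 edge-fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=48 TTL=110 ID=100 PROTO=TCP SPT=5353 DPT=445",
]

# Assumption for this example: fields treated as freely chosen by the packet's
# sender. The timestamp, host name, interface and verdict come from the firewall.
SENDER_CONTROLLED = {"SRC", "LEN", "TTL", "ID", "SPT", "DPT"}

KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Split one drop line into its KEY=value fields."""
    return dict(KV.findall(line))


def sender_view(line):
    """Fields of one event that reach the central log exactly as the sender set them."""
    return {k: v for k, v in parse(line).items() if k in SENDER_CONTROLLED}


def summarize(lines, prefix=24):
    """Coarsen at the edge: count drops per (source network, protocol, dest port)."""
    counts = Counter()
    for line in lines:
        f = parse(line)
        net = ipaddress.ip_network(f"{f['SRC']}/{prefix}", strict=False)
        counts[(str(net), f["PROTO"], f["DPT"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE:
        print("sender-chosen:", sender_view(line))
    for key, n in summarize(SAMPLE).items():
        print("forwarded summary:", key, n)
```

Aggregation narrows but does not remove what a sender can place in the central store: the destination port and the event count are still sender-influenced.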

