covert channels

Post on 20-Aug-2015


Marc Smeets, KPMG IT Advisory

ICT Security & Control, InfoSecurity, November 13, 2008

Covert Channels: ‘Secret’ communication that passes your network security

IT ADVISORY

Where will we go today?

About your speaker

What we will be talking about today

What is a covert channel? with quiz

How does a covert channel work? with demo

Implementations in the wild

Where do we go from here?

Who I am, what I do and what I like

Marc Smeets

interested in ICT and the security of it, especially networks

MSc. in System and Network Engineering, UvA

KPMG IT Advisory, focused on ICT Security & Control

- ITSEC testing, ITSEC advisory, ITSEC auditing

Fast cars & racing ☺

What we will be talking about today

Our situation today

Data loss is ‘hot’

Guarding your data is hard … and becomes harder?

USB sticks, ‘lost’ login credentials, wireless access, unknown network entry points, desktop security

Covert channels are not the only thing to think of

… but you should be aware of covert channels

Goal of today

“Discuss an interesting technical / hacking topic”

Explain covert channels

What you will learn:

- More insight into what is possible with current techniques

- More insight into what hackers can use

- Insight into how security fails when relying solely on technical measures

What you will not learn

Not the solution to all IT security issues

Not the solution to keep hackers away

No bleeding edge techniques

No sales pitch

What are these ‘covert channels’ ?

What is it?

“A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system’s security policy.”

- US DoD 1985

Within existing, visible, known and ‘normal’ transport

Ready for a little quiz? Make sure you have an open mind

Is this a covert channel?

Is this a covert channel?

Stealth ... bad

Is this a covert channel?

Is this a covert channel?

Visible … good

Is this a covert channel?

Is this a covert channel?

Unknown … bad

Is this a covert channel?

Is this a covert channel?

Familiar … good

Is this a covert channel?

Is this a covert channel?

Ridiculous transport … bad

Is this a covert channel?

Is this a covert channel?

Normal transport … good (well, perhaps better transport)

What is it? (cont.)

Communication and data transport channel

Traffic of a covert channel is:
- Visible
- Within known protocols
- Looks like normal traffic

Can be on a single system (multi-level security)

Focus on network based covert channels

How does a covert channel work ?

How?

Visible + known + normal
- Use what you have / can / are allowed to

“Gaps” in common protocols
- Just plain old IP
- Just plain old ICMP
- Just plain old …

How? (Cont.) IP

ID field = 16 bits, should be random
Options = 24 bits, unnecessary for common situations
Padding = 8 bits, should be all zero

How? (Cont.) ICMP

Data = a lot

How? (Cont.) DNS

ID = 16 bits, keeps track of queries made
QD = # questions, AN = # resource records in answer
NS = # name server records in answer, AR = # answer
All should be adjusted to each other, algorithm needed

How? (Cont.) DNS

QNAME = actual query
- Max length FQDN = 255 bytes
- Max 63 octets per label
- DNS implementation may ignore
Same for answer

Theory : the way to transport data

Encoding: Value vs. Transition
Dimension: Spatial vs. Temporal

Value spatial
- Represent a letter in bits
Transition spatial
- Represent the change from 1234 to 5678

Kitty example:
- Is there a kitty? Yes = 1
- Is there a different kitty? Yes = 1

Theory : the way to transport data (cont.)

Encoding: Value vs. Transition
Dimension: Spatial vs. Temporal

Value temporal
- Represent the arrival of a packet
Transition temporal
- Represent the transition of arrival of a packet

Kitty example:
- Is there a kitty this second? Yes = 1
- Different kitty this second? Yes = 1

Theory : characteristics of a covert channel

Path
- Direct: end to end
- Indirect: proxy or bounce host
- Spread: to several end-systems

Theory : characteristics of a covert channel (cont.)

Behavior
- Active: generate own traffic
- Passive: piggyback on traffic of other processes

Efficiency: space / time

Synchronization? Separate control and data channels?

Demo

1. Shell access to a system via HTTP(S)
2. Tunneling via DNS

Implementations in the wild

Current implementations

This is _not_ new
A lot of implementations, with easy installers

IPv4 : Covert_tcp, sob
IPv6 : V00d00n3t
DNS : Ozyman, nstx, DNScat
HTTP : firepass, corkscrew, cctt
MSN : MSNShell
ICMP : ptunnel, skeeve
VoIP : VoVoIP
…

Adversary use

Adversaries really use it, but there is so little we know
- DDoS tool Stacheldraht (1998) -> ICMP for control
- PrettyPark worm (1999) -> IRC

What about the future?
- Skype API based covert channels
- IPv6
- HTTP(S) still one of the main protocols
- Torrent

Where do we go from here ?

Uncover that channel

It’s all legitimate by RFC!

Protocol implementations should and do allow it

Detect != prevent

Uncover that channel (Cont.)

What about the temporal channels… ouch!
Covert channels _are_ being used
- But do we know which implementations?

Uncover that channel (Cont.)

Protocol anomaly detection works

Excessive behavior can be spotted
- Continuous pinging
- Enormous DNS resolving

Various tools have characteristics
- DNS tools use TXT records
- ICMP tools have a specific payload field
- Replaying a DNS query doesn’t provide the same answer
- HTTP(S) should have short requests, long answers
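As an added illustration of the detection heuristics on this slide (not code from the talk or from any tool it names), the Python below scores constructed resolver log lines for long or high-entropy QNAME labels and for bursts of TXT lookups from a single client; the log format and the three thresholds are assumptions, not tuned figures.

```python
import math
from collections import defaultdict
# Constructed sample resolver log (not from the talk): "client qtype qname"
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.9 TXT 3d3e5a2f9c1b7e8a0d4f6b2c9e1a7f3d5b8c2e4a.tun.example.net
10.0.0.9 TXT 7a1c9e3b5d2f8a4c6e0b1d9f3a5c7e2b4d6f8a0c.tun.example.net
10.0.0.9 TXT 9f2b4d6e8a0c1e3b5d7f9a2c4e6b8d0f1a3c5e7b.tun.example.net
10.0.0.9 TXT 1e3b5d7f9a2c4e6b8d0f1a3c5e7b9d2f4a6c8e0b.tun.example.net
10.0.0.5 AAAA cdn.example.com
"""

MAX_LABEL_OCTETS = 63  # per-label limit from the DNS slides
LONG_LABEL = 30        # assumed heuristic: ordinary hostnames rarely get this long
ENTROPY_BITS = 3.5     # assumed heuristic: hex/base32 payloads sit near 4 bits/char
TXT_PER_CLIENT = 3     # assumed heuristic: bursts of TXT lookups from one client

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def qname_indicators(qname: str) -> list:
    """Reasons one query name looks like data packed into QNAME labels."""
    reasons = []
    longest = max(qname.rstrip(".").split("."), key=len)
    if len(longest) > LONG_LABEL:
        reasons.append(f"long label: {len(longest)}/{MAX_LABEL_OCTETS} octets")
    if shannon_entropy(longest) > ENTROPY_BITS:
        reasons.append("high-entropy label")
    return reasons

def analyse(log_text: str) -> dict:
    """Map client -> [(qname, reason)], plus the per-client TXT-volume check."""
    txt_counts = defaultdict(int)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        if qtype == "TXT":
            txt_counts[client] += 1
        for reason in qname_indicators(qname):
            findings[client].append((qname, reason))
    for client, n in txt_counts.items():
        if n >= TXT_PER_CLIENT:
            findings[client].append(("*", f"{n} TXT queries in window"))
    return dict(findings)
```

Only the client sending the hex-packed TXT queries is reported; ordinary lookups from the other host produce no indicators.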

Questions ?

Should we abandon perimeter security and focus on security of data?

How about my blackberry?

Can you help me gain insight into my network?

Thank you for your attention
Marc Smeets

smeets.marc@kpmg.nl
Mobile +31 6 513 66680
