private-sector keystroke logger...

Trei, Peter ptrei at rsasecurity.com
Wed Nov 28 11:19:42 EST 2001


> Ben Laurie[SMTP:ben at algroup.co.uk] wrote:
> 
> pasward at big.uwaterloo.ca wrote:
> > 
> > Jay D. Dyson writes:
> >  > -----BEGIN PGP SIGNED MESSAGE-----
> >  >
> >  > On Tue, 27 Nov 2001 pasward at big.uwaterloo.ca wrote:
> >  >
> >  > >  > > Hrm, how about a worm with a built-in HTTP server that installs itself
> >  > >  > > on some non-standard port, say TCP/28462 (to pick one at random)?
> >  > >  >
> >  > >  >         Craftier still, backdoor an existing service that behaves normally
> >  > >  > until it receives a few specially-crafted packets, then it opens a high
> >  > >  > port for direct login or data retrieval.
> >  > >
> >  > > Neither of these will get past a firewall on an uncompromised machine.
> >  >
> >  >      While I didn't enumerate the service that could be backdoored, I
> >  > do believe Eric Murray hit the nail on the canonical head when he
> >  > mentioned that such a beastie could target the firewall's configuration,
> >  > forcing it to relax its stance enough to allow the automated intrusion
> >  > agent plenty of latitude to conduct its business.
> > 
> > I am assuming a firewall on a separate machine, which simply does not
> > allow incoming connections to the Windows boxes, and constrains the
> > outgoing connections.  I do not claim that this prevents all covert
> > loss of data, but it constrains the options, and certainly does not
> > permit the described backdoor to work.
> 
> Yeah right - so it sets up an outgoing connection to some webserver to
> pass on the info. Firewall that.
> Cheers,
> Ben.
...or takes the data of interest (which is generally fairly small), uuencodes it,
and sends it in an email or an encrypted usenet posting.

Any application which allows an interior machine to send data to the outside
creates a potential covert channel.  There's a reason why classified machines
are airgapped.

Peter Trei
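
The outbound-mail case above is one a mail gateway can check for. The following is an added example, not part of the original post: a detector for uuencoded blocks in a message body, run over three constructed messages. The function names and sample data are assumptions; the base64 sample shows the same bytes in another encoding passing unnoticed, which is the limit of content inspection that the post points to.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^begin [0-7]{3,4} (\S+)\s*$")

def data_len(line):
    """Decoded byte count of a well-formed uuencoded line, else None."""
    if not line or not all(32 <= ord(c) <= 96 for c in line):
        return None
    n = (ord(line[0]) - 32) & 0x3F       # first char carries the byte count
    need = (n + 2) // 3 * 4              # 4 encoded chars per 3 bytes
    # Assumption: the mailer has not stripped trailing padding characters.
    return n if len(line) - 1 == need else None

def find_uuencoded(text):
    """Return [(filename, decoded_size)] for each complete begin/end block."""
    hits, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = BEGIN.match(lines[i])
        i += 1
        if not m:
            continue
        total = 0
        while i < len(lines) and (n := data_len(lines[i])) is not None:
            total += n
            i += 1
        # Require real data and a closing "end" so prose is not flagged.
        if total and i < len(lines) and lines[i] == "end":
            hits.append((m.group(1), total))
    return hits

def uuencode(data, name):
    """Build a constructed sample block, 45 bytes per line."""
    rows = [binascii.b2a_uu(data[k:k + 45], backtick=True).decode().rstrip("\n")
            for k in range(0, len(data), 45)]
    return "\n".join([f"begin 600 {name}", *rows, "`", "end"])

# Constructed samples (hypothetical file name and payload).
PAYLOAD = bytes(range(100))
LEAK = "Subject: lunch\n\nSee below.\n" + uuencode(PAYLOAD, "keys.log") + "\n"
CLEAN = "begin 644 copies\nTHANKS\n"          # prose that resembles a header
B64 = "Subject: lunch\n\n" + base64.b64encode(PAYLOAD).decode() + "\n"

if __name__ == "__main__":
    for label, msg in (("uuencoded", LEAK), ("prose", CLEAN), ("base64", B64)):
        print(label, find_uuencoded(msg))
```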







---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com



