BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly

Jennifer Davis sigje at sigje.org
Wed Jul 21 10:35:34 PDT 2004


The meeting started off with Heather asking about distribution of OSes. 
It seems like BayLISA represents a good slice of just about everything. 
That means that you can probably find an expert on just about anything 
within our group.

Jim Dennis mentioned the 4th annual Linux picnic which will be held on 
August 7.  There was a mention as to Jon 'maddog' possibly attending.  It 
will be held at Sunnyvale Baylands Park, Sunnyvale, CA.

Heather also brought up a deal available from ThinkGeek.  Add $50 worth 
of goods to your shopping cart.  Add the "Have you grokked your 
sysadmin" shirt to your cart, and you will get that shirt for free in 
honor of Sys Admin month.

I made an announcement about the services group working on web services, 
and about a new management facility for users coming soon.  I also informed 
people that if they wanted to contribute, all they had to do was send an 
email to baylisa.  Many thanks were given to Roy Rapoport, who donated the 
future www.baylisa.org home system, _and_ has been responsible for leading 
the development work for the new membership facilities for the website.

Mark Langston began with an introduction.  As Strata was getting tape to 
record the speech, Mark talked about GOSSIP, an Open Source project 
meant for peer to peer reputation management 
(http://sufficiently-advanced.net/), and his job at the SETI Institute. 
This intro material was actually just as interesting as the talk itself 
with a discussion about what the SETI Institute does (and doesn't do like 
SETI at home), and his responsibilities.

His talk about covert communication channels was pretty comprehensive for 
the length of the speech.  Starting with a high level discussion of 
firewalls and IDS, and how data is determined to be good or bad, Mark 
introduced his topic.  I especially liked the phrase 'slow escalation of 
armed race in security' with regards to the race to secure networks and 
data, and the people that want to compromise these links.

Groklaw (http://www.groklaw.net/) was a site that Mark mentioned as being 
a good place to start to read about some of the issues.  EFF 
(http://www.eff.org/) was also mentioned.

Using the software Corundum on a Mac OS X system, Mark showed how a 
message could be easily hidden within a cartoon without any way to detect 
it with the human eye.

Mark explained the idea of chaffing and winnowing, one method of covert 
communications.  Each word goes in a separate packet with an integer 
authentication byte.  The authentic words have an even auth byte, so 
anyone can see the entire message, but it is obscured by all the extra 
words, which could form messages themselves.
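As an added illustration (this is not code from Mark's talk or from any project he showed), the chaffing-and-winnowing idea in Python: first the parity-byte version exactly as summarised above, where no key is involved and anyone who sees the stream can winnow it, then Rivest's original keyed-MAC variant, where only the holder of the shared key can tell wheat from chaff.  The decoy vocabulary, the packet layout (sequence number, word, tag) and the key are constructed assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed decoy vocabulary for the chaff packets (example data, not from the talk).
DECOY_WORDS = ["send", "the", "report", "tomorrow", "cancel", "never", "at", "dawn"]


def toy_chaff(words):
    """The scheme as summarised in the talk: one word per packet plus an integer
    authentication byte; authentic words get an even byte, chaff words an odd one."""
    packets = []
    for seq, word in enumerate(words):
        packets.append((seq, word, 2 * secrets.randbelow(128)))                      # even = real
        packets.append((seq, secrets.choice(DECOY_WORDS), 2 * secrets.randbelow(128) + 1))  # odd = chaff
    secrets.SystemRandom().shuffle(packets)  # the wire order hides nothing by itself
    return packets


def toy_winnow(packets):
    """No key is involved, so any observer can separate the real words from the chaff."""
    real = {seq: word for seq, word, auth in packets if auth % 2 == 0}
    return [real[s] for s in sorted(real)]


def _tag(key, seq, word):
    """Keyed tag over (sequence number, word); truncated HMAC-SHA256 as in Rivest's paper."""
    return hmac.new(key, f"{seq}:{word}".encode(), hashlib.sha256).digest()[:8]


def chaff(words, key, chaff_per_word=2):
    """Keyed variant: real packets carry a valid MAC, chaff packets carry random bytes
    that are indistinguishable from a MAC to anyone without the key."""
    packets = []
    for seq, word in enumerate(words):
        packets.append((seq, word, _tag(key, seq, word)))
        for _ in range(chaff_per_word):
            packets.append((seq, secrets.choice(DECOY_WORDS), secrets.token_bytes(8)))
    secrets.SystemRandom().shuffle(packets)
    return packets


def winnow(packets, key):
    """Receiver keeps only the packets whose tag verifies under the shared key."""
    real = {}
    for seq, word, tag in packets:
        if hmac.compare_digest(tag, _tag(key, seq, word)):
            real[seq] = word
    return [real[s] for s in sorted(real)]
```

Note that nothing is encrypted in either variant; the keyed version hides the message only because an observer cannot verify which tags are genuine.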

Mark also explained the fact that firewalls with their crispy shells do 
not protect the chewy center, and described how even locked down 
completely he could communicate through the firewall (by affecting the 
logs - 1 way communication).

Inspired by nConvert's idea of hiding data, Mark wrote a program which 
uses UDP instead.  nConvert relies on the TCP sequence number, comes from a 
single source, goes to a particular address, and has packets of identical 
length.  This means an IDS can block it.  Mark's software uses the IP 
header field IP_ID, as it is ignored, although sometimes mangled by certain 
OSes.  It seems like anything that could be randomized was made random. 
He varies the length, the source address, the delays, and the garbage packets. 
Mark demonstrated this software, which he had set up on 2 different systems 
at home.

I was really impressed by Mark's presentation in how he built from common 
well known ground of firewalls and IDS to the point of showing his 
software and the data hidden within the actual headers.  I could see how 
with an improved version of Mark's software, anyone within a company could 
compromise any data outwards and how difficult it would be to prevent this 
let alone track down the responsible person.  It highlights the importance 
of companies addressing internal policies with regards to securing data, 
and preventing people from getting access to what they shouldn't have at 
the very least.

The slides should be up on the website soon, and a recording was made of 
the presentation.  Members should contact the board at blw at baylisa.org if 
they want to check out the tape.

Finally, if someone brings cold beverages next month, I will again bring 
the Krispy Kremes :)

Jennifer
