BayLISA - July 15, 2004 - Mark Langston's Through a Sniffer Darkly
Jennifer Davis
sigje at sigje.org
Wed Jul 21 10:35:34 PDT 2004
The meeting started off with Heather asking about distribution of OSes.
It seems like BayLISA represents a good slice of just about everything.
That means that you can probably find an expert on just about anything
within our group.
Jim Dennis mentioned the 4th annual Linux picnic, which will be held on
August 7. There was mention that Jon 'maddog' might attend. It will be
held at Sunnyvale Baylands Park, Sunnyvale, CA.
Heather also brought up a deal available from ThinkGeek. Add $50 worth of
goods to your shopping cart, then add the "Have you grokked your
sysadmin" shirt to your cart, and you will get that shirt for free in
honor of Sys Admin month.
I announced that the services group is working on web services, and that
a new management facility for users is coming soon. I also informed people
that if they wanted to contribute, all they had to do was send an email to
baylisa.
Many thanks given to Roy Rapoport who donated the future www.baylisa.org
home system, _and_ has been responsible for leading the development work
for the new membership facilities for the website.
Mark Langston began with an introduction. As Strata was getting tape to
record the speech, Mark talked about GOSSIP, an Open Source project
meant for peer to peer reputation management
(http://sufficiently-advanced.net/), and his job at the SETI Institute.
This intro material was actually just as interesting as the talk itself,
with a discussion about what the SETI Institute does (and what it doesn't
do, like SETI at home), and his responsibilities.
His talk about covert communication channels was pretty comprehensive for
the length of the speech. Starting with a high level discussion of
firewalls and IDS, and how data is determined to be good or bad, Mark
introduced his topic. I especially liked the phrase 'slow escalation of
armed race in security' with regards to the race to secure networks and
data, and the people that want to compromise these links.
Groklaw (http://www.groklaw.net/) was a site that Mark mentioned as being
a good place to start to read about some of the issues. EFF
(http://www.eff.org/) was also mentioned.
Using the software Corundum on a Mac OS X system, Mark showed how a
message could be easily hidden within a cartoon without any way to detect
it with the human eye.
Mark explained the idea of chaffing and winnowing, one method of covert
communication. Each word is sent in a separate packet with an integer
authentication byte. The authentic words have an even auth byte, so
anyone can see the entire message, but it is obscured by all the extra
words, which could form messages themselves.
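The following is an added example, not code from the talk or from Mark's software. It works through chaffing and winnowing in the form Rivest described: every packet carries a short MAC, the receiver keeps ("winnows") only packets whose MAC verifies under the shared key, and the sender interleaves "chaff" packets carrying random tags. It also includes the simplified even/odd auth-byte rule described in the talk, to show the difference: with a public parity rule anyone on the wire can winnow, while with a keyed MAC only a key holder can. The key, message and decoy words are constructed for the demo.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

TAG_LEN = 8  # truncated MAC tag carried in each packet
# Constructed decoy words used to build chaff packets.
DECOYS = ["lunch", "dawn", "cancel", "tomorrow", "bridge", "nobody"]


@dataclass(frozen=True)
class Packet:
    seq: int       # position of the word in the message
    word: str
    tag: bytes     # MAC over (seq, word) for wheat; random bytes for chaff


def _mac(key: bytes, seq: int, word: str) -> bytes:
    """HMAC-SHA256 over the sequence number and word, truncated to TAG_LEN."""
    msg = seq.to_bytes(4, "big") + word.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def chaff(key: bytes, message: str, chaff_per_word: int = 2, seed=None):
    """Sender side: emit one wheat packet per word plus chaff packets that
    reuse the same sequence numbers but carry random, unverifiable tags.
    The stream is shuffled so packet order reveals nothing."""
    rng = random.Random(seed)  # seed only controls decoy choice and order
    stream = []
    for seq, word in enumerate(message.split()):
        stream.append(Packet(seq, word, _mac(key, seq, word)))
        for _ in range(chaff_per_word):
            stream.append(Packet(seq, rng.choice(DECOYS), secrets.token_bytes(TAG_LEN)))
    rng.shuffle(stream)
    return stream


def winnow(key: bytes, stream) -> str:
    """Receiver side: keep only packets whose tag verifies, then reassemble
    the words in sequence order. Without the key nothing verifies."""
    kept = {}
    for p in stream:
        if hmac.compare_digest(p.tag, _mac(key, p.seq, p.word)):
            kept[p.seq] = p.word
    return " ".join(kept[i] for i in sorted(kept))


def parity_winnow(packets) -> str:
    """The talk's sketch: packets are (seq, word, auth_byte) and an even
    auth byte marks the authentic word. No secret is involved, so anyone
    who knows the rule can read the message."""
    return " ".join(word for seq, word, auth in sorted(packets) if auth % 2 == 0)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # shared secret (constructed)
    stream = chaff(key, "meet at noon", seed=1)
    print("on the wire:", [(p.seq, p.word) for p in stream])
    print("with key:   ", winnow(key, stream))
    print("wrong key:  ", repr(winnow(b"other-key", stream)))
```

Note that an eavesdropper sees every word, wheat and chaff alike, exactly as the talk describes; the chaff does not hide that a message exists, it only prevents picking out which words are authentic without the key.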
Mark also explained that firewalls, with their crispy shells, do not
protect the chewy center, and described how, even with the firewall
completely locked down, he could communicate through it (by affecting the
logs; one-way communication).
Inspired by nConvert's idea of hiding data, Mark wrote a program which
uses UDP instead. nConvert relies on the TCP sequence number, comes from a
single source, goes to a particular address, and has packets of identical
length. This means an IDS can block it. Mark's software uses the IP
header field IP_ID, as it is ignored (although sometimes mangled by certain
OSes). It seems that anything that could be randomized was made random:
he varies the length, the source address, the delays, and the garbage packets.
Mark demonstrated this software, which he had set up on 2 different systems
at home.
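As an added example from the detection side (not part of the talk or of Mark's software), the script below shows the kind of check an IDS can run on the field the talk says is ignored: for each source address it looks at the deltas between successive IP_ID values and flags sources whose IP_IDs do not behave like a counter. The traffic records are constructed: one host with a normal incrementing IP_ID and one whose IP_IDs carry arbitrary data. The thresholds are assumptions chosen for the demo.

```python
import random
from collections import defaultdict

IPID_MODULUS = 65536  # IP_ID is a 16-bit field


def ipid_deltas(ids):
    """Wrap-around differences between successive IP_ID values."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def counter_fraction(ids, max_step=64):
    """Fraction of steps that look like a counter advancing by a small
    amount. A host sending ordinary traffic scores near 1.0; arbitrary
    values in IP_ID score near 0.0 (a random step lands in [1, max_step]
    only about max_step/65536 of the time)."""
    deltas = ipid_deltas(ids)
    if not deltas:
        return 1.0
    return sum(1 for d in deltas if 1 <= d <= max_step) / len(deltas)


def flag_sources(observations, min_packets=20, threshold=0.5):
    """observations: iterable of (src_ip, ip_id) in capture order.
    Returns {src_ip: score} for sources with enough packets whose IP_ID
    sequence does not look like a counter."""
    per_src = defaultdict(list)
    for src, ip_id in observations:
        per_src[src].append(ip_id)
    flagged = {}
    for src, ids in per_src.items():
        if len(ids) < min_packets:
            continue
        score = counter_fraction(ids)
        if score < threshold:
            flagged[src] = score
    return flagged


def build_sample(seed=7, packets_per_host=40):
    """Constructed capture: 10.0.0.5 uses a normal incrementing IP_ID,
    10.0.0.9 stuffs arbitrary 16-bit values into IP_ID. Packets from the
    two hosts are interleaved as they would be seen on a shared link."""
    rng = random.Random(seed)
    obs = []
    counter = 4100
    for _ in range(packets_per_host):
        counter = (counter + rng.randint(1, 5)) % IPID_MODULUS
        obs.append(("10.0.0.5", counter))
        obs.append(("10.0.0.9", rng.randint(0, IPID_MODULUS - 1)))
    return obs


if __name__ == "__main__":
    for src, score in flag_sources(build_sample()).items():
        print(f"{src}: IP_ID looks non-sequential (counter score {score:.2f})")
```

Two caveats a practitioner would want: hosts whose stacks legitimately randomize IP_ID (the "mangling" the talk mentions) score just like the covert sender, so this is a triage signal rather than proof; and because the talk's tool also varies the source address, grouping by source alone will split its packets across many short sequences that never reach `min_packets`, which is why a real deployment would also group by destination or by network segment.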
I was really impressed by Mark's presentation in how he built from common
well known ground of firewalls and IDS to the point of showing his
software and the data hidden within the actual headers. I could see how
with an improved version of Mark's software, anyone within a company could
compromise any data outwards and how difficult it would be to prevent this
let alone track down the responsible person. It highlights the importance
of companies addressing internal policies with regards to securing data,
and preventing people from getting access to what they shouldn't have at
the very least.
The slides should be up on the website soon, and a recording was made of
the presentation. Members should contact the board at blw at baylisa.org if
they want to check out the tape.
Finally, if someone brings cold beverages next month, I will again bring
the Krispy Kremes :)
Jennifer