Financial Daily from THE HINDU group of publications, Monday, Feb 27, 2006
eWorld - Security (Info-Tech - Viruses)

They leave no tell-tale tracks

J. Prasanna
THIS is one battle that is unlikely to end: intruders bent on hacking companies' security systems and the good guys battling to keep them at bay.

Let us take a look at the current corporate scenario. Most corporates have a perimeter firewall with an added intrusion detection system and maybe a content manager for e-mail or the Web. The logs are monitored and the corporate has a certification such as BS 7799. In such a context, what does a malicious `insider' seek to do? He might merely want to show corporate security managers that he can evade them and, maybe, take a piece of source code outside the organisation. Later he wants to establish the capability to go to any site, download any file, communicate with members of other hacking/cracking communities (which may be on the banned list of content filters) and send files out of the organisation.

This is done through the use of covert channels - passing on communication in a form that is not understood by anyone except the person sending it and the one receiving it. In typical spy thrillers, there used to be a concept called the drop box, where a person drops information that would be picked up later by someone else. Spies also communicated through classified ads. Typically the ad says "Want a brilliant, beautiful wife for marriage (202) 31-934-250 Vishnu", posted by a person named `Vasan.' (Both names are fictional.) This could well mean tunnel access into a server whose IP is 202.31.934.250 with username Vasan (who published the ad) and password Vishnu. These covert channels are not visible to the ordinary user.

Now let us see how covert channels are exploited, given that it is impossible to scan printed matter across all sections of a company to crack down on criminal communication. Covert tunnelling software can be used as a point-to-point messaging system. It uses weaknesses in the TCP/IP protocol and hides messages inside the reserved field in TCP/IP packets.
When an ordinary packet is sent, 64 bytes are `reserved' in TCP/IP, set aside in anticipation of future expansion of the protocol's capacity. Hackers can use that space to store messages. At the receiving end, the firewall, which does not inspect those 64 bytes, would not stop the message. A good hacker could build his own covert tunnelling system, and hackers inside and outside could use the same program to communicate. How will the corporate firewall, IDS or content filter check this? If the messages are encrypted using an XOR cipher with a key chosen at random, even a sniffer with a hot-word scanner might miss them.
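The following detector is an added example and not the article's own code. It implements the check the article says firewalls skip: it reads the reserved bit of the IPv4 flags field and the reserved bits of the TCP header (three bits between the data offset and the flags in the current header layout) and reports any packet in which they are not zero. The packet builder only constructs sample headers for the test; its addresses and ports are made up.

```python
import struct

def ipv4_reserved_flag(pkt: bytes) -> int:
    """Bit 15 of the IPv4 flags/fragment word is reserved and must be zero."""
    return (struct.unpack(">H", pkt[6:8])[0] >> 15) & 1

def tcp_reserved_bits(pkt: bytes) -> int:
    """Return the three reserved bits of the TCP header (bits 9-11 of the
    data-offset/flags word); a conforming sender always leaves them zero."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack(">H", tcp[12:14])[0]
    return (off_flags >> 9) & 0x7

def check_packet(pkt: bytes) -> list:
    """Return the findings for one IPv4/TCP packet; an empty list means clean."""
    findings = []
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return ["not an IPv4 packet"]
    if pkt[9] != 6:                                 # protocol field: 6 == TCP
        return findings                             # only TCP is inspected here
    if ipv4_reserved_flag(pkt):
        findings.append("IPv4 reserved flag bit set")
    reserved = tcp_reserved_bits(pkt)
    if reserved:
        findings.append(f"TCP reserved bits non-zero: {reserved:03b}")
    return findings

def build_sample(tcp_reserved: int = 0, ip_reserved: int = 0) -> bytes:
    """Constructed test input: a minimal IPv4 + TCP SYN header pair with the
    checksums left at zero. In practice the packets come from a capture."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0x1234,
                     (ip_reserved << 15) | 0x4000,  # DF set, MF clear, offset 0
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    off_flags = (5 << 12) | ((tcp_reserved & 0x7) << 9) | 0x02   # 20-byte header, SYN
    tcp = struct.pack(">HHIIHHHH", 40000, 443, 1, 0, off_flags, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for label, pkt in [("clean", build_sample()),
                       ("tampered", build_sample(tcp_reserved=0b101, ip_reserved=1))]:
        print(label, check_packet(pkt) or "no findings")
```

A sensor that applies this check to every packet crossing the perimeter turns the article's "firewall does not test those bytes" into an alert; normal stacks never set these bits, so the false-positive rate is low.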
Tunnelling proxies and anonymous proxies
The next capability the cracker tries to get is to send and receive mails and browse sites using anonymous proxies so that his real IP is not visible. Let us say the malicious user is sending mails. He might first configure his Internet Explorer with a proxy (there are many anonymous proxies available from Internet sites around the globe). He uses that setting and then sends mails. Even if corporate security managers are able to get a copy of the e-mail, they get the source IP of the anonymous proxy and not the real IP. It now becomes difficult to trace the source. Most anonymous proxies don't give out their logs or the real IP. A malicious user could even use an anonymous proxy to log in to a Web site, and the Web server administrator might not know where the connection is coming from.

Some years ago, projects such as Triangle Boy existed. These were anonymous proxies with SSL enabled on them. Even now there are a few paid tunnels that exist. There are networks of SSL proxies around the globe that offer anonymous browsing, anonymous e-mailing, etc. Let us say a malicious user gets hold of an SSL proxy. Sitting right in his office, he can establish a secure tunnel (128-bit SSL) and browse any site, download any file, access any Web mail and send any e-mail. The e-mails sent will not carry his real corporate IP, only that of the SSL tunnel gateway somewhere in the world.

Now the content filter guys might argue that they block all anonymous browsing and e-mail. What they actually do is block lists of known sites and keep updating them. But some of these tunnels are truly covert, some maintained by a very small number of hackers whose existence is not known to the content management guys. Paid SSL tunnel networks give their users lists of IPs, IPs in hex format, and new Web site addresses. Any of these can be used to bypass the company firewall and content filter.
In one company I audited, two young programmer friends showed me how they had written their own SSL tunnel on their Web site and accessed the Internet through it. In another company, programmers told me they had blocked port 443 (the SSL port), but proxy tunnels operate on any port. Some SSL proxy tunnels work on port 80 (HTTP) or higher ports such as 17503 (for that matter, anything).
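An added example, not from the article, of a check a defender can run against the situation described above: given the first bytes each internal client sends on a flow, it flags a TLS ClientHello going to any port other than 443 and an HTTP CONNECT request, which is how a client asks a proxy to open a raw tunnel. The flow records and addresses are constructed.

```python
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}   # SSLv3 through TLS 1.2 record versions

def looks_like_client_hello(payload: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), 2-byte version, 2-byte length,
    followed by the handshake type, 0x01 for ClientHello."""
    if len(payload) < 6 or payload[0] != 0x16:
        return False
    version = int.from_bytes(payload[1:3], "big")
    return version in TLS_VERSIONS and payload[5] == 0x01

def looks_like_connect(payload: bytes) -> bool:
    """An HTTP CONNECT request asks a proxy to relay a raw byte stream to host:port."""
    return payload.startswith(b"CONNECT ")

def flag_tunnels(flows, tls_ports=frozenset({443})) -> list:
    """flows: iterable of (src, dst, dport, first_bytes). Returns a list of
    (src, dst, dport, reason) for flows that look like tunnels on unexpected ports."""
    findings = []
    for src, dst, dport, first in flows:
        if looks_like_client_hello(first) and dport not in tls_ports:
            findings.append((src, dst, dport, "TLS ClientHello on non-standard port"))
        elif looks_like_connect(first):
            findings.append((src, dst, dport, "HTTP CONNECT tunnel request"))
    return findings

# Constructed sample flows: hypothetical addresses and the first bytes each client sent.
CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 443, CLIENT_HELLO),                    # ordinary HTTPS
    ("10.0.0.5", "203.0.113.9", 17503, CLIENT_HELLO),                  # TLS on a high port
    ("10.0.0.7", "203.0.113.22", 80, b"CONNECT mail.example.net:443 HTTP/1.1\r\n"),
    ("10.0.0.8", "203.0.113.30", 80, b"GET / HTTP/1.1\r\n"),           # plain HTTP
]

if __name__ == "__main__":
    for finding in flag_tunnels(SAMPLE_FLOWS):
        print(*finding)
```

This catches the two plain cases the article describes (SSL on an arbitrary port, and a proxy reached over port 80); a tunnel that wraps its traffic inside ordinary-looking HTTP requests needs content inspection rather than this first-bytes check.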
Steganography and Encryption
Here are two other ways that criminals use to con genuine users. A Trojan executes as soon as a picture is clicked. In steganography, only the intended recipient knows something exists and can open the encrypted document. The two are different. With a Trojan horse, you send a picture; as soon as the recipient opens it, an executable component, such as a key logger or a destructive routine, starts executing. In steganography, a message is encrypted and hidden inside a genuine picture. There are many software tools available on the Internet that can be used for steganography, for example Hide and Seek, Steganos and others. Some tools encrypt the message and add it to the picture file. They use many algorithms, such as modifying the least significant bit (LSB) of the picture data (similar to the reserved field concept explained earlier) or just encrypting a message and attaching it after the end of the file, and the like.

How is steganography detected? In the case of LSB modification, the picture becomes slightly distorted. If we have the original picture from the Internet, we could compare the two pictures. There are separate software tools such as StegDetect and other commercial tools that have a database of stego signatures and pattern-matching mechanisms to detect steganography.

How do we decrypt what is inside? If we know the tool used for the steganography, then we know what algorithm the tool may use, and if the encryption is weak we may be able to break the message. If the encryption is strong, as it is with Blowfish with a 448-bit key, then it is a very difficult process: we need to know the key to decrypt the message, and other mechanisms would need to be deployed to get that key. If someone writes his own steganography program, it is difficult to use a particular tool to detect it.
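Two of the detection approaches just described, as an added example that is not the article's own code: a walk of the PNG chunk list that reports bytes appended after the IEND chunk (the `attach after end of file' method), and a comparison of a suspect image's raw samples against the original that counts how many differ only in the least significant bit. The sample image is constructed inline by the helper; it is not a real picture.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def make_png(width: int, height: int, rows: list) -> bytes:
    """Build a minimal 8-bit greyscale PNG from row byte strings (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + r for r in rows)        # filter type 0 on every scanline
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))

def trailing_bytes(png: bytes) -> int:
    """Walk the chunk list and return how many bytes follow the IEND chunk.
    A clean file returns 0; anything larger is data appended after end of file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("chunk runs past end of data")
        if struct.unpack(">I", png[end - 4:end])[0] != zlib.crc32(png[pos + 4:end - 4]):
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            return len(png) - pos
    raise ValueError("no IEND chunk found")

def lsb_only_changes(original: bytes, suspect: bytes) -> tuple:
    """Compare raw samples of the same image. Returns (lsb_only, larger): samples
    differing only in the least significant bit, and samples differing by more.
    Many LSB-only differences and few larger ones point at LSB embedding."""
    if len(original) != len(suspect):
        raise ValueError("buffers differ in length; not the same image")
    lsb_only = larger = 0
    for a, b in zip(original, suspect):
        d = a ^ b
        if d == 1:
            lsb_only += 1
        elif d:
            larger += 1
    return lsb_only, larger
```

The chunk walk also verifies each CRC, so a file whose chunks were edited in place is reported as corrupt rather than silently accepted; the sample comparison needs the decoded pixel data of both images, which a PNG decoder supplies.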
So it is very important for corporate security managers to keep abreast of the latest technologies and hacking techniques, by hiring ethical hackers (who can think laterally).

(The author is Head, Consulting, K7 Computing Pvt Ltd.)
Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.