Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Yune Sung (yuneCENTER.KISA.OR.KR)
Date: Wed Apr 25 2001 - 07:42:39 CDT
It is like a hide-and-seek play in the security world.
I understand that steganographical tech is improving.
But what I want to say is that even though the most intricate technology
is embeded to stego and covert channel, there might be some common
signatures we can identify beetween hosts.
"Detecting backdoor", a paper by Yin Zhang and Vern Paxson, appoachs
back door intrusion with a delicate look at packets to grab peculiarity of
general back door
communications ; the frequency of small packets, timing character or
TCP/IP Covert channel tool, suggested by Craig Rowland, uses IP ID number,
TCP initial seq. number and TCP ack. seq. number to transfer data in a
manner. But it has a signature that the number mentioned ablove is a
multiple of 256.
I am aware that it can be crafted arbitrarily, but it is hard to change the
number in a completely
Therefore ....covert channel detect can be "yes".
Am I so naive?
KISA, Seoul Korea
"Securing a computer system has traditionally been a battle of wits:
the penetrator tries to find holes, and the designer tries to close them."
--- M. Gosser ---
So...each covert channels also would have its idiosyncrasy;
Dug Song ÀÛ¼º:
> On Wed, Apr 25, 2001 at 09:49:54AM +0900, ¼ºÀ±±â Yune Sung wrote:
> > What I mean is that once we know the tool even used to make a covert
> > channel, the answer can be "yes".
> while this may hold true in practice given the current state of
> steganography, this certainly isn't true from an information-theoretic
> standpoint, if the cover medium admits enough relative entropy:
> and steganography in practice is only getting better. see the new
> techniques Niels Provos uses in Outguess to defend against statistical