A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. A covert channel can be used to extract information from or implant information into an organization. An Internet covert channel is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility. An attacker can use Internet covert channels to transmit sensitive documents unobserved – in this case, bypassing network security measures rather than bypassing security guards. And just as a spy can use that same secret compartment to conceal a weapon from security guards when entering a secure facility, an attacker can use an Internet covert channels to conceal a cyberweapon, for example, a download of malware from an external server onto a host within an organization’s private network.
Internet covert channels can use conventional Internet protocols in unconventional ways. The channel endpoints – an infected computer and the attacker’s command and control computer – must use this evasion or attack software that recognizes and processes these unconventional techniques. Either a user or malware can install this software, or an attacker can install the software using a remote administration tool (RAT). Internet covert channels are different from encrypted tunnels. They can and do transfer information in plain text, but they’re unobserved. While they do not require encryption methods or keys, certain covert channels employ encryption or other means to obfuscate data.
source https://www.icann.org/news/blog/what-is-an-internet-covert-channel
In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
A covert channel is so called because it is hidden from the access control mechanisms of secure operating systems since it does not use the legitimate data transfer mechanisms of the computer system (typically, read and write), and therefore cannot be detected or controlled by the security mechanisms that underlie secure operating systems.
Covert channels are exceedingly hard to install in real systems, and can often be detected by monitoring system performance.
Covert channels can tunnel through secure operating systems and require special measures to control. Covert channel analysis is the only proven way to control covert channels.
There are two kinds of covert channels:
- Storage channels - Communicate by modifying a "storage location", such as a hard drive.
- Timing channels - Perform operations that affect the "real response time observed" by the receiver.
Storage Channels — Storage Covert channels encode covert data in the packets themselves (encoded in headers as I mentioned before). Timing (temporal) Channels —Delay between the packets is used to transmit data.
Link to Excellent explanation of covert-channels
Covert Channels are not efficient in terms of throughput. But they are quite good at hiding their presence, hence providing security by obscurity. If a covert channel is detected, it’s very likely to be entirely compromised unless the content is further protected by encryption.
A network protocol is basically a contract between a sender and a receiver, where the sender sends structured information in a format that can be interpreted by the receiver. This ‘structure’ of the information is defined as the ‘network packet’ structure. A packet mainly consists of 3 parts which are called the header, data, and an optional trailer. Firewalls and Intrusion Detection Systems (IDS) are particularly interested in the data section of a packet as it carries the actual payload of the transmission.
Video links on Covert channels
No comments:
Post a Comment