Comments on TaoSecurity Blog: Analyzing Protocol Hopping Covert Channel Tool

Steffen Wendzel, 2008-04-28 10:52 -04:00

Hi, I am the author of the PHCC paper. I've just added your comment about the FTP port 20 bug in the paper (I also fixed the typo you found). Unfortunately I currently don't have the time to fix this tool since I am busy working on another research project and some books.

Nevertheless I still think PHCCs are very hard to detect using encryption (I don't plan to add encryption to this explicitly called "simple" proof of concept code) and an improved micro protocol message ID field (see updated part of the paper). I also think that collecting _all_ data in a network is too huge an amount of data that probably nobody will take care of (which company will pay the forensics that will investigate the garbage data?)

But you're right: the PHCC implemented by phcct is easy to detect, but it wasn't the target to do something different in this proof of concept code.

Anyway, I am happy to see that you invested the time to understand the concept of a PHCC and read the paper!

regards
Steffen Wendzel

Richard Bejtlich, 2007-11-20 08:45 -05:00

Shannon,

Is this a trick question? Build or buy a box that can handle it. If you don't think it can be done, a visit to the vendor expo at ISS World (http://www.telestrategies.com/ISS/cfs_wash.htm) will be enlightening.

The Mindful Misanthrope, 2007-11-20 01:44 -05:00

While full content is nice for some environments, how would you propose someone in an environment with a steady >400 Mbit flow of traffic capture full flows?

Anonymous (Laurent G.), 2007-11-15 12:01 -05:00

Great demo Richard!
Laurent G.

Richard Bejtlich, 2007-11-15 10:17 -05:00

John,

Oh sure, I agree. That's why I said "I expect to see additional iterations of this tool and technique." Encryption is already on the way.

jbmoore, 2007-11-15 10:13 -05:00

Richard,

If the message had been encrypted and then sent via covert channel, the analysis would be inconclusive. All you'd know is that encrypted packets were sent using the covert channel. While you are pointing out the logical flaw in the tool author's assumption, it wouldn't take much to correct the flaw and obscure the conversation, making a definitive analysis almost impossible. As a proof of concept it's a pretty nice demonstration. And you did a nice demonstration of the power of NSM.

Thank you,

John

Richard Bejtlich, 2007-11-14 23:36 -05:00

Jonathan, fixed -- thanks.

Unknown, 2007-11-14 22:45 -05:00

The discussion is interesting - thanks.

FYI: there's a space in the link to the logged traffic.

dre, 2007-11-14 21:16 -05:00

I read the paper yesterday... but your analysis and demonstration of concepts is excellent!

Covert channels don't have to do this sort of thing... gray-world cooking with covert channels, ncovert, nushu, and my "call home through call home" ideas could easily be implemented so that these sorts of detection schemes would not work. It gets worse when you start talking about man-in-the-browser covert channels.