Steffen Wendzel | 29 Sep 00:32

New Covert Channel Discussion Group

Hi list,

since I already quit my webspace and since there is some activity on 
this list, I set up a discussion group at google groups:

Announcement:
http://groups.google.de/group/covert-channel-research/browse_thread/thread/f14a72b765719961

I also updated the posting:
http://www.wendzel.de/?sub=showpost&blogid=1&postid=183

The group itself can be found here:
http://groups.google.de/group/covert-channel-research

The mail address of the new group is:
covert-channel-research@...

The subject prefix '[covertchan]' is the same.

Feel free to subscribe/read/post to it.

With best regards

Steffen

James Lawrie | 28 Sep 23:16

Port Knocker

Hi,

I forgot I was on this list! I wrote a PortKnocking implementation in
Perl a couple of weeks back. It's basic but it works - thought you
guys might be interested in a simple script that does it:
http://jdlawrie.co.uk/scripts/PortKnocker.txt

Let me know if you have any feedback, suggestions, or want to
contribute to it (I'll move it to github if anyone does).

--
James Lawrie

Steffen Wendzel | 28 Sep 21:39

Covert Channel Mailinglist Shutdown

[2nd try, this time with a correct subject, sorry for the duplicate]

Hi @ll,

I currently receive lots of annoying spam for approval to this
mailinglist, and since there was no real traffic for a long time on this
mailing list, I will close it. I also quit with my ISP so I will lose
the mailing list nevertheless.

Thank you for participating.

With best regards

Steffen Wendzel

Steffen Wendzel | 28 Sep 21:37

covertchan@...: Approval required:

Hi @ll,

I currently receive lots of annoying spam for approval to this
mailinglist, and since there was no real traffic for a long time on this
mailing list, I will close it. I also quit with my ISP so I will lose
the mailing list nevertheless.

Thank you for participating.

With best regards

Steffen Wendzel

Steffen Wendzel | 19 Mar 14:32

covertchan@...: Approval required:

Begin forwarded message:

Date: Fri, 19 Mar 2010 14:29:34 +0100 (CET)
From: owner-covertchan@...
To: covertchan-approval@...
Subject: BOUNCE covertchan@...: Approval required:

Date: Fri, 19 Mar 2010 14:29:30 +0100
From: Steffen Wendzel <cdp_xe@...>
To: covertchan@...
Subject: Covert Channel Speech, Sa, March 27, 2010.
Message-Id: <20100319142930.0dc83d37.cdp_xe@...>

Steffen Wendzel | 19 Dec 19:24

Article "Protocol Channels" from Hakin9 Magazine

Hi list members,

I just want to inform you that I uploaded the PDF file of my latest article
"Protocol Channels" from Hakin9 6/09. Protocol channels are a kind of covert
channels and very difficult to detect. You can find the paper here:
  => http://www.wendzel.de/?sub=showpost&blogid=3&postid=257

A full and detailed description of protocol channels is available in my
diploma thesis (but in German only). You can find all papers here:
  => http://www.wendzel.de/?sub=publ

Feedback is always welcome!

With best regards

Steffen Wendzel

-- 
With kind regards

Dipl.-Inf. (FH) Steffen Wendzel

Web: http://www.wendzel.de
     http://www.linux-openbook.de

Steffen Wendzel | 31 Aug 10:24

Speech on Covert Channels

[since the last msg included garbage, here is a 2nd try ;)]

Hi covert channel list,

I just want to inform you that I will hold a speech about protocol
channels and protocol hopping covert channels on Sun, Sep. 06, 2009 in
Darmstadt, Germany at MRMCD0x8:

http://mrmcd0x8.metarheinmain.de/fahrplan/events/3344.de.html

with best regards

Steffen

-- 
Steffen Wendzel
www.wendzel.de

Steffen Wendzel | 26 Jul 20:42

Uploaded my Diploma Thesis about Protocol (Hopping Covert) Channels and Header Structure Changing

Hi covertchan list,

I just uploaded my Diploma Thesis[1] that focuses on 3 covert channel
topics. It is poorly written in German but maybe there are some people
here who can read German. For all others I uploaded a new version of the
'Protocol Channel' paper that focuses on chapter 2.2 of my thesis[2].
A more detailed article written in English will follow in Hakin9 05/09 or
06/09 [3]. I will announce that on the list again. I will try to write
an English summary of header structure changing (HSC) within the next
days too. HSC is a new technique to prevent covert storage channels
within network packet headers by randomizing the header structure after
a packet normalization.

[1] Diploma Thesis topic is: 'Protokollwechsel zur Realisierung von
Covert Channels und Header-Strukturveränderungen zur Vermeidung von
Covert Channels'.

[2] Protocol Channels.
Abstract:
    Covert channel techniques are used by attackers to transfer hidden
data. There are two main categories of covert channels: timing channels
and storage channels. This paper introduces a new storage channel technique
called protocol channels. A protocol channel switches one of at least
two protocols to send a bit combination to a destination. The main goal
of a protocol channel is that the packets sent look equal to all other usual
packets of the system what makes a protocol channel hard to detect.

[3] will be listed on hakin9.org/en within the next months.

You can find both pdf files here: http://www.wendzel.de/?sub=publ

Steffen Wendzel | 20 May 22:27

Re: Conferences on CC

Hi Erik,

the next upcoming conference including a CC topic is the 11th Information
Hiding conference in Darmstadt, Germany, June 7-10, 2009.

http://www.ih09.tu-darmstadt.de/

You are maybe also interested in the Hack.lu 2009 (http://2009.hack.lu/)

-Steffen

On Wed, 20 May 2009 15:43:59 -0400 "Erik Brown (RIT Student)" <etb0874 <at> rit.edu> wrote:

: List,
: 
: I was wondering if covert channels are discussed much at security or other
: type of conferences.  In doing my research it seems like a lot of the papers
: are from IEEE or ACM.  So if anyone knows of any upcoming conferences on
: covert channels, please email them to the list.  They don't have to be
: restricted to USA or Europe.
: 
: - Erik Brown
: 


Delineating the field of covert channels

List,

Something that I find is a bit frustrating in studying covert channels is the subject of classifying the various types and delineating c.c. from classical steganography.  Since this list is relatively new, I am hoping to spark some conversation, hear your ideas and come up with a more clear criteria for what constitutes covert channels vs. stego.  

Some definitions (such as Lampson’s original one) are vague and thus, all-encompassing.  Notably, his concept of a “legitimate” channel, which today is widely accepted as form of steganography (e.g.  Some may say that the transport of stego-objects constitutes a covert channel).  In my opinion, a pure covert channel is only resultant of data in motion/transit.  If the payload is just as hidden when it is at rest compared to it during transit, it is likely steganography, and not a pure c.c.  For example, I wouldn’t consider stego-images emailed between two points to be a covert channel.  What criteria would you propose?

Please reply to the list, thanks for your input!


Cheers,

Erik