DOCSLIB.ORG

HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS and CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS and CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS AND CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi School of Computer Science & Informatics, University College Dublin, Ireland. {jason.farina, stephen.kohlmann}@ucdconnect.ie, {mark.scanlon, an.lekhac, tahar.kechadi}@ucd.ie ABSTRACT In recent months, a significant number of secure, cloudless file transfer services have emerged. The aim of these services is to facilitate the secure transfer of files in a peer-to-peer (P2P) fashion over the Internet without the need for centralised authentication or storage. These services can take the form of client installed applications or entirely web browser based interfaces. Due to their P2P nature, there is generally no limit to the file sizes involved or to the volume of data transmitted – these limitations will purely be reliant on the capacities of either end of the transfer. By default, many of these services provide seamless, point-to-point encryption to their users. The cyberforensic consequences of the potential criminal use of such services are significant. The ability to easily transfer encrypted data over the Internet opens up a range of opportunities for illegal use to cybercriminals requiring minimal technical know-how. This paper explores a number of these services and provides an analysis of the risks they pose to corporate and governmental security. A number of methods for the forensic investigation of such transfers are discussed. Keywords: Covert Transfers, Encrypted Data Transmission, Counter-forensics 1. INTRODUCTION share their data with any unauthorised party. While the requirement is ever increasing to Sending anything larger than a small amount send larger volumes of information over the In- of data electronically is still a cumbersome task ternet, the potential for third-party intercep- for many Internet users when reliant on popu- tion/recording of this data has become a common arXiv:1510.00661v1 [cs.CR] 2 Oct 2015 lar online communication methods. Most email story in the general media. Recent leaks from providers will limit the file size of attachments whistle-blowers regarding the degree of surveil- to something in the order of megabytes. Send- lance conducted by large government funded spy- ing larger files usually requires users to upload ing agencies on everyday citizens has pushed the the content to third party storage providers, e.g., topic of cybersecurity into the public realm. In- Dropbox, OneDrive, box.net, etc., and provide a creasingly, Internet users are becoming conscious link to the content to their intended recipients. of their personal responsibility in the protection From a security standpoint, this leaves user vul- of their digital information. This results in many nerable to their communication being intercepted users being discontent with their personal data or duplicated and their data being downloaded stored on these third party servers – likely stored by others. Regarding the security of their data in another jurisdiction. stored on this third-party provider, users must To respond to this demand a number of file ex- blindly trust this third-party to not access or change/transfer services have appeared in recent 1 months facilitating the secure transfer of files 2. BACKGROUND READING in a peer-to-peer (P2P)fashion from point A to In order point B. Most of these services afford the user en- crypted end-to-end file transfer and add an addi- 2.1 Anonymising Services tional level of anonymity compared to regular file Today there are many anonymising services avail- transfer services, e.g., email attachments, FTP or able for communication and data transfer. The file sharing functionality built into most instant popular anonymous browser Tor allows users to messaging clients. The more security conscious explore the Internet without the risk of their loca- users will opt for the cloudless versions of these tion or identity becoming known [Loesing et al., services. Opting for this level of control over per- 2010]. The Tails operating system which works sonal information has upsides and downsides for in conjunction with Tor offers an extra layer of the end user. The upside is that the user has anonymity over traditional operating systems. precise knowledge over who has access to his/her When a user is operating Tails all connections information and what country the data is stored are forced to go through the Tor network and in. The downside comes in terms of reliability. cryptographic tools are used to encrypt the users The data stored or transferred using these ser- data. The operating system will leave no trace of vices is only available if at least one host storing any activity unless explicitly defined by the user. the file is online. The Invisible Internet Project, also known as As with most security or privacy enhancing In- I2P is another anonymous service similar to Tor. ternet services, these services are open to abuse As I2P is designed as an anonymous network by cybercriminals. In effect, the additional level layer users can utilise their own applications on of anonymity and security provided by these ser- the network. Unlike Tor the I2P network traffic vices provides cybercriminals with “off-the-shelf” stays on the network. I2P does not use the tra- counter-forensic capabilities for information ex- ditional IP/Port user identification process but change. Cybercriminal activities such as data instead replaces this process with a location- exfiltration, the distribution of illicit images of independent identifier. This process decouples a children, piracy, industrial espionage, malicious user’s online identity and physical location [Tim- software distribution, and can all be aided by the panaro et al., 2014]. use of these services. Both Tor and I2P provide anonymity to the user with an open network of onion routers. As 1.1 Contribution of this work the network of onion routers is run by volun- teers it is continually growing . The result of For many, the topic of covert channels immedi- this network growth is an increase in anonymity ately brings to mind some form of steganography and privacy for each individual user [Herrmann likely in combination with an Internet anonymis- and Grothoff, 2011]. ing service, such as Tor and I2P. While some work has been conducted on the reverse engi- 2.2 Untrusted Remote Backup neering/evidence gathering of these anonymising The MAIDSafe network is a P2P storage facility P2P proxy services, little work has been done in that allows members to engage in a data stor- the area of online services providing end users age exchange. Each member of the network en- with the ability to securely and covertly transfer ables the use of a portion of their local hard information from peer to peer in an largely unde- drive by other members of the network. In re- tectable manner. This work presented as part of turn the member is given the use of an equiv- this paper examines a number of popular client alent amount of storage distributed across the application and web based services, outlines their network and replicated to multiple locations re- functionality, discusses the forensic consequences ferred to as Vaults. This allows the authorised and proposes a number methods for potentially member access from any location and resilience retrieving evidence from these services. should a portion of the network not be active at 2 any time. All data stored on the network is dedu- fic and data location itself. FreeNet peers, or plicated and replicated in real time with file sig- nodes, store fragments of data in a distributed natures to ensure integrity. In addition the data fashion. The number of times a data item is repli- is encrypted allowing secure storage on untrusted cated is dependant on the demand for that data. remote systems. Authorised access is managed More popular files have more available sources through a two factor authentication (password resulting in better availability and faster access and pin). The use of the MAIDSafe network is times for the requesters. The layered encryp- incentivised through SafeCoin, a cryptocurrency tion of the connections provides an effective de- that members can earn by renting out space or fence against network sniffing attacks and also providing resources such as bandwidth for file complicates network forensic analysis. FreeNet transfers. Other users can earn SafeCoins by par- by default was deployed in OpenNet configura- ticipating in development of the protocol. tion, meaning connections could be made with 2.3 Types of File Transfer Attacks a random set of nodes from all of the FreeNet nodes available. Users can choose to instead use Data exfiltration refers to the unauthorised ac- a DarkNet configuration where only known nodes cess to otherwise confidential, proprietary or sen- are routed through resulting in a small world sitive information. Giani et al. [2006] outlines topology for the network. The choice of OpenNet a number of data exfiltration methods includ- or Darknet is not binary however as the user can ing most regular file transfer methods for “inside choose to employ a mix of both to whatever de- man” attacks, e.g, HTTP, FTP, SSH and email, gree they wish however small world topology with and external attacks including social engineering, random connections may result in inefficiencies. botnets, privilege escalation and rootkit facili- DarkNet routing tables are created using loca- tated access. Detection of most of these meth- tion swapping to populate efficient routes based ods is possible using a combination of firewalls on relative node distance . This feature gave rise and network intrusion detection systems or deep to an attack, Pitch Black, which caused degra- packet inspection [Liu et al., 2009, Sohn et al., dation of DarkNet performance and security by 2003, Cabuk et al., 2009]. tricking the network into moving disproportion- ate amounts of data to individual peers by falsely 2.4 The Deep-Web reporting node distances to corrupt the routes The Deep-web refers to layers of internet services [Evans et al., 2007].
Load more

Recommended publications
  • What Is Peer-To-Peer File Transfer? Bandwidth It Can Use
    sharing, with no cap on the amount of commonly used to trade copyrighted music What is Peer-to-Peer file transfer? bandwidth it can use. Thus, a single NSF PC and software. connected to NSF’s LAN with a standard The Recording Industry Association of A peer-to-peer, or “P2P,” file transfer 100Mbps network card could, with KaZaA’s America tracks users of this software and has service allows the user to share computer files default settings, conceivably saturate NSF’s begun initiating lawsuits against individuals through the Internet. Examples of P2P T3 (45Mbps) internet connection. who use P2P systems to steal copyrighted services include KaZaA, Grokster, Gnutella, The KaZaA software assesses the quality of material or to provide copyrighted software to Morpheus, and BearShare. the PC’s internet connection and designates others to download freely. These services are set up to allow users to computers with high-speed connections as search for and download files to their “Supernodes,” meaning that they provide a How does use of these services computers, and to enable users to make files hub between various users, a source of available for others to download from their information about files available on other create security issues at NSF? computers. users’ PCs. This uses much more of the When configuring these services, it is computer’s resources, including bandwidth possible to designate as “shared” not only the and processing capability. How do these services function? one folder KaZaA sets up by default, but also The free version of KaZaA is supported by the entire contents of the user’s computer as Peer to peer file transfer services are highly advertising, which appears on the user well as any NSF network drives to which the decentralized, creating a network of linked interface of the program and also causes pop- user has access, to be searchable and users.
    [Show full text]
  • File Formats
    man pages section 4: File Formats Sun Microsystems, Inc. 4150 Network Circle Santa Clara, CA 95054 U.S.A. Part No: 817–3945–10 September 2004 Copyright 2004 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, docs.sun.com, AnswerBook, AnswerBook2, and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
    [Show full text]
  • ERDA User Guide
    User Guide 22. July 2021 1 / 116 Table of Contents Introduction..........................................................................................................................................3 Requirements and Terms of Use...........................................................................................................3 How to Access UCPH ERDA...............................................................................................................3 Sign-up.............................................................................................................................................4 Login................................................................................................................................................7 Overview..........................................................................................................................................7 Home................................................................................................................................................8 Files..................................................................................................................................................9 File Sharing and Data Exchange....................................................................................................15 Share Links...............................................................................................................................15 Workgroup Shared Folders.......................................................................................................19
    [Show full text]
  • Transferring Files Using HTTP Or HTTPS
    Transferring Files Using HTTP or HTTPS Cisco IOS Release 12.4 provides the ability to transfer files between your Cisco IOS software-based device and a remote HTTP server using the HTTP or HTTP Secure (HTTPS) protocol. HTTP and HTTPS can now be specified as the targets and source locations in Cisco IOS command-line interface (CLI) commands that use file system prefixes such as the copy command. • Finding Feature Information, page 1 • Prerequisites for Transferring Files Using HTTP or HTTPs, page 1 • Restrictions for Transferring Files Using HTTP or HTTPs, page 2 • Information About File Transfers Using HTTP or HTTPs, page 2 • How to Transfer Files Using HTTP or HTTPs, page 2 • Configuration Examples for the File Transfer Using HTTP or HTTPs, page 9 • Additional References, page 10 • Feature Information for Transferring Files Using HTTP or HTTPS, page 12 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Transferring Files Using HTTP or HTTPs To copy files to or from a remote HTTP server, your system must support the HTTP client feature, which is integrated in most Cisco IOS software images.
    [Show full text]
  • IBM I Version 7.2
    IBM i Version 7.2 Networking File Transfer Protocol IBM Note Before using this information and the product it supports, read the information in “Notices” on page 157. This document may contain references to Licensed Internal Code. Licensed Internal Code is Machine Code and is licensed to you under the terms of the IBM License Agreement for Machine Code. © Copyright International Business Machines Corporation 1998, 2013. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents FTP on IBM® i.........................................................................................................1 What's new for IBM i 7.2..............................................................................................................................1 PDF file for File Transfer Protocol................................................................................................................1 Scenarios: FTP..............................................................................................................................................1 Scenario: Transferring a file from a remote host...................................................................................2 Scenario: Securing FTP with SSL............................................................................................................3 Configuration details.........................................................................................................................4 Creating
    [Show full text]
  • UMB Direct File Transfer User Guide
    UMB Direct File Transfer User Guide Contents File Transfer Overview ........................................................................................................................... 1 Support Information ............................................................................................................................... 2 Comparing Transfer Protocols ............................................................................................................... 3 Using FTP .............................................................................................................................................. 4 Transferring Individual Files .................................................................................................................... 5 Transferring Files in Batch ...................................................................................................................... 6 FTP Commands .................................................................................................................................... 7 Using Secure FTP ................................................................................................................................. 8 Working with SFTP Clients ................................................................................................................. 8 Public Key Exchange .......................................................................................................................... 8 SFTP Scripting ..................................................................................................................................
    [Show full text]
  • Getting Started Guide
    Getting Started Guide 1 CS Undergraduate Environment • To log into the CS Undergrad Environment, you need to set up a password that is separate from your WatIAM/Quest password. – Go to https://www.student.cs.uwaterloo.ca/password/ to set up your password. Read the instructions for choosing a password, then type your password into the first box. When you are finished typing in the box, read the message to the right of the box to determine if your password is acceptable according to the requirements. If it is not, you must try again until you get “Looks OK!” Retype your new password in the second box. When you get “Looks OK!" you can save your password by clicking the “Save" button. • Connecting to the Undergrad Environment requires Internet access (and can sometimes be a little slow) but it has several benefits: – Regular (hourly, nightly, weekly) backups of your files. – Required software is pre-installed. – Exact replica of the environment in which our testing system (Marmoset) works. If your submission works in the undergrad environment, it will work on Marmoset. 2 Connecting to the CS Undergraduate Environment 2.1 Linux • If you primarily use Windows, you can still install Linux (e.g. ubuntu) on a second partition of your hard drive. • Most Linux distributions come installed with typical applications that you will need (e.g. vim, ssh, scp). • To log in to the Undergrad Environment: – Open a terminal. – Execute the command ssh -Y [email protected] (replace userid with your university userid not student number e.g.
    [Show full text]
  • Remote Filesystem Event Notification and Processing for Distributed Systems
    ICDT 2021 : The Sixteenth International Conference on Digital Telecommunications Remote Filesystem Event Notification and Processing for Distributed Systems Kushal Thapa†‡, Vinay Lokesh*#, Stan McClellan†§ †Ingram School of Engineering *Dept. of Computer Science Texas State University San Marcos, TX, USA e-mail: ‡[email protected], #[email protected], §[email protected] Abstract— Monitoring and safeguarding the integrity of files networking solutions and architectures allow the users to in local filesystems is imperative to computer systems for many circumvent certain firewall restrictions, thus increasing purposes, including system security, data acquisition, and other complexity while introducing security risks. Here, we leverage processing requirements. However, distributed systems may the well-known network architecture where an Internet- have difficulty in monitoring remote filesystem events even reachable system acts as a middleman to establish a secure, though asynchronous notification of filesystem events on a bidirectional network connection between firewalled devices. remote, resource-constrained device can be very useful. This This approach is not new, however, comprehensive analysis paper discusses several aspects of monitoring remote filesystem of various parameters is difficult to obtain, so we provide some events in a loosely-coupled and distributed architecture. This results and discussion regarding the various configuration paper investigates a simple and scalable technique to enable secure remote file system monitoring using existing Operating options and performance of this architecture. System resident tools with minimum overhead. In Section II of this paper, we describe various tools that are generally used to monitor local filesystem events. We also Keywords— Secure Remote Filesystem Monitoring; Firewall; briefly discuss about Secure Shell Protocol Filesystem Distributed Architecture; Secure Network Communication; SSH; (SSHFS) [9] and Secure Shell Protocol (SSH) [12].
    [Show full text]
  • C Socket File Transfer Example
    C Socket File Transfer Example Tardenoisian and unacknowledged Darth still flittings his tachometers sternward. Is Haleigh always unostentatious and addictive when drew some huntsmanship very hot and annually? Lanose and dissepimental Grover breads so imperatively that Garry stain his squats. The data are sent to socket file transfer mechanisms Tags for File Transfer Using TCP in C Whenever you write and chat message the. Client socket clientsocket socketAFINET SOCKSTREAM 0 if. The parent runs and no way for another socket, but that has very similar to go for connections in c socket file transfer in our server! Here are other data transfer socket file into a connection is. Fork Using fork an it Network ProgrammingBKM AKNPart II getpid vs getppid. Sockets in C behaves like files because a use file descriptors to identify. Parallel TCPIP Socket Server With Multithreading and. File Transfer FTP Using TCP source code in C Network. The dialogue between the client and the server is level like this S for server and C for client. C basic File Transfer TCPIP Programming 0x00sec The. ALWAYS check upon return values of C functions and withhold appropriate an Example read returns the lazy of characters read. Tcp as rcp program execution in c socket in a typical server side initiates connections. The second program is random sample client to test this server Both within these programs are for UnixLinux environments only socketserverc. Depends on the machines Machines with fail fast CPU may do SCP or SFTP faster Otherwise Samba will cancel be faster because it doesn't have to encrypt.
    [Show full text]
  • Ssh – Via Password Syntax: Ssh [-Option1 -Option2 …] User@Remotehost
    Tech Talk – working remotely 20 Nov 2017 ssh – via password syntax: ssh [-option1 -option2 …] user@remotehost Need to remember: username, host address, password ssh – via password syntax: ssh [-option1 -option2 …] user@remotehost Need to remember: username, host address, password ssh – via public key syntax: ssh [-option1 -option2 …] user@remotehost Need to remember: username and host address, not password Need to setup personal keys first, copy them to remote host (typically into remotehost:$HOME/.ssh/authorized_keys) ssh – generate keys syntax: ssh [-option1 -option2 …] user@remotehost Need to remember: username and host address, not password Need to setup personal keys first, copy them to remote host (typically into remotehost:$HOME/.ssh/authorized_keys) ssh – generate keys syntax: ssh [-option1 -option2 …] user@remotehost Need to remember: username and host address, not password Need to setup personal keys first, copy them to remote host (typically into remotehost:$HOME/.ssh/authorized_keys) ssh – copy public key to remote host ssh – via private keys ssh – via private keys ssh – via private keys Still have to rember username and machine name ssh – with a confguration fle Config file locate in: $HOME/.ssh/config („config“ is the name of the file) syntax to log into remote host: ssh host_name Need to remember: host_name (something you choose yourself) ssh – with a confguration fle scp, rsync with confg fle scp, rsync: used to copy files between different machines syntax: scp /path/to/file host_name:/path/to/file scp host_name:/path/to/file /path/to/file same syntax applies to rsync Note that without a config file the syntax is scp user@remotehost:/path/to/file /path/to/file scp, rsync with confg fle scp, rsync with confg fle sshfs – mount a remote disk on your local machine sshfs – can be read as ‚ssh-file-system‘ makes a directory on a hard drive on a remote machine look like a local directory.
    [Show full text]
  • Moving Large Data Sets Over High-Performance Long Distance Networks
    Moving Large Data Sets Over High-Performance Long Distance Networks Stephen W. Hodson, Stephen W. Poole, Thomas M. Ruwart, Bradley W. Settlemyer Oak Ridge National Laboratory One Bethel Valley Road P.O. Box 2008 Oak Ridge, 37831-6164 {hodsonsw,spoole}@ornl.gov,[email protected],[email protected] Abstract—In this project we look at the performance charac- both resilience and performance to analyze the massive data teristics of three tools used to move large data sets over dedicated sets generated by Exascale computer systems. long distance networking infrastructure. Although performance In this project we examine the performance of three data studies of wide area networks have been a frequent topic of interest, performance analyses have tended to focus on network movement tools: BBcp, GridFTP, and XDD. Both BBcp and latency characteristics and peak throughput using network traffic GridFTP are popular data movement tools in the HPC com- generators. In this study we instead perform an end-to-end long munity. However, both tools are intended for a wide audience distance networking analysis that includes reading large data and are not optimized to provide maximum performance. In sets from a source file system and committing large data sets constructing our test bed, we have focused on technologies and to a destination file system. An evaluation of end-to-end data movement is also an evaluation of the system configurations performance constraints that are applicable to Exascale per- employed and the tools used to move the data. For this paper, formance levels. In particular, we have focused on analyzing we have built several storage platforms and connected them with the impacts of distance (i.e.
    [Show full text]
  • CSE 390A Editing and Moving Files Connecting with Ssh the Attu Server
    4/23/2012 Remote Connections: to a linux machine • You’ve seen remote connections to a Linux machine in action ° Departmental attu.cs.washington.edu Linux server ° Can use ssh (or PuTTy ) from anywhere – independent of location CSE 390a and OS Editing and Moving Files Tips for moving files around to/from attu slides created by Marty Stepp, modified by Jessica Miller and Ruth Anderson http://www.cs.washington.edu/390a/ 1 2 Connecting with ssh The attu server command description • attu : The UW CSE department's shared Linux server ssh open a shell on a remote server • connect to attu by typing: ssh attu.cs.washington.edu • Linux/Unix are built to be used in multi-user environments where (or ssh [email protected] if your Linux several users are logged in to the same machine at the same time system's user name is different than your CSE user name) ° users can be logged in either locally or via the network • You can connect to other Linux/Unix servers with ssh ° once connected, you can run commands on the remote server ° other users might also be connected; you can interact with them ° can connect even from other operating systems • Note: There are several computers that respond as attu (to spread load), so if you want to be on the same machine as your friend, you may need to connect to attu2, attu3, etc. 3 4 Options for Moving Files scp – secure copy command description • Basic format: sftp or scp transfer files to/from a remote server scp copyThisFileOrDir newLocation (after starting sftp, use get and put commands) wget download from a URL to a file • To copy myfile from here to my home dir on attu, and call it newfile: curl download from a URL and output to console scp myfile [email protected]:newfile • To copy myfile from my home dir on attu to here: scp [email protected]:myfile .
    [Show full text]