HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS and CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi

HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS and CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi

HTML5 ZERO CONFIGURATION COVERT CHANNELS: SECURITY RISKS AND CHALLENGES Jason Farina Mark Scanlon Stephen Kohlmann Nhien-An Le-Khac Tahar Kechadi School of Computer Science & Informatics, University College Dublin, Ireland. {jason.farina, stephen.kohlmann}@ucdconnect.ie, {mark.scanlon, an.lekhac, tahar.kechadi}@ucd.ie ABSTRACT In recent months, a significant number of secure, cloudless file transfer services have emerged. The aim of these services is to facilitate the secure transfer of files in a peer-to-peer (P2P) fashion over the Internet without the need for centralised authentication or storage. These services can take the form of client installed applications or entirely web browser based interfaces. Due to their P2P nature, there is generally no limit to the file sizes involved or to the volume of data transmitted – these limitations will purely be reliant on the capacities of either end of the transfer. By default, many of these services provide seamless, point-to-point encryption to their users. The cyberforensic consequences of the potential criminal use of such services are significant. The ability to easily transfer encrypted data over the Internet opens up a range of opportunities for illegal use to cybercriminals requiring minimal technical know-how. This paper explores a number of these services and provides an analysis of the risks they pose to corporate and governmental security. A number of methods for the forensic investigation of such transfers are discussed. Keywords: Covert Transfers, Encrypted Data Transmission, Counter-forensics 1. INTRODUCTION share their data with any unauthorised party. While the requirement is ever increasing to Sending anything larger than a small amount send larger volumes of information over the In- of data electronically is still a cumbersome task ternet, the potential for third-party intercep- for many Internet users when reliant on popu- tion/recording of this data has become a common arXiv:1510.00661v1 [cs.CR] 2 Oct 2015 lar online communication methods. Most email story in the general media. Recent leaks from providers will limit the file size of attachments whistle-blowers regarding the degree of surveil- to something in the order of megabytes. Send- lance conducted by large government funded spy- ing larger files usually requires users to upload ing agencies on everyday citizens has pushed the the content to third party storage providers, e.g., topic of cybersecurity into the public realm. In- Dropbox, OneDrive, box.net, etc., and provide a creasingly, Internet users are becoming conscious link to the content to their intended recipients. of their personal responsibility in the protection From a security standpoint, this leaves user vul- of their digital information. This results in many nerable to their communication being intercepted users being discontent with their personal data or duplicated and their data being downloaded stored on these third party servers – likely stored by others. Regarding the security of their data in another jurisdiction. stored on this third-party provider, users must To respond to this demand a number of file ex- blindly trust this third-party to not access or change/transfer services have appeared in recent 1 months facilitating the secure transfer of files 2. BACKGROUND READING in a peer-to-peer (P2P)fashion from point A to In order point B. Most of these services afford the user en- crypted end-to-end file transfer and add an addi- 2.1 Anonymising Services tional level of anonymity compared to regular file Today there are many anonymising services avail- transfer services, e.g., email attachments, FTP or able for communication and data transfer. The file sharing functionality built into most instant popular anonymous browser Tor allows users to messaging clients. The more security conscious explore the Internet without the risk of their loca- users will opt for the cloudless versions of these tion or identity becoming known [Loesing et al., services. Opting for this level of control over per- 2010]. The Tails operating system which works sonal information has upsides and downsides for in conjunction with Tor offers an extra layer of the end user. The upside is that the user has anonymity over traditional operating systems. precise knowledge over who has access to his/her When a user is operating Tails all connections information and what country the data is stored are forced to go through the Tor network and in. The downside comes in terms of reliability. cryptographic tools are used to encrypt the users The data stored or transferred using these ser- data. The operating system will leave no trace of vices is only available if at least one host storing any activity unless explicitly defined by the user. the file is online. The Invisible Internet Project, also known as As with most security or privacy enhancing In- I2P is another anonymous service similar to Tor. ternet services, these services are open to abuse As I2P is designed as an anonymous network by cybercriminals. In effect, the additional level layer users can utilise their own applications on of anonymity and security provided by these ser- the network. Unlike Tor the I2P network traffic vices provides cybercriminals with “off-the-shelf” stays on the network. I2P does not use the tra- counter-forensic capabilities for information ex- ditional IP/Port user identification process but change. Cybercriminal activities such as data instead replaces this process with a location- exfiltration, the distribution of illicit images of independent identifier. This process decouples a children, piracy, industrial espionage, malicious user’s online identity and physical location [Tim- software distribution, and can all be aided by the panaro et al., 2014]. use of these services. Both Tor and I2P provide anonymity to the user with an open network of onion routers. As 1.1 Contribution of this work the network of onion routers is run by volun- teers it is continually growing . The result of For many, the topic of covert channels immedi- this network growth is an increase in anonymity ately brings to mind some form of steganography and privacy for each individual user [Herrmann likely in combination with an Internet anonymis- and Grothoff, 2011]. ing service, such as Tor and I2P. While some work has been conducted on the reverse engi- 2.2 Untrusted Remote Backup neering/evidence gathering of these anonymising The MAIDSafe network is a P2P storage facility P2P proxy services, little work has been done in that allows members to engage in a data stor- the area of online services providing end users age exchange. Each member of the network en- with the ability to securely and covertly transfer ables the use of a portion of their local hard information from peer to peer in an largely unde- drive by other members of the network. In re- tectable manner. This work presented as part of turn the member is given the use of an equiv- this paper examines a number of popular client alent amount of storage distributed across the application and web based services, outlines their network and replicated to multiple locations re- functionality, discusses the forensic consequences ferred to as Vaults. This allows the authorised and proposes a number methods for potentially member access from any location and resilience retrieving evidence from these services. should a portion of the network not be active at 2 any time. All data stored on the network is dedu- fic and data location itself. FreeNet peers, or plicated and replicated in real time with file sig- nodes, store fragments of data in a distributed natures to ensure integrity. In addition the data fashion. The number of times a data item is repli- is encrypted allowing secure storage on untrusted cated is dependant on the demand for that data. remote systems. Authorised access is managed More popular files have more available sources through a two factor authentication (password resulting in better availability and faster access and pin). The use of the MAIDSafe network is times for the requesters. The layered encryp- incentivised through SafeCoin, a cryptocurrency tion of the connections provides an effective de- that members can earn by renting out space or fence against network sniffing attacks and also providing resources such as bandwidth for file complicates network forensic analysis. FreeNet transfers. Other users can earn SafeCoins by par- by default was deployed in OpenNet configura- ticipating in development of the protocol. tion, meaning connections could be made with 2.3 Types of File Transfer Attacks a random set of nodes from all of the FreeNet nodes available. Users can choose to instead use Data exfiltration refers to the unauthorised ac- a DarkNet configuration where only known nodes cess to otherwise confidential, proprietary or sen- are routed through resulting in a small world sitive information. Giani et al. [2006] outlines topology for the network. The choice of OpenNet a number of data exfiltration methods includ- or Darknet is not binary however as the user can ing most regular file transfer methods for “inside choose to employ a mix of both to whatever de- man” attacks, e.g, HTTP, FTP, SSH and email, gree they wish however small world topology with and external attacks including social engineering, random connections may result in inefficiencies. botnets, privilege escalation and rootkit facili- DarkNet routing tables are created using loca- tated access. Detection of most of these meth- tion swapping to populate efficient routes based ods is possible using a combination of firewalls on relative node distance . This feature gave rise and network intrusion detection systems or deep to an attack, Pitch Black, which caused degra- packet inspection [Liu et al., 2009, Sohn et al., dation of DarkNet performance and security by 2003, Cabuk et al., 2009]. tricking the network into moving disproportion- ate amounts of data to individual peers by falsely 2.4 The Deep-Web reporting node distances to corrupt the routes The Deep-web refers to layers of internet services [Evans et al., 2007].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us