
September 29,

Chapter 11: Covert Channels

October 2, 2004

Jeremy sat up slowly. He had fallen asleep at his desk, and the office was deserted with the exception of the cleaning crew. They must have been especially noisy tonight as they awakened him when they came in the front security door. His coworkers had called him crazy when he mentioned that he would be working this weekend, saying that he had lost his mind and should be out somewhere trying to have some fun. But they apparently just didn’t understand. To Jeremy, this was fun. He hadn’t spent so many years in college studying networking and learning advanced programming techniques just to ignore the opportunity to expand his skill set. In fact, one of the managers who had interviewed Jeremy inadvertently had admitted to him that one of the primary reasons he was given an interview was because he had included a senior course project that had impressed one of the senior technical folks in the department.

Jeremy leaned back in his chair, aching. His neck was sore from having been stretched at such an odd angle. He raised his arms above his head, stretching his back muscles and letting the blood return to his limbs. Glancing at his watch, he saw that it was already 9:13 P.M. It had been hours since everyone else in the office had left for the day. Neil had stopped by Jeremy’s desk to see how his research was coming along, but he had been overwhelmed and couldn’t even really remember what he had muttered in response to Neil. After some small talk, Neil had eventually meandered away, wishing Jeremy luck on his work.

Two weeks ago, Jeremy had run across an article on the Internet that discussed the possibilities of using covert channels to communicate between two points, undetected. Initially, he had been excited to have a potential clue. The concept of covert channels was foreign to him

there were dozens of possible means of communicating without being noticed. There were cases of text manipulation, where individuals used e-mail or text documents to communicate. He had found information on using network packets themselves to hide data within and communicate across a network in near real time, without detection. There were even instances where data was hidden inside digital images or audio files. Apparently, he still had a lot to learn on the subject.

But now it was two weeks later, and though Jeremy had spent nearly every day researching covert channels, he was no closer to knowing which ones might be in use. In fact, if he didn’t come up with something soon, he would just ask Neil to pass it up the chain that there were dozens of possible methods out there. Hopefully someone would have some idea of what to do from here. But he wasn’t giving up yet. In fact, he found the idea of covert channels very intriguing. He absently wondered to himself how many other individuals inside DHS knew there was such a thing and whether anyone considered them a real threat.

Reaching across the table, Jeremy grabbed what had been the leftovers from his dinner, but was now cold and inedible. There was a small cafeteria downstairs that was open 24 hours a day to accommodate the employees that happened to be there after hours. Normally, he didn’t really care much for the food in the cafeteria, but he seemed to be eating there quite a bit over the last two weeks. He threw the trash into the round, dark gray waste can to the left of his desk. His mind had been completely absorbed in his research lately, so even the little things that normally nagged at him, like eating enough, went ignored a lot of times.

The computer screen displayed the standard DHS screensaver, so Jeremy clicked on his mouse to bring up the login prompt to the system. DHS recently had implemented a required password-protected screensaver function that activated after only a few minutes of inactivity on the system. According to the time, Jeremy estimated that his had been running for about 25 minutes. When the login prompt appeared, he logged in normally and was greeted by his most recent research project, S-tools 4.

S-tools was a freeware program available on the Internet that would allow a user to hide data in a variety of different binary files, including bitmap files (BMP), Graphic Interchange Format (GIF), and standard wave audio files (WAV). The tool hadn’t been maintained in nearly a decade and was one of hundreds Jeremy had found on the Internet. His first search on the Internet had yielded several different archive sites dedicated to storing applications that allowed users to create their own hidden data. The sheer number of programs available had shocked him at first. There were applications available for many different platforms as well, including Windows, DOS, OS/2, Amiga, Java, Linux, and BSD. That was the point at which Jeremy had realized how widespread this concept of hidden communication really was. Some of the tools created different forms of steganography, which allowed the hiding of information in many different binary file formats. Other tools listed would allow a user to create hidden messages inside text documents or inside network traffic. The S-tools 4 application was used to create steganography.

Covert Channels • Chapter 11 131

The tools on these sites were both powerful and sophisticated. S-tools 4 even allowed users to drag and drop interactively with the program, allowing a user to create hidden data within digital images and digital audio files without needing to know how to navigate the user interface. Jeremy selected a picture from a folder on his hard drive and dragged it onto the S-tools interface. He wanted to walk through the process one more time to ensure that he understood how it worked. Jeremy had brought pictures of his various family members from home that would allow him to experiment with more of the tools.

Once the image had been loaded into the S-tools interface, Jeremy noted how the application told the user how much data could be hidden in the carrier file that was loaded. Using the image he had just loaded, there was enough space to hide 274,895 bytes of data. In order to test the various tools, he had created a test text file that he named Jeremy.txt. He would hide his test file in different format carriers and then remove the information again. Selecting the text file, he dragged it onto the top of the carrier image he had already loaded into the software. A small password prompt popped onto the screen. This would be the password used to encrypt the data before it was hidden inside the image.


Jeremy typed in a password of “password” and chose to use the default encryption method of IDEA. When he was done, he clicked the OK button and watched as the software processed the information he had given it. After just a few seconds, a new version of his image popped into the S-tools 4 interface with a heading of Hidden.

Clicking the right button on his mouse, Jeremy was able to bring up an alternate menu, allowing him to save his new image with a new filename. Jeremy picked a name and saved the file to his hard drive.

[Figure: Hiding 461 Bytes]

Jeremy closed out the application when he was done and brought up a command prompt under Windows. He had questions about how the information was hidden and the effect it had on the file size. To compare the size of the two images, he ran the dir command at the prompt for all the .gif files. The file size had changed dramatically, considering that he had hidden only a simple text file. But without the original file to compare to, how would he ever know there was information hidden in the second image?


[Figure: Saving New Image]

Most of the steganography applications that used image files worked similarly to this one. Some of them were capable of hiding information without increasing the file size, and in some cases, the size of the resulting file was actually smaller than the original. There were white papers on the topic all over the Internet that explained the concepts of algorithms. Each tool was written by a different author, and thus used a different algorithm to hide the information inside the carrier. Jeremy expected that some of the applications were more efficient than others because of the algorithm they used and the way they were coded.

But there were other types of covert channels that didn’t actually utilize steganography, per se. Their methods were completely different. One of his favorites had been the manipulation of text and words in a message to create something entirely different. Using these tools, Jeremy could create spam e-mails, full text documents, and even scripts to a fictional play.

The first such tool he found was a spam generator built into a web site that would create a spam-type e-mail from a message a user entered into the web site. The site was called Spam Mimic and was based on an engine published by Peter Wayner in his 1996 book, Disappearing Cryptography. The authors of the web site had created their own spam grammar to be used in the engine and built a web page around the concept. Jeremy opened his web browser and typed the address for www.spammimic.com. Arriving at the page, he clicked the button for

The web page switched to the page created for encoding user messages and Jeremy typed a quick, simple test message. It doesn’t need to be anything complex, just something to test the engine again, he thought to himself. The entire idea of manipulating words and text in such a way to obscure the real meaning intrigued Jeremy immensely. Words were the most basic form of communication. The ability to continue using words without a huge hit on usability could mean that these types of ciphers were more popular than most people would imagine.


When Jeremy had finished his short message and pressed the Encode button on the browser window, the browser icon began to spin again before displaying his encoded message. The realism of the spam, at first glance anyway, was amazing. With the sheer numbers of spam that crossed the desktops of Internet users around the world, one more message would likely be disregarded and ignored completely. There was potential in this method to communicate with multiple numbers of individuals and never be able to track specifically for whom the message was intended.

[Figure: Encoding User Message]

Jeremy glanced again at the output and realized that there were distinct patterns within each spam message that was generated. He could assume only that there was a flaw in the design of this particular engine. Scanning the e-mail, he noticed that there were multiple introductory lines and greetings in his message, even though his initial input had been relatively short. But he had to admit to himself that the tool created a genuine enough looking product that most people instantly delete the message.

There was a market for e-mail lists. Companies looking to capitalize a little more from the mailing lists they had gathered were in a position to now sell those lists to anyone they wanted to. Sure, there were some repercussions and some perturbed customers, but the extra revenue in their pocketbook served as good an incentive as any. Over the last few years, this had resulted in mailing lists that included millions of e-mail addresses that could be bought for relatively little money.


Jeremy couldn’t help hypothesizing about the potential uses for such a system. Obviously, there were financial incentives for some organizations, but what about a group, like the one he was investigating? What were the possible uses for something like this? His first thought was how inexpensive these mailing lists actually were to purchase. A group wanting to hide their communication could simply buy a list from an existing organization and add their own group members’ e-mail addresses to the list. By entering their message into the Spam Mimic interface, they could create a suitable e-mail that could then be sent to millions of addresses, including the actual target addresses. Most people would simply ignore the message completely, but those individuals who were already in the know would find some hidden value in the message.

The thought that was frightening to Jeremy was its simplicity. Users on the Internet had already been trained to ignore spam messages. In many cases the e-mails were caught at gateway interfaces that removed potential spam before it ever reached the user. For a few hundred U.S. dollars, anyone could create a mechanism like this for communicating secretly, yet publicly at the same time.

That thought reminded Jeremy of another tool he had downloaded from the Internet, Sam’s Big G Play Maker. Unlike Spam Mimic, this tool was loaded onto a user’s computer under the Windows operating system. And unlike the previous tool, which was intended to mimic the look and feel of a genuine spam e-mail message, the Play Maker software converted your message into a script for a play. He closed his web browser and opened his My Computer icon to browse to the new application.

He had installed the software on his D:\ drive and quickly found the start-up icon in the application folder. Double-clicking the icon brought the software to life on his screen instantly. The software was coded into a very small binary executable that apparently used very little memory on the system.

The interface to the software was simple and easy to understand. There were three tabs on the window: one for General, one for Wordlists, and a third for Equiv. The General tab was easy enough to use, allowing users to input their messages in the left pane of the window, click the double right-arrow button, and view the output in the right pane of the window. The process was supposed to work in a similar fashion when used in the reverse. So if Alice sent Bob an e-mail message with a play script in it, then Bob could cut and paste the script into the right pane and click the double left-arrow button to decode the message. Jeremy had to admit that the idea was a good one, but its implementation was weak. He decided to toy with the tool once more, and entered a short message into the right pane of the window.


When he had entered his short message, Jeremy clicked the double right-arrow to convert his message into a play. The output was simple, but could pass for a legitimate script assuming no one really spent any time reading the output. A cursory glance at the final product would likely be ignored by the normal user as some extremely boring script written by a coworker with a little too much free time.

[Figure: Real Test from Jeremy]

Jeremy had been so amused by this particular tool that he played with it at length, learning that the tool used nothing more than simple substitution to create the final script. Substitution was a relatively weak form of protecting text messages, but especially so with a default equivalency embedded into the tool. But Jeremy had to give kudos to the author of this tool. Instead of embedding a default static list of phrases and words, the user was allowed to customize the settings. Using this function, it would certainly take more time to break the encoded message. Two separate users only would need to share the same settings used in the tool in order to create more realistic scripts and make them more difficult to recognize. Jeremy clicked from the General tab to the Wordlists tab.

The names would all need to be changed, as any default settings would be immediately recognizable by a true analyst. But changing the names, the preambles, and the actions would help solidify the story line being used in the conversion. Heck, done correctly, Jeremy thought to himself. You could almost come up with a script that made sense if you put the effort into selecting the right terms and phrases. The tool had limitations, surely, but there was also some inherent value with using the tool. He clicked the next tab, Equiv., which defined the equivalency within the tool. The equivalency defined how each character typed into the input pane would be reflected in the output pane. In most cases, the information in the right pane defined the phrases that would be stated by the names stated in the Wordlists tab. Again, it seemed to Jeremy that, if done correctly, the final output script could look legitimate.
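The weakness Jeremy notes in a per-character equivalency can be seen from the analyst's side in the following added example, which is not part of the original chapter and is not Play Maker's code. The equivalency table, speaker names, test message and detection threshold are all constructed assumptions, since the chapter does not list the tool's real defaults.

```python
import string

# Hypothetical equivalency table: each input character maps to one stock line.
# Constructed for illustration; these are not Play Maker's real defaults.
ALPHABET = string.ascii_lowercase + " "
VERBS = ("Fetch", "Mind", "Bring")
NOUNS = ("lamp", "door", "cart", "rope", "coat", "bell", "map", "key", "cup")
EQUIV = dict(zip(ALPHABET, (f"{v} the {n}." for v in VERBS for n in NOUNS)))
SPEAKERS = ("ALICE", "BOB")  # constructed Wordlists-style names


def encode(message):
    """Turn each character into one line of dialogue (simple substitution)."""
    return "\n".join(
        f"{SPEAKERS[i % 2]}: {EQUIV[ch]}" for i, ch in enumerate(message.lower())
    )


def spoken_lines(script):
    """Strip the speaker name and return only what was said."""
    return [line.split(": ", 1)[1] for line in script.splitlines() if ": " in line]


def decode(script, table):
    """What an analyst holding the same table does: invert the mapping."""
    reverse = {phrase: ch for ch, phrase in table.items()}
    return "".join(reverse[s] for s in spoken_lines(script))


def repeat_ratio(script):
    """Fraction of spoken lines that repeat an earlier line verbatim."""
    said = spoken_lines(script)
    return 1 - len(set(said)) / len(said) if said else 0.0


def looks_substituted(script, alphabet_size=len(ALPHABET), min_ratio=0.5):
    """Flag scripts whose dialogue is drawn from a small, heavily reused set."""
    distinct = len(set(spoken_lines(script)))
    return distinct <= alphabet_size and repeat_ratio(script) >= min_ratio


MESSAGE = "meet at the north gate at ten"  # constructed test message
ORDINARY = "ALICE: Is the kettle on?\nBOB: It boiled an hour ago.\nALICE: Then pour."

if __name__ == "__main__":
    script = encode(MESSAGE)
    print(decode(script, EQUIV), round(repeat_ratio(script), 2))
    print(looks_substituted(script), looks_substituted(ORDINARY))
```

Changing the names and phrases, as Jeremy considers, defeats the known-table decode but not the repetition measure, because one line per character still reuses the same few lines.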

But what methods could be used to send these scripts out that wouldn’t draw so much attention? E-mail was an obvious answer, but if a user was sending large numbers of e-mails containing these scripts, it might draw attention to them. The other, less obvious answer was to use an online forum or USENET newsgroup to communicate the scripts. These types of forums were publicly available, but the traffic would be so disjointed as to discourage too many users. Individuals who had prior information about the channel would be able to download the scripts to their local machines and decode the messages.

Jeremy glanced at his watch; just after 10 P.M. It’s probably time to head
