Information Security, Network Steganography and Attack, TCP/IP

In this post, we will study the relevant terms like; information security, attack on the network, TCP/IP, and also will discuss briefly a case study.

Introduction

Information security has nowadays become everyone’s need, either directly or indirectly connected to the network environment. 

Various research and development have provided us sophisticated computer systems, networks, and complex software. 

Due to the development of complex and sophisticated systems, different issues arise regarding their security. Security has become one of the hot topics in information security with regular news of data breaches.

One of the modern developments in computer networks has provided us with the TCP/IP stack, which is a group of different communication protocols working through the Internet and other various private communication networks which carry most of the essential services running over the network. 

Virtually all the large networks and protocols like the Internet are designed on TCP/IP protocol suites. 

Different protocols such as IPsec, SSH, SSL, and TLS are used to provide security and privacy across network communications.

According to various research done on TCP/IP by researchers, it was found that TCP/IP was vulnerable to various types of attacks such as IP Spoofing, TCP syn flood attack, Port Scanning, Data hiding, and various others. 

By creating a covert channel in protocols to send confidential data, data hiding in TCP/IP is done. Because of the loopholes present in their design architecture, data hiding in the different protocols is possible. 

Various researches from different sources and sites on this topic are done and data hiding in TCP protocols are shown to demonstrate how hackers can use these systems for Penetration testing and also by cybercriminals to transfer data in an illegal way in the evolving era of digital crime evolution.

Background

The use of data hiding technique has been followed since the period of Ancient Greece. 

The motive for data hiding compared with the past has not changed totally. 

Before the process used to be carried out in an innocently looking cover and was sent to the proper receiver who used to be aware of the information hiding technique. 

The method is carried out in such a way that it could not be detected by third parties. 

The way of communication through the ages has been evolved and so did the techniques of different methods of information hiding has also been upgraded and different methods for secret communication are being used. 

Although the method has been developed the principles of the technique remain the same. 

Among different data hiding techniques like cryptography, watermarking, and steganography, one of the modern techniques in information hiding is network steganography where secret messages are sent with the help of different protocols in the network. This type of operation is mostly known as Covert Channel. 

The idea of a covert channel was first introduced by Lampson in the year 1973 A.D. 

Lampson used to define a covert channel as a channel that is used for the purpose of transferring information only, not intended or designed for the purpose of communications. 

Later, Trusted Computer System Evaluation Criteria (TCSEC) described covert channels as secret communication that allows secret transmission of data and can also harm the policy of security. In 1983 A.D., a covert channel was stated as an entity for transmission of malicious data secretly between different subjects

Covert Channel

The designed communication channel where the transfer of authorized data is done within a network or computer system is known as an overt channel whereas a covert channel is the kind of channel that allows the transfer of information between two systems in a way that breaks the system’s security policy. 

A covert channel is also considered one of the main sub-disciples of Data hiding techniques. 

The exchange of hidden information by individuals is done in an undetectable way under this channel. 

The exploitation of viruses, Trojans, and malicious messages is carried out by covert channels in such a way that it gets undetected even by the firewall or other detection system. 

The covert channel can be identified as a serious kind of vulnerability if it is combined with different sorts of malicious activities. 

The existence of covert channels can be noticed in two different kinds of systems which are stand-alone and network-based systems. 

The secret information is passed between different entities in the stand-alone system and the secret information is transferred between the network in the case of network-based systems.

Classification of Covert Channel

A covert channel is generally classified into different types. Among various covert channels two of them are described below:

Covert Storage Channel 

A covert storage channel is the kind of communication channel that works by placing data in an unexpected location which can be read by another individual or system. 

Involvement of direct/indirect, writing and reading values of the object are done by receiver and sender in this channel. 

It uses memory locations, such as object attributes, their existence, and shared resources for data transmissions. 

This channel is easily implemented which is a greater threat to the system. 

An example of a covert storage channel is an ICMP echo request used to send a ping command between two systems. 

Covert Timing Channel

A covert timing channel is the kind of communication channel that works by modifying the use of resources like manipulating packets, frames, or message timing that may be detected by receivers and can observe and decode the information. 

They can be active if the additional generation of traffic is done and passive if the manipulation of the timing of existing traffic is done. 

They carry information through the arrival interval of packets, rather than carrying the packet contents. 

They are more secure than covert storage channels. 

Port knocking is an example of a timing channel where an individual tries to send data to a remote system secretly which might probe different network ports on that system in a precise order to transmit information slowly.

Covert Channel in TCP/IP Model

The TCP/IP Model consists of five different layers which are comparatively different from the OSI model which has 7 layers. 

The different layers are mentioned below: 

• Application Layer 

The application layer presents unlimited opportunities for delivery of covert data because the covert data can either reside inside the protocols header or can be delivered as a payload. 

The HTTP protocol is a fertile field for embedding covert messages. 

HTTP traffic to pass from internal hosts to Internet Web servers is allowed even by some of the restrictive organizations. 

Costly software is required by HTTP packets for protocol compliance during the inspection which may result in breaking web applications that are necessary for business. 

Confidential messages and videos can be delivered with the help of HTTP GET requests to the browser and desktop sharing applications. 

• Transport Layer 

The reliability of the packet is maintained by Transport Layer. 

In order to be the intended receiver of the covert message, the source IP can be spoofed. 

The critical observation in the TCP layer is a three-way handshake. 

The twelve fields of the TCP header include many which are rarely checked and others that exhibit high randomness. The position of the first-byte segment is identified by a 32-bit TCP sequence number. 

The source IP in this layer can be spoofed and can be used for delivering secret data or wrong information from which it can be known that the Transport Layer is vulnerable and can be used for creating the covert channels.

• Network Layer 

Internet Protocol (IP) and its complement ICMP, IGMP, ARP, and RARP dominate the network layer. Data are transferred in the form of packets across a communication network in the network layer. 

The IPv4 has 23 fields to carry routing, service quality, and fragmentation. 

The 8-bit type of value indicates delay, and throughput and can be used for carrying out covert data. 

According to Craig Rowland's demonstration, the 16-bit IP ID field to uniquely identify datagram fragments can be hijacked and used for delivering confidential information. 

• Physical Layer 

Inside a LAN network, a physical interface like ethernet is highly operational. 

In order to map IP to mac address, the low-level protocol like ARP is operatable in this layer. With the help of ARP, network tunneling can be created inside LAN. 

Data hiding inside a LAN network is provided by a covert channel in ARP. 

Information hiding in ARP is almost undetected because ARP protocols are always operational. 

• Data Link Layer 

Datalink layer header provides only limited benefit in wide-area connection. 

The link-layer header is replaced every time a frame passes through a network device. 

HICCUPS which stands for Hidden Communication System for Corrupted Networks takes advantage of the implementation of data link layer headers in wireless LANs. 

It usurps flexibility and masks messages in wireless traffic that appears corrupted by interference and the message encoded by it can only be decided on its own which is a greater problem in this layer.

Elimination of Covert Channel 

Fully elimination of covert channels has not been proposed to date but it can be reduced to some extent. Some of the ways are listed below: 

• Limiting protocol support 

Limiting protocol support at the switches, routers, gateways, firewalls, and proxies also limits the possible covert channels which helps in reducing the covert communication. 

• Packet Header Mangling 

In order to make packets consistent in their attributes in the traffic, the packets are altered. 

Hence, clearing the unused pointers, reserved bits, and state bits can probably eliminate most of the covert channels. 

Prevention of covert channels can also be done by re-computing the checksums and length fields.

Network Steganography

The hidden communication technique in which legitimate traffic is used as a source for transferring private information secretly over the untrusted network is known as network steganography. 

Its main idea is to hide data in the network protocols header field or payload field or both. 

The detection and extraction of network steganography are very difficult as it is performed inside the tremendous network flow compared to static multimedia steganography such as image steganography. 

 As the technology is evolving day by day and different organizations store their information in the cloud, the use of steganography in networks is also growing rapidly which has been a hot research topic for researchers. 

Network steganography is used for good purposes as well as dark purposes. 

It can be used by network administrators for securing network management-related communication by hiding it from hackers. 

The dark purpose of it is that the terrorist can use this method for secret message transmission using the network protocols over the network channel. 

Hence, it can be said that network steganography is an effective means of communicating secret information in the networks.

Literature Review

Case Study: A penetration case study from IBM X-Force Red

This is a real-time case study related to IBM X-Force Red where one of their Red team was tasked to deliver a malicious payload to network users without alerting the defensive team or setting off the security protocols. During their first attempt, they tried sending a phishing email that was rigged up with the malicious payload in order to check the security level of the defensive side. As expected by the Red Team it was detected by the defensive team using an anti-malware sandbox. 

In their 2nd attempt, Red Team came up with creative thinking and decided to use Mozilla’s Firefox Send (FF Send) which is a legitimate file transfer tool from Mozilla. After that, they needed a side channel in order to coordinate the sending and receiving of data over that channel and also to hide their information from being inspected and detected by the defensive team. The channel they chose for carrying out secret communication was DNS protocol after they created a rogue control server which was named Foxtrot, a mechanism used to carry out communication between any number of the remote agents. After setting all things up the Red Team started pushing the initial payload which passed all the dynamic defenses secretly and helped the Red Team in moving data across intercepting proxies. Execution of commands on the compromised hosts was also done successfully even when the defensive team had security controls and monitoring turned on. 

In this way, Red Team successfully created a covert channel using DNS protocol in the successful delivery of malicious payload without being detected or identified by the defensive team.

Analysis

After the brief study on the above case, many things were analyzed on the attack and how it was carried out successfully. After failing their first attempt by Red Team, during their second attempt, the team used Firefox Send (FF Send) for the secret delivery of the file. FF Send Tool might have been used because it had different good features which allowed large size file up to 1GB for allowance to both send and exfiltrate data in the payload and the tool used would encrypt and decrypt the payload using AES-GCM algorithm directly in the internet browser which was an advantage for the team as they did not need to create the generation and distribution of key for the attack. The use of the Firefox domain was also one of their advantages because the domain is a trusted domain on most organization controls due to which the team did not have to create a fake site that would raise suspicion. The domain can also slip through URL inspection and anti-phishing controls as well as different blacklists that organizations set to capture harmful content coming from rogue resources. 

Similarly, DNS protocol might have been chosen for creating a secret communication channel because DNS has decent packet capacity and a good chance of blending in with legitimate user traffic that would make it easier for the coordination in order to send and receive the confidential information. All the scenario was critically thought out by the members of the Red Team and was applied in real-time which made the attack successful in the delivery of malicious payload by creating the covert channel.

Scenario

Relating to the above case study a similar attack will be created for the secret communication between two devices without alerting any other hosts. Compared with the above case study, the FF Send tool has been used for the transmission of secret files whereas the Netcat tool will be used for the sending and receiving of secret messages between two devices in this attack. In the mentioned case study, DNS protocol has been used as a communication medium whereas TCP protocol will be used as a channel for the medium of communication between the devices in this attack to create a covert channel.