Legitimate Sites as Covert Channels: An Extension to the Concept of Reverse HTTP Tunnels

By Errno Jones (errno :dot: jones :at: pure secure :dot: net)

STATEMENTS, ASSUMPTIONS, REQUESTS

1. Due to the lack of time, this is a summary.
2. Perhaps a proof-of-concept will follow.
3. If a proof-of-concept has been implemented, please share.
4. Familiarity with reverse HTTP tunnels is assumed.

THE CROWD

The crowd is a safe harbor. It is very easy to hide something when the environment used for the covert maneuver contains many other objects of similar design. There exist countless sites that let anonymous users post messages, write text in guest books, etc. These sites are the crowds.

THE COVERT CHANNEL

Any site that allows visitors to post messages anonymously and includes them as content immediately, or without verification, can be used to hide data flowing to and from a reverse HTTP tunnel. Rather than connecting and tunneling data to a specified site directly, implement a posting mechanism to hide the communications.

THE APPLICATIONS

Assume there exist two message boards, A and B, which allow anonymous postings. Assume there exist two software programs, C (client) and S (server), that can post to and read data from boards A and B, and B and A, respectively. C contains unique identifiers X and Y, and runs on network E (external). S contains unique identifiers X and Y, and runs on network I (internal).

C posts a message, containing an encoded shell command, on board A with unique identifier X. Intermittently, C also checks board B for unique identifier Y and, if found, reads the message, decodes the contents, and displays the output.

S intermittently checks board A for unique identifier X and, if found, reads the message, decodes the contents, and runs the shell command. Then S posts a message, containing the encoded output, to board B with unique identifier Y.

THE DATA

The data must be hidden. One possibility is to collect large amounts of spam messages, for C, and use the case of the letters as bit patterns, or introduce misspellings at known intervals to encode the data. The subject of the message can contain a unique bit pattern or misspelling that is X. For S, the large amount of text that is needed can be obtained from man pages, strings of programs, etc., and modified as in C.

CONCLUSION

Comments and suggestions are welcome, clarifications available.
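A detection-side check for the letter-case encoding described under THE DATA, added here as an example that is not part of the original note: it profiles how often words carry a capital letter away from their first character, which ordinary prose and ordinary spam rarely do. The sample posts, the threshold and the heuristic itself are assumptions of this example, not something the note specifies.

```python
import re
from typing import NamedTuple

# Constructed sample posts (not from the original note). The first is plain
# prose; the second has the mid-word capitals that a case-based bit
# encoding of the kind described in the note would leave behind.
NORMAL_POST = "Check out our new offer today. Limited time only, act now and save big."
SUSPECT_POST = "chEck oUt ouR nEw OffEr toDay. LimITed tiMe onLy, aCt nOw aNd sAve bIg."

WORD_RE = re.compile(r"[A-Za-z]+")


class CaseProfile(NamedTuple):
    words: int                 # number of alphabetic words seen
    irregular_word_ratio: float  # words with a capital after the first letter
    upper_ratio: float         # upper-case letters over all letters


def case_profile(text: str) -> CaseProfile:
    """Summarise how letter case is used in one board post."""
    words = WORD_RE.findall(text)
    letters = [c for c in text if c.isalpha()]
    if not words or not letters:
        return CaseProfile(0, 0.0, 0.0)
    irregular = 0
    for w in words:
        if w.isupper():
            continue  # acronyms and shouting are normal, not a bit pattern
        if any(c.isupper() for c in w[1:]):
            irregular += 1
    uppers = sum(1 for c in letters if c.isupper())
    return CaseProfile(len(words), irregular / len(words), uppers / len(letters))


def is_case_anomalous(text: str, word_threshold: float = 0.25) -> bool:
    """Flag a post whose share of irregularly-capitalised words is high.

    The threshold is an assumed starting value; a moderator would tune it
    against the normal posts of the board being watched.
    """
    return case_profile(text).irregular_word_ratio >= word_threshold


if __name__ == "__main__":
    for post in (NORMAL_POST, SUSPECT_POST):
        print(is_case_anomalous(post), case_profile(post))
```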