Submitted via IRC for TheMightyBuzzard
Researchers from Fidelis Cybersecurity have discovered a new method of abusing the X.509 public key certificates standard for covert channel data exchange following initial system compromise.
The standard is used in both Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic Internet protocol implementations, but the manner in which the certificates are exchanged can be abused to hijack them for command and control (C&C) communication, the researchers say.
The X.509 extensions can be used for covert channel data transfer to bypass network protection methods that do not inspect certificate values, the researchers say. To date, no confirmed cases of this technique being abused have been observed, but the widespread use of certificates could put many organizations at risk, Fidelis researchers argue.
To demonstrate their theory, Fidelis Cybersecurity revealed a custom-built framework that serves as proof of concept. However, the researchers point out that detection is possible and that the community can implement protections to identify possible abuse of the covert channel data transfer mechanism.
Source: http://www.securityweek.com/tls-abusing-covert-data-channel-bypasses-network-defenses
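The channel the story describes, and the kind of check its last paragraph says the community can build, as an added example that is not Fidelis' proof-of-concept framework and is not taken from the SecurityWeek article: it builds a DER `extensions` block in pure Python holding one ordinary extension (basicConstraints) and one extension under a hypothetical private OID stuffed with a 512-byte pseudo-random blob standing in for encrypted C&C data, then walks the DER and flags any extension whose OID is not on an allow-list, whose value is oversized, or whose bytes have ciphertext-like entropy. The OID 1.3.6.1.4.1.99999.1, the size and entropy thresholds, and the SHAKE-derived payload are all constructed assumptions for the demo.

```python
# Added example: data hidden in an X.509 extension, plus a detector for it. Pure stdlib;
# the private OID, thresholds and payload below are constructed for the demo.
import hashlib, math
from collections import Counter

# --- minimal DER encoder ---
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body
def base128(v):                                        # OID sub-identifier encoding
    out = [v & 0x7F]
    while v >> 7:
        v >>= 7
        out.append(0x80 | (v & 0x7F))
    return bytes(reversed(out))
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    return der(0x06, base128(40 * arcs[0] + arcs[1]) + b"".join(base128(a) for a in arcs[2:]))
def build_extension(oid, value, critical=False):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    return der(0x30, der_oid(oid) + (der(0x01, b"\xff") if critical else b"") + der(0x04, value))
def build_extensions(exts):
    return der(0xA3, der(0x30, b"".join(exts)))       # [3] EXPLICIT SEQUENCE OF Extension

# --- minimal DER walker (single-byte tags, definite lengths) ---
def parse_tlv(buf, pos):
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or unsupported TLV")
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:
        k = ln & 0x7F
        if not 1 <= k <= 4 or pos + 2 + k > len(buf):
            raise ValueError("bad length")
        ln, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    if pos + hdr + ln > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, buf[pos + hdr:pos + hdr + ln], pos + hdr + ln
def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = parse_tlv(buf, pos)
        yield tag, body
def decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(map(str, head + arcs[1:]))

def find_extensions(buf):
    """Yield (oid, critical, value) for every SEQUENCE shaped like an Extension, at any depth."""
    for tag, body in iter_tlvs(buf):
        if not tag & 0x20:                              # primitive: nothing to descend into
            continue
        kids = list(iter_tlvs(body)) if tag == 0x30 else []
        if [t for t, _ in kids] in ([0x06, 0x04], [0x06, 0x01, 0x04]):
            yield decode_oid(kids[0][1]), len(kids) == 3 and kids[1][1] == b"\xff", kids[-1][1]
        else:
            yield from find_extensions(body)

# --- detector: allow-listed OIDs (SKI, KU, SAN, BC, CRLDP, CP, AKI, EKU, AIA, SCT) ---
KNOWN_EXT_OIDS = {"2.5.29.14", "2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.31", "2.5.29.32",
                  "2.5.29.35", "2.5.29.37", "1.3.6.1.5.5.7.1.1", "1.3.6.1.4.1.11129.2.4.2"}
def shannon_entropy(data):                             # bits per byte, bounded by log2(len)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0
def audit_extensions(der_buf, max_len=256, entropy_threshold=6.0):
    """Flag unlisted OIDs, oversized values and ciphertext-like entropy; thresholds are assumptions."""
    findings = []
    for oid, critical, value in find_extensions(der_buf):
        ent = shannon_entropy(value)
        reasons = [r for r, hit in (("unknown-oid", oid not in KNOWN_EXT_OIDS),
                                    ("oversized", len(value) > max_len),
                                    ("high-entropy", ent > entropy_threshold)) if hit]
        if reasons:
            findings.append({"oid": oid, "critical": critical, "length": len(value),
                             "entropy": round(ent, 2), "reasons": reasons})
    return findings

# --- constructed sample: one ordinary extension plus one covert carrier ---
COVERT_OID = "1.3.6.1.4.1.99999.1"                     # hypothetical private arc, not a real assignment
BASIC_CONSTRAINTS_CA = der(0x30, der(0x01, b"\xff"))   # BasicConstraints { cA TRUE }
def covert_payload(n):                                 # stand-in for an encrypted C2 blob
    return hashlib.shake_256(b"seed").digest(n)
def sample_extensions():
    return build_extensions([build_extension("2.5.29.19", BASIC_CONSTRAINTS_CA, critical=True),
                             build_extension(COVERT_OID, covert_payload(512))])

if __name__ == "__main__":
    print(audit_extensions(sample_extensions()))
```

The walker matches extensions by shape (OID, optional BOOLEAN, OCTET STRING) rather than by position, so the same `audit_extensions` can be pointed at a whole DER certificate pulled from a packet capture, not just at the sample block. The allow-list and thresholds are only a starting point: legitimate certificates carry long SCT lists and AIA blocks, so in practice you would profile value sizes per OID for your own environment and alert on deviations. Note also that this looks only at the certificate; the handshake's other opaque fields are separate channels that a certificate-level check will never see.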
(Score: 3, Interesting) by FatPhil on Wednesday February 07 2018, @10:26AM (2 children)
Yeah, that's kind of implicit in the "permitted to communicate with each other" part of the setup. How's that news?
IP-over-TLS would have been a nerdier demonstration of the side channel. I have had to use IP-over-DNS in the past, that's a cool hack. (Until $EMPLOYER realised that in order to actually do my work I'd need to communicate with the outside world, that is. Big corporations are as dumb as they are big.)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday February 07 2018, @07:27PM
What makes it newsworthy is that your IDS/IPS would show no record of this transaction other than the failed TLS handshake. There's no way to spot this data leaving your network.
(Score: 3, Informative) by driverless on Thursday February 08 2018, @04:54AM
Not only that, it's a totally stupid subliminal channel: you've got to create a new certificate and do a completely new TLS handshake for every little bit of data you want to send, completely ignoring the fact that TLS itself is packed full of random data blobs into which you can stuff whatever you want. For starters, every single packet has 16 bytes of IV and up to 255 bytes of padding that you can use in whatever way you want. Then in the encrypted content you can send even more data, for example by adding things to encapsulated HTTP headers or whatever you're conveying.
I'm sure someone had some fun playing with this during their lunch break, but puh-leeze...