Data leak protection advice: Covert channels could be funneling data out of your company

The latest in our series of articles from MSc graduates at Royal Holloway, University of London focuses on how covert channels on a legitimate network can leak data undetected.

Could information be flowing into or out of your organisation without you knowing? It is the nightmare that haunts any security professional today.

And yet, there are plenty of techniques around that enable data to bypass the most watchful security set-up and to travel over covert channels that conceal their very existence. And if you think you are safe because you use digital certificates, think again – those very certificates could be carrying secret data without your knowledge.

This is the subject of the latest in our series of articles from recent MSc graduates at Royal Holloway College. The author, Carlos Scott, works as part of the security monitoring team at Vodafone, and says he chose to look at the problem because of its sheer complexity.

"The thing with network covert channels is that the possibilities are endless, due to the wide array of network protocols in use today," he says. "However, because they rely on legitimate communications, they become more effective the more trusted is the underlying legitimate traffic."

The article is an invaluable introduction to the subject for anyone wanting to find out about the various ways in which covert channels can be set up and run. Scott also discusses ways of detecting and preventing covert channels.

He explains that covert channels can be used by criminals to suck information out of an organisation, and also to support terrorist activity. While encryption can offer confidentiality, it does to hide the existence of the traffic. With covert channels, by contrast, the aim is to stay below the radar of anyone trying to monitor it.

The full title of Scott's thesis (which can be reached from a link at the end of the article) is 'Network Covert Channels: Review of current state and analysis of viability of use of X.509 certificates for covert communications'.

His thesis is that digital certificates, which most people regard as a guarantee of security, could actually provide hackers with a means of transmitting data unseen.

"When searching for a subject for my thesis, I reflected for a short while on what network traffic or protocol is perceived as being trusted, and digital certificates were the natural answer, as they imply trust themselves," he says. "I then basically looked for ways to misuse the trust placed on digital certificates to piggyback 'untrusted' or malicious communications, which you can find in the article."

Scott's article uncovers some of the many techniques that hackers use to hide their presence, and then focusing down specifically on the problem of digital certificates.

And he says the research has taught him the value of vigorous testing: "I firmly believe that looking for and finding flaws is the way to improve systems, as I consider not looking for them is a sign of complacency and slows down progress. That is particularly true in the infosec area."

To see Carlos Scott's article Read this PDF document by Carlos Scott on Covert channels and data leak protection

Read more on Hackers and cybercrime prevention