I’ve hidden a secret message in this blog … see if you can find it.
As children we used to delight in sending secret messages to our friends, using secret codes, and sometimes we would hide things in something that only those who knew where to look could find. Unfortunately, for most of us, we’ve lost that wonderment; as we grow up we find that people think we are doing something suspicious if we send secret messages, or our skill at creating them has gone, as we stick to the standard ways of communicating with everyone else.
So when are covert messages actually used? Well, these days they are likely to be used where there are two suspects (Figure 1) who are being monitored for all their communications, and the only way they can pass messages to each other is to use a covert channel. So let’s look at some of the ways that this could be done, with very little effort.
The Mess that is the Internet
The Internet was created in a time of mainframe computers where users typed in messages to send emails and even to access Web pages. So when you wanted to send an email you connected to port 25 on the server and typed:
HELO myserver.com
MAIL FROM: Fred@home
RCPT TO: Bert@home
cc: My Message
DATA
How are you
.
which will send the email message to bert@home from fred@home with the message “How are you”. The “.” on a line of its own is the marker that the message has ended and that it can be sent. You can see that it is a fairly simple method that is used to send something as important as an email, but basically it hasn’t changed, as we are still using the same old protocols that were created all those years ago. In fact … they kind of got the email address wrong, as the original proposed structure was based on X.500, which has the top-level domain first, such as Domain=uk.ac, Organisation=napier, Organisational Unit=“computing”, which would have given “uk.ac.napier.computing”, but the current form became standardised almost with the first email that was sent.
The same simplistic method goes for accessing Web pages, where, with the HTTP protocol, a simple “GET” is used to fetch a Web page. So how does that relate to covert messages? Well, these simple protocols are full of holes, where they are being used in ways that they were never intended for. So things like Service-Oriented Architectures are actually built around the original HTTP specification, so that a stateless protocol actually becomes a way of creating and modifying objects through Web accesses.
Covert Channels in IP and TCP
The two great kings of the Internet are IP and TCP. They have done more for humankind than virtually anything else. In terms of knowledge creation and sharing, it is IP and TCP that have supported both the creation of the Internet and all the applications that are now used over it. The figure on the right shows the main fields used in IP and TCP, and basically they are the same as in the first data packet that was transmitted over the Internet. In IP there are the 32-bit source and destination IP addresses, which have become so successful that we have no more IP addresses left to give out. And for TCP there are the source and destination ports, which allow hosts to have many connections at the same time, each of which is unique across the whole of the Internet. It’s an amazing relationship: IP does the grunt work, it stamps the data packets for their destination and receives them at the other end, but it’s up to TCP to keep track of them and make sure that none of them get lost on the way.
So what about covert messages? Well, there are many fields in IP and TCP that do not have a strong use and can be used for sending covert messages. In Figure 1 I’ve identified the rogues’ gallery of these, including the Fragment Offset, TTL and Identification fields for IP, and for TCP the Urgent Pointer and Data Offset. Each of these can easily support sending secret messages between two people. While most of these fields are unused, the TTL field is obviously used to make sure that a data packet doesn’t traverse the Internet forever, so how can we use that? Well, we typically only need 26 characters to send a message, so we take an initial TTL value and Exclusive-OR it with the character’s index, from 0 to 25, for each of the characters. So, for example, if the TTL is 255 as an initial value, the TTL value for an ‘a’ would be:
255: 1111 1111
‘a’: 0000 0000
Result: 1111 1111 (255)
and for ‘z’
255: 1111 1111
‘z’: 0001 1001
Result: 1110 0110 (230)
So the value should never fall so low that the TTL reaches zero in transit (and the packet is discarded).
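As an added example (not code from the original post), here is the TTL letter encoding exactly as described above, the check that it never drops near zero, and the check a network monitor could run to notice such a flow: a host sets one fixed initial TTL and a stable path decrements it by a constant, so one flow normally shows a single TTL (two if the route changes), whereas a flow carrying letters shows many. The packet records are constructed; the hostnames and addresses are assumptions.

```python
"""Added example (not from the original post): the TTL letter encoding the
post describes, plus the check a network monitor could run to notice it.
Scheme as stated above: initial TTL (255) XOR the letter's index 0..25.
The packet records below are constructed."""
from collections import defaultdict

INITIAL_TTL = 255


def ttl_for_char(ch, initial=INITIAL_TTL):
    """TTL carrying one lower-case letter: initial XOR index ('a' is 0, 'z' is 25)."""
    idx = ord(ch.lower()) - ord("a")
    if not 0 <= idx <= 25:
        raise ValueError("only a-z are encodable in this scheme")
    return initial ^ idx


def char_for_ttl(ttl, initial=INITIAL_TTL):
    """Inverse mapping: XOR is its own inverse, so recover the index and the letter."""
    idx = ttl ^ initial
    if not 0 <= idx <= 25:
        raise ValueError(f"TTL {ttl} does not decode to a letter")
    return chr(ord("a") + idx)


def lowest_ttl(initial=INITIAL_TTL):
    """Smallest TTL the scheme can emit; confirms the post's point that it stays far from zero."""
    return min(ttl_for_char(c, initial) for c in "abcdefghijklmnopqrstuvwxyz")


def suspicious_flows(packets, max_distinct=2):
    """Return {(src, dst): sorted TTLs} for flows showing more than max_distinct TTL values.

    max_distinct=2 tolerates one route change; a flow whose TTL keeps changing
    from packet to packet has no normal explanation and deserves a closer look."""
    seen = defaultdict(set)
    for src, dst, ttl in packets:
        seen[(src, dst)].add(ttl)
    return {flow: sorted(ttls) for flow, ttls in seen.items() if len(ttls) > max_distinct}


# Constructed packet records: (source, destination, TTL as captured at the first hop).
NORMAL_FLOW = [("10.0.0.5", "192.0.2.10", 64)] * 5 + [("10.0.0.5", "192.0.2.10", 63)]
COVERT_FLOW = [("10.0.0.7", "192.0.2.10", ttl_for_char(c)) for c in "secret"]
SAMPLE_PACKETS = NORMAL_FLOW + COVERT_FLOW

if __name__ == "__main__":
    print("a ->", ttl_for_char("a"), " z ->", ttl_for_char("z"), " lowest:", lowest_ttl())
    for flow, ttls in suspicious_flows(SAMPLE_PACKETS).items():
        print("flagged", flow, "TTLs seen:", ttls)
```

Because 255 is all ones, XORing with 0..25 is the same as subtracting, so the lowest TTL the scheme can produce is 230; a monitor that only checks for "TTL near zero" will therefore never see anything, which is why the per-flow distinct-value count is the useful signal.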
The strange thing about IP is that there is quite a bit of variation across its implementations, and the best example is in the Identification field. The only requirement is that it can uniquely identify IP fragments within a given time window. So some systems just increment this value by 1 from a random starting point (such as Microsoft Windows, as shown in the first diagram in Figure 3), Linux (second diagram in Figure 3) creates a random value for each one, and Solaris increments for a while and then takes a random jump (third diagram in Figure 3). Have a look at these Windows packets:
You will see the ID field goes:
Identification: 0x1640 (5696)
Identification: 0x1641 (5697)
and compare with these Ubuntu packets.
This is a useful way for someone monitoring network packets to determine the operating system, and it is used by security tools such as Nmap to guess the operating system type. The field could, though, be used to send covert messages, as the value within it is not checked by intermediate devices or by the end hosts.
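As an added example (not from the original post or from Nmap), here is a small classifier for an observed Identification sequence using the three behaviours the post describes, plus a parser for the Wireshark-style detail lines shown above. The same classifier serves a defender: because nothing in transit checks this field, a monitor has to keep its own baseline per host, and a host that was incremental yesterday and "random" today is worth a look. The capture text extends the two values in the post with constructed ones; the Linux-like and Solaris-like sequences are constructed too.

```python
"""Added example (not from the original post): classify an IP Identification
sequence from its 16-bit deltas, using the three behaviours the post
describes, and parse Wireshark-style 'Identification: 0x.... (....)' lines.
All sample values below are constructed."""
import re

_ID_RE = re.compile(r"Identification:\s*0x([0-9A-Fa-f]{1,4})")


def parse_wireshark_ids(text):
    """Pull the hex Identification values out of Wireshark detail lines."""
    return [int(h, 16) for h in _ID_RE.findall(text)]


def classify_ipid(ids, small_step=16):
    """'incremental' (Windows-like), 'random' (Linux-like) or
    'incremental with jumps' (Solaris-like), judged from consecutive deltas.

    small_step allows for a host whose shared counter is also advanced by
    other connections, so packets in one capture may skip a few values."""
    if len(ids) < 3:
        raise ValueError("need at least three packets to judge")
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # field wraps at 16 bits
    small = sum(1 for d in deltas if 1 <= d <= small_step)
    fraction = small / len(deltas)
    if fraction >= 0.9:
        return "incremental"
    if fraction <= 0.1:
        return "random"
    return "incremental with jumps"


def deviates_from_baseline(ids, expected):
    """True when a host known to behave as `expected` stops doing so."""
    return classify_ipid(ids) != expected


# Constructed capture text, extending the two Windows values shown in the post.
WINDOWS_CAPTURE = """\
Identification: 0x1640 (5696)
Identification: 0x1641 (5697)
Identification: 0x1642 (5698)
Identification: 0x1643 (5699)
"""
LINUX_LIKE_IDS = [0x3F2A, 0xB1C4, 0x08E1, 0x7A9D, 0xC003]        # constructed, random-looking
SOLARIS_LIKE_IDS = [100, 101, 102, 103, 50000, 50001, 50002]      # constructed, counts then jumps

if __name__ == "__main__":
    print("windows :", classify_ipid(parse_wireshark_ids(WINDOWS_CAPTURE)))
    print("linux   :", classify_ipid(LINUX_LIKE_IDS))
    print("solaris :", classify_ipid(SOLARIS_LIKE_IDS))
```

The thresholds (a "small" step of at most 16, and 90%/10% cut-offs) are assumptions chosen for this illustration; a real fingerprinting tool uses more probes and more refined tests, but the shape of the decision is the same.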
Storage or Timing
There are obviously many ways of sending covert messages. We might, as a secret code, decide that when we met I would wear a red rose on my lapel. So if I wanted to pass a message to you and the first letter was an ‘a’, the binary for this is 0110 0001 (0x61), so the first time I would wear a rose (‘1’), then not for the next four times, then wear it for the next two times, and then not for the next time. In this way, as long as no-one noticed, I would send a message through our covert channel. Thus we can use either a storage channel, where something is either put in place or not, or a timing channel, where we change the behaviour of a resource. This might mean that I drive the CPU on a computer to 100% at certain times when I want to pass a 1, and leave it idle for a 0.
So we can even use normal protocols to do this. For example, there is a Connection: Keep-Alive field in the HTTP header, which is used to tell the server that the client does not want to break the connection that it has created. This is used as it reduces the time to access more content on the site. In Figure 4 we can see that we can send a 0 when it is present and a 1 when it is not present. For anyone viewing this communication everything looks fine, but the suspects know where to look to find the hidden message.
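As an added example (not from the original post), here is the Keep-Alive presence channel from the two paragraphs above seen from the monitoring side: a small parser that checks each request for the header, the bit mapping the post states (0 when present, 1 when absent), and a per-client check. A browser is consistent about the header, so a client that toggles it from request to request to the same server stands out. The requests, the client names and the host name are constructed; the suspect's pattern spells 0110 0001 (‘a’, 0x61) most-significant bit first.

```python
"""Added example (not from the original post): spotting the Keep-Alive
presence channel described above. Requests below are constructed."""


def has_keepalive(raw_request):
    """True when the request carries a 'Connection: keep-alive' header (case-insensitive)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "connection" and value.strip().lower() == "keep-alive":
            return True
    return False


def presence_bits(requests):
    """The channel as the post states it: 0 when the header is present, 1 when absent."""
    return [0 if has_keepalive(r) else 1 for r in requests]


def flip_count(bits):
    """Number of times the value changes between consecutive requests."""
    return sum(1 for a, b in zip(bits, bits[1:]) if a != b)


def flag_clients(requests_by_client, max_flips=1):
    """Clients whose header presence flips more than max_flips times across their requests.

    One flip is tolerated so that a client which changes behaviour once
    (e.g. dropping keep-alive on its final request) is not flagged."""
    flagged = {}
    for client, reqs in requests_by_client.items():
        flips = flip_count(presence_bits(reqs))
        if flips > max_flips:
            flagged[client] = flips
    return flagged


def make_request(path, keepalive):
    """Build a minimal constructed HTTP/1.1 request, with or without the header."""
    lines = [f"GET {path} HTTP/1.1", "Host: www.example.com"]   # host name is an assumption
    if keepalive:
        lines.append("Connection: keep-alive")
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed traffic: a browser that always keeps the connection open, and a
# client whose header pattern spells the bits 0110 0001 under the scheme above.
SAMPLE_TRAFFIC = {
    "browser": [make_request(f"/page{i}.html", True) for i in range(8)],
    "suspect": [make_request(f"/page{i}.html", bit == 0)
                for i, bit in enumerate([0, 1, 1, 0, 0, 0, 0, 1])],
}

if __name__ == "__main__":
    for client, reqs in SAMPLE_TRAFFIC.items():
        print(client, presence_bits(reqs))
    print("flagged:", flag_clients(SAMPLE_TRAFFIC))
```

The same flip-count check applies to any storage channel built on an optional header or option: the observable is not the value sent but how often a normally stable choice changes.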
Message in pictures
One obvious way to hide messages is to put them in another container, such as a graphics file. For the observer the image looks fine, but hidden within it is a message for the suspects. One way to hide a message is obviously to place it on a layer in the graphics file and then make it invisible. In the figure we can see that we can add opacity to some text to make it less visible, and if we turn it to 100% opacity the user will not see it. This technique works for graphics files which have layers, such as PNG and PSD, but doesn’t work with flattened formats or bitmaps such as GIF, JPEG and so on. As with the problems in network protocols, there are places in graphics files where we can hide things. For example, the GIF format can have up to 256 24-bit colours (Red, Green and Blue) which can be used in the image. So GIF is a good graphics format when we only have a few colours (such as for icons) but it is not good with photographs, as we are limited in our colour palette. So one place to hide a message is to insert it into the colour table, which might affect a few pixels, but the user might not see any changes.
Have a look at the two images on the right-hand side, and you will see that a few pixels around the cat have changed, as the colours that these pixels map to have been changed. Remember that each colour is 24 bits, with 8 bits each for red, green and blue. So for “hello” it will change a maximum of two colours in the colour table. It could be made even more discreet by spreading the message across the least significant bits of the colour table, so that the changes in colour would be minimal and no user could spot the changes.
The actual format of the file, with the covert message, is:
47 49 46 38 39 61 64 00  GIF89ad.
55 00 E6 00 00 FF FF FF  U.......
F7 F7 F6 F1 F4 F2 EE EE  ........
EF E7 E7 E7 E1 E4 E6 DF  ........
DE DF D7 DA DD EF CE CE  ........
D5 D5 D5 D5 D3 D0 D9 D1  ........
A1 CC CC CC C4 C8 CC 68  .......h
65 6C 6C 6F C0 D1 C6 84  ello....
C0 BF BD BD BB B8 B8 B6  ........
B5 B5 B3 AE AA B1 B6 AB  ........
AC AD AB A9 A5 A6 A6 A6  ........
A7 A5 9E AB A8 70 AC 9C  .....p..
9F 99 99 99 94 9A A0 8B  ........
95 9C 93 92 8E 8C 8D 8A  ........
86 8C 96 98 8B 66 90 87  .....f..
82 83 83 83 7A 84 8A CB  ....z...
5E 5E FB 48 48 82 7C 73  ^^.HH.|s
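As an added example (not from the original post), here is a parser for the part of the GIF file shown in the dump above (the six-byte signature, width, height, the packed flags byte that says how large the global colour table is, and the table itself), followed by the two checks a defender can apply to a suspect file: look for runs of printable ASCII inside the palette, and diff the palette against a trusted copy of the same image. The GIF bytes are constructed (header and colour table only, no image data), modelled on the dump: a 16-colour grey palette with "hello" written over two entries, so the palette diff reports exactly two changed colours, as the post says.

```python
"""Added example (not from the original post): parse a GIF header and global
colour table, then check the palette for printable ASCII runs and diff it
against a trusted palette. The GIF bytes below are constructed."""
import struct


def parse_gif_header(data):
    """Return the fixed header fields and the raw global colour table bytes."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    width, height, packed, background, aspect = struct.unpack("<HHBBB", data[6:13])
    has_gct = bool(packed & 0x80)                               # bit 7: global colour table present
    entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0      # bits 0-2: table size exponent
    gct = data[13:13 + 3 * entries]                             # 3 bytes (R, G, B) per entry
    if len(gct) != 3 * entries:
        raise ValueError("truncated colour table")
    return {"version": data[3:6].decode("ascii"), "width": width, "height": height,
            "entries": entries, "background": background, "gct": gct}


def ascii_runs(blob, min_len=4):
    """(offset, text) for every run of at least min_len printable ASCII bytes."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):                     # sentinel closes a trailing run
        printable = 0x20 <= b < 0x7F
        if printable and start is None:
            start = i
        elif not printable and start is not None:
            if i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    return runs


def differing_entries(gct_a, gct_b):
    """Indices of colour-table entries that differ between two palettes of equal size."""
    if len(gct_a) != len(gct_b):
        raise ValueError("palettes differ in size")
    return [i for i in range(len(gct_a) // 3)
            if gct_a[3 * i:3 * i + 3] != gct_b[3 * i:3 * i + 3]]


def build_gif_fragment(gct, width=100, height=85):
    """Constructed GIF89a header + global colour table + trailer (no image data)."""
    size_bits = (len(gct) // 3).bit_length() - 2               # 16 entries -> exponent 3
    packed = 0x80 | (0x07 << 4) | size_bits                     # GCT present, 8-bit colour resolution
    return b"GIF89a" + struct.pack("<HHBBB", width, height, packed, 0, 0) + gct + b"\x3B"


# Constructed palette: 16 greys from white downwards, every byte >= 0x87 so none is printable.
CLEAN_GCT = bytes(v for i in range(16) for v in (255 - 8 * i,) * 3)
# The same palette with "hello" written over entries 4 and 5.
STEGO_GCT = CLEAN_GCT[:12] + b"hello" + CLEAN_GCT[17:]

if __name__ == "__main__":
    info = parse_gif_header(build_gif_fragment(STEGO_GCT))
    print(info["version"], info["width"], "x", info["height"], info["entries"], "colours")
    print("ascii runs in palette:", ascii_runs(info["gct"]))
    print("entries changed vs trusted copy:", differing_entries(CLEAN_GCT, STEGO_GCT))
```

Reading the post's own dump with the same rules: the packed byte E6 (1110 0110) declares a 128-entry table, and the bytes 68 65 6C 6C 6F begin 42 bytes into it, which is entry 14 exactly, so "hello" overwrites entries 14 and 15 and no others. The printable-run check is only a triage signal: a photograph with many mid-tone colours (byte values 0x20 to 0x7E) will also produce runs, so comparing against a trusted copy of the image is the check that actually settles it.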
Well, if someone wants to communicate with a covert channel they will do it, and there’s often little you can do about it. What you need to make sure is that, where it matters, the mechanisms for this are limited. In the next blog I’ll outline other methods. So, as a last little challenge, here’s a sample of some covert messages that we have used to present security to school kids:
Can you find the six secret messages? Hint … look down the lines.
If you want to check … here are the answers.