How malicious hackers get away with data

Lax oversight of outbound data allows hackers to extricate desirable information

By Paul F. Roberts
October 30, 2006

Talkback

E-mail

Printer Friendly

Reprints

Compromising sensitive networks is only half the battle for malicious hackers or spies. Once they’re on the network, and have the data they want, they must find a way to get it back outside. Unfortunately, malicious hackers have a number of tools at their disposal, and with lax enterprise oversight of outbound data flows, the chances of getting caught using them are slim, according to Rob Murawski, a member of the CERT Coordination Center. Here are a few common techniques for data “exfiltration” — the technique of stealing data and slipping it past the perimeter — presented by Murawksi at the Virus Bulletin 2006 conference:

DOWNLOAD PDF

2006 InfoWorld Security Survey

MORE ON 2006 IT SECURITY

» 2006 InfoWorld Security Survey
» Future-proof your IT security
» Security weapons to fight the next malware war

Using well-known ports: Just because data is going out over a familiar port doesn’t mean its data was meant for that port. Attackers will use common ports such as 80 (HTTP) or 53 (UDP) to send sensitive data outside a network. Administrators should monitor traffic flows through these ports to spot suspicious data leaving the network.

Encrypting data: Wary of getting caught sending data in the clear, many attackers use encryption to mix up the bits before sending them outside the network. Although SSL and symmetric key encryption such as DES are sometimes used to hide the data, many attackers use far simpler XOR or bitwise encryption to disguise their booty. Why? With few admins even noticing the data leaving the network, why waste time with more complex encryption schemes?

Unmonitored protocols: Malicious programs often hide data in obscure Internet protocols that few network admins are looking for. For example, attackers could hide data in ICMP (Internet Control Message Protocol) echo requests — aka “pings” — that are captured and decoded by specially configured systems on the other end.

Throttled data transfers: Monitoring network flows in and out of your network is a great way to spot suspicious activity, but it’s not foolproof. Sophisticated attackers who are aware that you’re monitoring netflows might choose to throttle data transmissions so as not to arouse suspicions.

Hiding data in other traffic: Failing all else, attackers can hide data in normal network traffic — an art known as “steganography.” For example, attackers might pack stolen data into image files or documents that are then sent outside of the network.

Paul F. Roberts is a senior editor at InfoWorld.

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

Can you really live without Microsoft Office?

Why San Francisco's network admin went rogue

Mac (in)security: How to secure Macs in business

The birth of the InfoWorld WorldBooks

>> Talkback: Have your say

Do you have the power to resolve technical issues with one call?
Watch this webcast to get an under-the-hood look at a remote support solution that enables the IT organization to be the engine that keeps your end users productive and your company running.

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

How Does Your IT Help Desk Measure Up? - Today's IT help desks must respond to their companies' growing service needs without increasing their already strained staff...
Best Practices for the Service Desk - According to a recent study only 53 percent of surveyed IT users are satisfied with their help desk support. Download this...
Discover How to Provide Anytime, Anywhere IT Support - Remote employees unduly bogged down with technical problems can mean significant losses in productivity, revenue and satisfaction...
Class of Service: Myths and Misconceptions - There has been much discussion about the benefits of CoS; but, there are also common myths, which unless challenged, can...
Factors to consider when comparing DSL or Cable - As the demand for high-speed access increases, businesses are looking for cost-effective connection options for remote workers...
Getting in Compliance with Government Data Regulations - This Whitepaper explores these standards and regulations-some firmly in place, some emerging, others in the formative stage...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

•

Application development

•

•

•

•

•

•

•

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

How malicious hackers get away with data

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
Xerox - Experience the colorful side of business at www.frugalcolor.com IBM - Webcast: Take control of your content- leverage MOSS AT&T - Thinking about IMS AT&T - Factors to consider when comparing DSL or Cable AT&T - Going mobile with today's technology AT&T - What to expect from a Technology Assessment. Polycom - Telepresence For The Enterprise GoToMyPC - Research Brief: Providing Secure and Cost-Effective Remote Access HP/Intel - If you don't have enough I/O, your VMs aren't going to go. AppAssure - Keeping the E-Mail Flowing Tripwire - Secure your virtual and physical environments with the same software. CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity		CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event Cirba - Consolidating Workloads onto Mainframes AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist