X

Hackers look to hide communications

A program called NCovert lets people intent on anonymously sending information conceal the source of communications and the data that travels over a network.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
LAS VEGAS--Hackers intent on anonymously sending data across the Internet have a new tool.

A program called NCovert uses spoofing techniques to hide the source of communications and the data that travels over the network--a potential boon to both privacy advocates and hackers, said Mark Loveless, senior security researcher for network protection firm BindView, who unveiled the program Thursday at the Black Hat Briefings security conference here.

"I am not going to beat around the bush," Loveless said. "If you have something to hide, you would use this--so it could help black hats (criminal hackers)."

The technique essentially creates a covert channel for communications by hiding four characters of data in the header's initial sequence number (ISN) field. The header is the part of data packets that tells network hardware and servers how to handle the information. The header also includes source and destination Internet protocol (IP) addresses. Those addresses are used to add anonymity to the communications.

Loveless, known among the security community as "Simple Nomad," said the key to the technique is to forge the source of the IP address to look like the intended recipient of the information, while the destination IP addresses points to another third-party server on the Internet.

The hacker would then send off a data packet to the third-party server with any valid-looking information in the data fields, but the real message would be hidden in four bytes of the ISN field. The packet would contain a message indicating to the third-party server that a computer wants to start a communications session. The server would acknowledge the message, but because of the forged source address, the message would be forwarded on to the recipient.

The technique makes it almost impossible to track where the original message came from, because the data holds only the addresses of the recipient and the third-party server.

The move to the next-generation Internet Protocol, IP version 6, will make it harder to spoof the address of the sender but will allow far more data to be hidden within the headers of the packets, Loveless said.

"There's a lot more room for data in IPV6," he said.