Republished with permission from WatchGuard Technologies, Inc.

WatchGuard


Beware of Back Channels

by David Piscitello, Core Competence, Inc.

Good security administrators read logs, because logs reveal a great many things about how a network is used and abused. Typically, we worry about inbound traffic as the source of network threats, and our firewall rules reflect this -- we block all kinds of inbound traffic. We're more lenient when it comes to outbound traffic from our own users, who reside and work on our trusted networks. We trust these folks to do the right thing or we wouldn’t allow them on the trusted network in the first place, right? Unfortunately, most users don’t fully know what today’s Internet-based applications do, beyond what they see through their browser or client software. And while most Internet applications do pretty much what users expect, many perform surreptitious activities that compromise privacy and security. This article considers applications that use back channels: the risks these present, how to spot them, and how to deal with them. 

What Is a Back Channel?

Simply, a back channel is an outbound connection to a server on the Internet, automatically established by client software running a PC behind your firewall. It can also be as innocuous as some small bit of information ("cookies”) left on a client desktop in an easily accessible location. The purposes of back channel connections and information gathering cookies are numerous, and can be classified as Useful, Questionable, and Evil. Let’s look at examples from each category.

Useful Back Channels

Some applications use back channels to provide a service. The BackWeb InfoCenter that has powered WatchGuard’s LiveSecurity Service uses an encrypted back channel. It periodically initiates a TCP connection on port 443 (HTTPS) to connect to WatchGuard’s LSS server, to see if any new content awaits delivery. 

Another useful back channel: I access my Firebox Control Center Software on my protected network using a secure remote control application from ExpertCity called GoToMyPC. The PC server software I installed sends a TCP connect request on port 8200 to GoToMyPC’s broker every 15 seconds, checking to see if I’m trying to remotely access this protected host. If so, ExpertCity relays encrypted sessions between my protected host and whatever system I happen to be using on the Internet. 

These are good examples (my opinion, of course) of applications that have back channels for useful purposes. Both protect traffic using encryption. Other examples of useful back channels include software that PC manufacturers install to periodically see if software updates are available. The key differentiator for the back channels I mention here is trust – I know what these back channels do, and have decided to trust them in order to accomplish a business goal.

Questionable Back Channels

Many free- and shareware games, music players, Internet utilities, and free versions of certain commercial applications like Eudora Mail and Instant Messenger advertise supported software, or adware. The software’s free to you, but subsidized by merchants who pay to display ad banners in the program window. Passive advertising-supported software in and of itself is not a security worry. But increasingly, such software has been found to gather information about a person, organization, or system without knowledge or permission; this is often dubbed spyware.  

Spyware is a sensitive term, especially to companies like Comet Cursor, Radiate, CyDoor, DoubleClick, Colonize, and others who market this kind of tracking technology. Such companies claim that the software they provide is installed voluntarily, and that they provide detailed privacy disclosure statements. But millions of copies of software with embedded tracking technology are used, and only a small proportion of users are fully aware of what these back channels do or the existence of privacy statements (much less, what the statements disclose). 

The privacy issues with back channel adware are as troubling as dealing with cookies, those potentially nefarious bits of data that are tracked on behalf of e-merchants, et. al. At best, cookies and information collected through back channels may be used to personalize your Web experience; at worst, undisclosed collection of such information is no different from the info- gathering attackers do, with the same potential for misuse. Remember, too, that adware/spyware is an application. Unless you’ve restricted access to your registry and other critical Windows files, it’s tough to confidently state whether an application purporting to be adware is goodware or badware.

Evil Back Channels

An evil back channel application, or badware, is software like a root kit. Root kits are installed by an attacker who has compromised a *NIX system. Root kits vary, but any could be written to automatically open back channels. Zombies of DDOS attack tools like Trinoo (or trin00), TFN, TFN2K, and Stacheldraht don’t strictly open back channels, but they do open channels you definitely don’t want originating from your network! Programs like Back Orifice and NetBus can also provide a remote attacker with a high degree of access and control. As is the case with root kits, BO and NetBus servers can be used as relays for traffic and be programmed to create outbound connections to other hosts the attacker wishes to access.

Users may recognize common hacker tools and viruses by name and instantly realize they are badware. More subtle are viruses such as BackOrifice that run under an innocuous process name like "Explorer." Worse yet are Trojans that overwrite a known, trusted application while presenting themselves as routine software updates. It's hard to know which applications you can really trust.

Take Control

That's why it’s important to identify, monitor and control adware traffic. Adware wants to be neutral, but actually tends to have a negative impact on your system. Your users may be leaking personal as well as system information that you’d prefer to keep in house. There’s also a network performance issue. Traffic from an adware application isn’t very noticeable when emanating from one or two desktops, but many adware applications running on lots of desktops consume more bandwidth than you may be willing to squander.

Back channels are easy to overlook, especially if you've configured your firewall's outbound services to allow ANY: you have lots of ports through which installed badware can push traffic. So how do you deal with back channel applications? 

Take countermeasures at both the desktop and your firewall. First, educate your users regarding privacy, back channel applications, and cookies. Recommend cookie management software or browser plug-ins that users can run to selectively block cookies, to protect themselves from "tracking cookies" (cookies used by tracking technology to help capture user behavior), and to limit the information that browsers reveal to servers. (A good starting point: AdCop.org.) Encourage users to adopt adware detection and removal utilities like Ad-Aware from Spychecker or Steve Gibson’s OptOut. Educate users about safe software installation. Teach them to check applet and executable digital signatures to make sure the updates are authentic.

At your firewall, you have several choices. The first is to block all outbound traffic except applications you know you wish to permit; for example, HTTP/Web and DNS. Since this will stop some of the access your users are used to having, this will definitely make your phone ring, and that's intentional. Have users explain the application they are attempting to use, and justify each port you are expected to open. You can advise users in advance of this action. The notice alone may be enough to eliminate certain applications from your network.

If this approach is too draconian for your organization, then log all outbound allowed traffic over a sufficient period of time that you can obtain a reasonably accurate picture of the ports and servers your users access. Now study your logs. Sally’s using AOL Instant Messenger (port 5190); Dave’s using GoToMyPC (port 8200). I see traffic over port 31337 (Back Orifice) – trouble! Accumulate the port and (optionally) host information, and refine your outbound rules to allow appropriate services but block all others. Not sure what kind of activity happens at each port? You can find out here.

Like dealing with SPAM, blocking adware/spyware is a challenge. Many back channels use ports you don't want to close, such as HTTP port 80 and even DNS port 53! You can view a fairly comprehensive list of ‘spyware’ or download the list from AdCop.org. Post or distribute it to your users, and urge them to pay attention to what they download onto company networks. But take action soon. It's your network; why let someone else control it? ##

Was this article helpful to you? Have a topic in mind you wish we'd write about? Let us know by e-mailing lsseditor@watchguard.com.

Copyright© 2001, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.



Copyright © 1996 - 2001 WatchGuard Technologies, Inc. All rights reserved.
Legal Notice/Terms of Use