Get APLawrence.com by RSS
Steganography
Michael DesrosiersAs you might have noticed the look, smell and taste of the monthly ITSecure SecurityFacts e-newsletter is the same. What has changed is our name. We are extremely excited about our new name, m3ip and hope that our new format will provide a better understanding of what our firm can do for you regarding risk mitigation and management consulting.
This informational e-newsletter is intended to raise the level of awareness within the user community. If you deem it to be spam or irrelevant in your environment just send us an email at mdesrosiers@m3ipinc.com and in the body of the message type in "no mas". We will not take it personally.
This month's topic is about steganography, the art of hiding information by embedding messages within other seemingly harmless messages. After last weeks latest patch from Microsoft regarding the extremely critical .wmf Metafile error handling vulnerability, we think now would be a good time to explain how these types of exploits could be used in a so called "zero-day" scenario using steganography.
Steganography which basically means covered writing, dates back to ancient Greece where common practice consisted of etching messages in wooden tablets. There are numerous steganographic methods that everyone is familiar with, ranging from invisible ink and Morse Code to a hidden message in the last letter of each word of a large body of text and spread across the full spectrum of a radio transmission. With computers and networks, there are many other ways of hiding information, such as:
Hiding files in "plain sight";
Covert channels between hackers and compromised systems;
Null ciphers;
Hidden text within certain web pages.
Let's take what constitutes a null cipher. If myself and another person had previously agreed that when we correspond by email that just the first letters of our paragraph's words would have meaning, we could decrypt the information that was truly meaningful.
Below is an example that I found on the on-line encyclopedia site, Wikipedia:
From:
News Eight Weather: Tonight increasing snow. Unexpected precipitation
smothers eastern towns. Be extremely cautious and use snowtires especially
heading east. The highway is not knowingly slippery. Highway evacuation
is suspected. Police report emergency situations in downtown ending near
Tuesday.
To:
Newt is upset because he thinks he is President.
There are a number of uses for steganography. One of the most widely used applications is for digital watermarking. A watermark historically is the replication of an image, logo or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function. A graphic artist for example, might post sample images on her Web site complete with an embedded signature so that she can later prove her ownership in case others attempt to portray her work as their own. There also is another method or use, which is currently being used by the cracker community. There are several examples that they are using steganography to embed messages for their groups within images that are posted to known web sites.
Steganography is significantly more sophisticated than the examples above suggest, allowing someone to hide significant amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected, first it is encrypted and then hidden so that an individual has to first find the information and then decrypt it.
Below is a great website for more information on this subject:
http://www.petitcolas.net/fabien/steganography/stego_soft.html
There you have it. Steganography is a really interesting subject and outside of the mainstream cryptography and system administration that most of us deal with on a daily basis.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.
Regards,
Michael Desrosiers
Founder
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com
Enter your email address for automatic notification of new posts here
(be sure to whitelist 'feedburner.com' if you use spam filtering)
| Views for this page | ||||
|---|---|---|---|---|
| Today | This Week | This Month | This Year | Overall |
| 2 | 9 | 17 | 17 | 2,727 |
/MDesrosiers/steganography.html copyright January 2006 Michael Desrosiers All Rights Reserved
Have you tried Searching this site?
Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.
SCO, OpenServer, UnixWare, software, servers, security, networks, installation, administration, troubleshooting, maintenance, Watchguard, firewalls, VPNs, e-mail. Visit us at Open Systems Computing and www.go2unix.com.
http://www.schewanick.com SCO Unix, Solaris, Linx (various), PHP, MySQL, Apache, uniBasic, dL4, Perl, System Administration and more....
larryi@ccamedical.com SCO OS5, Debian Linux, RedHat Linux, MySQL, Apache, AJAX development using dXport/dL4/Unibasic, Windows Connectivity, Sharing Resouces, Automation, Shell Scripting
Click here to add your comments