As you might have noticed the look, smell and taste of the monthly ITSecure SecurityFacts e-newsletter is the same. What has changed is our name. We are extremely excited about our new name, m3ip and hope that our new format will provide a better understanding of what our firm can do for you regarding risk mitigation and management consulting.
This informational e-newsletter is intended to raise the level of awareness within the user community. If you deem it to be spam or irrelevant in your environment just send us an email at firstname.lastname@example.org and in the body of the message type in "no mas". We will not take it personally.
This month's topic is about steganography, the art of hiding information by embedding messages within other seemingly harmless messages. After last weeks latest patch from Microsoft regarding the extremely critical .wmf Metafile error handling vulnerability, we think now would be a good time to explain how these types of exploits could be used in a so called "zero-day" scenario using steganography.
Steganography which basically means covered writing, dates back to ancient Greece where common practice consisted of etching messages in wooden tablets. There are numerous steganographic methods that everyone is familiar with, ranging from invisible ink and Morse Code to a hidden message in the last letter of each word of a large body of text and spread across the full spectrum of a radio transmission. With computers and networks, there are many other ways of hiding information, such as:
Hiding files in "plain sight";
Covert channels between hackers and compromised systems;
Hidden text within certain web pages.
Let's take what constitutes a null cipher. If myself and another person had previously agreed that when we correspond by email that just the first letters of our paragraph's words would have meaning, we could decrypt the information that was truly meaningful.
Below is an example that I found on the on-line encyclopedia site, Wikipedia:
From: News Eight Weather: Tonight increasing snow. Unexpected precipitation smothers eastern towns. Be extremely cautious and use snowtires especially heading east. The highway is not knowingly slippery. Highway evacuation is suspected. Police report emergency situations in downtown ending near Tuesday. To: Newt is upset because he thinks he is President.
There are a number of uses for steganography. One of the most widely used applications is for digital watermarking. A watermark historically is the replication of an image, logo or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function. A graphic artist for example, might post sample images on her Web site complete with an embedded signature so that she can later prove her ownership in case others attempt to portray her work as their own. There also is another method or use, which is currently being used by the cracker community. There are several examples that they are using steganography to embed messages for their groups within images that are posted to known web sites.
Steganography is significantly more sophisticated than the examples above suggest, allowing someone to hide significant amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected, first it is encrypted and then hidden so that an individual has to first find the information and then decrypt it.
There you have it. Steganography is a really interesting subject and outside of the mainstream cryptography and system administration that most of us deal with on a daily basis.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at email@example.com.
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2011-05-01 Michael Desrosiers
Anyone who slaps a 'this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network. (Tim Berners-Lee)