Cluster Stego

April 27, 2011

Coincidentally enough, right after this week’s Definition Monday on steganography, researchers have come up with yet another new stego scheme: this one is based on the cluster fragmentation of particular files on the hard drive. An Open Source implementation is upcoming.

While this doesn’t seem as robust as a system like the (sadly defunct) Linux stegFS project, it’s still a pretty interesting innovation.

Playstation Network Breach

April 27, 2011

Sony is not having a great week. Looks like some “external attacker” has made off with the mother lode of data from the subscription section of Playstation Network.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

Seattle Wardriving

April 27, 2011

The police in Seattle have seized a black Mercedes thought to be used for large-scale “wardriving” data theft from area businesses. The owners were cruising around the city, looking for small businesses using vulnerable WEP encryption on their wireless networks, and then intercepting data for later use.

If your company has a wireless network, PLEASE be aware of the security implications of what you’re doing. Wireless isn’t like traditional Ethernet – the radio waves can travel right through the walls into the parking lot or other public space, and simple point-and-click eavesdropping tools make it easy for even a technical neophyte to gather data from a misconfigured network.


April 26, 2011

I assume that you’ve heard at least some of the wailing and gnashing of teeth about iDevices caching location information, allowing for the use of an iPhone or the computer that it syncs to as a record of the owner’s physical movement.

Well, if you would like to see how thorough it is, check out iPhoneTracker. This is a simple application for OS X that will search the hard drive of your computer, find the cached information from an iDevice that’s synced to that computer, and build a map of where you’ve been with it. Ta-da! If you’re using a Windows machine, check out the Linux port iPhoneMap under Cygwin instead.

Definition Monday: Steganography

April 25, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Steganography.

Steganography, a term derived from the Greek for “covered writing”, refers to techniques for hiding a covert message in an unsuspected object or communication. Historical examples abound – from the ancient Greeks tattooing messages on the scalps of trusted slaves to Boy Scouts using lemon juice as invisible ink to send hidden messages. In modern parlance, it more often refers to “digital steganography”, the use of computers to embed messages into an innocuous file.

(A couple of vocabulary terms before we continue. “Stego” is a common abbreviation for steganography, both for the sake of brevity and because most spell checkers choke on the full word. The data that is being secretly conveyed is often called the “message” or the “payload”. The file that the message is hidden in is often called the “carrier”.)

It is important to note that there is a subtle difference between encryption and steganography. When two parties are communicating using an encrypted channel, there is still metadata available to an eavesdropper. For example, if you sent me an encrypted email, there would still be definitive proof that your email account was used to send some message to my email account. The purpose of stego, on the other hand, is to hide the fact that any message is being passed at all. If you upload an image with a hidden message embedded in it to your web gallery and then I download it, there is almost no way that anyone would correlate these events.

There are hundreds of different steganography applications available for all major operating systems – for the sake of example, I will look at OpenPuff. OpenPuff is a currently maintained Windows application designed to hide messages in a variety of different carrier types:

  • Images (BMP, JPG, PCX, PNG, TGA)
  • Audio (AIFF, MP3, NEXT/SUN, WAV)
  • Video (3GP, MP4, MPG, VOB)
  • Flash/Adobe (FLV, SWF, PDF)

What this means is that someone can hide up to a quarter-gigabyte of data inside something that appears to be a bitmap or video file, upload it to a common media sharing site like Facebook or Flickr, and have an accomplice download the file and extract the data. And unless your corporate defenses are set up to capture someone uploading data to a social media site – a filter that would no doubt be overwhelmed by false positives in most environments – you would be none the wiser. This is especially true now that OpenPuff is available as a Portable App, so it doesn’t even require install rights on the client machine.

Surprisingly, there have been very few cases of steganographic carriers spotted in the wild; lots of speculation about it as a threat, but very little proof. Then again, the point of the technology is to evade notice. Maybe it’s just really good at it.
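To make the carrier/payload idea concrete, here is an added example (not from this post, and not OpenPuff’s own algorithm): the simplest digital stego scheme, least-significant-bit embedding, applied to a constructed byte carrier, plus the comparison an examiner can run when a clean copy of the carrier is available. The function names and the gradient carrier are my own.

```python
# Added example, not from the post and not OpenPuff's algorithm: the simplest
# digital stego scheme, least-significant-bit (LSB) embedding, on a constructed
# byte carrier. Vocabulary follows the post: hidden data is the "payload", the
# file it hides in is the "carrier". The carrier stands in for raw 8-bit samples.

def capacity(carrier: bytes) -> int:
    """Payload bytes that fit: one bit per carrier byte, minus a 4-byte length header."""
    return len(carrier) // 8 - 4

def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite bit 0 of successive carrier bytes with the length header, then the payload."""
    if len(payload) > capacity(carrier):
        raise ValueError("carrier too small for payload")
    data = len(payload).to_bytes(4, "big") + payload
    out = bytearray(carrier)
    for i, byte in enumerate(data):
        for j in range(8):                       # most significant bit first
            bit = (byte >> (7 - j)) & 1
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | bit
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read bit 0 of each byte back: 32 bits of length, then that many payload bytes."""
    def read_bytes(count: int, offset: int) -> bytes:
        value = 0
        for k in range(count * 8):
            value = (value << 1) | (stego[offset + k] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)

def lsb_only_changes(original: bytes, suspect: bytes) -> tuple:
    """Examiner's check when a clean copy of the carrier exists: count bytes that
    differ, and how many of those differ only in bit 0. Editing or re-encoding a
    file disturbs higher bits too; pure LSB embedding leaves every diff equal to 1."""
    differing = lsb_only = 0
    for a, b in zip(original, suspect):
        if a != b:
            differing += 1
            if a ^ b == 1:
                lsb_only += 1
    return differing, lsb_only

if __name__ == "__main__":
    carrier = bytes((i * 7) % 256 for i in range(4096))   # constructed: a smooth gradient
    payload = b"meet at the usual place"                   # constructed payload
    stego = embed(carrier, payload)
    assert extract(stego) == payload
    print("capacity:", capacity(carrier), "diff/lsb-only:", lsb_only_changes(carrier, stego))
```

Without the original carrier to diff against, nothing in the stego file’s size or visible content gives the payload away, which is exactly why so few carriers are ever spotted.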

ASUS Transformer

April 25, 2011

While this isn’t technically a security-related topic, I wanted to pass along a link to this review of the new Android-powered ASUS EEE Transformer tablet. It’s running Honeycomb, much like the Motorola Xoom, but with an optional keyboard dock to turn it into a traditional laptop form factor.

It might be a good time to make sure that your NAC systems and other network infrastructure are capable of handling Android devices – I’m sure this is only the first of many laptop/desktop systems running the OS. It’s not just for phones any more.

Android DHCP Issue

April 20, 2011

Having trouble with misbehaving DHCP clients on Android devices? You are not alone. Check out this entry over at the Google bug tracker.

One of the possible culprits is a DHCP lease timer that’s tied to the system clock; unfortunately, that clock stops advancing while the device sleeps and simply jumps forward when it wakes, so the renewal request is never generated. Nice.

Trusted Identities Redux

April 20, 2011

An interesting analysis of the new “Trusted Identities in Cyberspace” initiative has been posted over at the Miller-McCune web site. It’s a refreshingly frank and clear-eyed assessment of the proposal, and a nice antidote to the manically cheery and optimistic presentation by NIST.

Glue Gun Theft

April 19, 2011

How do you steal hundreds of dollars from someone’s ATM account with nothing more than a five dollar Wal-Mart glue gun?

It’s simpler than you think.

Dropbox Decryption

April 19, 2011

Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.

Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.