Small Business Defense – Steganography
- At September 03, 2009
- By Josh More
- In Business Security
First of all, I have to stress that this is a good news / bad news situation. The good news is that the vast majority of you have nothing to worry about from steganography. The bad news is that the reason steganography isn’t a threat is that you probably have a great many more holes that are easier for an attacker to exploit.
If an attacker can email out random files, that’s much simpler. If they can burn CDs or write to USB drives (remember that many MP3 players are also USB drives), they could do that. Some data could simply be printed out and carried off. Attackers could also transfer files away directly via many protocols such as HTTP, FTP and SCP.
So, realistically, you only have to worry about steganography if you’ve managed to close off all these other leak vectors. Most businesses haven’t, so the rest of this is probably not of much use to you. If you haven’t, start identifying valid outbound traffic and blocking everything else. That alone will likely take several months. Then come back and read the rest.
The easiest way to prevent steganography is to prevent the sharing of outbound files. This means blocking attachments in email, and severely limiting access to all other websites. This means no eBay, no Flickr, no Facebook. No external websites of any kind. Any site that allows users to post content should be off limits.
This leaves one major vector – public-facing web sites. Luckily, you have control over these, so you can directly manipulate the files. There are tools that can help you identify files that might contain hidden data. They work by mathematically analyzing the files and seeing if they are altered from a “normal” distribution. Another method would be to collect hash signatures for each file, and check for alteration. This does, however, require that you have absolute trust in the person creating the files and depends on the hash algorithms being secure. These days, that may not be such a safe bet.
So, as cool as this technology is, it’s important not to rely entirely upon it. There may be file types it cannot identify or new techniques to hide data. It may be better to configure the web server to only allow certain types of files (such as .jpg and .png files) and then attack the data source directly. Simply alter each image file and randomize the lower order bits. This way, it doesn’t matter if there was steganography in them or not. It’s removed before it goes online.
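The low-order-bit randomization described above, as an added example that is not part of the original post. It assumes the image has already been decoded to raw 8-bit samples (for instance the RGB bytes of a PNG); the function names, the cover buffer and the hidden string are all constructed for illustration, and the 2-bit default matches the "last 2 bits" mentioned in the companion attack post.

```python
import secrets

def scrub_low_bits(samples: bytes, bits: int = 2) -> bytes:
    """Overwrite the low `bits` of every 8-bit sample with fresh random bits."""
    if not 1 <= bits <= 7:
        raise ValueError("bits must be between 1 and 7")
    mask = (1 << bits) - 1
    noise = secrets.token_bytes(len(samples))
    return bytes((s & (0xFF ^ mask)) | (n & mask) for s, n in zip(samples, noise))

def read_low_bits(samples: bytes, nbytes: int, bits: int = 2) -> bytes:
    """Pack the low bits of consecutive samples into bytes, most significant first."""
    mask = (1 << bits) - 1
    acc = nbits = 0
    out = bytearray()
    for s in samples:
        if len(out) == nbytes:
            break
        acc = (acc << bits) | (s & mask)
        nbits += bits
        if nbits >= 8:
            nbits -= 8
            out.append(acc >> nbits)
            acc &= (1 << nbits) - 1
    return bytes(out)

def make_sample(cover: bytes, hidden: bytes, bits: int = 2) -> bytes:
    """Build constructed test data: `cover` carrying `hidden` in its low bits."""
    mask = (1 << bits) - 1
    nchunks = -(-len(hidden) * 8 // bits)  # ceiling division
    stream = int.from_bytes(hidden, "big") << (nchunks * bits - len(hidden) * 8)
    out = bytearray(cover)
    for i in range(nchunks):
        chunk = (stream >> ((nchunks - 1 - i) * bits)) & mask
        out[i] = (out[i] & (0xFF ^ mask)) | chunk
    return bytes(out)

# Constructed sample data: a synthetic gradient standing in for decoded pixels.
COVER = bytes((i * 7) % 256 for i in range(256))
HIDDEN = b"constructed demo"
STEGO = make_sample(COVER, HIDDEN)   # what might arrive for publishing
CLEAN = scrub_low_bits(STEGO)        # what actually goes online

if __name__ == "__main__":
    print("before scrub:", read_low_bits(STEGO, len(HIDDEN)))
    print("after scrub: ", read_low_bits(CLEAN, len(HIDDEN)))
    print("max sample change:", max(abs(a - b) for a, b in zip(STEGO, CLEAN)))
```

No sample moves by more than 3 out of 255, and the scrub is applied to every file whether or not anything was detected in it.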
So, in conclusion, steganography is a real threat, but it is also more difficult to use than many other commonly existing holes in infrastructure. It’s not easy to deal with, and if you have other holes open, it’s probably not worth going after. However, if you can manage to deal with all the other threats, it’s worth considering.
Small Business Attack – Steganography
- At September 02, 2009
- By Josh More
- In Business Security
Steganography is talked about a lot in the security field, but not much outside of it. Though there are many forms of varying complexity, at its core all you need to know is that steganography involves hiding data inside of other data. It is commonly used with pictures, but it can be applied to pretty much any file. Any file that you may need to use in your business could be used as a conduit for other data.
Take, for example, this photo, which is on your website (maybe you sell bone adhesives, I don’t know):
Suppose that you had some top secret data that you wanted to hide (clearly highly confidential):
An attacker could use one of many tools to embed the highly confidential image within the safe one, and most people would be none the wiser. For example:

(For the technically inclined, I used stegotools and the last 2 bits to hide the image. Try it out if you like.)
It’s important to realize that this example is highly contrived. In the real world, attackers can use any file at all and any transport mechanism:
- Logos on a web site
- Press releases emailed out
- Financial documents on CD
If you have any confidential data at all, and any way of communicating with the public, the data can be leaked. How can you protect yourself?
(A thank you goes out to kordite and The Metro Library and Archive for making their images available under the Creative Commons, and allowing me to make some really bad puns.)


