Security Saturday!
Years ago I wrote an article for a Dutch computer magazine. It was about steganography, the practice of hiding data in other data. This post is going to be a little short, since I am years behind on my study of it. However, it seemed a good idea to revisit the topic. Steganography is used in TOR, when dealing with government firewalls. Methods such as Elligator mask TOR setup messages to look like random traffic. This is a weak form of steganography, but a good real-world example.
In actuality the Elligator setup is used in combination with other steganographic techniques to make a better attempt at hiding the traffic, since random-looking traffic can still be suspect if it is sent openly. We shall leave this alone for now.
A more down-to-earth form of steganography is the classic example of hiding data in pictures while pretending that the data is actually just random camera artifacts. That is a mouthful; it works something like this:
Images on computer screens are typically encoded in RGB (Red, Green, Blue), with every color getting a certain value in the range of [0, 255]. Because one pixel has a green, blue and red part that can each get a certain intensity, we can mix colors on-screen with these values. For example (0, 255, 255) is a bright yellow pixel, created by means of mixing pure blue and pure green. Another combination, (0, 0, 0), creates a pure black pixel because of the absence of any color.
In most images there are slight variances in the colors. A red sweater might have colors in the range of R[160, 255], G[0, 30], B[0, 30]. This is because of light and shadow in the picture. We can hide data in an image like that by very explicitly setting each color value in a pixel. Digital data is encoded in 0 and 1, so we can decide that every even pixel value represents a 0 for our hidden data, and every odd value represents a 1.
Then, very practically, if we have the secret message 010, and a pixel (98, 122, 99) of a weird brown color, we hide our data by saying:
We get some choice in whether we go one higher or one lower to get the numbers we want, so we can even try to bamboozle possible spies by sometimes choosing to add one, and sometimes choosing to subtract one. Smart adversaries cannot be fooled this way, but having options is definitely nice.
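The even/odd scheme above, written out as an added Python example (not code from the original post). The function names and every sample pixel other than (98, 122, 99) are constructed for illustration, and an image is represented as a plain list of (R, G, B) tuples.

```python
import random

def embed(pixels, bits, rng=None):
    """Hide `bits` (a string of 0/1) in a list of (R, G, B) tuples.

    Each channel value carries one bit: even means 0, odd means 1.
    """
    rng = rng or random.Random()
    flat = [v for px in pixels for v in px]
    if len(bits) > len(flat):
        raise ValueError("message is longer than the number of channel values")
    for i, bit in enumerate(bits):
        if flat[i] % 2 == int(bit):
            continue                      # parity already right, leave untouched
        step = rng.choice((-1, 1))        # one lower or one higher, both work
        if flat[i] == 0:
            step = 1                      # never leave the range [0, 255]
        elif flat[i] == 255:
            step = -1
        flat[i] += step
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract(pixels, nbits):
    """Read the first `nbits` hidden bits back out of the pixel values."""
    flat = [v for px in pixels for v in px]
    return "".join(str(v % 2) for v in flat[:nbits])

def text_to_bits(text):
    return "".join(f"{byte:08b}" for byte in text.encode("utf-8"))

def bits_to_text(bits):
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("utf-8")

if __name__ == "__main__":
    # The pixel and message from the text: 98 stays, 122 and 99 each move by one.
    print(embed([(98, 122, 99)], "010"))
    # Constructed "red sweater" pixels inside the ranges mentioned above.
    cover = [(200, 12, 7), (187, 3, 29), (255, 0, 15),
             (160, 30, 30), (231, 18, 4), (174, 9, 22)]
    secret = text_to_bits("hi")           # 16 bits, 18 channel values available
    stego = embed(cover, secret)
    print(stego, bits_to_text(extract(stego, len(secret))))
```

No channel value moves by more than one, so the picture looks unchanged to the eye, while the receiver only needs to know how many bits to read.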
There are more ways to play around with images, and the standard method described above can be found within seconds. There are methods to hide data better, in a more random way, but I will not get into them here. Besides images, you can also use certain music formats (so people told me, I did not check). Moreover, many documents and files have meta-data which can be used to hide even more data. Of course, when you know how the data in a certain computer file works, you can usually find a way to hide more data in it.
https://crypto.interactive-maths.com/steganography.html
Steganography is a good way to hide communication that you do not want others to know is even happening. This goes a step further than making sure people do not know what is being said: one can now also hide that anything is being said besides the obvious image (or audio file). Even better, when you tweet out a picture (granted that it does not get modified during upload) you can even hide who the message was for, because even if they prove you sent a hidden message, thousands of people saw the regular image and are therefore suspect.
Of course, this is also a way for botnets, viruses, and other bad stuff to hide their bad actions in harmless picture uploads and downloads. From a security management perspective, the possibility of steganography being at play turns most traffic into a suspect when experiencing something like data exfiltration (theft) or potential botnet behaviour. This is a reason people say we should not encrypt traffic until after it leaves the company network, since then at least you can see that workstation 3 posted a meme to Twitter, then read the reply to it, and then changed its actions.
https://www.sentinelone.com/blog/hiding-code-inside-images-malware-steganography/
But that is a discussion for another time.
There is so much more to this one chapter, but it is so good already!
I had to cut it short because guests arrived, but this should get you started on your own study :)
@calvinrempel Thank you once again for the Theology Tuesday you did, I refer back to it in this one :)
@JamesDerian Congratulations with your Marriage :)
Next time there might (almost certainly) not be a Theology Tuesday, so the official next one will be February 22nd! I have a marriage to attend. As the groom. Our home is still half a project.
Fun times!
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees; a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also about malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much but let's keep youtube links with risque thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" someone might ask. Yes, there is some music I choose not to listen to on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "Digital security". In essence we mean to say that our hardware and software that we use stays safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol - see Proverbs and the letters to Timothy - , although I did not use red wine. But hey, I am still on top of ...