I was recently asked to redo the permissions on 5TBs worth of data. There were inherited permissons that conflicted with the users new requirements… it was just a mess! I figured the best way to deal with this was to start from scratch… remove all ACLs and start fresh.
The easiest way I’ve found to do this is…
sudo chmod -R -N ./*
Steganography is the art of hiding things in plain sight! The practice dates back to the days of ancient Greece. One story has it that Histaeus, the ruler of Miletus, shaved the head of a slave, and tattooed a message on his scalp and then sent the slave to Greece where the head was shaved and the message delivered. Fast-forward two thousand years to the American Revolution, both the British and American forces made use of invisible inks. They would write a message using special ink on a nondescript piece of paper. When the message got to its intended recipient, a reagent would be used to make the ink (and the message) visible again. Today, through the use of specially designed tools, we can embed messages in common graphics and/or music files. Once the file has been encoded, one can then post the files on a webpage or through some other accessible means and instantly pass along our hidden message.
Much press has been given to using steganographic tools on the Windows platform but does that mean those of us using a Macintosh or Linux distribution are out of luck? Certainly not! This posting will detail out how to encode a jpeg on both the Macintosh platform using an application called Cryptix and then we will look at a command line option of the Linux platform.
Cryptix on OSX
You can download a copy of Cryptix from http://www.rbcafe.com/cryptix. Once downloaded the operation of the encrypting a jpeg is pretty straightforward. Under the Tools pull down menu select Steganography. You have two choices either to use Cryptix’s built in tool or the GUI version of open source tool Outguess. One thing to keep in mind… If you use Cryptix’s built in tool only Cryptix can unlock the secrets embedded in the file that was created. If you need to share with users on other platforms… Outguess GUI is your best bet! Let’s take a look at Cryptix’s built in tool!
In the Key field we added a very simple passphrase. In real life you may want to use something a bit more complex. The message field is where we place the data we were looking to embed in our JPEG. If the message is short typing the message is fairly simple otherwise Cryptix does allow you to paste data into the message field. Next click of the Encrypt button. You will be presented with the following dialogue sheet.
Select the file you wish to embed your data into. Next select a filename for the newly created (or modified) JPEG.
Now you can open the newly created file within an application that can read a .jpg file.
NOTE: A word of caution! The file size of the newly created jpeg was 10X larger than the original file. Additionally, there were some extreme artifacts left after the embedding process. I originally tried to embed Sun Tzu’s Art of War into the file and got some erratic results. I attributed the result due to the amount of data I was trying to embed. However, in the above How-To, the amount of text embedded into the jpeg was minimal! If you look closely at that file, there still some visual artifacts remaining. (See below)
 |
 |
 |
| Original JPEG | How-To JPEG | Art of War JPEP |
One could over look the artifacts left behind in the how-to JPEG if the original file was not on hand to compare the difference. Additionally, if you were to look at the histograms of all the modified files one could definitely see there are problems with the file. Your results will vary based on how much data you’re trying to embed into and how big the original graphic file is.
Outguess on Ubuntu
Outguess is a command line driven tool. Some find this an obstacle but it is easy to use. The man page for the use outguess is pretty complete with examples. An online version can be found at http://manpages.ubuntu.com/manpages/gutsy/man1/outguess.1.html.
Installing Outguess on Ubuntu is fairly straightforward. Open Synaptic Package Manager and type outguess.
Once that completes, outguess can be found in /usr/bin. Open a terminal window. NOTE: I placed both the jpeg I wanted to embed with data and the file containing my data into the same directory for simplicy’s sack! Navigate to the dictortory that your files are located in. Enter the following command (please modify the file names based on your files).
root@corusant# outguess -k password -d TopSecretMessage.txt before.JPG after.JPG
The –k flag is the passphase you’re going to use to protect the embedded data. You will need this to extract the data at a late date. The –d flag is the file that contains the data you want to embed in the jpeg. The before.jpg needs to be available before the process begins BUT the after.JPG is created by outguess at the end of the embedding process.
You should see similar output:
Reading before.JPG....
JPEG compression quality set to 75
Extracting usable bits: 181591 bits
Correctable message size: 14684 bits, 8.09%
Encoded 'TopSecretMessage.txt': 1400 bits, 175 bytes
Finding best embedding...
0: 682(47.6%)[48.7%], bias 739(1.08), saved: 2, total: 0.38%
2: 682(47.6%)[48.7%], bias 687(1.01), saved: 2, total: 0.38%
46: 685(47.8%)[48.9%], bias 679(0.99), saved: 1, total: 0.38%
72: 676(47.2%)[48.3%], bias 675(1.00), saved: 3, total: 0.37%
82: 688(48.0%)[49.1%], bias 650(0.94), saved: 1, total: 0.38%
152: 698(48.7%)[49.9%], bias 638(0.91), saved: 0, total: 0.38%
152, 1336: Embedding data: 1400 in 181591
Bits embedded: 1432, changed: 698(48.7%)[49.9%], bias: 638, tot: 180854, skip: 179422
Foiling statistics: corrections: 324, failed: 0, offset: 64.375546 +- 165.386280
Total bits changed: 1336 (change 698 + bias 638)
Storing bitmap into data...
Writing after.JPG....
Congratulation! You’ve just embedded the contents of the file TopSecretMessage.txt into the file after.JPG. The process to retrieve data from after.JPG is just as simple.
root@corusant # outguess -k password -r after.JPG hidden.txt
Reading after.JPG....
Extracting usable bits: 181591 bits
Steg retrieve: seed: 152, len: 175
You now have a file (hidden.txt) that contains the same data that was stored in TopSecretMessage.txt
Resources:
Pierce, D. (2010, February 8th) How To: Smuggle Secret Information with VOIP, Retrieved on March 12th, 2010 from http://www.wired.com/dangerroom/tag/steganography/
Provos N., (2006, January 4), OutGuess – Information, Retrieved on March 12th, 2010 from http://www.outguess.org/info.php
Additional resources:
http://lifehacker.com/230915/geek-to-live–hide-data-in-files-with-easy-steganography-tools
http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/
In an odd twist of faith, risk assessment and encryption follow many of the same principles. It’s about indentifying what the data is worth and the putting a value to it. Once that is done, protecting the data becomes a matter of pain threshold. In other words, what can we afford to lose and how much will it cost use to protect it. In encryption the principle in effect is… How long will it take someone to crack the encryption and will the data still be valuable when they do. It is tricky to assess pain threshold as everyone feels like his or her data is the most important to the organization. Certainly trade secrets and financials rate high on the pain threshold index. BUT what about creative artwork? It depends. Is time to market critical? Or is there a feature set that will put your organization far in front of the competition? These are all questions that need to be answered before one can determine the worth of the data being protected.
Ultimately, if you want to deploy a technology it’s up to you to determine the ROI and present it to the holders of the purse strings. It’s up to you to convince them that what you’re trying to do is worth the investment.
ROI (or Return on Investment) is the key to the budgeting for any project particularly so in IT. We are a cost center in most organization. That doesn’t have to be. While we may spend dollars with the implementation of a project, we also are instrumental in saving the company money. Sometimes what seems like a mundane request from an end-user such as “The colors in this printer doesn’t match the other printer” can lead to a cost savings of over 3.4 million dollars a year in overall printing costs. Wish I saw some of that… maybe a small vacation… perhaps! Other projects have a much more expensive ticket to admission and being able to justify the cost is something you need to be equipped to deal with.
Spending on an Intrusion Detection System is tough. Why? Because there are no real hard up-front savings. IDSs need to be pitched as an insurance policy. You never know when you’re going to need it but when you do you’ll be glad you have it. PKI, and most encryption for that matter, works on the principle that it will take more time to crack the encryption than the information protected is good for. In his book, Time Based Security, author Winn Schwartau applies this concept to Intrusion Detection. If the time that protection mechanisms can withstand attack exceeds the time it takes to detect and effectively respond to attack, then a system can be secured (Schwartau, 1999).
Resources:
Schwartau, W., (1999), Time Based Security, Interpact Press
Project Management is an art form and anyone that tells you differently… Well let’s just say we all have our own opinions. The best-laid plans are just that plans. They are not steadfast nor have outside influences acted upon those plans. Projects are always in a state of flux until completed. And then even when you think they are done… well let’s just say some projects never end (especially in IT). The pioneers of modern project management, Henry Gantt (who gave us the Gantt charts) and Henri Foyol (who introduced the 5 stages of project development) are the fundamental tools used by any project coordinator. The author of the textbook takes Foyol’s basic principle and modifies them to meet the needs of someone rolling out an IDS.
Foyol’s five basic stages are:
Using these steps as a guideline merely sets the stage for a successful project. Without following these basic steps you may complete your project but I guarantee it won’t be as easy as it could have been.
Gantt charts are an excellent was of tracking a project. Both MS Project and ACE FastTrack allow for the setting of milestones. I personally use FastTrack and one of the really cool features of this program is its ability to push back other milestones based on missed deadlines. All projects get behind at some point (humans can’t predict when someone is going to be out sick). Seeing how one task is dependent on another is a valuable tool. There are many variables in life… many of which we can’t control. On the other hand… many things we can. It is the balancing of these two that lead to the meeting of deadlines. This makes me think back to Kennedy’s promise to put a man of the Moon by 1970. The deadline was established! However since no one had ever under took a project of this magnitude… It was incredibly difficult to budget and plan man-hours to accomplish the project. The contractors knew enough about their businesses to be able to balance what they knew with the unknown and unexpected AND they managed to make Kennedy’s dream a reality 5 months before the deadline. How’s that for project management?
Another wonderful malware day… Well not exactly, but a beautifully executed social engineering attack! Today a lot of my users called to say that they were getting emails from friends asking them to join tagged. A classic phishing attack and I can’t tell you how many people fell for it! In this case it wasn’t as bad as some of the ones asking for bank PINS & passwords but it’s another example of people not using common sense! Now I can’t say for certain what information they asked for but one should never give any person information.
The information age has made the exchange of data common place. Many of the things like our social security number and mother’s maiden name are so freely available that credit card companies already know the answers before you ever speak with them.
http://www.consumerfraudreporting.org/phishing_Tagged_dot_com.php
It seems that this particular scam has been circulating since 2007. SO my big question is why did it get past DefenderSoft? So for all you network admins out there the lesson learned is there is a big difference between companies that offer SPAM protection.
Password enumeration while not related to phishing should be mentioned.
A couple of things to keep in mind is never just click and email link and expect that is brings you to the site that is advertised in the email. When signing up at legitimate social networking sites be careful of allowing them access to your address book.
Luckily for me… a lot of the emails came from other employees so they were able to verify that the email was a scam.
ETHERAPE is an excellent “real-time” network-monitoring tool. It allows you the ability to see how your network is being utilized! The first time you start up Etherape you’ll know immediately what you are looking at. The larger the line the more traffic you’re seeing. Etherape separates out different types of traffic by color making it very easy to see which services of traffic are used the most relative to one another. Lastly, you can see which host is send verses, which is receiving the data. This is very important information. It will allow you to see whether the traffic is normal or not. For instance… Normally with http traffic, the server should be sending the vast majority of traffic out onto the wire. HTTP requests are far smaller then the actual content the server is putting out. However, if this is reversed and you see huge amounts of traffic coming in… and people are complaining they can’t get to the site… you may be the target of a Denial of Service attack! Simple yes BUT it does take a lot of the guesswork out of the troubleshooting process.
One nice feature to Etherape is that it has the ability to play back dump files. This comes in handy when you’re trying to analyze something that is happening when you’re not there to watch it. The down side to this is that there is no control over the speed of playback (therefore you’re watching packets fly by in real time). Ouch! Etherape doesn’t do much but what it does do it does nicely!
WIRESHARK like tcpdump uses the same libpcap library. So to that end you can make use of the same filters to capture/show only the traffic that relates to your specific area of concentration. Very often we are looking at a specific problem. It is always good to see the bigger picture and to that end one should be capturing all traffic at first to eliminate all variables (sometimes your traffic it simply being dropped). That would point you in a very different direction than if your packets were getting to the intended host but you were getting the wrong/inappropriate information back. Sometimes a machine will host many different services. You may want to filter out all traffic except the service that you’re having problems with. This is the sort of thing that filters would be great at. So let’s take a look at libpcap filters…
Let’s say we have a user who cannot log into their computer. Authentication is being provided from a server running Mac OSX v10.5. Their home directory also resides on the same host. The key thing here is that this user is trying to login from their Mac to an OpenDirectory server! There are a bunch of tools that you can use such as ping, traceroute, dscl, kinit and nslookup! BUT sometimes they can be deceiving! Based on the above info we need to make sure we are capturing traffic on the following ports: 53 for DNS, 88 for Kerberos, 389 for LDAP.
The first thing we could try is:
port 53
This will yield the results of a DNS query! OK yes you could do that using nslookup or dig… BUT those tools will not tell you how or what a host is sending for lookups. What is the query string that the host is sending? Perhaps you didn’t send the FQDN or better still the host is getting hung up on multiple search domains. DNS can be finicky!
Next filter…
port 88 and host 192.168.1.15
We know our KDC resides at 192.168.1.15 and Kerberos runs on port 88 by default. The granting of tickets should only yield 4 packets. If you’re seeing more than that perhaps the wrong password is being sent. We added the host IP address to make sure that we are actually seeing the right server. Additionally by looking through the packets we can make sure the Kerberos DOMAIN is being sent correctly.
One other really nice feature to Wireshark is that you can apply these same files to all the data already capture (whether it’s still in/tmp or in a pcap file).
TCPDUMP is a command line utility that enables an administrator (or anyone with certain sudo rights) to capture network traffic. It allows for the remote collection of packets (assuming you have access to a remote host). GUI based applications need to sit on the same wire as the traffic you’re trying to collect. This is not always possible especially if the network segment you’re trying to access is halfway across the globe. At a very basic level one can simply enter the following at a command prompt:
tcpdump -n -w ~/Desktop/dump_filename
(The –n flag tells tcpdump not to perform name lookups… No need to add erroneous packets for something you, as an administrator should already know! The –w tells tcpdump that you want to write the output to a file rather than STDOUT.)
NOTE: If you have more than one network interface, you will need to tell tcpdump which to use. This can be done by using the –i flag followed by the device number (en0, en1, etc.).
Keep in mind that when you tell tcpdump to write to file, you will not be returned to a command prompt until to tell tcpdump to exit. You should however see something similar to:
tcpdump: listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
You can exit tcpdump by pressing ‘^C’.
SO… Let’s look at one more tcpdump:
tcpdump -i en1 -vvv -n -w ~/Desktop/dump_filename_`date +%Y%m%d%H%M%S`.pcap
What have I done? Well we already know about the –I flag, the –n flag, and the –w flag. The –vvv makes sure that tcpdump capture the most it can (verbose capture). Sometimes you want to just see the connections other times you want to see what was sent. I’ve also added the date and time to the filename.
WOW… I played with Legos growing up and we’d try to make weapons… Especially after Star Wars came out! We never came close to anything like this!
