bill’s blog


Browsing Posts published in March, 2010

Steganography is the art of hiding things in plain sight! The practice dates back to the days of ancient Greece. One story has it that Histiaeus, the ruler of Miletus, shaved the head of a slave, tattooed a message on his scalp and then sent the slave to Greece, where the head was shaved again and the message delivered. Fast-forward two thousand years to the American Revolution: both the British and American forces made use of invisible inks. They would write a message in special ink on a nondescript piece of paper, and when the message reached its intended recipient, a reagent was used to make the ink (and the message) visible again. Today, through the use of specially designed tools, we can embed messages in common graphics and/or music files. Once the file has been encoded, one can post it on a web page, or distribute it by some other accessible means, and instantly pass along the hidden message.

Much press has been given to using steganographic tools on the Windows platform, but does that mean those of us using a Macintosh or a Linux distribution are out of luck? Certainly not! This post will detail how to embed data in a JPEG, first on the Macintosh using an application called Cryptix, and then with a command-line tool on Linux.

Cryptix on OSX

You can download a copy of Cryptix from http://www.rbcafe.com/cryptix. Once it is downloaded, encrypting a JPEG is pretty straightforward. Under the Tools pull-down menu select Steganography. You have two choices: either use Cryptix’s built-in tool or the GUI version of the open source tool Outguess. One thing to keep in mind… if you use Cryptix’s built-in tool, only Cryptix can unlock the secrets embedded in the file it creates. If you need to share with users on other platforms, Outguess GUI is your best bet! Let’s take a look at Cryptix’s built-in tool!

In the Key field we added a very simple passphrase. In real life you may want to use something a bit more complex. The message field is where we place the data we want to embed in our JPEG. If the message is short, typing it is simple; otherwise Cryptix allows you to paste data into the message field. Next, click the Encrypt button. You will be presented with the following dialogue sheet.

Select the file you wish to embed your data into. Next, select a filename for the newly created (or modified) JPEG.

Now you can open the newly created file in any application that can read a .jpg file.

NOTE: A word of caution! The file size of the newly created JPEG was 10X larger than the original file. Additionally, there were some extreme artifacts left after the embedding process. I originally tried to embed Sun Tzu’s Art of War into the file and got some erratic results. I attributed the result to the amount of data I was trying to embed. However, in the above how-to, the amount of text embedded into the JPEG was minimal! If you look closely at that file, there are still some visual artifacts remaining. (See below.)

[Images: Original JPEG; How-To JPEG; Art of War JPEG]

One could overlook the artifacts left behind in the how-to JPEG if the original file were not on hand for comparison. Additionally, if you were to look at the histograms of the modified files, you could definitely see that there are problems with them. Your results will vary based on how much data you’re trying to embed and how big the original graphic file is.

Outguess on Ubuntu

Outguess is a command-line driven tool. Some find this an obstacle, but it is easy to use. The man page for outguess is pretty complete, with examples. An online version can be found at http://manpages.ubuntu.com/manpages/gutsy/man1/outguess.1.html.

Installing Outguess on Ubuntu is fairly straightforward. Open Synaptic Package Manager, type outguess into the search field and install the package.

Once that completes, outguess can be found in /usr/bin. Open a terminal window. NOTE: I placed both the JPEG I wanted to embed data in and the file containing my data into the same directory for simplicity’s sake! Navigate to the directory your files are located in. Enter the following command (modify the file names to match your files).

root@corusant# outguess -k password -d TopSecretMessage.txt before.JPG after.JPG

The -k flag is the passphrase you’re going to use to protect the embedded data; you will need it to extract the data at a later date. The -d flag names the file that contains the data you want to embed in the JPEG. before.JPG needs to exist before the process begins, BUT after.JPG is created by outguess at the end of the embedding process.

You should see output similar to this:

Reading before.JPG....
JPEG compression quality set to 75
Extracting usable bits:   181591 bits
Correctable message size: 14684 bits, 8.09%
Encoded 'TopSecretMessage.txt': 1400 bits, 175 bytes
Finding best embedding...
0:   682(47.6%)[48.7%], bias   739(1.08), saved: 2, total:  0.38%
2:   682(47.6%)[48.7%], bias   687(1.01), saved: 2, total:  0.38%
46:  685(47.8%)[48.9%], bias   679(0.99), saved: 1, total:  0.38%
72:  676(47.2%)[48.3%], bias   675(1.00), saved: 3, total:  0.37%
82:  688(48.0%)[49.1%], bias   650(0.94), saved: 1, total:  0.38%
152: 698(48.7%)[49.9%], bias   638(0.91), saved: 0, total:  0.38%
152, 1336: Embedding data: 1400 in 181591
Bits embedded: 1432, changed: 698(48.7%)[49.9%], bias: 638, tot: 180854, skip: 179422
Foiling statistics: corrections: 324, failed: 0, offset: 64.375546 +- 165.386280
Total bits changed: 1336 (change 698 + bias 638)
Storing bitmap into data...
Writing after.JPG....

Congratulations! You’ve just embedded the contents of the file TopSecretMessage.txt into the file after.JPG. Retrieving the data from after.JPG is just as simple.

root@corusant # outguess -k password -r after.JPG hidden.txt
Reading after.JPG....
Extracting usable bits: 181591 bits
Steg retrieve: seed: 152, len: 175

You now have a file (hidden.txt) that contains the same data that was stored in TopSecretMessage.txt.

Resources:

Pierce, D. (2010, February 8). How To: Smuggle Secret Information with VOIP. Retrieved March 12, 2010 from http://www.wired.com/dangerroom/tag/steganography/

Provos, N. (2006, January 4). OutGuess – Information. Retrieved March 12, 2010 from http://www.outguess.org/info.php

Additional resources:

http://lifehacker.com/230915/geek-to-live–hide-data-in-files-with-easy-steganography-tools

http://www.linkgard.com/security_blog/introduction-to-steganography-and-steganalysis/

Getting up in front of any gathering of people can make many people uncomfortable. In fact, it is often rated as one of the top 10 common phobias. This social phobia affects about 15 million American adults, according to the National Institute of Mental Health (livescience.com, 2010). Practice makes perfect. The more you get up in front of people, the more comfortable you become with it. That holds true for anything in life: the more you do something, the better you get at doing it.

Preparation for your testimony starts well before you get into the courtroom. It starts the minute you’re actually assigned to the case, whether hired by an attorney or assigned by the jurisdiction you work for. You have to work at getting into a routine, or better yet a systematic approach to collecting evidence, if for nothing else than to eliminate mistakes. As with anything, have a game plan, but allow enough flexibility to keep from looking at evidence the same old way. Sun Tzu, the legendary Chinese military general and strategist, once wrote, “According as circumstances are favorable, one should modify one’s plan” (Giles, 2009). What Sun Tzu is expressing is that one must be open to change if change does not hurt the ultimate outcome. Attorneys will get to know you, if you’re good. Don’t always rely on the same course of action; change things up. They will have a harder time refuting your methods of collecting evidence.

In studying for my Master’s, I am looking to update my skill set… keeping current and, furthermore, looking at a completely new set of skills. This is extremely important for the expert witness. Why? Because lawyers need to discredit you and the evidence you bring to the table. If you’re shown to be 10 years behind the times in your learning, lawyers could use that to introduce doubt in the jury’s mind.

“Perhaps there are better ways to examine that hard drive Mr. Heese?”

The Federal Rules of Civil Procedure, Rule 26, requires that you provide a report on the evidence you are testifying to. As part of that report you are required to list any published writings you’ve done in the last 10 years. Realize that since you are being considered an “expert” witness, it is assumed that you keep current and are completely knowledgeable in your field of expertise. What better way to keep things honest than to write about the things you know and let your peers refute or agree with what you have to say? Publishing provides for this!

One thing we’re never really prepared for, and most celebrities aren’t either, is media attention! Sometimes you’ll get a case that is of particular interest to the public, such as the Pete Townshend child molestation case. In 2003 Pete Townshend, the guitarist for the rock band The Who, was arrested for downloading child pornography from the Internet. At the time, Townshend was placed on the sex offender registry for five years after he admitted using his credit card to view the images (Lisi, 2010). A perfect case for a computer forensics specialist! But there is a price to pay. The media is going to want to know if it’s true. You will be bombarded. What you say and do could taint your testimony! The media will try to judge the case in the press. They will distort the truth, and your words will be taken out of context.

You should know how the trial process works. Who speaks first? When is it your turn? You should know how to dress. What is appropriate attire? Are jeans and sneakers cool? Should you bring your lab coat? What is the proper etiquette in court? Speak to the jury; they are the ones you have to convince. Make eye contact! The fastest way to lose credibility is to look down at the floor when providing an answer. Know what you are going to say, but don’t spend a lot of time rehearsing things. Try to keep things simple without minimizing the importance of the testimony you are providing. You have to realize that you are the expert. You need to explain things to the jury on a level they can understand. Computers and the technology they bring to the table are complex. Many people may not be able to grasp the concepts they need to make a knowledgeable decision on guilt or innocence!

Resources:

Conners, S. & Giles, L. (2009, June 15). The Art of War – Classic Kindle Edition, Chapter 1, Section 17.

Lisi, C. (2010, January 28). Pete Townshend targeted as a ‘sex offender’ before Super Bowl. Retrieved March 9, 2010 from http://www.nypost.com/p/news/national/pete_townshend_targeted_as_sex_offender_3BJDh6zHpMRuPy9pSFfnUL

Unknown. (2010). What Really Scares People: Top 10 Phobias. Retrieved March 9, 2010 from http://www.livescience.com/culture/091023-top10-fear-1.html

There is suffering.
Suffering has a cause.
Suffering has an end.
There is a path that leads to the end of suffering.

– Gautama Buddha

For many years I’ve been editing /etc/motd to warn unwelcome visitors that they shouldn’t be on my systems. Unfortunately, by the time they see the motd they’re already on my system! SSH has an option to display a banner before a visitor is prompted for a password! Not only is this feature great for warning unwelcome visitors that they should stay away… it can also serve as acknowledgment of an acceptable use policy! They have to read the banner before they log in!

So what do I have to do to make this work? Read on!

First, log in to the server you wish to set up the banner on. The configuration files for sshd are all located in /etc (on OS X; most Linux distributions keep them in /etc/ssh)! Next you’ll need to create the file that contains the disclaimer. In my case I named it sshd_banner.

Open your favorite text editor and create your login banner file:

sudo vi /etc/sshd_banner

Edit the file however you wish. Mine contains the following:

Unauthorized Access Prohibited!
Authorized users are bound by randomdog.net’s acceptable use policy!

Next you’re going to have to edit the sshd_config file.

sudo vi /etc/sshd_config

The line you are looking for is:

# no default banner path
# Banner path/to/file

Edit it to read:

# no default banner path
Banner /etc/sshd_banner

The last thing you need to do is restart the sshd process. This can be done in Server Admin: select the server you were working on, then under the Settings tab deselect Remote Login (SSH), save, and then re-enable it. On an OS X client, go to Sharing, deselect Remote Login, save, and then re-enable it.

You should now see something like this:

columbia:~ billheese$ ssh billheese@10.0.10.10
Unauthorized Access Prohibited!
Authorized users are bound by randomdog.net’s acceptable use policy!
Password:
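An added example, not part of the original post: a POSIX shell check that audits an sshd_config for the Banner directive enabled above, reporting the configured banner path only when the directive is actually in effect (not still commented out, not set to none, and not tucked inside a Match block) and the banner file exists and is non-empty. It takes the config path as an argument; the post’s /etc/sshd_config is the OS X location, while most Linux distributions use /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for an
# active Banner directive and make sure the file it points at exists.
# Pass the config path; the post uses /etc/sshd_config (OS X), while most
# Linux distributions keep it at /etc/ssh/sshd_config.

# banner_path CONFIG
# Prints the value of the first effective Banner directive in the global
# section of CONFIG, or nothing if there is none. sshd keywords are
# case-insensitive and the first occurrence wins, so the scan stops at the
# first hit. It also stops at the first Match block: a Banner set there
# applies only to the users or hosts that block selects, not to everyone.
# A commented-out line (the default "# Banner path/to/file") has "#" as
# its first field and is therefore skipped.
banner_path() {
    awk 'tolower($1) == "match"  { exit }
         tolower($1) == "banner" { print $2; exit }' "$1"
}

# check_banner CONFIG
# Returns 0 when a pre-authentication banner is really in effect: the
# directive is present and not "none", and the banner file is non-empty.
# Each failure mode prints a one-line reason so the check can sit in a
# hardening script or a cron job that watches for configuration drift.
check_banner() {
    cfg=$1
    path=$(banner_path "$cfg")
    if [ -z "$path" ]; then
        echo "FAIL: no active Banner directive in the global section of $cfg"
        return 1
    fi
    case $(printf '%s' "$path" | tr 'A-Z' 'a-z') in
        none)
            echo "FAIL: Banner is explicitly disabled (none) in $cfg"
            return 1 ;;
    esac
    if [ ! -s "$path" ]; then
        echo "FAIL: Banner $path is missing or empty; sshd will send no banner"
        return 1
    fi
    lines=$(wc -l < "$path" | tr -d ' ')
    echo "OK: Banner $path ($lines lines) is shown before the password prompt"
    return 0
}

# Usage on the post's system:  check_banner /etc/sshd_config
```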

Many things go into the exchange of information. How is it communicated? How is that information received, and most importantly, how is it interpreted? Things such as the person’s tone or body language, or in the case of the written word, what words were chosen and how they were used. Is the wording formal or informal? All of these factors are part of the communication process. It is evident from reading the article that different people may interpret the same information in many ways. Clearly and precisely stating your point is extremely important, especially when human lives are at stake.

Let’s take a look at what we have learned.

In the case of the Columbia accident, the information was passed around over a long period of time. NASA knew that foam from the external fuel tank breaks free during launch and could damage the shuttle. NASA failed to take timely measures to correct the problem.

In the case of the Challenger disaster, the engineers at Morton Thiokol had expressed to NASA their concern that the cold could cause the O-rings to fail. The information was communicated over a very short period of time (less than 24 hours). The engineers didn’t have hard facts, and NASA was under pressure to launch.

Now, let’s take a look at another NASA mishap, the Apollo 1 fire. On January 27, 1967, the Apollo 1 astronauts were performing a test and training exercise. During the course of the event a fire broke out in the spacecraft, killing all three astronauts. A number of factors were to blame: the 100% oxygen environment, the flammable materials in the cockpit (Velcro) and an inward-opening hatch. North American Aviation (the spacecraft’s builder) had argued with NASA officials that these factors could have catastrophic consequences.

It is interesting to note that on the only occasions we have lost astronauts in their spacecraft, NASA has been at odds with the spacecraft’s manufacturer. No one wants to be blamed for the death of another human being… so the blame game begins!

During the hearings on the shuttle tragedy, it came to light that two different people had two different opinions on what was being said. The article did not go into any detail on who these individuals were or whether they worked for NASA or the spacecraft’s manufacturer. It’s important to know which side of the fence these individuals sat on. Without this information an objective third party could draw the wrong conclusions. Clear and precise wording is just as important as what is being said.

Changing corporate culture? Hmmm, now there’s an idea.

Computer data is physically nothing more than ones and zeros, yet the information those ones and zeros represent can prove to be vastly important. On a very personal level it could represent our life’s savings in a QFD (Intuit Quicken) file, or it could be something a little more dramatic, such as the design plans for a Blackhawk helicopter! Either way, we wouldn’t want the information to get into the wrong hands. There are many ways to protect our data; certainly in the case of the Quicken data file, Intuit allows you to password-protect the file. Microsoft Office files and Adobe PDFs both have their own password protection schemes. BUT is your data truly safe? In the case of the latter two… it’s a fairly trivial task to crack the passwords. So what’s a person to do? Well, you could always hide things in plain sight using any number of steganographic tools! BUT all you’re really doing is hiding your data, much the same way pirates buried their booty! No… what we want (and many governmental agencies need… HELLO VA!) is whole disk encryption. There are many companies that provide encryption schemes for the boot partition: enter a password and boot your computer. This type of protection can get a bit expensive and problematic from an IT management perspective. In fact, we really don’t need to encrypt the entire disk… in actuality, we only need to encrypt the partition that contains our data. And for that we don’t need to spend a lot of money! Enter TrueCrypt.

TrueCrypt is an open source, cross-platform disk encryption tool. You can use it to create encrypted file containers. It will even do traditional boot disk encryption of a Windows partition! But as I mentioned earlier, we’re looking to encrypt just a single partition that houses our important data. TrueCrypt uses the AES-256, Serpent and Twofish encryption algorithms, and it provides plausible deniability! During the Iran-Contra hearings, Senator Sam Nunn (D-Georgia) provided a perfect definition of plausible deniability…

“Everybody I’ve talked to in the intelligence community and around town . . . tells me that the definition of that term is that when you set up plausible deniability for someone . . . they know the facts in question, but they can deny the knowledge, and that the denial is believable.” (Schwartz, 1987)

WOW, it doesn’t get any better than that! SO how do we use this tool? First, download the application from http://www.truecrypt.org/downloads. Once it is downloaded, the first thing I would do is make sure that I indeed downloaded the correct software by verifying the PGP signature provided by the developers! We’re talking about protecting your trusted data… take the extra step!

Install the application and double-click to launch the executable!

We want to encrypt a USB thumb drive with a hidden volume… The default window should look similar to this.

Click on Create Volume. You’ll be prompted with a series of questions. In our case, because we are encrypting an entire USB thumb drive, we should select…

Next, because we want plausible deniability, select the second option… If it was good enough for Ollie North, it’s good enough for me!

You’ll next be asked to select a disk to encrypt. You will also be asked to provide the password of an administrator of the system you are working on. This is needed because TrueCrypt will eventually be formatting the disk, and this requires administrative permissions.

Select the encryption and hash algorithms you prefer…

Select OK and TrueCrypt will begin encrypting your thumb drive. This could take some time… in the case of a 2GB thumb drive, this took about 15 minutes.

The one gotcha is that you will need to populate the outer volume with files that look important NOW, before the hidden volume is created: when the outer volume is later mounted on its own, TrueCrypt has no way of knowing where the hidden volume sits, so files written to the outer volume afterwards can overwrite it. We do this so that if you are forced to give up the password, when “they” unlock the drive it will look as if they got what they wanted. So make those files look good without giving away the farm!

After the process has finished, you will be prompted to create the hidden volume.

Creating the hidden volume is very similar to creating the outer volume! You’ll be prompted again to select which encryption and hash algorithms to use on your hidden partition. Next you’ll be asked how much space to allocate to your hidden partition… In my case I chose to allocate 3/4 of the space in half!

You’ll be asked to select a file system for the hidden volume. In my case I chose FAT, as this gives me the most options with regard to the OSes I can use the thumb drive with!

When the process is finally completed you’ll be presented with the following disclaimer…

Congratulations… you’ve just created your encrypted, plausibly deniable USB thumb drive!

Resources:

Schwartz, J. (1987, July 22). Plausible Deniability. Series: The Iran-Contra Hearings: The Tenth Week of Testimony. The Washington Post.