Unix Security - Steganography

[InfoSec News <isn () C4I ORG>]

Sex, Drugs & Technology
By Carole Fennelly

Once upon a time, Rock music was blamed for society's ills. People
were warned about hidden messages in The Beatles' songs. Although I
wasn't much of a Beatles fan, I attentively listened for these
"messages" and somehow still managed to survive those formative years
without joining a Satanic Cult.  Every generation contends with
fear-mongering stories catering to paranoia, and Social Engineering's
effectiveness at manipulating people's views, further illustrated by
the proliferation of bogus virus warnings, has landed cryptography in
the crosshairs.

Tales of child pornographers, pedophiles, and drug dealers using
cryptography to conceal their nefarious activities seeks public
sympathy and calls for government action to curb such criminal
activities. Obviously, anyone using encryption *must* have something
to hide. Commonly heard arguments seemingly assume that anyone using
encryption is hiding criminal activities. This may be true in some
cases, but legitimate reasons also exist for protecting data. For
example, cryptography assures the validity and ownership of encrypted
data. Ironically, the U.S. government's desire for weak cryptographic
systems undermines the validity of evidence found online.

Recent news stories indicate terrorists are leaving hidden messages on
Web sites through the evil science of cryptography. The "breaking
news"  essentially points out that bad guys are streamlining their
operations with computers. Well, duh! I bet they use phones as well!
Adding a more frightening twist, readers learn that "the messages are
scrambled using free encryption programs set up by groups that
advocate privacy on the Internet." Those damn privacy groups....
http://www.cnn.com/2001/TECH/internet/02/06/terrorists.internet.ap/index.html

Yet another story claims these tech-savvy terrorists use
steganography, as well as cryptography, to hide their secret messages.
Steganography is based on the notion of communicating without the
communication being noticeable. The Greeks practiced steganography by
writing messages on couriers' heads. People who intercepted the
couriers, unable to find any messages in their possession, let them
pass.  The receiving General, however, knew where to look. Presumably,
terrorists are embedding their encrypted data in pornographic files
(those immoral terrorists), which are then extracted and deciphered by
the intended recipients. Despite vague references to "unnamed" sources
and "closed door" meetings, no one has made *any* evidence supporting
these claims publicly available. Strangely enough though, the same
computer security company is heavily quoted in both stories.

Law enforcement agencies assert that encryption protects criminals and
hinders police efforts to protect the public.  Jumping on the
opportunity to expand their surveillance activities, authorities
employ such tools as the "Clipper Chip" and Carnivore - the e-mail
spying program. In response to the public?s outcry over privacy, the
FBI is changing the name from "Carnivore" to the less threatening-
sounding, "DCS1000". I feel better already.
http://news.cnet.com/news/0-1005-200-4769965.html?tag=mn_hd

We're supposed to trust our government and believe it is concerned
with our safety; however, law enforcement agencies extend beyond a
single entity, comprising hundreds of thousands of individuals.
Agencies may enforce non-disclosure policies, but agency employees can
still break it. Those considering a career move to the private sector
- not an uncommon occurrence pose a particular risk. Wouldn't
gathering information about future clients and competitors be nice? A
DEA Agent recently charged with selling confidential information to a
private investigation company represents just one of many cases
involving an official abusing his position.
http://www.usdoj.gov/usao/cac/pr2001/007.html
http://www.securityfocus.com/news/142

People fear what they don't understand, and the average person doesn't 
understand anything ending with "-ography". When in doubt, blame 
technology.

About the author(s)
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company 
specializing in computer security consulting. She has been a Unix 
system administrator for almost 20 years on various platforms, and 
provides security consultation to several financial institutions in the 
New York City area. She is also a regular columnist for Unix Insider
(http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or 
reach her at carole.fennelly () unixinsider com.
________________________________________________________________________

ADDITIONAL RESOURCES

Steganography
http://www.jjtc.com/stegdoc/sec201.html

Rubberhose Project
http://www.rubberhose.org/

BXA's Encryption Web Site
http://www.bxa.doc.gov/Encryption/Default.htm

Cryptography, Encryption and Stenography
http://www.infosyssec.org/infosyssec/cry1.htm

Security, in English 
Bruce Schneier demystifies information security 
http://www.unixinsider.com/jsw/unxsec_nl/swol-12-2000/swol-1201-bookshelf.html

The Ghost in the Machine
http://www.itworld.com/jump/unxsec_nl/www.itworld.com/Man/3914/CIO101599_trendlines_content/

Securing 802.11 wireless LANs
http://www.itworld.com/jump/unxsec_nl/www.itworld.com/Net/2629/ITW1844/

AUDIOCASTS
Interviews on the IT topics you wanted!

Pete FioRito on assessing your security
http://www.itworld.com/jump/unxsec_nl/mithras.itworld.com/media/000719peteFioRito_future.ram

http://www.itworld.com/jump/unxsec_nl/mithras.itworld.com/media/000719peteFioRito_vulnerability-a-56.asx
_________________________________________________________________________

COMMUNITY DISCUSSIONS

Web Security
Delve into the gory technical details of Web security in this 
discussion for security pros (and newbies) of all stripes.
http://www.itworld.com/jump/unxsec_nl/forums.itworld.com/webx?14@@.ee6b67b/127!skip=58
__________________________________________________________________________
PRIVACY POLICY
http://www2.itworld.com/CDA/ITW_Privacy_Policy 
Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".