Information Security News mailing list archives
Unix Security - Steganography
From: InfoSec News <isn () C4I ORG>
Date: Fri, 16 Feb 2001 05:33:47 -0600
Sex, Drugs & Technology
By Carole Fennelly

Once upon a time, Rock music was blamed for society's ills. People were warned about hidden messages in The Beatles' songs. Although I wasn't much of a Beatles fan, I attentively listened for these "messages" and somehow still managed to survive those formative years without joining a Satanic Cult.

Every generation contends with fear-mongering stories catering to paranoia, and Social Engineering's effectiveness at manipulating people's views, further illustrated by the proliferation of bogus virus warnings, has landed cryptography in the crosshairs. Tales of child pornographers, pedophiles, and drug dealers using cryptography to conceal their nefarious activities seek public sympathy and call for government action to curb such criminal activities. Obviously, anyone using encryption *must* have something to hide.

Commonly heard arguments seemingly assume that anyone using encryption is hiding criminal activities. This may be true in some cases, but legitimate reasons also exist for protecting data. For example, cryptography assures the validity and ownership of encrypted data. Ironically, the U.S. government's desire for weak cryptographic systems undermines the validity of evidence found online.

Recent news stories indicate terrorists are leaving hidden messages on Web sites through the evil science of cryptography. The "breaking news" essentially points out that bad guys are streamlining their operations with computers. Well, duh! I bet they use phones as well! Adding a more frightening twist, readers learn that "the messages are scrambled using free encryption programs set up by groups that advocate privacy on the Internet." Those damn privacy groups....

http://www.cnn.com/2001/TECH/internet/02/06/terrorists.internet.ap/index.html

Yet another story claims these tech-savvy terrorists use steganography, as well as cryptography, to hide their secret messages.
Steganography is based on the notion of communicating without the communication being noticeable. The Greeks practiced steganography by writing messages on couriers' heads. People who intercepted the couriers, unable to find any messages in their possession, let them pass. The receiving General, however, knew where to look. Presumably, terrorists are embedding their encrypted data in pornographic files (those immoral terrorists), which are then extracted and deciphered by the intended recipients.

Despite vague references to "unnamed" sources and "closed door" meetings, no one has made *any* evidence supporting these claims publicly available. Strangely enough though, the same computer security company is heavily quoted in both stories.

Law enforcement agencies assert that encryption protects criminals and hinders police efforts to protect the public. Jumping on the opportunity to expand their surveillance activities, authorities employ such tools as the "Clipper Chip" and Carnivore - the e-mail spying program. In response to the public's outcry over privacy, the FBI is changing the name from "Carnivore" to the less threatening-sounding "DCS1000". I feel better already.

http://news.cnet.com/news/0-1005-200-4769965.html?tag=mn_hd

We're supposed to trust our government and believe it is concerned with our safety; however, law enforcement agencies extend beyond a single entity, comprising hundreds of thousands of individuals. Agencies may enforce non-disclosure policies, but agency employees can still break them. Those considering a career move to the private sector - not an uncommon occurrence - pose a particular risk. Wouldn't gathering information about future clients and competitors be nice? A DEA Agent recently charged with selling confidential information to a private investigation company represents just one of many cases involving an official abusing his position.
http://www.usdoj.gov/usao/cac/pr2001/007.html
http://www.securityfocus.com/news/142

People fear what they don't understand, and the average person doesn't understand anything ending with "-ography". When in doubt, blame technology.

About the author(s)
----------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for Unix Insider (http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennelly () unixinsider com.

Copyright 2001 ITworld.com, Inc., All Rights Reserved. http://www.itworld.com