By Jake Edge
September 1, 2010
Steganography is an ancient method of hiding a message in plain sight. In
the digital age, steganography is often associated with hiding data inside
of a binary file, typically using the low bits of an image or audio file in
such a way that the message makes very little difference in the output.
The Collage
project looks to use steganography in conjunction with sites that host lots
of user-generated content to provide a communication channel that resists
censorship.
As the slides
[PDF] and paper
[PDF] from a recent presentation on Collage describe, there are increasing
attempts to censor internet communications. It is not just repressive
regimes that are guilty of such censorship either, as various democratic
governments are trying—sometimes succeeding—to get into the
game. Existing methods to route around things like the "great firewall of
China" rely on using proxies (e.g. Tor) outside of the censorship wall.
But, proxies are relatively easily identified and blocked. Worse yet,
anyone attempting to use one of the proxies can be identified and punished.
By using sites that ordinary "law-abiding" citizens visit every day,
Collage seeks to appear completely innocuous to the censoring devices. The
specific example used is photo-sharing sites like Flickr. Many people
legitimately browse the photos there, so it will be difficult to determine
that a
particular user may be browsing for photos that contain a steganographic
message. In addition, the sheer number of photos stored on the site makes
it difficult for the censors to catalog those that may contain a hidden
message.
It is, essentially, a form of "security through obscurity", but one that
can offer a level of deniability if used properly. If a censored user
frequently visited Flickr for photo uploading and browsing, and only
infrequently used it
to pass messages, it would be difficult to detect by anything other than a
targeted monitoring of that user's traffic. Unlike proxies, there is no
need for anyone to maintain an infrastructure of hosts to handle the
traffic; Flickr,
YouTube, and others are already doing so.
The basic idea is that a simple message is encrypted (using some key agreed
upon separately), then broken into pieces, with erasure coding added
so that the
entire message can be re-assembled from just a subset of the pieces. Those
chunks then get steganographically inserted into multiple photos, which are uploaded to a photo-sharing site.
The project also used a text steganography technique to hide messages in
the text of comments on blogs, YouTube, Twitter, and so on. In either
case, the presence of steganography is likely to be detectable if the
censoring agency tries. But with proper encryption, the actual message
text will not be recoverable. The paper also discusses the use of watermarking
to hide information that may be more easily detected but is hard to remove
without disrupting the containing photo or file.
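The send/receive path just described, as an added example that is not part of the article or of the Collage project's code: a message is encrypted under a key agreed upon separately, the ciphertext is split into K chunks plus one XOR parity chunk (a minimal erasure code, so any K of the K + 1 carriers recover the message; Collage uses a proper erasure code that tolerates more loss), each chunk is hidden in the low bit of a "photo", and the receiver reassembles the message with one carrier missing. The cipher (an HMAC-SHA256 keystream with a truncated HMAC tag), the single-parity code, the 3-byte chunk header, the 16-bit length prefix in the carrier and the seeded random pixel buffers standing in for photos are all assumptions made here; a deployment would use a vetted AEAD cipher and real image files. Standard library only.

```python
"""Toy model of the Collage send/receive path described above (added example;
not the Collage project's code).  Cipher, erasure code and cover images are
stand-ins; see the lead-in for what is assumed."""
import functools
import hashlib
import hmac
import random

K = 4          # data chunks; one XOR parity chunk makes K + 1 carriers
TAG_LEN = 16   # truncated HMAC tag appended to the ciphertext


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (stand-in cipher)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def encrypt(key: bytes, msg: bytes, nonce: bytes) -> bytes:
    ct = xor(msg, keystream(key, nonce, len(msg)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("message authentication failed")
    return xor(ct, keystream(key, nonce, len(ct)))


def make_chunks(blob: bytes) -> list:
    """K equal data chunks plus one XOR parity chunk, each with a 3-byte
    header (chunk index, total length) so that any K of them can be reassembled."""
    size = -(-len(blob) // K)
    data = [blob.ljust(size * K, b"\0")[i * size:(i + 1) * size] for i in range(K)]
    header = lambda idx: bytes([idx]) + len(blob).to_bytes(2, "big")
    return [header(i) + d for i, d in enumerate(data)] + [header(K) + functools.reduce(xor, data)]


def reassemble(chunks: list) -> bytes:
    parts = {c[0]: c[3:] for c in chunks}
    total = int.from_bytes(chunks[0][1:3], "big")
    missing = [i for i in range(K) if i not in parts]
    if len(missing) > 1 or (missing and K not in parts):
        raise ValueError("too few chunks to reassemble")
    if missing:   # recover the lost data chunk: parity XOR the other data chunks
        m = missing[0]
        parts[m] = functools.reduce(xor, [parts[K]] + [parts[i] for i in range(K) if i != m])
    return b"".join(parts[i] for i in range(K))[:total]


def embed(cover: bytes, payload: bytes) -> bytes:
    """LSB steganography: a 16-bit length, then the payload, one bit per pixel."""
    framed = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    px = bytearray(cover)
    for pos, bit in enumerate(bits):
        px[pos] = (px[pos] & 0xFE) | bit
    return bytes(px)


def extract(stego: bytes) -> bytes:
    bits = [p & 1 for p in stego]
    byte_at = lambda i: int("".join(map(str, bits[i * 8:i * 8 + 8])), 2)
    n = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + i) for i in range(n))


def send(key: bytes, msg: bytes, nonce: bytes, covers: list) -> list:
    return [embed(c, ch) for c, ch in zip(covers, make_chunks(encrypt(key, msg, nonce)))]


def receive(key: bytes, stegos: list) -> bytes:
    return decrypt(key, reassemble([extract(s) for s in stegos]))


def demo(drop=None) -> bytes:
    """Round trip over constructed covers; `drop` discards one carrier."""
    rng = random.Random(7)                        # seeded so the run is repeatable
    key = b"key agreed upon separately, 32B!"     # constructed shared secret
    nonce = bytes(rng.randrange(256) for _ in range(16))
    covers = [bytes(rng.randrange(256) for _ in range(4096)) for _ in range(K + 1)]
    stegos = send(key, b"meet at the usual place, 21:00", nonce, covers)
    if drop is not None:
        del stegos[drop]
    return receive(key, stegos)
```

Two properties of the article's argument show up directly: `receive` succeeds with any one of the five carriers missing, and the low-bit embedding is the part a censor could detect, but without the key the recovered chunks are ciphertext plus a tag, and a modified carrier fails the tag check rather than yielding a forged message.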
In order for a message to reach its recipient, though, there needs to be
some way for them to know which of the billions of photos at Flickr
actually contain bits of interest. In addition, the downloads made by the
user must appear to be "normal" tasks that a Flickr user might perform.
The paper outlines a rather elaborate protocol that could be used to map
messages to "deniable tasks" that the recipient must perform. It's a
tricky problem as is acknowledged in the paper:
The challenge, of course, is finding sets of tasks that are deniable, yet
focused enough to allow a user to retrieve content in a reasonable amount
of time.
It is a clever technique, but there are, of course, some pitfalls. The
complexity will make it challenging to use, and automated retrievals may be
difficult to do in a non-suspicious manner. It could also end up pointing
a finger at "innocent" users of a site like Flickr, who unwittingly just
happen to perform the task associated with a Collage message. The paper
notes that risk, but also points out that "organizations can already
implicate users with little evidence".
Essentially, Collage is a proof of concept that uses off-the-shelf free
software to handle the encryption, encoding, and steganography pieces. So far,
the code for a demonstration client, which downloads a message that the
project stored in Flickr, is available. The web site does not specifically
mention further code releases, but one hopes the code for the sending side
will also become available. There are also some performance
measurements in the paper that show "acceptable" overhead for
sending small, textual messages.
The complexity is daunting, but for those who really need to communicate in
a largely deniable fashion, the Collage technique certainly has some
appeal. It doesn't suffer from some of the obvious "red flags" that arise
when using
Tor or normal encrypted traffic (e.g. SSL/TLS, ssh, GPG), which may make it
disappear into the noise of normal network traffic. Collage, or something
like it, may find a
place in the toolkit of those trying to evade internet censorship.
Comments (2 posted)
Brief items
But of course, an RFID chip allows for far more than that minimal
record-keeping. Instead, it provides the potential for nearly constant
monitoring of a child's physical location. If readings are taken often
enough, you could create an extraordinarily detailed portrait of a child's
school day - one that's easy to imagine being misused, particularly as the
chips substitute for direct adult monitoring and judgment. If RFID records
show a child moving around a lot, could she be tagged as hyper-active? If
he doesn't move around a lot, could he get a reputation for laziness? How
long will this data and the conclusions rightly or wrongly drawn from it be
stored in these children's school records? Can parents opt-out of this
invasive tracking? How many other federal grants are underwriting programs
like these?
-- Rebecca Jeschke of the EFF
We show that we can observe private activities in the home such as cooking,
showering, toileting, and sleeping by eavesdropping on the wireless
transmissions of sensors in a home, even when all of the transmissions
are encrypted. We call this the Fingerprint and Timing-based Snooping
(FATS) attack. This attack can already be carried out on millions of homes
today, and may become more important as ubiquitous computing environments
such as smart homes and assisted living facilities become more
prevalent. In this paper, we demonstrate and evaluate the FATS attack on
eight different homes containing wireless sensors.
-- Vijay Srinivasan, John Stankovic, and Kamin Whitehouse (unfortunately, only the abstract of the paper is freely available at the site)
Comments (4 posted)
New vulnerabilities
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2010-2756, CVE-2010-2757, CVE-2010-2758, CVE-2010-2759 |
| Created: | August 27, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the Red Hat bugzilla:
An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. CVE-2010-2756
Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent. CVE-2010-2757
An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. CVE-2010-2758
If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected. CVE-2010-2759
| Alerts: | |
Comments (none posted)
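The CVE-2010-2759 entry above is a reminder that text which gets turned into a database lookup needs to be range-checked before the query, not after the database complains. The following added example (not Bugzilla's code; the "bug N"/"attachment N" syntax, the `[kind:id]` rendering and the constructed comments are assumptions) scans a comment for such references and refuses to look up any id outside the signed 32-bit range, leaving it as plain text instead of letting it break the page.

```python
"""Range check for comment references of the kind described in CVE-2010-2759
(added example, not Bugzilla's code).  An id that cannot fit a signed 32-bit
column must never reach the query that linkifies it."""
import re

INT32_MAX = 2 ** 31 - 1
# Assumed reference syntax: "bug 123" or "attachment 456", case-insensitive.
REF_RE = re.compile(r"\b(bug|attachment)\s+(\d+)\b", re.IGNORECASE)


def classify_references(comment: str) -> tuple:
    """Split references into those safe to look up and those that would
    overflow a 32-bit id column; the latter must not be passed to the DB."""
    ok, rejected = [], []
    for m in REF_RE.finditer(comment):
        ref = (m.group(1).lower(), int(m.group(2)))
        (ok if ref[1] <= INT32_MAX else rejected).append(ref)
    return ok, rejected


def linkify(comment: str) -> str:
    """Render in-range references as [kind:id] markers (assumed format) and
    leave out-of-range ones untouched so the page still renders."""
    def repl(m):
        n = int(m.group(2))
        if n > INT32_MAX:
            return m.group(0)          # plain text, no lookup attempted
        return "[%s:%d]" % (m.group(1).lower(), n)
    return REF_RE.sub(repl, comment)


if __name__ == "__main__":
    sample = "Duplicate of bug 4242, see attachment 2147483648 and Bug 7"  # constructed
    print(classify_references(sample))
    print(linkify(sample))
```

The same shape of check applies to any identifier parsed out of user text and used as a typed column value: validate against the column's range up front, and treat a failure as "not a reference" rather than as a query error that takes the whole page down.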
firefox: denial of service
| Package(s): | Firefox |
| CVE #(s): | CVE-2010-1990 |
| Created: | August 30, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the MeeGo advisory:
Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and
SeaMonkey, executes a mail application in situations where an IFRAME
element has a mailto: URL in its SRC attribute, which allows remote
attackers to cause a denial of service (excessive application
launches) via an HTML document with many IFRAME elements.
CVSS v2 Base: 5.0 (MEDIUM)
Access Vector: Network exploitable
| Alerts: | |
Comments (none posted)
gdm: access restriction bypass
| Package(s): | gdm |
| CVE #(s): | CVE-2007-5079 |
| Created: | August 27, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the Red Hat advisory:
A flaw was found in the way the gdm package was built. The gdm package was
missing TCP wrappers support on 64-bit platforms, which could result in an
administrator believing they had access restrictions enabled when they did
not.
| Alerts: | |
Comments (none posted)
httpd: information disclosure
| Package(s): | httpd |
| CVE #(s): | CVE-2010-2791 |
| Created: | August 30, 2010 |
| Updated: | October 18, 2010 |
| Description: |
From the Red Hat advisory:
A flaw was discovered in the way the mod_proxy module of the Apache HTTP
Server handled the timeouts of requests forwarded by a reverse proxy to the
back-end server. If the proxy was configured to reuse existing back-end
connections, it could return a response intended for another user under
certain timeout conditions, possibly leading to information disclosure.
| Alerts: | |
Comments (none posted)
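The mod_proxy advisory above describes a bug class that is easier to see in a small model than in prose: a reverse proxy gives up waiting on a reused back-end connection, but the back-end's late reply is still queued on that connection, so the next client served over it receives someone else's response. The following is an added, constructed simulation (not Apache code; the tick-based clock, the request names and the 504 text are made up) contrasting the vulnerable behaviour with the obvious mitigation of never returning a timed-out connection to the pool.

```python
"""Constructed model of the mod_proxy bug class above: a proxy that times out
on a reused back-end connection and then hands that connection, with the late
response still in flight, to the next client.  Added example, not Apache code."""
import collections


class BackendConnection:
    """One keep-alive connection to the back-end.  The back-end answers
    strictly in order, so replies queue up behind the request that sent them."""

    def __init__(self):
        self.inflight = collections.deque()   # (ready_at, response), in order
        self.closed = False

    def send(self, request: str, now: int, service_time: int) -> None:
        self.inflight.append((now + service_time, "response for " + request))

    def recv(self, now: int, timeout: int):
        """Return the oldest queued reply if it arrives within `timeout` ticks
        of `now`, else None (the proxy's read timed out)."""
        ready_at, response = self.inflight[0]
        if ready_at <= now + timeout:
            self.inflight.popleft()
            return response
        return None


class ReverseProxy:
    def __init__(self, timeout: int, close_on_timeout: bool):
        self.timeout = timeout
        self.close_on_timeout = close_on_timeout   # False models the vulnerable proxy
        self.pool = []                             # idle back-end connections
        self.now = 0                               # coarse simulated clock

    def handle(self, client: str, request: str, service_time: int) -> tuple:
        conn = self.pool.pop() if self.pool else BackendConnection()
        conn.send(request, self.now, service_time)
        response = conn.recv(self.now, self.timeout)
        if response is None:
            self.now += self.timeout
            if self.close_on_timeout:
                conn.closed = True          # fixed: a connection with a pending reply is discarded
            else:
                self.pool.append(conn)      # vulnerable: reused with the stale reply still queued
            return (client, "504 Gateway Timeout")
        self.now += service_time
        self.pool.append(conn)
        return (client, response)


def simulate(close_on_timeout: bool) -> list:
    """Alice's request is slower than the proxy timeout; Bob's fast request
    then goes out over the same back-end connection."""
    proxy = ReverseProxy(timeout=5, close_on_timeout=close_on_timeout)
    return [
        proxy.handle("alice", "GET /account/alice", service_time=8),
        proxy.handle("bob", "GET /account/bob", service_time=1),
    ]


if __name__ == "__main__":
    print("vulnerable:", simulate(close_on_timeout=False))
    print("fixed:     ", simulate(close_on_timeout=True))
```

In the vulnerable run Bob is handed "response for GET /account/alice"; with `close_on_timeout=True` the connection is dropped at the timeout and Bob gets his own reply. The general rule for any connection-pooling proxy is the same: a connection whose request/response pairing can no longer be trusted must leave the pool, even though closing it costs a reconnect.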
kdegraphics: memory corruption
| Package(s): | kdegraphics |
| CVE #(s): | CVE-2010-2575 |
| Created: | August 27, 2010 |
| Updated: | October 6, 2010 |
| Description: |
From the Ubuntu advisory:
Stefan Cornelius of Secunia Research discovered a boundary error during
RLE decompression in the "TranscribePalmImageToJPEG()" function in
generators/plucker/inplug/image.cpp of okular when processing images
embedded in PDB files, which can be exploited to cause a heap-based
buffer overflow.
| Alerts: | |
Comments (none posted)
libgdiplus: arbitrary code execution
| Package(s): | libgdiplus |
| CVE #(s): | CVE-2010-1526 |
| Created: | September 1, 2010 |
| Updated: | October 6, 2010 |
| Description: |
From the Mandriva advisory:
Multiple integer overflows in libgdiplus 2.6.7, as used in Mono,
allow attackers to execute arbitrary code via (1) a crafted TIFF
file, related to the gdip_load_tiff_image function in tiffcodec.c;
(2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal
function in jpegcodec.c; or (3) a crafted BMP file, related to the
gdip_read_bmp_image function in bmpcodec.c, leading to heap-based
buffer overflows
| Alerts: | |
Comments (none posted)
libhx: arbitrary code execution
| Package(s): | libHX |
| CVE #(s): | CVE-2010-2947 |
| Created: | August 31, 2010 |
| Updated: | October 25, 2010 |
| Description: |
From the Mandriva advisory:
Heap-based buffer overflow in the HX_split function in string.c in
libHX before 3.6 allows remote attackers to execute arbitrary code
or cause a denial of service (application crash) via a string that
is inconsistent with the expected number of fields.
| Alerts: | |
Comments (none posted)
libtiff: denial of service
| Package(s): | libtiff |
| CVE #(s): | CVE-2010-2443 |
| Created: | August 30, 2010 |
| Updated: | January 19, 2011 |
| Description: |
From the MeeGo advisory:
The OJPEGReadBufferFill function in tif_ojpeg.c in
LibTIFF before 3.9.3 allows remote attackers to cause a denial of
service (NULL pointer dereference and application crash) via an OJPEG
image with undefined strip offsets, related to the TIFFVGetField
function.
CVSS v2 Base: 5.0 (MEDIUM)
Access Vector: Network exploitable
| Alerts: | |
Comments (none posted)
mutter-moblin: denial of service
| Package(s): | mutter-moblin |
| CVE #(s): | |
| Created: | August 30, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the MeeGo advisory:
The DBus message handling in mutter-moblin was not safe. Crash could
be induced by a simple:
    python -c "import dbus; dbus.Interface (dbus.SessionBus ().get_object \
    ('org.freedesktop.Notifications', '/org/freedesktop/Notifications'), \
    'org.freedesktop.Notifications').Notify ('', 0, '', '', '', [''], {}, \
    0)"
| Alerts: | |
Comments (none posted)
openssl: denial of service
| Package(s): | openssl |
| CVE #(s): | CVE-2010-2939 |
| Created: | August 31, 2010 |
| Updated: | January 19, 2011 |
| Description: |
From the Debian advisory:
George Guninski discovered a double free in the ECDH code of the OpenSSL
crypto library, which may lead to denial of service and potentially the
execution of arbitrary code.
| Alerts: | |
Comments (none posted)
opera: multiple vulnerabilities
| Package(s): | opera |
| CVE #(s): | CVE-2010-2576, CVE-2010-3019, CVE-2010-3020, CVE-2010-3021 |
| Created: | August 26, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the SUSE advisory:
- CVE-2010-2576: CVSS v2 Base Score: 6.8 (CWE-94):
  unexpected changes in tab focus could be used to run programs from
  the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia
- CVE-2010-3019: CVSS v2 Base Score: 9.3 (CWE-119):
  heap buffer overflow in HTML5 canvas could be used to execute
  arbitrary code, as reported by Kuzzcc
- CVE-2010-3020: CVSS v2 Base Score: 5.0 (CWE-264):
  news feed preview could subscribe to feeds without interaction, as
  reported by Alexios Fakos
- CVE-2010-3021: CVSS v2 Base Score: 4.3 (CWE-399):
  remote attackers could trigger a remote denial of service (CPU
  consumption and application hang) via an animated PNG image
| Alerts: | |
Comments (none posted)
phpmyadmin: php code execution
| Package(s): | phpmyadmin |
| CVE #(s): | CVE-2010-3055 |
| Created: | August 30, 2010 |
| Updated: | September 13, 2010 |
| Description: |
From the Debian advisory:
The configuration setup script does not properly sanitise its output
file, which allows remote attackers to execute arbitrary PHP code via
a crafted POST request. In Debian, the setup tool is protected through
Apache HTTP basic authentication by default.
| Alerts: | |
Comments (none posted)
polkit: information disclosure
| Package(s): | polkit |
| CVE #(s): | |
| Created: | August 30, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From bugs.freedesktop.org:
pkexec is vulnerable to a minor information disclosure vulnerability that
allows an attacker to verify whether or not arbitrary files exist, violating
directory permissions.
| Alerts: | |
Comments (none posted)
wireshark: arbitrary code execution
| Package(s): | wireshark |
| CVE #(s): | CVE-2010-2994 |
| Created: | September 1, 2010 |
| Updated: | April 19, 2011 |
| Description: |
From the Debian advisory:
Several implementation errors in the dissector of the Wireshark network
traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal
Decompressor Virtual Machine may lead to the execution of arbitrary code.
| Alerts: | |
Comments (none posted)
yast2-webclient-patch_updates: installation specific secret key
| Package(s): | yast2-webclient-patch_updates |
| CVE #(s): | CVE-2010-1507 |
| Created: | August 26, 2010 |
| Updated: | September 1, 2010 |
| Description: |
From the SUSE advisory:
WebYaST generates installation specific secret key
during RPM installation (CVE-2010-1507)
| Alerts: | |
Comments (none posted)
Page editor: Jake Edge