Security
Thwarting internet censors with Collage
Steganography is an ancient method of hiding a message in plain sight. In the digital age, steganography is often associated with hiding data inside a binary file, typically using the low bits of an image or audio file in such a way that the message makes very little difference to the output. The Collage project aims to use steganography in conjunction with sites that host lots of user-generated content to provide a communication channel that resists censorship.
As the slides [PDF] and paper [PDF] from a recent presentation on Collage describe, there are increasing attempts to censor internet communications. It is not just repressive regimes that are guilty of such censorship either, as various democratic governments are trying—sometimes succeeding—to get into the game. Existing methods to route around things like the "great firewall of China" rely on using proxies (e.g. Tor) outside of the censorship wall. But proxies are relatively easily identified and blocked. Worse yet, anyone attempting to use one of the proxies can be identified and punished.
By using sites that regular "law abiding" citizens use on a regular basis, Collage seeks to appear completely innocuous to the censoring devices. The specific example used is photo-sharing sites like Flickr. Many people legitimately browse the photos there, so it will be difficult to determine that a particular user may be browsing for photos that contain a steganographic message. In addition, the sheer number of photos stored on the site makes it difficult for the censors to catalog those that may contain a hidden message.
It is, essentially, a form of "security through obscurity", but one that can offer a level of deniability if used properly. If a censored user frequently visited Flickr for photo uploading and browsing, and only infrequently used it to pass messages, it would be difficult to detect by anything other than a targeted monitoring of that user's traffic. Unlike proxies, there is no need for anyone to maintain an infrastructure of hosts to handle the traffic; Flickr, YouTube, and others are already doing so.
The basic idea is that a simple message is encrypted (using some key agreed upon separately), then broken into pieces, with erasure coding added so that the entire message can be re-assembled from just a subset of the pieces. Those chunks then get steganographically inserted into multiple photos, which are uploaded to a photo-sharing site.
The project also used a text steganography technique to hide messages in the text of comments on blogs, YouTube, Twitter, and so on. In either case, the presence of steganography is likely to be detectable if the censoring agency tries. But with proper encryption, the actual message text will not be recoverable. The paper also discusses the use of watermarking to hide information that may be more easily detected but is hard to remove without disrupting the containing photo or file.
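The sender-side pipeline described above (encrypt, erasure-code, hide each piece in its own photo, recover from a subset), carried through end to end as an added example; this is not Collage's own code. The cipher is a stand-in (HMAC-SHA256 as a counter-mode keystream), the erasure code is a single XOR parity chunk, and the "photos" are constructed raw byte covers rather than real images.

```python
import hmac, hashlib
from functools import reduce

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the separately agreed cipher: HMAC-SHA256 run in counter mode as a keystream."""
    out = bytearray()
    for ctr in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def erasure_encode(data: bytes, k: int) -> dict:
    """Split into k equal data chunks plus one XOR parity chunk; any k of the k+1 pieces suffice."""
    size = -(-len(data) // k)
    padded = data.ljust(k * size, b"\0")
    chunks = [padded[i * size:(i + 1) * size] for i in range(k)]
    parity = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*chunks))
    return dict(enumerate(chunks + [parity]))

def erasure_decode(pieces: dict, k: int, length: int) -> bytes:
    """Reassemble from any k pieces; a single missing data chunk is rebuilt from the parity."""
    have = dict(pieces)
    missing = [i for i in range(k) if i not in have]
    if len(missing) > 1 or (missing and k not in have):
        raise ValueError("too few pieces to reconstruct the message")
    if missing:
        others = [have[i] for i in range(k + 1) if i != missing[0]]
        have[missing[0]] = bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*others))
    return b"".join(have[i] for i in range(k))[:length]

def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit into the low bit of one cover byte (toy raw cover, no image codec)."""
    bits = [(b >> (7 - j)) & 1 for b in payload for j in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    return bytes((c & 0xFE) | bit for c, bit in zip(cover, bits)) + cover[len(bits):]

def lsb_extract(stego: bytes, nbytes: int) -> bytes:
    bits = [c & 1 for c in stego[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def roundtrip(message: bytes, key: bytes, k: int = 3, drop: int = 1) -> bytes:
    """Encrypt, erasure-code, hide each piece in its own cover, lose one cover, recover the message."""
    nonce = b"\x00" * 8  # constructed; a real sender uses a fresh nonce per message
    ct = keystream_xor(key, nonce, message)
    pieces = erasure_encode(ct, k)
    size = len(pieces[0])
    covers = {i: bytes((i * 37 + n) % 256 for n in range(size * 8)) for i in pieces}  # constructed covers
    stego = {i: lsb_embed(covers[i], p) for i, p in pieces.items()}
    got = {i: lsb_extract(s, size) for i, s in stego.items() if i != drop}  # one photo is never retrieved
    return keystream_xor(key, nonce, erasure_decode(got, k, len(ct)))
```

The recipient still recovers the plaintext after one of the k+1 covers is lost, while each cover byte changes by at most one in value; a second lost piece makes `erasure_decode` fail rather than return garbage.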
In order for a message to reach its recipient, though, there needs to be some way for them to know which of the billions of photos at Flickr actually contain bits of interest. In addition, the downloads made by the user must appear to be "normal" tasks that a Flickr user might perform. The paper outlines a rather elaborate protocol that could be used to map messages to "deniable tasks" that the recipient must perform. It's a tricky problem as is acknowledged in the paper:
It is a clever technique, but there are, of course, some pitfalls. The complexity will make it challenging to use, and automated retrievals may be difficult to do in a non-suspicious manner. It could also end up pointing a finger at "innocent" users of a site like Flickr, who unwittingly just happen to perform the task associated with a Collage message. The paper notes that risk, but also points out that "organizations can already implicate users with little evidence".
Essentially Collage is a proof-of-concept that uses off-the-shelf free software to handle the encryption, encoding, and steganography pieces. So far, the code for a demonstration client, which downloads a message that the project stored in Flickr, is available. The web site does not specifically mention further code releases, but one hopes the code for the sending side will also become available. There are also some performance measurements in the paper that show "acceptable" overhead for sending small, textual messages.
The complexity is daunting, but for those who really need to communicate in a largely deniable fashion, the Collage technique certainly has some appeal. It doesn't suffer from some of the obvious "red flags" that arise when using Tor or normal encrypted traffic (e.g. SSL/TLS, ssh, GPG), which may make it disappear into the noise of normal network traffic. Collage, or something like it, may find a place in the toolkit of those trying to evade internet censorship.
Brief items
Security quotes of the week
New vulnerabilities
bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2010-2756 CVE-2010-2757 CVE-2010-2758 CVE-2010-2759
Created: August 27, 2010
Updated: September 1, 2010
Description: From the Red Hat bugzilla:
An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. CVE-2010-2756
Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent. CVE-2010-2757
An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. CVE-2010-2758
If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected. CVE-2010-2759
firefox: denial of service
Package(s): Firefox
CVE #(s): CVE-2010-1990
Created: August 30, 2010
Updated: September 1, 2010
Description: From the MeeGo advisory:
Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and SeaMonkey, executes a mail application in situations where an IFRAME element has a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many IFRAME elements.
CVSS v2 Base: 5.0 (MEDIUM) Access Vector: Network exploitable
gdm: access restriction bypass
Package(s): gdm
CVE #(s): CVE-2007-5079
Created: August 27, 2010
Updated: September 1, 2010
Description: From the Red Hat advisory:
A flaw was found in the way the gdm package was built. The gdm package was missing TCP wrappers support on 64-bit platforms, which could result in an administrator believing they had access restrictions enabled when they did not.
httpd: information disclosure
Package(s): httpd
CVE #(s): CVE-2010-2791
Created: August 30, 2010
Updated: October 18, 2010
Description: From the Red Hat advisory:
A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure.
kdegraphics: memory corruption
Package(s): kdegraphics
CVE #(s): CVE-2010-2575
Created: August 27, 2010
Updated: December 1, 2013
Description: From the Ubuntu advisory:
Stefan Cornelius of Secunia Research discovered a boundary error during RLE decompression in the "TranscribePalmImageToJPEG()" function in generators/plucker/inplug/image.cpp of okular when processing images embedded in PDB files, which can be exploited to cause a heap-based buffer overflow.
libgdiplus: arbitrary code execution
Package(s): libgdiplus
CVE #(s): CVE-2010-1526
Created: September 1, 2010
Updated: January 6, 2014
Description: From the Mandriva advisory:
Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows.
libhx: arbitrary code execution
Package(s): libHX
CVE #(s): CVE-2010-2947
Created: August 31, 2010
Updated: October 25, 2010
Description: From the Mandriva advisory:
Heap-based buffer overflow in the HX_split function in string.c in libHX before 3.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a string that is inconsistent with the expected number of fields.
libtiff: denial of service
Package(s): libtiff
CVE #(s): CVE-2010-2443
Created: August 30, 2010
Updated: January 19, 2011
Description: From the MeeGo advisory:
The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function.
CVSS v2 Base: 5.0 (MEDIUM) Access Vector: Network exploitable
mutter-moblin: denial of service
Package(s): mutter-moblin
CVE #(s): (none)
Created: August 30, 2010
Updated: September 1, 2010
Description: From the MeeGo advisory:
The DBus message handling in mutter-moblin was not safe. Crash could be induced by a simple:
python -c "import dbus; dbus.Interface (dbus.SessionBus ().get_object \
('org.freedesktop.Notifications', '/org/freedesktop/Notifications'), \
'org.freedesktop.Notifications').Notify ('', 0, '', '', '', [''], {}, \
0)"
openssl: denial of service
Package(s): openssl
CVE #(s): CVE-2010-2939
Created: August 31, 2010
Updated: January 19, 2011
Description: From the Debian advisory:
George Guninski discovered a double free in the ECDH code of the OpenSSL crypto library, which may lead to denial of service and potentially the execution of arbitrary code.
opera: multiple vulnerabilities
Package(s): opera
CVE #(s): CVE-2010-2576 CVE-2010-3019 CVE-2010-3020 CVE-2010-3021
Created: August 26, 2010
Updated: September 1, 2010
Description: From the SUSE advisory:
- CVE-2010-2576: CVSS v2 Base Score: 6.8 (CWE-94): unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia
- CVE-2010-3019: CVSS v2 Base Score: 9.3 (CWE-119): heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc
- CVE-2010-3020: CVSS v2 Base Score: 5.0 (CWE-264): news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos
- CVE-2010-3021: CVSS v2 Base Score: 4.3 (CWE-399): remote attackers could trigger a remote denial of service (CPU consumption and application hang) via an animated PNG image
phpmyadmin: php code execution
Package(s): phpmyadmin
CVE #(s): CVE-2010-3055
Created: August 30, 2010
Updated: September 13, 2010
Description: From the Debian advisory:
The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default.
polkit: information disclosure
Package(s): polkit
CVE #(s): (none)
Created: August 30, 2010
Updated: September 1, 2010
Description: From bugs.freedesktop.org:
pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions.
wireshark: arbitrary code execution
Package(s): wireshark
CVE #(s): CVE-2010-2994
Created: September 1, 2010
Updated: April 19, 2011
Description: From the Debian advisory:
Several implementation errors in the dissector of the Wireshark network traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal Decompressor Virtual Machine may lead to the execution of arbitrary code.
yast2-webclient-patch_updates: installation specific secret key
Package(s): yast2-webclient-patch_updates
CVE #(s): CVE-2010-1507
Created: August 26, 2010
Updated: September 1, 2010
Description: From the SUSE advisory:
WebYaST generates installation specific secret key during RPM installation (CVE-2010-1507)
Page editor: Jake Edge