User: Password:
Subscribe / Log in / New account


Thwarting internet censors with Collage

By Jake Edge
September 1, 2010

Steganography is an ancient method of hiding a message in plain sight. In the digital age, steganography is often associated with hiding data inside of a binary file, typically using the low bits of an image or audio file in such a way that the message makes very little difference in the output. The Collage project looks to use steganography in conjunction with sites that host lots of user-generated content to provide a communication channel that resists censorship.

As the slides [PDF] and paper [PDF] from a recent presentation on Collage describe, there are increasing attempts to censor internet communications. It is not just repressive regimes that are guilty of such censorship either, as various democratic governments are trying—sometimes succeeding—to get into the game. Existing methods to route around things like the "great firewall of China" rely on using proxies (e.g. Tor) outside of the censorship wall. But, proxies are relatively easily identified and blocked. Worse yet, anyone attempting to use one of the proxies can be identified and punished.

By using sites that regular "law abiding" citizens use on a regular basis, Collage seeks to appear completely innocuous to the censoring devices. The specific example used is photo-sharing sites like Flickr. Many people legitimately browse the photos there, so it will be difficult to determine that a particular user may be browsing for photos that contain a steganographic message. In addition, the sheer number of photos stored on the site make it difficult for the censors to catalog those that may contain a hidden message.

It is, essentially, a form of "security through obscurity", but one that can offer a level of deniability if used properly. If a censored user frequently visited Flickr for photo uploading and browsing, and only infrequently used it to pass messages, it would be difficult to detect by anything other than a targeted monitoring of that user's traffic. Unlike proxies, there is no need for anyone to maintain an infrastructure of hosts to handle the traffic; Flickr, YouTube, and others are already doing so.

The basic idea is that a simple message is encrypted (using some key agreed upon separately), then broken into pieces, with erasure coding added so that the entire message can be re-assembled from just a subset of the pieces. Those chunks then get steganographically inserted into multiple photos, which are uploaded to a photo-sharing site.

The project also used a text steganography technique to hide messages in the text of comments on blogs, YouTube, Twitter, and so on. In either case, the presence of steganography is likely to be detectable if the censoring agency tries. But with proper encryption, the actual message text will not be recoverable. The paper also discusses the use of watermarking to hide information that may be more easily detected but is hard to remove without disrupting the containing photo or file.

In order for a message to reach its recipient, though, there needs to be some way for them to know which of the billions of photos at Flickr actually contain bits of interest. In addition, the downloads made by the user must appear to be "normal" tasks that a Flickr user might perform. The paper outlines a rather elaborate protocol that could be used to map messages to "deniable tasks" that the recipient must perform. It's a tricky problem as is acknowledged in the paper:

The challenge, of course, is finding sets of tasks that are deniable, yet focused enough to allow a user to retrieve content in a reasonable amount of time.

It is a clever technique, but there are, of course, some pitfalls. The complexity will make it challenging to use, and automated retrievals may be difficult to do in a non-suspicious manner. It could also end up pointing a finger at "innocent" users of a site like Flickr, who unwittingly just happen to perform the task associated with a Collage message. The paper notes that risk, but also points out that "organizations can already implicate users with little evidence".

Essentially Collage is a proof-of-concept that uses off-the-shelf free software to handle the encryption, encoding, and steganography pieces. So far, the code for a demonstration client, which downloads a message that the project stored in Flickr, is available. The web site does not specifically mention further code releases, but one hopes the code for the sending side will also become available. There are also some performance measurements in the paper that show "acceptable" overhead for sending small, textual messages.

The complexity is daunting, but for those who really need to communicate in a largely deniable fashion, the Collage technique certainly has some appeal. It doesn't suffer from some of the obvious "red flags" that arise when using Tor or normal encrypted traffic (e.g. SSL/TLS, ssh, GPG), which may make it disappear into the noise of normal network traffic. Collage, or something like it, may find a place in the toolkit of those trying to evade internet censorship.

Comments (2 posted)

Brief items

Security quotes of the week

But of course, an RFID chip allows for far more than that minimal record-keeping. Instead, it provides the potential for nearly constant monitoring of a child's physical location. If readings are taken often enough, you could create an extraordinarily detailed portrait of a child's school day - one that's easy to imagine being misused, particularly as the chips substitute for direct adult monitoring and judgment. If RFID records show a child moving around a lot, could she be tagged as hyper-active? If he doesn't move around a lot, could he get a reputation for laziness? How long will this data and the conclusions rightly or wrongly drawn from it be stored in these children's school records? Can parents opt-out of this invasive tracking? How many other federal grants are underwriting programs like these?
-- Rebecca Jeschke of the EFF

We show that we can observe private activities in the home such as cooking, showering, toileting, and sleeping by eavesdropping on the wireless transmissions of sensors in a home, even when all of the transmissions are encrypted. We call this the Fingerprint and Timing-based Snooping (FATS) attack. This attack can already be carried out on millions of homes today, and may become more important as ubiquitous computing environments such as smart homes and assisted living facilities become more prevalent. In this paper, we demonstrate and evaluate the FATS attack on eight different homes containing wireless sensors.
-- Vijay Srinivasan, John Stankovic, and Kamin Whitehouse (unfortunately, only the abstract of the paper is freely available at the site)

Comments (4 posted)

New vulnerabilities

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2010-2756 CVE-2010-2757 CVE-2010-2758 CVE-2010-2759
Created:August 27, 2010 Updated:September 1, 2010
Description: From the Red Hat bugzilla:

An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. CVE-2010-2756

Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent. CVE-2010-2757

An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. CVE-2010-2758

If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected. CVE-2010-2759

Fedora FEDORA-2010-13072 bugzilla 2010-08-20
Fedora FEDORA-2010-13086 bugzilla 2010-08-20

Comments (none posted)

firefox: denial of service

Package(s):Firefox CVE #(s):CVE-2010-1990
Created:August 30, 2010 Updated:September 1, 2010
Description: From the MeeGo advisory:

Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and SeaMonkey, executes a mail application in situations where an IFRAME element has a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many IFRAME elements. CVSS v2 Base: 5.0 (MEDIUM) Access Vector: Network exploitable

MeeGo MeeGo-SA-10:12 Firefox 2010-08-03

Comments (none posted)

gdm: access restriction bypass

Package(s):gdm CVE #(s):CVE-2007-5079
Created:August 27, 2010 Updated:September 1, 2010
Description: From the Red Hat advisory:

A flaw was found in the way the gdm package was built. The gdm package was missing TCP wrappers support on 64-bit platforms, which could result in an administrator believing they had access restrictions enabled when they did not.

CentOS CESA-2010:0657 gdm 2010-08-27
Red Hat RHSA-2010:0657-02 gdm 2010-08-26

Comments (none posted)

httpd: information disclosure

Package(s):httpd CVE #(s):CVE-2010-2791
Created:August 30, 2010 Updated:October 18, 2010
Description: From the Red Hat advisory:

A flaw was discovered in the way the mod_proxy module of the Apache HTTP Server handled the timeouts of requests forwarded by a reverse proxy to the back-end server. If the proxy was configured to reuse existing back-end connections, it could return a response intended for another user under certain timeout conditions, possibly leading to information disclosure.

Gentoo 201206-25 apache 2012-06-24
rPath rPSA-2010-0060-1 httpd 2010-10-17
CentOS CESA-2010:0659 httpd 2010-08-31
Red Hat RHSA-2010:0659-01 httpd 2010-08-30

Comments (none posted)

kdegraphics: memory corruption

Package(s):kdegraphics CVE #(s):CVE-2010-2575
Created:August 27, 2010 Updated:December 1, 2013
Description: From the Ubuntu advisory:

Stefan Cornelius of Secunia Research discovered a boundary error during RLE decompression in the "TranscribePalmImageToJPEG()" function in generators/plucker/inplug/image.cpp of okular when processing images embedded in PDB files, which can be exploited to cause a heap-based buffer overflow.

Gentoo 201311-20 okular 2013-11-28
Slackware SSA:2010-240-03 kdegraphics 2010-08-30
Fedora FEDORA-2010-13661 kdegraphics 2010-08-27
Fedora FEDORA-2010-13629 kdegraphics 2010-08-27
Mandriva MDVSA-2010:162 kdegraphics4 2010-08-26
Ubuntu USN-979-1 kdegraphics 2010-08-27
SUSE SUSE-SR:2010:018 samba libgdiplus0 libwebkit bzip2 php5 ocular 2010-10-06
openSUSE openSUSE-SU-2010:0691-1 okular 2010-10-04

Comments (none posted)

libgdiplus: arbitrary code execution

Package(s):libgdiplus CVE #(s):CVE-2010-1526
Created:September 1, 2010 Updated:January 6, 2014
Description: From the Mandriva advisory:

Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows

Gentoo 201401-01 libgdiplus 2014-01-04
openSUSE openSUSE-SU-2010:0665-1 mono 2010-09-23
Fedora FEDORA-2010-13698 libgdiplus 2010-08-30
Fedora FEDORA-2010-13695 libgdiplus 2010-08-30
Mandriva MDVSA-2010:166 libgdiplus 2010-08-31
Ubuntu USN-993-1 libgdiplus 2010-09-29
SUSE SUSE-SR:2010:018 samba libgdiplus0 libwebkit bzip2 php5 ocular 2010-10-06

Comments (none posted)

libhx: arbitrary code execution

Package(s):libHX CVE #(s):CVE-2010-2947
Created:August 31, 2010 Updated:October 25, 2010
Description: From the Mandriva advisory:

Heap-based buffer overflow in the HX_split function in string.c in libHX before 3.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a string that is inconsistent with the expected number of fields.

Ubuntu USN-994-1 libhx 2010-09-29
Fedora FEDORA-2010-13155 libHX 2010-08-20
Fedora FEDORA-2010-13127 libHX 2010-08-20
Fedora FEDORA-2010-13155 pam_mount 2010-08-20
Fedora FEDORA-2010-13127 pam_mount 2010-08-20
Mandriva MDVSA-2010:165 libHX 2010-08-30
openSUSE openSUSE-SU-2010:0723-1 libHX 2010-10-14
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25

Comments (none posted)

libtiff: denial of service

Package(s):libtiff CVE #(s):CVE-2010-2443
Created:August 30, 2010 Updated:January 19, 2011
Description: From the MeeGo advisory:

The OJPEGReadBufferFill function in tif_ojpeg.c in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an OJPEG image with undefined strip offsets, related to the TIFFVGetField function. CVSS v2 Base: 5.0 (MEDIUM) Access Vector: Network exploitable

Gentoo 201209-02 tiff 2012-09-23
MeeGo MeeGo-SA-10:27 libtiff 2010-09-03
MeeGo MeeGo-SA-10:20 libtiff 2010-08-03

Comments (none posted)

mutter-moblin: denial of service

Package(s):mutter-moblin CVE #(s):
Created:August 30, 2010 Updated:September 1, 2010
Description: From the MeeGo advisory:

The DBus message handling in mutter-moblin was not safe. Crash could be induced by a simple:

python -c "import dbus; dbus.Interface (dbus.SessionBus ().get_object \
('org.freedesktop.Notifications', '/org/freedesktop/Notifications'), \
'org.freedesktop.Notifications').Notify ('', 0, '', '', '', [''], {}, \
MeeGo MeeGo-SA-10:18 mutter-moblin 2010-08-03

Comments (none posted)

openssl: denial of service

Package(s):openssl CVE #(s):CVE-2010-2939
Created:August 31, 2010 Updated:January 19, 2011
Description: From the Debian advisory:

George Guninski discovered a double free in the ECDH code of the OpenSSL crypto library, which may lead to denial of service and potentially the execution of arbitrary code.

Gentoo 201110-01 openssl 2011-10-09
MeeGo MeeGo-SA-10:28 openssl 2010-09-03
Slackware SSA:2010-326-01 openssl 2010-11-22
SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16
openSUSE openSUSE-SU-2010:0952-1 openssl 2010-11-16
openSUSE openSUSE-SU-2010:0951-1 openssl 2010-11-16
Ubuntu USN-1003-1 openssl 2010-10-07
Pardus 2010-119 openssl 2010-09-03
Mandriva MDVSA-2010:168 openssl 2010-09-01
Debian DSA-2100-1 openssl 2010-08-30

Comments (none posted)

opera: multiple vulnerabilities

Package(s):opera CVE #(s):CVE-2010-2576 CVE-2010-3019 CVE-2010-3020 CVE-2010-3021
Created:August 26, 2010 Updated:September 1, 2010

From the SUSE advisory:

- CVE-2010-2576: CVSS v2 Base Score: 6.8 (CWE-94): unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia

- CVE-2010-3019: CVSS v2 Base Score: 9.3 (CWE-119): heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc

- CVE-2010-3020: CVSS v2 Base Score: 5.0 (CWE-264): news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos

- CVE-2010-3021: CVSS v2 Base Score: 4.3 (CWE-399): remote attackers could trigger a remote denial of service (CPU consumption and application hang) via an animated PNG image

Gentoo 201206-03 opera 2012-06-15
SUSE SUSE-SR:2010:016 yast2-webclient-patch_updates, perl, openldap2, opera, freetype2/libfreetype6, java-1_6_0-openjdk 2010-08-26

Comments (none posted)

phpmyadmin: php code execution

Package(s):phpmyadmin CVE #(s):CVE-2010-3055
Created:August 30, 2010 Updated:September 13, 2010
Description: From the Debian advisory:

The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default.

Gentoo 201201-01 phpmyadmin 2012-01-04
Debian DSA-2097-2 phpmyadmin 2010-09-11
Mandriva MDVSA-2010:163 phpmyadmin 2010-08-30
Debian DSA-2097-1 phpmyadmin 2010-08-29

Comments (none posted)

polkit: information disclosure

Package(s):polkit CVE #(s):
Created:August 30, 2010 Updated:September 1, 2010
Description: From

pkexec is vulnerable to a minor information disclosure vulnerability that allows an attacker to verify whether or not arbitrary files exist, violating directory permissions.

MeeGo MeeGo-SA-10:14 polkit 2010-08-03

Comments (none posted)

wireshark: arbitrary code execution

Package(s):wireshark CVE #(s):CVE-2010-2994
Created:September 1, 2010 Updated:April 19, 2011
Description: From the Debian advisory:

Several implementation errors in the dissector of the Wireshark network traffic analyzer for the ASN.1 BER protocol and in the SigComp Universal Decompressor Virtual Machine may lead to the execution of arbitrary code.

Gentoo 201110-02 wireshark 2011-10-09
SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
openSUSE openSUSE-SU-2011:0010-2 wireshark 2011-01-12
SUSE SUSE-SR:2011:001 finch/pidgin, libmoon-devel/moonlight-plugin, libsmi, openssl, perl-CGI-Simple, supportutils, wireshark 2011-01-11
SUSE SUSE-SR:2011:002 ed, evince, hplip, libopensc2/opensc, libsmi, libwebkit, perl, python, sssd, sudo, wireshark 2011-01-25
openSUSE openSUSE-SU-2011:0010-1 wireshark 2011-01-04
Debian DSA-2101-1 wireshark 2010-08-31

Comments (none posted)

yast2-webclient-patch_updates: installation specific secret key

Package(s):yast2-webclient-patch_updates CVE #(s):CVE-2010-1507
Created:August 26, 2010 Updated:September 1, 2010

From the SUSE advisory:

WebYaST generates installation specific secret key during RPM installation (CVE-2010-1507)

SUSE SUSE-SR:2010:016 yast2-webclient-patch_updates, perl, openldap2, opera, freetype2/libfreetype6, java-1_6_0-openjdk 2010-08-26

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds