Steganography - Passing through the defenses

Steganography is still considered to be a part of the obscure tools of secret agents and corporate spies.

However, steganography tools are widely available, and anyone can use them. Most of these tools

But the science of counter-steganography is also advancing. Recently we discovered a great article on defeating steganography in 24-bit images. And it is quite probable that such analysis will find their way in filter systems, like mail and web filters.

This prompted us to analyze how survivable is steganogrpahy?

This also gave us a great reason to publish another set of pictures (albeit cropped) of Lena Söderberg ;) Here is our original image

Proposed Counter-Steganography System
The filter system will need to be cost-effective, minimally intrusive and not prone to error. Since there may be many different steganography alghorithms, the filter system should not try to read such messages. Doing so will require an entire farm of filter servers. Instead, the systems will resort to a much simpler mechanism:

  1. Modify all passing images so that the original hidden data is compromised.
  2. Use only minute changes to images, so that the original user expecting to see an image cannot discern any loss of quality in the image
The Test
In our test, we will be using the Lena
Söderberg test image and we will perform tests using 3 common image enhancement filters. We will hide and open the message using the online tool at Mozaiq.Org

Our operating assumption is that a higher redundancy of the message has a higher chance of survival through a filter. Thus, our test message is the following:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Phasellus in risus erat

Here is the image of Lena Söderberg with the message included within it

After hiding the message inside the image, we'll pass the image through different enhancement filters and then try to extract the message from the filtered image.

1. Sharpen Filter - The first filter to be tested is the Sharpen Filter. The filter is applied with Sharpness=2. After the application of the filter here is the image and the following message is extracted:

LoremJ� @�: ���Ѽsit�km t� consecf�t* ad piscin� u| tJ|�h s l����G�l�l� �h�z~� 5r�f�v��f�� ��j\)��5KT1��ķQo�s~cΓy?�� ɉ�C�$�� O�4E!L�r_x�߆��Ƥ �� b;��� \G;*W�.=� �1 楄 �M) Z*>֟ " °�N�(��%�J]u� �dRp�s���Χ �
G�?� e-e� E�͹g�� s�s�e�a�D�moF�O[t�h �ˀ2��i� _? � Լ�);c�s� &hD��DF �ͬ�8Q��1T� Cr!�us� �F�j�l߫��M-�_�Y��i�$�DIHQ�u�g����?0Xt�1c�� �ecTS� id_p�̦iG����Q�.�agaa��d��\�� ri u��

2. NF Filter - The second filter to be tested is the NF Filter. The filter is applied with default Alpha=0.30, and Radius=0.35. After the application of the filter here is the image and the following message is extracted:

Lo�eB�ٷs��7,� o_� � � ]t,(;��Rec�(ξrg d�p_sc nw g)�t� �kK�?1� o�nJ�8 �0;֦a �4�Cr� <��` RorLP �W�jd Fol�4ix " v����oo��� �� �i@^���r� l� ����=� l>SsC�nP �ą�v�)��EyC G�� p `8�2��Ʃ&��t��\�Yr�� Is�&t�tD>�%.�pͮǿ ��T �Z� Mha�e&l�s ƾ��`s���Mc

3. Unsharp Mask - The third filter to be tested is the Unsharp Mask. The filter is applied with Radius=1, Threshold=1 and Amount=0.1. After the application of the filter here is the image and the following message is extracted:

Error: The image that you tried to decrypt does not appear to have a message in it. It is possible that you entered the incorrect password. Please try again.

Once an image passes through a filter, any hidden messages will be corrupted. Redundancy in the hidden message helps but only against some types of image manipulation and only at very low levels of the filter.
So, any digital picture retouch filter will damage the hidden message within a steganography image.
Naturally, this conclusion is nothing new - but through this test we can conclude that a small and very visually non-disruptive filter can cause a lot of damage to a steganography image. But it will probably take a serious information theft incident through steganography in order for the vendors to start implementing steganography filters in their content filtering and gateway solutions.

Talkback and comments are most welcome

Related posts
Hiding Information in Plain Sight - Steganography

Hacking Virtual Machines Part 4 - Knowing That the Target is a Virtual Machine

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the ways an attacker will know that the target is a Virtual Machine

When attacking a virtual machine it is very useful to know that your target is a virtual machine. This is important for the following reasons:

  • Isolation - once you gain access to a virtual machine, there are a number of isolation vulnerabilities that can be attempted
  • Sphere of trust - all virtual machines on the same Host are part of the same sphere of trust
  • Impersonation - in most implementations, virtual machines on the same host communicate with the rest of the network via the same physical NIC. Therefore it is extremely simple to modify the MAC address of the compromised host and attempt to impersonate another host on the network. The network defenses will have a difficult time locating who is the impersonator, since there are multiple virtual machines on the same host
  • Nobody looks at a screen of a VM - Virtual Machines do not have a console screen. So tools that throw feedback on the console (like VNC) do not appear anywhere.

Identifying that you are attacking a virtual machine can happen in two phases:
  1. Before you penetrate the target - identification of a VM can happen if the attacker is on the same LAN, and can therefore investigate the characteristics of the target. You can easily locate a Virtual Machine through the MAC address. You can check a MAC address for it's decriptive name here. Here is the list of MAC addresses that get assigned to Microsoft and VMware Virtual Machines
    • 00-15-05-xx-xx-xx Microsoft Corporation MAC Address
    • 00-0C-29-xx-xx-xx VMware, Inc.
    • 00-50-56-xx-xx-xx VMware, Inc.
    • This approach can fail if the VM Engine has a method of changing it's MAC address to 'seem' like a real host. Most often Realtek MAC addresses are used for this change , but this leads to an inconclusive check.
  2. After you penetrate the target - This is a bit like a 'Catch 22': Once you penetrate the target, you have a lot more options, but all these require that you penetrate the target :). And these are your options:
    • MAC Address - just as the previous approach, you can look at the MAC address. And ofcourse, you can hit the same obstacle - the replaced driver with one that is brought by the VM engine which is inconclusive
    • Attack toolkit checkup - Metasploit, Core Impact and most other serious attack toolkits have a module that checks whether the compromised target is a VM. But these can fail miserably, as is presented on the screenshots below. This is why you need a second opinion.
    • Internal windows tools - there are a whole host of tools that windows brings with itself that can be used to make sure whether you are on a virtual machine. Here are two
    • driverquery - a simple command-line tool that queries all loaded drivers. If a VM Engine driver set is installed, you'll find a lot of reported information as on the screenshot below
    • wmic - WMI command-line tool that can be used to query every possible aspect of a machine. The simplest query is wmic baseboard list which returns excellent information. In a Microsoft Virtualization, you'll see the following string: "Microsoft Corporation Base Board TRUE Virtual Machine" . In a VMware virtualization you'll see the following string: "Intel Corporation Base Board TRUE 440BX Desktop Reference Platform".

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives
Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Hacking Virtual Machines Part 3 - Crashing unpatched Hyper-V hosts

Virtualization is considered to be the new renaissance in computing. Suddenly, all those over sized servers are put to great use by putting multiple Guest OS's on them. But running IT services in a virtualized environment brings a whole host of new opportunities for hackers.

In this article, we'll review the issue of Denial Of Service to a Virtualization enviroment:

One of the most important element of a Virtualization environment is the isolation. Since the host OS and the Guest OS machines run on the same hardware, and none should access each others resources - including memory, CPU time, video memory etc.

A lot of Virtualization implementations fail in proper isolation, and that can allow an attacker to mount different types of successful attacks.

The simplest one is a Denial of Service Attack. The compromised guest generates communication to memory address space attempting to breach the isolation walls and cause corruption of other Guest OS or the Host OS. It is very usual that early versions of a Virtualization platforms have vulnerabilities in the isolation mechanisms.

The following is an example of breach of the isolation wall on an unpatched Windows 2008 Hyper-V.

Please note that this attack only works on a default installation of Windows 2008, with no patches applied.
So all your Virtualizaiton platforms should be fully patched

Talkback and comments are most welcome

Related posts
Hacking Virtual Machines Part 1 - Sniffing
Hacking Virtual Machines Part 2 - Environments Where Virtualization Lives

Brief reminder - The value of a stolen corporate laptop

Laptops have become a commodity. Buying a corporate laptop costs nearly the same as buying a desktop PC.
And corporations love laptops for one simple reason. Laptops are mobile. When you issue laptop to an employee, you encourage him/her to take the work at home. Productivity increases, at no extra cost

But there is a flip side: this same trait of mobility also puts the laptop at risk of theft. Although the mantra of protecting your laptop is long going, there are a lot of companies who do not take this issue seriously. The mindset of managers still needs to be adjusted to present the issue.
Because managers speak the language of money, let's make a simple calculation that shows the impact of how much is your laptop worth:

Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2]

  • Cv = Company value - Place the value of a company (usually declared in annual reports)
  • Lv = Laptop purchase value (with costs of protection - licenses, encryption, GPS)
  • Pl = Position level of laptop user:
    • 10 - CEO/CFO/CSO
    • 7 - Division Manager
    • 5 - Department Head
    • 2 - Senior Employee
    • 1 - Junior Employee
  • ProtL = Protection Level of Laptop
    • 10 - hardware supported full HDD encryption, biometric, GPS location
    • 7 - hardware supported full HDD encryption, biometrics
    • 5 - Full HDD encryption
    • 1 - password protected Account
This simple calculator can present the financial impact of non-protected laptop. For example, in a company worth 10,000,000 USD, if the CEO's laptop with no encryption is lost, it can cost the company more than 500,000 USD.

Securing a laptop is very well known issue connected to laptops. So when you buy new PC Laptops you may want to invest in a higher value of laptops, in order to provide better protection.

Interesting PC laptops for companies should be devices with security features like
  • Full HDD encryption
  • fingerprint reader, even retina scanner,
  • Trusted Platform Module (TPM) chip (hardware supported encryption).
  • Even GPS tracking can be added to protection, but this is only for the most serious systems

Talkback and comments are most welcome

Related posts

TrueCrypt Full Disk Encryption Review
5 rules to Protecting Information on your Laptop
Windows 7 Full Disk Encryption with Truecrypt

Internal penetration testing – Why your business needs it

Internal penetration testing is a comprehensive security test of all systems related directly and indirectly to your business. This is a particularly thorough form of testing, and often goes outside the ambit of what might usually be expected in web application security testing.

Internal penetration testing, explained

This type of testing effectively imitates the methods used by hackers when attempting to penetrate your security system. There are multiple levels of penetration testing, and security consultants need to adapt the tests to match on-site technology.

Internal penetration testing relates to security vulnerabilities within a system. As distinct from external penetration testing, which probes vulnerabilities in relation to accessibility of sensitive systems from the outside, internal penetration testing deals with vulnerabilities between internal systems.

This is no academic process. A weak point in the system can be used to access multiple parts of that system. Full system security is supposed to have internal, as well as external security safeguards. A person accessing your system through an employee interface or similar routine method may be able to access areas which should be off-limits. Because most systems are typically accessed by a large range of people, it is important to ensure that internal security is watertight.

It is absolutely necessary that your internal security is as good as you can make it, because this is a critical security level with direct access to sensitive information.

Internal penetration testing methods

Security testing includes a range of possible forms of internal access to information. It may for example be possible to access information directly from the business database including personal information, account numbers etc. , or indirectly using a "backdoor" approach through another system or application.

One of the primary problems with internal security is that most companies use off-the-shelf systems and software, many of which have known vulnerabilities. These systems are quite easy for hackers to subvert, particularly if the software hasn't been upgraded or their security updated. Many types of software upgrades are also required patches which may or may not be installed, and the un-patched software can also involve significant security vulnerability.

Security consultants must test each aspect of internal security, and do it very thoroughly. Security checks may include such basics as firewalls, passwords and other seemingly simple issues but you should know that vulnerabilities in these areas can be fatal and seriously compromise system security all by themselves.

Ongoing penetration testing issues

While internal penetration testing and other forms of penetration testing do provide comprehensive checks technology changes rapidly, and so do methods of breaking into security systems. Best practice is to conduct penetration testing once every six months which ensures that security consultants can apply current methodologies to their testing.

Perhaps most importantly, engaging a security consultant for penetration testing is also very useful in getting immediate support and advice when you need it. Even the best IT people only have a limited amount of knowledge in this area, and it's always advisable to get expert assistance in these fields.

This is a guest post by Erik Weisz. Erik is an Australian freelance writer and journalist. He writes extensively in Australia , Canada, Europe, and the US. He’s published more than 500 articles about various topics, including Web Application Security and Penetration Testing

Talkback and comments are most welcome

Related posts
Understanding Penetration Testing Methodology
Minimize Impact of Online Intelligence Searches
Digging for information with Open Source Intelligence
5 Ways to fail a Social Engineering Pen-Test
5 biggest mistakes of information security

Microsoft Patch Disclosure - November 2010

Microsoft has released 3 patches which repair a total of 11 vulnerabilities.

  • 2 patches address Remote Code Execution vulnerabilities
  • 1 patch addresses Elevation of Privilege vulnerabilities.

MS10-087 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)
MS10-088 - Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)


MS10-089 - Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

Preventing XSS with Content Security Policy

An individual XSS can be easily remediated with contextual output encoding per the OWASP XSS Prevention Cheat Sheet. Although an individual XSS can easily be addressed, the overall cat and mouse game of effectively ridding an application of XSS can be very difficult. To combat this problem a new security feature, Content Security Policy, has been introduced into the Mozilla Firefox browser.

Content Security Policy (CSP) is an opt-in white list approach for defining what external scripts sources are allowed to execute JavaScript or other content loading code (e.g. iframes) within the page. By eliminating inline scripts and defining a white list of allowed external scripts it is possible to strictly control what JavaScript is executed within the page. In the event that a user injected script into the page via an improperly encoded piece of user controlled data, then Content Security Policy would identify that the JavaScript is not part of the white-listed data and the browser will disregard this unauthorized script.

Here's a basic overview of the CSP process:

  1. Externalize all JavaScript within the pages (e.g no inline script
    tag, no inline JavaScript for onclick or other handling events )
  2. Define the policy for your site and whitelist the allowed domains where the externalized JavaScript is located.
  3. Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.

Violation Reporting
The violation reporting component is another huge benefit of using CSP that can be enabled by providing a value for the policy-uri field within the site's specific Content Security Policy. In the event content (JavaScript, injected iframe, etc) is not allowed to execute due to CSP, the user's browser will issue a violation report back to the URL specified by the site's CSP. This means that a website owner can receive real time notifications of CSP violations that could be potential XSS attacks.

CSP Enabled Browsers
Content Security Policy is currently supported in Firefox 4. Although CSP is currently supported in only one browser, there are still many reasons to provide CSP support within a website. CSP will provide an added layer of protection to all web site users with a CSP enabled browser. In addition, CSP enabled browsers will also provide violation reporting feedback back to the web site owners in the event an XSS attack is somehow injected into the page. Finally, if CSP is well received then the intent is to formalize this into a standard and push for adoption within other browsers.

More Information

This is a guest post by Michael Coates, a senior application security consultant with extensive experience in application security, security code review and penetration assessments. He has conducted numerous security assessments for financial, enterprise and cellular customers world-wide.
The original text is published on ...Application Security...

Talkback and comments are most welcome

Designed by Posicionamiento Web