July 20, 2003

Hiding In Plain Sight

Okay, I know I'm supposed to be studying... and I will get back to my Switching book as soon as I pop off this post (I promise). But, I just couldn't help reading this book. It was sitting on my shelf...calling to me.... (It learned this technique from the chocolate in my fridge.)

On a serious note, it's a really good book. Yes, the title of the book is Hiding In Plain Sight and it's about steganography and the art of covert communications. I devoured this in two days and learned quite a bit from it. No, there are no hidden messages in the pictures on this page. The accompanying CD does have programs and source code, but I have no reason to send anyone a "secret message," no matter how fun it would be... I was much more interested in the methods to detect someone else using this technique to convey messages.

Steganography deals with hiding messages within other mediums. Think of the days of milk and lemon juice ink (invisible ink) that could be read when heated. Now apply that idea to the digital age. We're talking about the unused parts of files - where other files can hide. Think of black text on a black background. The human eye will not see it. The computer will. Imagine a picture of the beach. Now take the pixels and darken them just one shade in certain spots. Your eyes wouldn't notice the difference, but a computer would. And a computer can calculate the one pixel that is different from the ones surrounding it and easily "rebuild" the original message. That's steganography.
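As an added illustration (not from the book or its CD), here is one way a detector can spot the "one shade" trick described above. Overwriting the lowest bit of each pixel with random-looking message bits evens out the counts of neighbouring values 2k and 2k+1, and a pairs-of-values chi-square statistic measures exactly that. The pixel data, the function names and the threshold of 3.0 are assumptions constructed for the example.

```python
import random
from collections import Counter

def pov_ratio(pixels):
    """Pairs-of-values chi-square statistic per degree of freedom.

    LSB replacement with random-looking bits pushes the counts of values
    2k and 2k+1 toward equality, so the ratio falls to about 1. Untouched
    data with lopsided pairs scores far higher.
    """
    hist = Counter(pixels)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        h0, h1 = hist[even], hist[even + 1]
        if h0 + h1 == 0:
            continue  # this pair never occurs, so it contributes nothing
        stat += (h0 - h1) ** 2 / (h0 + h1)
        pairs += 1
    return stat / pairs if pairs else float("inf")

def looks_lsb_embedded(pixels, threshold=3.0):
    """Flag data whose value pairs are suspiciously balanced (threshold is an assumption)."""
    return pov_ratio(pixels) < threshold

def constructed_cover(n=8192):
    """Constructed sample: a posterized gradient that uses only multiples of 8."""
    return [(i * 256 // n) // 8 * 8 for i in range(n)]

def constructed_stego(cover, seed=2003):
    """Constructed sample: same pixels, every lowest bit overwritten with
    random bits standing in for an encrypted payload."""
    rng = random.Random(seed)
    return [(p & ~1) | rng.getrandbits(1) for p in cover]

if __name__ == "__main__":
    cover = constructed_cover()
    stego = constructed_stego(cover)
    print("largest per-pixel change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("cover ratio:", pov_ratio(cover), "flagged:", looks_lsb_embedded(cover))
    print("stego ratio:", round(pov_ratio(stego), 2), "flagged:", looks_lsb_embedded(stego))
```

Real photographs have far less lopsided pairs than this constructed cover, so the gap between clean and altered data is narrower in practice.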

I try to keep up with these things. I realize that I have to keep up with as many of the newest technologies as I possibly can. Why? Because the bad guys do.

That's right. The bad guys already know all about this stuff and use it to hide their activities. Meanwhile, only a few top people on the good guys' side ever bother to learn about this. How many people have gotten off - scot-free - because no one could *prove* that something illegal was going on?

Terrorists use it. Agents of corporate espionage use it. Child porn rings use it. And right under our noses, all these things are going on.

Good encryption is tough to break. We know this. So the good guys monitor the amount and frequency of messages (that they can't read) to be alert for potential attacks. Great...something's going to happen, but we don't know where or what....?!? Ah...so if that's what they're doing to tighten security, the bad guys figure they'll *hide* their messages so we won't even know *when* it's coming...

Corporate espionage - it happens! Companies are stealing your company's secrets and beating you to market with the product. Let that happen a time or ten and see if the company is still around. You won't have to worry about your job being "outsourced" to another country. Your whole company will be under and you will wonder why you don't have a job. Meanwhile, the other company will have the product without having to spend a dime on research and development. And there are governments that are sponsoring this espionage!

And *shudder* child porn rings... The cops go in and arrest the slimeball...confiscate his computer. They search and search - and find quite a few pictures on the computer, but none that are pornographic. There's nothing they can do at that point, but let him go - knowing from all other indications that this guy is a slimeball. Meanwhile there's a ton of child porn on the computer - hidden inside images of the Statue of Liberty or pictures of puppies....

It's a bleak picture. But - imagine how that picture would change if more people were aware of the tools that the bad guys use?

If the people doing the investigations took the time and effort to learn the latest and greatest (like the criminals do)... They could scour the Internet looking for digital dead drops instead of wasting time frisking everyone they think "looks" foreign...or "looks" suspicious.... (define that one, I dare you)

If ordinary people would just take the time to learn a little -- enough to be suspicious when the 10-line Word document for a company cookout (emailed to everyone and their uncle) pops up in their inbox and has a size of 234K. [Hmmmm...you think perhaps there's a message within that message? You think someone among the 361 people that got that message might notice? Perhaps they might report that to their Security Manager?]

What about your local police? You think they know about this stuff? Even on a basic conceptual level? Would they even know enough to contact someone at a higher level to look into it further if a crime involved a computer? Or would they also be naive enough to be forced to let some slimeball go - based on a lack of evidence (that's right under their noses)?

Your network admin and the common user. Well...this site's not all that critical. We don't store anything of value here. We don't have to worry about passwords or hacking. So what if they hack? We'll just restore from backup. So what if someone knows my password? They can't get into anything... (or can they?)

Criminals are just waiting for people like that. People who don't care about security. It makes identity theft much easier. It makes hacking much easier. It's a piece of cake to get into a site that doesn't care about security. And once they're in, they're not going to hack you. They don't want you to know they're there. They want to use your site as a launching pad for other activity. They want to use your name and email account (or one they create for themselves on your server) to create another account on a "free" email server. And then use *that* account to post to a newsgroup. Or use your IP addresses to upload files to another hacked site.

Try convincing the police that it "wasn't you" when your name and email address are all over that stuff... Do they understand anything about identity theft? Do you understand enough to prevent or detect it?

We need more people to understand these things. We need more people to care about security. We NEED those extra sets of eyes and ears to notice these things and we need people to report suspicious activity to people who know how to investigate and handle it. What we don't need are people shutting their eyes, people resistant to learning, and people who will sweep security incidents under the rug to make them "go away."

The bad guys won't go away. And they're getting smarter...

Posted by BlueWolf on July 20, 2003 11:32 AM