Steganography meets VoIP in hacker world

Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within VoIP traffic. Techniques that fall under the category of VoIP steganography have been discussed in academic circles for a few years, but now more chatter is coming from the hacker community about creating easy-to-use tools, says Chet Hosmer, co-founder and chief scientist at WetStone Technologies, which researches cybercrime technology and trains security professionals investigating cybercrimes. "There are no mass-market programs yet, but it's on our radar, and we are concerned about it given the ubiquitous nature of VoIP," he says. Steganography in general is hiding messages so that no one even suspects they are there; done digitally, it means hiding messages within apparently legitimate files or traffic. For example, secret data can be carried inside a .jpg file by overwriting the least significant bits of the image data. VoIP steganography applies the same idea to VoIP streams, concealing secret messages without severely degrading the quality of calls.

There are more than 1,000 steganographic programs available for download online that can place secret data within image, sound and text files and later extract it, Hosmer says. Because only the least significant bits are used, the hidden messages have little visible impact on the images the files contain. There are no such programs for VoIP steganography yet, but in the labs, researchers have come up with three basic ways to carry it out. The first uses unused bits in the UDP or RTP protocol headers, both used for VoIP, to carry the secret message. The second hides data inside each voice payload packet, but not so much that it degrades the quality of the sound. The third inserts extra, deliberately malformed packets into the VoIP flow.

A variation drops in packets that are so far out of sequence that the receiving phone discards them; they can still be picked up by other devices on the network that have access to the entire VoIP stream. These techniques require compromised devices or conspirators on both ends of the call, or a man-in-the-middle to inject the extra packets. "It's much more difficult to do and much more difficult to detect" than hiding data within other files, Hosmer says. The medium used to carry a secret message is called the carrier, and just about anything can be a carrier. x86 executables, for example, can carry secret messages, according to Christian Collberg, an associate professor of computer science at the University of Arizona and co-author of the book Surreptitious Software. By manipulating the compiler, it can be made to choose one of two equivalent addition operations, and that choice can represent a bit of the secret message, Collberg says. "There are lots of choices a compiler makes, and whenever you have a choice, that could represent a bit of information," he says.

Even something as broadly used as TCP/IP can host steganographic messages. One of the newest methods, retransmission steganography (RSTEG), takes advantage of TCP retransmission, in which a sending machine resends packets for which it fails to receive acknowledgements. The sending and receiving machines must both be in on the scheme, according to a paper written by a group of Polish researchers headed by Wojciech Mazurczyk at the Warsaw University of Technology. At some point during the transfer of a file, the receiving machine intentionally withholds the acknowledgement for a packet, and the sender retransmits it. The resent packet is actually different from the initial packet: its payload carries the steganographic message.

The receiving machine can distinguish such resent packets and opens the message, the researchers say. In general, defending against steganography is tough because traditional security devices such as firewalls and application firewalls don't detect this type of illicit transfer: a file containing a secret message looks just like a legitimate file. In his Crypto-Gram newsletter, security expert Bruce Schneier dismisses the threat from RSTEG. "I don't think these sorts of things have any large-scale applications," he says, "but they are clever." Mazurczyk and his colleagues have spent a lot of time figuring out new carriers for secret messages, publishing research on embedding them in VoIP and wireless LAN traffic. The best way to combat suspected use of steganography to leak corporate data is to look for the telltale signs, namely known steganography programs on company computers, says Hosmer. When the steganography program is known, it can be applied to the carrier to reveal the secret message.
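The exchange described above, as an added example in Python that is not from the Warsaw group's paper or from the article: a sender streams a file in fixed-size segments, the colluding receiver withholds the acknowledgement for chosen segments so that they are retransmitted, and each such retransmission carries a chunk of the secret instead of the original bytes. The keyed 4-byte marker the receiver uses to recognize a covert retransmission, the segment size, and the sample file and secret are assumptions of this demo, not the paper's scheme. The monitor function shows the check a sensor that sees the whole stream can run: a retransmitted segment whose payload differs from the first copy on the wire is the telltale sign, while an honest retransmission after genuine loss repeats the same bytes and is not flagged.

```python
import hashlib
import hmac

SEG = 16                   # payload bytes per segment (constructed size, small for illustration)
TAG = 4                    # bytes of keyed marker at the front of a covert retransmission
KEY = b"rsteg-demo-key"    # assumption: pre-shared by the two colluding hosts


def covert_tag(seq, body):
    """Marker that lets the colluding receiver tell a covert retransmission from a
    genuine one. An assumption of this demo, not the paper's marking scheme."""
    mac = hmac.new(KEY, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()
    return mac[:TAG]


def run_exchange(data, secret, covert_seqs, lost_seqs=()):
    """Simulate the transfer of `data` in SEG-byte segments.

    covert_seqs: segment numbers the receiver deliberately leaves unacknowledged so
                 that the sender's retransmission can carry a chunk of `secret`.
    lost_seqs:   segments whose first copy is genuinely lost downstream of the monitor.
    Returns (trace, file_at_receiver, secret_at_receiver); trace is the list of
    (seq, payload, is_retransmission) tuples a passive monitor between the hosts sees.
    """
    segments = [data[i:i + SEG] for i in range(0, len(data), SEG)]
    room = SEG - TAG
    framed = len(secret).to_bytes(2, "big") + secret if secret else b""   # length prefix
    chunks = [framed[i:i + room] for i in range(0, len(framed), room)]
    slots = sorted(covert_seqs)
    if len(chunks) > len(slots):
        raise ValueError("secret needs %d covert retransmissions, only %d slots" % (len(chunks), len(slots)))
    slot_map = dict(zip(slots, chunks))
    if any(len(segments[s]) != SEG for s in slot_map):
        raise ValueError("covert slots must be full-size segments so the retransmission looks normal")

    trace, received, covert_out = [], {}, []
    for seq, payload in enumerate(segments):
        trace.append((seq, payload, False))
        if seq not in lost_seqs:
            received[seq] = payload                     # first copy reaches the receiver
        if seq in lost_seqs:
            # Genuine loss: no ACK, the sender resends exactly the same bytes.
            trace.append((seq, payload, True))
            received[seq] = payload
        elif seq in slot_map:
            # Covert slot: the receiver already holds the data but withholds the ACK; the
            # sender's "retransmission" carries marker + secret chunk padded to segment size.
            body = slot_map[seq].ljust(room, b"\x00")
            covert = covert_tag(seq, body) + body
            trace.append((seq, covert, True))
            # Receiver side: verify the marker before treating the duplicate as covert data.
            if hmac.compare_digest(covert[:TAG], covert_tag(seq, covert[TAG:])):
                covert_out.append(covert[TAG:])

    file_out = b"".join(received[i] for i in range(len(segments)))
    stream = b"".join(covert_out)
    n = int.from_bytes(stream[:2], "big") if len(stream) >= 2 else 0
    return trace, file_out, stream[2:2 + n]


def detect_rsteg(trace):
    """Check a monitor can run over the wire trace: flag every sequence number whose
    retransmitted payload differs from the first copy seen. Honest retransmissions
    repeat the original bytes exactly and are not flagged."""
    first, flagged = {}, []
    for seq, payload, _ in trace:
        if seq not in first:
            first[seq] = payload
        elif payload != first[seq] and seq not in flagged:
            flagged.append(seq)
    return flagged


if __name__ == "__main__":
    FILE = bytes(range(256)) * 2                        # constructed 512-byte "file", 32 segments
    SECRET = b"meet at 0900, gate B"                    # constructed covert message
    trace, got_file, got_secret = run_exchange(FILE, SECRET, covert_seqs={3, 11, 20}, lost_seqs={7})
    print("file intact:", got_file == FILE)              # True
    print("receiver recovered:", got_secret)             # b'meet at 0900, gate B'
    print("monitor flagged seqs:", detect_rsteg(trace))  # [3, 11]
```

The detector has to see both copies of a segment, so it must sit on the path between the hosts; a sensor that only sees the reassembled stream at the receiver has nothing to compare, which is why the channel is invisible to a file-level check.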

On systems where such a program is found, forensic analysis may reveal files that contained messages and an indication of what data might have been leaked. The message itself may be encrypted and have to be decrypted, he says. In many cases, just knowing that steganography is going on and who is responsible is enough for a business: it can confront the person and take steps to prevent further leaks, Collberg says. But businesses can take more active steps, such as destroying the secret messages by altering the carrier file. Free programs such as Stirmark, which perturbs files enough to destroy steganographic messages, are available online.

For instance, if the carrier is an image file, setting all the least significant bits to zero would destroy any messages contained there without significantly changing the appearance of the image, he says. Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., has developed "double stegging": inserting steganographic messages into files with the intent of disrupting other steganographic messages that might also be in them. He is waiting to find out whether he gets a Small Business Innovation Research (SBIR) grant from the government to pursue turning his steganography-jamming technology into a commercial product. According to Hosmer, a look at the evidence in closed cases of electronic crime found that in 3% of those cases, criminals had steganographic programs installed on their computers. "The fact that these criminals were even aware [of steganography] was a startling surprise to law enforcement agencies," he says. Interest in steganography is growing, according to WetStone Technologies' monitoring of six popular steganography applications. In 2008, the six combined logged 30,000 downloads per month, up from 8,000 to 10,000 per month about three years earlier, Hosmer says. That's not a dramatic increase given that the use of Internet-connected computers has gone up in the meantime, but it is still noteworthy, he says.

Steganography is not always bad. Technically, steganography is the same as digital watermarking, but with different intent, Collberg says. A watermark is a secret message embedded, for instance, in an image file so that if the image is used online, a Web crawler can find it. The creator of the image can then check whether the site displaying the image has paid for it or is violating copyright, he says.
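The least-significant-bit technique described earlier for images and for voice payloads, together with the LSB-zeroing countermeasure, as an added example in Python that is not a tool from the article or from WetStone: the carrier is a constructed 8 kHz sine tone standing in for decoded 16-bit PCM voice, the message is hidden one bit per sample behind a two-byte length prefix, and the same buffer is then sanitized by clearing every LSB. The framing, the tone and the sample message are assumptions of this example. A real stream would spread the bits over many RTP payloads, and transcoding through a lossy codec would destroy them just as the zeroing does.

```python
import math
import struct


def make_tone(n=800, freq=440.0, rate=8000, amp=12000):
    """Constructed carrier: 100 ms of an 8 kHz sine tone as signed 16-bit PCM samples,
    standing in for one burst of decoded voice payload (an assumption of this demo)."""
    return [int(amp * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]


def pack_pcm16(samples):
    """Serialize samples as little-endian 16-bit PCM, i.e. the bytes an RTP payload carries."""
    return struct.pack("<%dh" % len(samples), *samples)


def unpack_pcm16(payload):
    return list(struct.unpack("<%dh" % (len(payload) // 2), payload))


def embed_lsb(samples, message):
    """Hide `message` in the least-significant bits of `samples`, one bit per sample,
    MSB first, behind a 2-byte length prefix. Each sample changes by at most 1."""
    framed = len(message).to_bytes(2, "big") + message
    bits = [(b >> k) & 1 for b in framed for k in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short: %d bits needed, %d samples" % (len(bits), len(samples)))
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit     # valid for negative samples too (two's complement)
    return out


def extract_lsb(samples):
    """Read the LSB channel back; returns b"" if the length prefix does not fit the carrier."""
    bits = [s & 1 for s in samples]
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                for i in range(0, len(bits) - len(bits) % 8, 8))
    if len(raw) < 2:
        return b""
    n = int.from_bytes(raw[:2], "big")
    if 2 + n > len(raw):
        return b""
    return raw[2:2 + n]


def zero_lsbs(samples):
    """The countermeasure from the article: clear every LSB, destroying an LSB
    steganogram while moving the audio by at most one quantization step."""
    return [s & ~1 for s in samples]


def max_delta(a, b):
    """Largest per-sample change between two buffers (a cheap distortion measure)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_tone()
    stego = embed_lsb(carrier, b"Q3 forecast: see attached")   # constructed secret
    payload = pack_pcm16(stego)                                  # what would go on the wire
    print(extract_lsb(unpack_pcm16(payload)))                    # b'Q3 forecast: see attached'
    print("max sample change:", max_delta(carrier, stego))       # 1
    print(extract_lsb(zero_lsbs(stego)))                         # b''
```

Both embedding and zeroing move every sample by at most one quantization step, which is why neither is audible on a call and why the countermeasure is cheap: the carrier is degraded no more by the sanitizer than it was by the steganogram.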

Exchange 2010 hits RTM

Microsoft on Thursday concluded development on Exchange 2010 and said the new mail server would ship on Nov. 9 at the company's TechEd conference in Berlin, Germany. The server is being touted as a hybrid, equally at home as the foundation for a hosted e-mail service or a corporate messaging infrastructure. Exchange 2010, which is a 64-bit-only server, includes new storage and deployment options, enhanced inbox management capabilities, built-in e-mail archiving, new database clustering, additional hardware options, and a revamped Outlook Web Access client.

The hosted version of Exchange 2010, however, is not expected to ship until May or June 2010. Microsoft already hosts more than 5 million users on Exchange 2010 as part of its Live@Edu program, and the company said that the ability to use Exchange as a hosting platform is now built into the product. End users are already planning corporate rollouts, including Ford Motor Co., which plans to deploy 100,000 seats. "Our senior leadership team has signed off on the final code, and it has been sent to our early adopters for one final look before its public release," read a blog post signed by "The Exchange Team". Microsoft has said previously that it specially architected Exchange 2010 for high availability and cross-domain integration using techniques such as pairing the server with Windows Server 2008 clustering technology and directory federation features. Lee Dumas, director of architecture for Azaleos, a provider of remote management services for Exchange and SharePoint, says 2010 has challenges and rewards. "I'm not slamming Exchange, but to achieve the level of [service-level agreements], and dealing with large amounts of data, multiple copies of databases, server roles, and load balancing makes complexity inherent in getting the whole system in place," he says. The rewards, however, will follow for those that heed due diligence, he says. Network World Lab Alliance member Joel Snyder said in his Exchange 2010 review that corporate users should carefully assess the implications of the new server. "The combination of clustering, replication and low-cost disk support means that reliability and scalability can be based on replicating small, inexpensive servers both within a data center and between data centers. E-mail managers thinking of deploying Exchange 2010 should step back and evaluate closely these new grid-style architectural approaches - and be sure that your Exchange team has adequate time to re-think and re-evaluate commonly held beliefs on how to build large Exchange networks."

Exchange 2010 is the first in a wave of new Office products set to ship this year and next. Office 2010, SharePoint Server 2010, Office Communications Server 2010, Visio 2010 and Project 2010 are slated to ship in the first half of 2010.

Detailing contingency planning

On Oct. 27, 2009, the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division (CSD) published Special Publication (SP) 800-34 Revision (Rev) 1, "DRAFT Contingency Planning Guide for Federal Information Systems" and requested comments from readers by Jan. 6, 2010. The official announcement described the SP as follows: SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. Contingency planning refers to interim measures to recover information system services after a disruption. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.

Authors Marianne Swanson, Pauline Bowen, Amy Wohl Phillips, Dean Gallup, and David Lynes include two of the six authors of the June 2002 original version of SP 800-34 (Swanson, Wohl, Lucinda Pope, Tim Grance, Joan Hash and Ray Thomas) and have, as usual for NIST ITL CSD, done a superb job of preparing a framework that lays out a sound basis for business continuity planning (BCP). The 150-page SP begins with an introduction presenting the purpose, scope and audience for 800-34 Rev 1. Page 13 of the PDF file describes the purpose as providing "guidelines to individuals responsible for preparing and maintaining information system contingency plans (ISCP). The document discusses essential contingency plan elements and processes, highlights specific considerations and concerns associated with contingency planning for various types of information system platforms, and provides examples to assist readers in developing their own ISCPs." The document explicitly excludes discussion of disaster recovery. Despite the inclusion of "for Federal Information Systems" in the title, SP 800-34 Rev 1 has a great deal of value for all information assurance and business continuity specialists. The scope is defined as "recommended guidelines for federal organizations" (p 14), but the authors write, "The concepts presented in this document are specific to government systems, but may be used by private and commercial organizations, including contractor systems." The audience is "managers within federal organizations and those individuals responsible for information systems or security at system and operational levels. It is also written to assist emergency management personnel who coordinate facility-level contingencies with supporting information system contingency planning activities." (p 15) The authors then list a wide range of specific job titles of people likely to find the document useful, including IT managers, CIOs, systems engineers, and system architects. The references to Federal Information Processing Standards (FIPS) in no way prevent the guidelines from serving organizations outside the U.S. federal government. The authors describe the structure of the document clearly as follows (p 16):

• Section 2, Background, provides background information about contingency planning, including the purpose of various security and emergency management-related plans, their relationships to ISCPs, and how the plans are integrated into an organization's overall resilience strategy by implementing the six steps of the Risk Management Framework (RMF)….

• Section 3, Information System Contingency Planning Process, details the fundamental planning principles necessary for developing an effective contingency capability. This section presents contingency planning guidelines for all elements of the planning cycle, including business impact analysis, alternate site selection, and recovery strategies. The principles outlined in this section are applicable to all information systems. The section also discusses the development of contingency plan teams and the roles and responsibilities commonly assigned to personnel during plan activation.

• Section 4, Information System Contingency Plan Development, breaks down the activities necessary to document the contingency strategy and develop the ISCP. Maintaining, testing, training, and exercising the contingency plan are also discussed in this section.

• Section 5, Technical Contingency Planning Considerations, describes contingency planning concerns specific to the information systems listed in Section 1.3, Scope. This section helps contingency planners identify, select, and implement the appropriate technical contingency measures for their given systems.

The nine appendices provide practical templates and checklists of great utility in BCP. There is so much valuable information here, offered in a structured, clear presentation, that every IA professional concerned with BCP should read – and, I hope, comment on – this draft publication.

Verizon updates Droid software; Users hope it fixes echo problem

An over-the-air software update to the Droid smartphone started yesterday, but it wasn't clear whether its 14 enhancements address a voice echo problem that hundreds of users have complained about in online forums. The enhancements come from Verizon Wireless, Motorola and Google, whose Android operating system runs the Motorola Droid. The much-anticipated update went to a "small percentage of handsets" yesterday, and the update, identified as ESD56, will be phased in over the next week or so, a Verizon Wireless spokeswoman confirmed early today via e-mail. An update to the Droid Eris smartphone from HTC is "planned but a date has not yet been confirmed," the spokeswoman added.

The Motorola Droid update is based on Google's release of a software development kit for Android 2.0.2 on Dec. 6. The most noticeable modifications improve the Droid's camera autofocus capability and the phone's voice reception, the spokeswoman added. However, it remains unclear whether the list of official fixes offers any relief to the hundreds of customers who have complained of a voice echo heard by recipients of calls made from Droid phones. At least 300 comments in a Motorola online support forum thread titled "Droid phone sound quality is not great" refer to the subject, and most describe audio echo noticed by the people Droid users are calling. One Motorola Droid user, John Davis, said he has enjoyed all aspects of his Droid except the phone itself. "Almost from day one there has been an annoying echo primarily with the person on the receiving end," he wrote in an e-mail to Computerworld. Davis, a physician, bought his phone the first day it was available at a Verizon store near Boston. Despite the many online complaints of a similar problem from Droid users, he couldn't get Verizon store officials to listen to him, he said. "Each time I returned to the store, now three times, I have been treated increasingly like an Android from out of space until [a recent] Friday when I threw a nutty in the store and screamed out for attention," he wrote. "The techs were clueless." Davis said his son, an engineer at Cisco Systems Inc., helped him decrease the echo somewhat by adjusting the phone's settings, so that when the echo shows up, Davis must fiddle with the speaker button to lessen it.

But Davis was still awaiting the update, which was rumored to start on Dec. 11 but now appears to have started four days earlier. The official update documentation says only that one of the 14 improvements is "audio for incoming calls is improved." A separate item says that Bluetooth functions are improved, with "background echo ... eliminated," but only in reference to Bluetooth use. Davis said his son believes the update is designed to address the issue, and so do many on an online forum. The full list also includes improvements to OS stability, battery life and camera autofocus. Ironically, many reviewers of the Motorola Droid found it has superlative sound quality, so the echo problem could be a function of the network as well as the Droid, many forum users have noted. Davis said he has had no significant problems with his camera, but is still eager to get the update for the camera focus.

A Motorola support forums manager, identified online only as Matt, called attention to the update yesterday with a link to the separate Motorola forum thread on sound quality, implying that the improvements could help the echo problem. Verizon has noted that to get the free update, the Droid needs to have 40% or more battery charge if it is not connected to an external power source, and 20% or more if it is connected. The Verizon spokeswoman did not answer directly whether the update fixes the echo problem, saying only that descriptions of the audio problem on forums are "subjective," but she offered to provide a fuller explanation later.

Google Search Page Gets a New Look

Google has introduced a new version of the search engine's home page, which features a sleek fade-in effect that hides all the elements of the page except the logo, the search bar, and the buttons. When you access the main Google search page, you see only the Google logo (or the doodle of the day) and the super-sized search bar (introduced a few months ago) with the search buttons underneath. The rest of the elements, such as links to Gmail, Documents, News, Maps, Shopping, etc., are revealed with a fade-in effect when you first move the cursor on the screen.

Google's new search homepage is now even less crowded in comparison to Bing, the competing search engine from Microsoft, which displays a different image behind the search bar daily and features search queries of interest. The fading Google homepage was first noticed a few months ago, when Google was experimenting with different designs. The company says it tried about ten versions of the fading homepage and chose the current one based on "user happiness metrics". Some of the earlier versions had an even more minimalistic approach, with the search buttons hidden at first. The final version of the fading homepage is now being introduced to Google home pages around the world. Google explains in a blog post that it was concerned with the time to first action on the new homepage, which could confuse users initially. "We want users to notice this change... and it does take time to notice something (though in this case, only milliseconds!). Our goal then became to understand whether or not over time the users began to use the homepage even more efficiently than the control group and, sure enough, that was the trend we observed," the Google team explained.

Google also introduced a better format for image search results earlier this week. The new image search layout shows a larger image with additional smaller images alongside. In a previous update in November, Google also introduced Image Swirl, which brings layers of similar images into searches.