This document discusses steganography, which is a method of hiding secret messages within other files or data streams. It provides definitions and examples of different types of steganography, including static steganography which hides messages in digital files, and dynamic steganography which hides messages in protocols like TCP/IP packets as they are transmitted over the internet. The document also discusses uses of steganography, such as watermarking to track copyrighted content, and concerns about potential terrorist use of steganography over the internet through covert channels. Detection of hidden messages, called steganalysis, and technology to help law enforcement monitor covert communications are also mentioned.
Audio Steganography Using Discrete Wavelet Transformation (DWT) & Discrete Co...iosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
Steganography Technique of Sending Random Passwords on Receiver’s Mobile (A N...IOSR Journals
Abstract: Steganography is the art of hiding the fact that communication is taking place, by hiding information in other information. There are many applications of Steganography with different carrier file formats. Here we perform a Steganography technique with sending an OTP to the receiver's mobile, which is one of the best secured techniques in the current scenario. This technique hides file information in an image with an OTP password that is known only by the receiver, and it can be decrypted using that OTP only; this is pure Steganography. Pure Steganography means that there is no prior information shared by the two communicating parties. We are not sharing OTP information between the two communicating parties. So this is more secure than other techniques.
Key Words : Steganography, OTP, ICT, Password, IP, UDP, SIHS, LSB.
Steganography is a technology that has been used for years for communicating messages secretly. These secret messages are put inside honest carriers. Carriers can be digital images, audio files, video files and so on. The limitation in sending longer concealed messages has been overcome by the inclusion of video files as carriers. Popular internet services such as Skype, BitTorrent, Google Suggest, and WLANs are targets of information hiding techniques. Nowadays, plotters are not only using the carriers but also the protocols for communication that regulate the path of the carrier through the Internet. This technique is named Network Steganography.
Steganography using Interpolation and LSB with Cryptography on Video Images -...Editor IJCATR
Steganography is the most common term used in the IT industry, which specifically means, "covered writing" and is derived from the Greek language. Steganography is defined as the art and science of invisible communication i.e. it hides the existence of the communication between the sender and the receiver. In distinction to Cryptography, where the opponent is permitted to detect, interrupt and alter messages without being able to breach definite security grounds guaranteed by the cryptosystem, the prime objective of Steganography is to conceal messages inside other risk-free messages in a manner that does not agree to any enemy to even sense that there is any second message present. Nowadays, it is an emerging area which is used for secured data transmission over any public medium such as internet. In this research a novel approach of image steganography based on LSB (Least Significant Bit) insertion and cryptography method for the lossless jpeg images has been projected. This paper is comprising an application which ranks images in a users library on the basis of their appropriateness as cover objects for some facts. Here, the data is matched to an image, so there is a less possibility of an invader being able to employ steganalysis to recuperate the data. Furthermore, the application first encrypts the data by means of cryptography and message bits that are to be hidden are embedded into the image using Least Significant Bits insertion technique. Moreover, interpolation is used to increase the density
A brief overview of steganographical security techniques and how they have been applied, are applied and will continue to be applied in maintaining confidentiality between two communication parties
The peer-reviewed International Journal of Engineering Inventions (IJEI) is started with a mission to encourage contribution to research in Science and Technology. Encourage and motivate researchers in challenging areas of Sciences and Technology.
While transferring a file from one point to another through Intranet and Internet we need more file secure concepts. Ordinary, file Encryption-Decryption Concepts, which are readily available in java examples are easily captured by middle way itself. So we need more security combination. This project helps to send a file from one place to another in a secured manner. Firstly the target file is encrypted and it is embedded into an audio or video or any media file. The resultant file will be protected by a password. This resultant media file is not changed in its original format and it can be run in the player, we can’t find any encrypted data inside it. This format will be sent through net. In the destination point it will be retrieved only by our software and giving the relevant password. So it is highly secured.
A Study of Various Steganographic Techniques Used for Information Hidingijcses
The art of information hiding has received much attention in the recent years as security of information has
become a big concern in this internet era. As sharing of sensitive information via a common communication
channel has become inevitable, Steganography – the art and science of hiding information has gained
much attention. We are also surrounded by a world of secret communication, where people of all types are
transmitting information as innocent as an encrypted credit card number to an online-store and as
insidious as a terrorist plot to hijackers. Steganography derives from the Greek word steganos, meaning
covered or secret, and graphy (writing or drawing) [1]. Steganography is a technology where modern data
compression, information theory, spread spectrum, and cryptography technologies are brought together to
satisfy the need for privacy on the Internet. This paper is an attempt to analyse the various techniques used
in steganography and to identify areas in which this technique can be applied, so that the human race can
be benefited at large.
APPLICATION OF DATA HIDING IN AUDIO-VIDEO USING ANTIN FORENSICS TECHNIQUE FOR...ijiert bestjournal
Steganography is the art of covered or hidden text message. The purpose of steganography is covert communication - to hide the existence of a secret message from a third party. This paper is intended as a high-level technical introduction to steganography for those unfamiliar with the field. It is directed at forensic computer examiners who need a practical understanding of steganography without study into the mathematical, although references are provided to many of the ongoing research for the person who needs or wants additional detail covered by audio-video file. Although this paper gives a historical context for steganography, the significance is on digital applications use anti Forensics technique, focusing on hiding information in online audio and video files. Examples for tools of software that employ steganography to hide data inside of audio-video file as well as software to detect such hidden files will also be presented. Suitable algorithm such as LSB is used for image steganography suitable parameter of security and authentication is like PSNR, histogram are obtained at transmitter/sender and receiver side which are exactly identical, hence data security can be increased. This paper focus on the idea of computer anti forensics technique and its use of video steganography in both investigative and security manner.
With computers having GHz of processing speed, information / data either stored or in
transmission has become more and more vulnerable to hostile eavesdropping, theft,
wiretapping etc. This urges us to devise new data hiding techniques to protect and secure data
of vital significance. Steganography is a method of securing data by obscuring the contents in
another media (called Cover) in which it is saved / transmitted. This doctoral thesis proposal will
present a new Steganographic Technique for hiding data in (ASCII) text files together with its
Software implementation, a research area in Steganography which is considered as
toughest among all, to address.
One of the reasons that intruders can be successful is that most of the information they acquire from a system is in a form that they can read and comprehend. Intruders may reveal the information to others, modify it to misrepresent an individual or organization, or use it to launch an attack. One solution to this problem is, through the use of Steganography. Steganography is a technique of hiding information in digital media. In contrast to cryptography, it is not to keep others from knowing the hidden information but it is to keep others from thinking that the information even exists. In this review paper we will understand what Steganography, Cryptography is and what are the advantages of using them? In last we will discuss our goal of this paper that what types of techniques worked on video Steganography?
Steganography and Its Applications in SecurityIJMER
ABSTRACT: Steganography is the dark cousin of cryptography, the use of codes. While cryptography provides privacy,
steganography is intended to provide secrecy. Steganography is a method of covertly communicating. Steganography is a
process that involves hiding a message in an appropriate carrier for example an image or an audio file. The carrier can then
be sent to a receiver without anyone else knowing that it contains a hidden message. This is a process, which can be used for
example by civil rights organizations in repressive states to communicate their message to the outside world without their
own government being aware of it. In this article we have tried to elucidate the different approaches towards implementation
of Steganography using ‘multimedia’ file (text, static image, audio and video). Steganalysis is a newly emerging branch of
data processing that seeks the identification of steganographic covers, and if possible message extraction. It is similar to
cryptanalysis in cryptography. The technique is ancient emerging monster that have gained immutable notice as it have
newly penetrated the world of digital communication security. Objective is not only to prevent the message being read but
also to hide its existence.
Keywords: Carrier, Privacy, Secrecy, Steganalysis, Steganography
IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com
Review paper on Data Security using Cryptography and Steganographyvivatechijri
One of the major problems faced by this digital world is Data Security. Data Security plays an important role in the field of information technology. As there are large advancements in internet technology, there has been huge text as well as multimedia data transfer over the internet. The communication channel available for data transfer from the transmitter to receiver is highly insecure. As the security of electronic data is a major issue and to achieve high security and confidentiality, the public and the private sectors use different kinds of techniques and methods to protect the data from unauthorized users. Cryptography and Steganography are the most popular and widely used technologies for security. Cryptography is the art of hiding information by encryption and steganography is a technique that hides data in the cover medium. Cryptography hides the readable and meaningful contents of the data. And the existence of the data is hidden by the Steganography technique.
To increase the network security of messages sent on the internet, steganography is mostly preferred. To transmit data secretly, steganography is used in an open system environment. This paper discusses the reviews of image steganography and the general framework of image steganography using different methods. Steganography is nothing but the art of hiding information behind other information without leaving a remarkable track on the original message.
Cryptography is where security engineering meets mathematics. The field of study related to encoded information comes from Greek word for "secret writing" is cryptography. The art and science of hiding information by embedding it in some other data is Steganography. The secret communication is carried through many sources like image, audio and video files. This technique mainly proposes data hiding by embedding the message of interest using geometric style of cryptographic algorithm, thus providing high security. Wavelet transform algorithms are used to perform preprocessing of images.
Keywords: Cryptography, Steganography, Geometrical way of embedding, Wavelet transforms, DCT
A Robust Technique to Encrypt and Decrypt Confidential Data within Imageinventionjournals
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
Steganography using Interpolation and LSB with Cryptography on Video Images-A...Editor IJCATR
Steganography is the most common term used in the IT industry, which specifically means, "covered writing" and is derived
from the Greek language. Steganography is defined as the art and science of invisible communication i.e. it hides the existence of the
communication between the sender and the receiver. In distinction to Cryptography, where the opponent is permitted to detect,
interrupt and alter messages without being able to breach definite security grounds guaranteed by the cryptosystem, the prime
objective of Steganography is to conceal messages inside other risk-free messages in a manner that does not agree to any enemy to even
sense that there is any second message present. Nowadays, it is an emerging area which is used for secured data transmission over any
public medium such as internet. In this research a novel approach of image steganography based on LSB (Least Significant Bit)
insertion and cryptography method for the lossless jpeg images has been projected. This paper is comprising an application which
ranks images in a users library on the basis of their appropriateness as cover objects for some facts. Here, the data is matched to an
image, so there is a less possibility of an invader being able to employ steganalysis to recuperate the data. Furthermore, the application
first encrypts the data by means of cryptography and message bits that are to be hidden are embedded into the image using Least
Significant Bits insertion technique. Moreover, interpolation is used to increase the density
Secure Message Transmission using Image Steganography on Desktop Basedijtsrd
The rapid increase in our technology has made it easier for us to send and receive data over the internet in the most affordable way. There are many transmission media like emails, Facebook, Twitter, etc., which led way for the intruders to modify and misuse the information that we share over the internet. So in order to overcome these kinds of issues many methods have been implemented such as Cryptography, Steganography and Digital watermarking to safeguard our data transmissions in a most prominent way. In this paper, hiding text inside a digital image using Stegano tool for secure data transmissions has been described. Sidharth Sai S | N. Priya "Secure Message Transmission using Image Steganography on Desktop Based" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd38067.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/38067/secure-message-transmission-using-image-steganography-on-desktop-based/sidharth-sai-s
Adaptive Steganography Based Enhanced Cipher Hiding Technique for Secure Data...iosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
Summarising Snowden and Snowden as internal threatClubHack
A quick look back at Snowden's revelation and also looking at Snowden as an insider threat
*This presentation ends abruptly because during the talk it ends as food for thought and kickstart of next session*
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
What is FatCat Sql injector: This is an automatic SQL Injection tool called as FatCat.
Fatcat Purpose? : For testing your web application and exploit your application into more deeper.
FatCat Support:
1)Mysql 5.0
FatCat Features?
Union Based Sql Injection
Error Based Sql Injection
MOD Security Bypass (WAF)
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
The paper shall focus on the following:
1) Introduction to the problem: Focus on “security awareness”, not “behavior”
2) Real life case study of why a US$100,000 “security awareness” project failed
a. Identifying the human component in information security risks
b. Addressing the human component using “awareness” and “behavior” strategies
4) Sample real-life case studies where quantifiable change has been observed
Original research and Publications
The talk is modeled on the methodology HIMIS (Human Impact Management for Information
Security) authored by Anup Narayanan and published under “Creative Commons,
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
NFC or the Near Field Communication allows cell phones to perform specified actions whenever they detect NFC tags or signals from other NFC enabled device. Most of the recent phones including Samsung Galaxy S3, Nokia Lumia 610, Blackberry Bold etc have NFC enabled with them. NFC even helps enterprise/payment gateways to ease up users actions, such as connecting to a wifi, setting a bookmark, making payments etc.
Gone are the days of sending Android malware links through URL or attachments. In this talk, we will be showing how an attacker could steal the private and sensitive information from one’s phone and even perform malicious actions on user’s phone, using NFC as an attack vector. NFC attack vectors come in two forms : Active(setting attacker’s phone as a proxy between victim’s smartphone and the payment terminal) and Passive(using NFC tags).For our demonstrations, we would be creating malicious NFC tags which when detected by any smartphone(NFC enabled) would steal sensitive informations from the phones (without the users knowledge) as well as trick user to install malicious applications to his phone. Thereafter, we would also be talking about how an attacker could get in close proximity of another NFC-enabled phone, get a remote shell on the victim’s phone and compromise the phone’s security. We would also be discussing how viral an NFC attack could go in future, if proper security measures are not enforced.
Smart grids add communication capabilities and intelligence to traditional grids. Smart grids are enabled by intelligent sensors and actuators, an extended data management system, expanded two-way communication between utility operation system facilities and customers, network security, national integration, and self-healing and adaptive operation. They improve distribution and transmission system operation, allow customers freedom to purchase power based on dynamic pricing, improve quality of power with less wastage, and integrate a large variety of generation options.
We have seen that the more complex and critical infrastructure is, the more vulnerable it is. From the year 1994 we have seen lots of incidents where smart grids were hacked; the latest and booming incident was the Stuxnet worm, which targeted the nuclear power system of Iran and worldwide. There are different types of attacks we will see. Security needed for Smart Grid.
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
This presentation highlights the key legal risks and their implications in cloud computing. Cloud is inherently multi-jurisdictional, encompassing, remote hosting and processing of the data. This gives rise to multiple legal issues including security and privacy of the data, IP Rights, data portability, contractual limitations, risk mitigation and jurisdictional disputes.
As the cloud involves remote hosting and data accessibility by multiple parties, security and privacy remains the biggest concern for the companies. Businesses should look at issues ranging from physical location of the data centers, protection of the data against any adversity and intrusion, and access rights management.
The cloud servers are often located in different countries, which results in trans- border Data Flow. Each country has its own set of legal rules and regulations regarding data protection and privacy policies and the same can bring in complications in form of conflicting laws and jurisdictional disputes. Issues pertaining to IP rights, trade secrets and ownership of the data placed in the cloud require utmost attention. Termination and exit clauses are critical to the contract in the clouds. Interoperability of the data in the event of termination of services of a vendor is an important aspect to be considered in the contracts.
Infrastructure Security by Sivamurthy HiremathClubHack
With the development of technology, the interdependence of various infrastructures has increased, which also enhanced their vulnerabilities. The National Information Infrastructure security concerns the nation’s stability and economic security. So far, the research in Internet security primarily focused on securing the information rather than securing the infrastructure itself.
The pervasive and ubiquitous nature of the Internet coupled with growing concerns about cyber attacks we need immediate solutions for securing the Internet infrastructure. Given the prevailing threat situation, there is a compelling need to develop Hardware redesign architectures, Algorithms, and Protocols to realize a dependable Internet infrastructure. In order to achieve this goal, the first and foremost step is to develop a comprehensive understanding of the security threats and existing solutions. These attempts to fulfil this important step by providing classification of Security attacks are classified into four main categories: DNS hacking, Routing table poisoning, Packet mistreatment, and Denial-of-Service attacks. We are generally discussing on the existing Infrastructure solutions for each of these categories, and also outline a methodology for developing secured Nation.
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
Today there is a flood of tools to help with the automation of active scanning and exploitation of web applications. Once you move beyond these two functions the flood reduces down to a trickle. Vulnerability hunting is a fine art that requires a knack for seeing hidden patterns and connections. Tests like hidden parameters guessing are seldom performed by even skilled testers because of the time and effort involved in preparing for and performing them. When was the last time you identified a piece of sensitive data hidden in plain sight because it was hex encoded in to a very inconsequential looking string?
Do you enumerate all possible avenues for stored XSS in an application? A lot of times checks are missed because there is no good tooling available to perform them effectively and efficiently. HAWAS is the tool you have been missing for a long time now. It is an open source tool that is designed for hybrid analysis. It performs automated passive analysis of a web application with no input from the user for some cases and with specific application specific input for some other cases. Based on the initial set of findings the user can perform further checks from within HAWAS. HAWAS will help you hugely increase your test coverage with very little additional effort.
Hacking and Securing iOS Applications by Satish BomissttyClubHack
iOS applications share common set of classes and highly depends on the operating system solutions for data communication, storage and encryption. Solely depending on the Apple implementation made them less complex but it affects security of the applications. Though iOS comes with a great set of security features like code signing, ASLR, DEP, sand boxing and Data Protection, all of them are subject to attack. Relying only on the iOS security could lead to demise the sensitive data stored within the application when the iOS is compromised. Application security can be improved by understanding the weaknesses in the current implementation and incorporating own code that work better.
The presentation illustrates several types of iOS application attacks like run time manipulation, custom code injection, SSL session hijacking and forensic data leakage. It gives an insight into the iOS Keychain & data protection API and explains the techniques to circumvent it. The presentation will provide guidelines and suggests best practices for secure iOS application development.
Critical Infrastructure Security by Subodh BelgiClubHack
Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
With the increase in security awareness it’s very difficult to compromise the network/workstation, as most network administrators put a very restrictive firewall policy in place for incoming network traffic, i.e. allow only traffic for the http/https service, and antivirus software can easily detect any virus/worm-infected file. This talk is about a content type attack that cannot be blocked at the network perimeter/firewall and is undetectable by antivirus. The discussion also includes a demonstration of the attack vector used to compromise the system. Lastly, it includes an analysis of the malicious file used to compromise the system.
Abstract of the paper: Cross site scripting (XSS) attacks are considered one of the most dangerous attacks. When an application accepts un-validated user inputs and sends them back to the browser without validation, it provides attackers with an opportunity to execute malicious scripts in victim users’ browsers. By using this attack vector, malicious users can hijack user accounts, deface websites, carry out phishing attacks etc. XSS shell is a cross domain tool to carry out XSS attacks in a more controlled manner. It is used to set up a channel between the attacker and the victim’s browser and to control the victim’s browser.
It gives me immense pleasure to tell you that from 06-02-10 to 06-02-12 our magazine has completed two successful and rejoicing years. We at ClubHack are super excited! I hope you people are enjoying the magazine and would continue doing so in the coming future too. We enjoy making this for you all. It is said that “A lot can happen over a cup of coffee”. We experienced this amazing moment over a cup of coffee when we had the idea of starting a hacking magazine and now it has come all this way… :). 2 years looks small when we look back. For this incredible success we at ClubHack would like to thank all our readers, volunteers and authors for giving us such unbelievable support. As we want to keep up the growth and progress, we request you all to keep throwing in articles, suggestions, support and your love!
Coming to this issue we have Network Security in Tool Gyan, which will put light on how to set up a secured network; Who wants to be a Millionaire in Tool Gyan, check out for yourself what exactly it's all about ;) and TOR in Mom's guide for all those who thought 'It sounds very complicated to use, I’m not a hacker! I can’t use it!' by our author Federico from Italy.
From this month’s issue we plan to start a new section on secure coding. This section will essentially focus on good coding practices and snippets to mitigate various vulnerabilities. To begin with we have an article on PHP based RFI/LFI vulnerability. I hope you will like reading it. We also have some cool articles on XSS attacks, ROT decoding and Matriux section.
Do send us your feedback on abhijeet@chmag.in this will help us improve further.
There was a time when mobile phones were the size of a shoe and had no features other than calling and SMS, and at that time I used to play the game Snake on my dad's phone :p Now, as time has passed, we have reached the age of smartphones, which are capable of doing lots of stuff, and a world wide web of applications, causing serious concern where an attacker can use this platform to steal data. This issue of CHMag is dedicated to Mobile/Telecom Hacking and Security.
The coverpage of this December issue was released at ClubHack 2011, India’s Pioneer International Hacking Conference held last week. Talking about ClubHack Conference, if you missed ClubHack here are the presentations available at - http://www.slideshare.net/clubhack and videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collectors Editions (vol1 – from issue 1 to 10 & vol2- from issue 11 to 20), please write back to us: info@chmag.in. As of now its on demand printing.
Like the game - Snake, I have played lots of other games too which have reflected in the previous coverpages I have designed and yes I promise another awesome coverpage based on a game on the theme of android security which would be the theme for an upcoming issue, for which send in your articles to info@chmag.in
3. Issue 28 – May 2012 | Page - 3
Steganography Over Covert Channels

Steganography and Cryptography

Security and privacy have been a concern for people for centuries. Whether it is private citizens, governments, military, or business, it seems everyone has information that needs to be kept private and out of the hands of unintended third parties. Information wants to be free but it is necessary to keep information private. That need has come about because governments have sensitive information, corporations send confidential financial records, and individuals send personal information to others and conduct financial transactions online. Information can be hidden so it cannot be seen. The information can also be made undecipherable. This is accomplished using steganography and cryptography. These two processes are closely related. While cryptography is about protecting the content of a message, steganography is about concealing the very existence of the message itself. They can be combined together to provide double protection.

Notwithstanding, both steganography and cryptography can stand on their own independent of the other. Cryptography encodes a message in plain sight that cannot be read with normal efforts. Steganography hides the information so outsiders are not aware of its presence. It travels under the nose of the common man.

Definition of Steganography

Steganography is a method of hiding a message. Steganography comes from the Greek words (στεγανο-ς, γραφ-ειν) or steganos and graphein which means “covered writing”. (SINGH 5) When using steganography, the goal is not necessarily to make a message unreadable, but to hide the fact that a message even exists. The hidden message is placed within the data boundaries of a digital file such as an email, mp3 music file, mp4 movie file, spreadsheet, MS Word document, text file, pdf file, et al. Any third party could look at or listen to the digital file that the message is hiding in and not be aware that the hidden message is present. When the digital file reaches the intended party, the recipient should have the knowledge necessary to extract the hidden message from the digital file.
Steganography simply works this way:

1. Start with a secret message. Using a previously agreed upon algorithm, insert the secret message into a cover object, creating the stego object.
2. Then the stego object is sent to the receiver.
3. The receiver accepts the stego object.
4. The receiver extracts the hidden message using the agreed upon algorithm.

Present Day Steganography

Steganography preceded cryptography. Before mankind was able to encode messages with cryptography, messages would be hidden with steganographic means. They would be hidden in wax tablets, under soldiers’ hair, or with invisible ink. Today, hiding of data with steganography can be performed within the static medium of the new digital technologies: pictures, video and audio files, Word documents, Powerpoint documents, Excel spreadsheets, movie files, et al. Almost any digital file on a hard drive can have information embedded into it without any apparent presence. This is static steganography and it occurs on the bit/byte level. Taking this a step further, and one not apparent to the layman, data can also be hidden in the medium of the Internet, the layer that the data flows over, in the packets that travel from computer to computer, over twisted pair, Ethernet and optical connections, through firewalls and routers, from network to network, untouched by the fingers of any telegrapher or data technician, in the electrical current that flows over the power transmission lines. This is dynamic steganography. This is the covert channel of the Internet.

Steganography can be covertly implemented further in the timing channels of information varied by the fourth dimension of time, or the side channels, such as the power bursts that our appliances and televisions subsist upon or the concurrent magnetic waves that emanate from various household and commercial devices. These are some of the covert channels of physical hardware.

Steganography and the Internet

Dynamic steganography can be accomplished over the Internet using the medium referred to as the covert channels. Network steganography is a method of hiding data in normal data transmissions on the modern network of the Internet. These methods of hiding can be used for good or nefarious purposes, legal or illegal activities, unapproved or sanctioned processes. Any interception by a rival of the owner of this hidden data, also known as stego-data, could compromise the sending entity, cause a loss of information and resources and lead to its downfall. There must be a good reason to go to such trouble and effort to hide data using these surreptitious techniques. Today, sending messages electronically is a common mode of conveyance. Email, web documents, video, audio, file-transfer protocol, and attachments such as legal documents are all used over the Internet to exchange information. With increasingly fast processors, intercepting, detecting and deciphering messages has become easier, which means more secure means of hiding information are necessary to overcome any detection. There are many unique and creative methods of securing communications with steganography and its close relative: cryptography.
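The article places dynamic steganography in the packets themselves and goes on to name unused TCP/IP header fields as a hiding place. The following is an added example, not code from the article: a monitor-side check that parses IPv4/TCP headers and reports fields the protocol defines as zero or unused when they carry data. The function names, the choice of checks and the sample packets (constructed, using documentation addresses) are assumptions made for illustration.

```python
import struct

# Masks from the IPv4 (RFC 791) and TCP (RFC 9293) header layouts.
IP_RESERVED_FLAG = 0x8000    # top bit of the flags/fragment-offset word; must be 0
IP_FRAG_OFFSET = 0x1FFF      # non-zero means this is not the first fragment
TCP_RESERVED_BITS = 0x0F     # low 4 bits of byte 12, after the data offset; must be 0
TCP_ACK, TCP_URG = 0x10, 0x20
PROTO_TCP = 6


def audit_packet(pkt):
    """Return a list of findings for header fields that carry unexpected data."""
    if len(pkt) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _tos, _length, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return ["malformed: not a parseable IPv4 header"]

    findings = []
    if flags_frag & IP_RESERVED_FLAG:
        findings.append("ipv4: reserved flag bit is set")
    # Only the first fragment of a TCP datagram starts with a TCP header.
    if proto != PROTO_TCP or flags_frag & IP_FRAG_OFFSET:
        return findings

    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return findings + ["tcp: truncated header"]
    (_sport, _dport, _seq, ack, off_res, flags,
     _window, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", tcp[:20])
    if (off_res >> 4) * 4 < 20:
        return findings + ["tcp: data offset smaller than the fixed header"]
    if off_res & TCP_RESERVED_BITS:
        findings.append("tcp: reserved bits are non-zero (0x%x)"
                        % (off_res & TCP_RESERVED_BITS))
    # The urgent pointer is only meaningful when URG is set.
    if urg_ptr and not (flags & TCP_URG):
        findings.append("tcp: urgent pointer set without URG flag")
    # Heuristic: the acknowledgement field is only meaningful when ACK is set.
    if ack and not (flags & TCP_ACK):
        findings.append("tcp: acknowledgement number set without ACK flag")
    return findings


def audit_capture(packets):
    """Map packet index -> findings, keeping only packets that raised any."""
    report = {}
    for index, pkt in enumerate(packets):
        findings = audit_packet(pkt)
        if findings:
            report[index] = findings
    return report


def build_packet(ip_flags_frag=0x4000, tcp_off_res=0x50, tcp_flags=0x02,
                 ack=0, urg_ptr=0):
    """Constructed test input: IPv4 + TCP headers only, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags_frag, 64,
                     PROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1000, ack,
                      tcp_off_res, tcp_flags, 65535, 0, urg_ptr)
    return ip + tcp


# Constructed capture: one clean SYN, four anomalies, one truncated, one clean ACK.
SAMPLE_CAPTURE = [
    build_packet(),                               # 0: ordinary SYN with DF set
    build_packet(ip_flags_frag=0xC000),           # 1: IPv4 reserved flag set
    build_packet(tcp_off_res=0x55),               # 2: TCP reserved bits = 0x5
    build_packet(urg_ptr=0x4869),                 # 3: urgent pointer, no URG
    build_packet(ack=0x41424344),                 # 4: ack number on a bare SYN
    build_packet()[:12],                          # 5: truncated
    build_packet(tcp_flags=0x10, ack=5000),       # 6: ordinary ACK segment
]

if __name__ == "__main__":
    for index, findings in audit_capture(SAMPLE_CAPTURE).items():
        print(index, "; ".join(findings))
```

Traffic normalizers apply the same idea inline by zeroing such fields, which removes the channel rather than only reporting it.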
5. Issue 28 – May 2012 | Page - 5
Covert Channels location on the network. It’s here, now it’s
there. If small amounts of insignificant bits
In these modern and technologically or bytes are replaced, the effect on the
sophisticated times, using covert channels has become a means of transmitting information securely. How widespread its use is remains unknown. A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy. (BERG) For instance, Internet appliances such as two routers could use these covert channels to pass information between themselves. This information could be instructions to the other appliance to use an alternate path, redo the last transaction, or increase the speed of transmission. There are many methods available to enhance and guide the ongoing and orderly operational exchange of packets.

Lampson introduced the concept of covert channels in 1973. (LAMPSON 613) It is a means of communication that is not part of the original design of the system. (LLAMAS) It could even be said that a covert channel is a security flaw. It is a part of a program or system that can cause the system to violate its security requirements. It can be an electronic means of sending and hiding messages. (OWENS) Covert channels can be a means of taking any normal electronic communications and adding some secret element that does not cause noticeable interference to the original item such as a picture, sound file or other digital communication medium. (WAYNER 152)

Covert channels occur in two states: static or dynamic. There is the static hiding of data in electronic files sitting on a hard drive. When hiding data in a timing channel, the difference is that the data is dynamic, moving and always changing its

moving vessel file should be fairly unnoticeable to the casual viewer or listener. (WAYNER 155) If the byte count of the file changes, detection can be less difficult to attain. Performing a checksum on the file will raise a flag and possibly give up the embedding. The ability to detect the hidden data is next to impossible as the data streams over the wires in the midst of the billions of bits that now pass. All Internet traffic would have to be monitored for hidden data, perhaps an insurmountable task.

The World Wide network of the Internet is the perfect medium for steganography to occur. Data can be hidden in web pages and the embedded images that pass over the Internet, a relatively easy task to perform and perhaps just as easy to examine. An even more surreptitious and unique way to hide messages would be in the unused fields of the TCP/IP packet headers. The operation of the Internet runs on the Transmission Control Protocol and Internet Protocol (TCP/IP). The fields in the TCP/IP packet header help guide the movement of packets as they hop across the Internet and coordinate the reassembly of these packets when they reach their destination. These packets hold all the overt data that travels over the Internet: web pages, ftp data, video and audio, email, images and pictures. These Internet packets are directed to their destination by the information contained in the fields of the header at the beginning of each packet. Because packets are so small, only 1024 bytes, it takes many, many separate packets to convey all the information in a webpage or in any digital file. Unless specifically monitored with specific software or hardware, most users
6. Issue 28 – May 2012 | Page - 6
are not aware of the packets nor do they ever see them. Inside the packet are data frames where slices of the data reside. These data slices make up over 80 per cent of each TCP/IP packet. Until they reach their destination, the packets are incomplete and fragmented. Sometimes packets get lost and must be retransmitted. A handshake and acknowledgement initiates a session, then a sending and receiving of packets occurs like a dance, each participant performing their next step. When they reach their ultimate destination, the packets are finally reordered and reassembled. The sheer volume of the Internet and the great number of the simple network packets guarantees that covert messages can be hidden in the unused header fields of the packets containing all transmitted information. It’s not as granular as a molecular layer. Ross Anderson said: “For covertness reasons, you'd probably want to hide your traffic in traffic that's very common." (MCCULLAGH) Nothing is more common than the ubiquitous Internet TCP/IP packet.

Uses of Steganography

Steganography, in the form of media watermarking and fingerprinting, has been found to be useful for legitimate commercial applications. Applications of steganography include not only covert communications, but it can enable the tracing of the original source of pirated, stolen and illegal copies of protected books, audio or video files. Watermarking provides the ability to identify these copied files.

In a typical application of image watermarking, some message is encoded and imperceptibly embedded into the host file, like a copyright notice identifying the intellectual property owner or rightful user. (COLLBERG) One example of utilizing watermarking is to embed a digital signature in a printed document for verifying authenticity. This signature is made up of information such as the serial number, the model and manufacturer of the printer used, date of document printing, and author of the document. This information is inserted into the initial characters of each page of a document. This steganographic function, unknown to many, is a common feature of many printers used today on a daily basis. (MIKKILINENI) Music files sold over iTunes are also encoded with watermarks that identify the purchaser and host computer where the audio files were purchased. This allows them to be used by the rightful purchaser while preventing the illegal transfer of these files to others. Apple’s iTunes software examines the sound files on iPods and uses the hidden authorization codes to authenticate and allow legitimate use of purchased music files. Similarly, DVDs issued to members of the Academy of Motion Picture Arts and Sciences are tracked with watermarks to combat piracy through media source identification.

It has also been suggested that sending information requested by users in a mobile banking system can be made more safe and secure through the practice of steganography. The indirect sending of information increases the security for users in a mobile-banking system. (SHIRALI-SHAHREZA)

The uses and methods to hide data are many and will continue to grow and expand. The imagination of men and the many technical methods and rules of science will only put limits on how data will be dealt with while traveling under our noses. The need to hide that data will be always present
as the exploits and attacks increase to uncover and decipher information that does or does not belong to the hacker.

This is not to say that steganography cannot be used for good. The user of any tool, a corporation or terrorist, will determine whether the steganographic purpose is good or evil. Enslaved peoples can also use these tools to get their story out to the free world. Using cryptography and steganography, people who have freedom of information and speech are now able to receive the stories and tales of others who do not, those who should be able to enjoy the inalienable rights that belong to all humans. The recent Arab spring in Algeria, Tunisia, and Egypt has been attributed to use of the Internet to overcome corrupt political regimes and silence political dictators and despots. Steganography can keep people free.

Terrorism on the Internet

It is an invisible arms race. (GOTH) There are often reports in the news of use of the Internet by terrorist groups operating within the U.S. Many of these encrypted digital messages might be passed by way of covert channels, embedded within other innocent-looking files or in the covert channels that hide next to the overt pathway of the Internet. (MANEY) A covert channel is typically used when the participants know that they are being monitored in the usual mainstream and mundane communications channels of snail mail, financial records, telephone calls and even electronic mail. The huge bandwidth of the world’s largest network of the Internet offers an alternate medium of covert channels from snail and email, and messaging for transport of hidden data.

The process of using the Internet for terrorist activities has been in the news more and more as Homeland Security “cries wolf” louder and louder. Steganographic and encryption software is so powerful that its usage and export is regulated by law. Its usage can allow criminals, malcontents, and terrorists in addition to lawful actors to operate and communicate through public channels practically unfettered. Such software and encryption algorithms are categorized as weapons and cannot be exported outside the nation’s borders. There are many free and Open Source software packages available to anyone who wishes to hide data. Recent terrorist activity has been tentatively linked to the likely occurrence of steganography and is seen by the usual governmental agencies as a likely method of sending covert information. (KELLEY) With the wide use and abundance of the many powerful and free Open Source steganographic and cryptographic tools on the Internet, law enforcement authorities should and do have serious concerns about detection of questionable material and information through web page source files, images, audio, and video and other media. No doubt there is more effective in-house software developed by corporations and governmental agencies to accomplish undetectable steganography.

Steganalysis and Detection

Steganalysis is described as the process of detection and identification of hidden stego-data. There are many issues to be considered when studying steganographic systems. While steganography deals with the various techniques used for hiding information, the goal of steganalysis is to detect and/or estimate the presence of any potentially hidden information. This has to be done with little or no knowledge about the unknown steganographic algorithm
used to hide the message in the original cover-object, if it does exist.

One way to track Internet steganography would be to develop Internet appliances that have the capability to detect embedded documents in cover data in the data packet field and anomalies in any other packet header field. Packet analysis is also performed using packet sniffer programs, such as tcpdump, OmniPeek, and Wireshark. They capture raw network data over the wire. (SANDERS)

Specialized hardware devices are, in fact, available, but are not openly marketed to the general public and only available to approved users such as law enforcement and Homeland security agencies. These devices go beyond the capability and functionality of normal routers, firewalls and intrusion detection systems. These appliances are only available to law enforcement agencies and operate under the radar. These are called wardens and add to the cybersecurity defenses already available.

There are three types of wardens:

1. A passive warden can only spy on the channel but cannot alter any messages;
2. An active warden is able to slightly modify the messages, but without altering the semantic context;
3. A malicious warden may alter the messages with impunity. (CRAVER)

CALEA

In October 1994, Congress took action to protect public safety and ensure national security by enacting the Communications Assistance for Law Enforcement Act of 1994 or CALEA. The objective of the implementation of CALEA was to assure law enforcement's ability to conduct lawfully authorized electronic surveillance while preserving public safety and the public's right to privacy. Technology can provide the necessary tools that law enforcement agencies must have to detect questionable activities. Agencies such as the FBI, the NSA and the CIA must be able to detect questionable activities by both domestic and international malcontents. There do not exist rooms where real individuals listen to calls manually as there were during the early years of wiretapping telephone calls for J. Edgar Hoover. There do exist certain specialized computers in server rooms that do the automated interception, monitoring, and collection of data. There is occasional eavesdropping and wiretapping of lawful citizens, participants in the political process, and others who may be in violation of the serious legal guidelines society refers to as laws. The mandate of the Federal law of Homeland Security and specific court orders authorizes wiretapping of phone calls or monitoring of Internet traffic. Such activities require and authorize specialized equipment be placed on the main network pipeline of broadband Internet access providers (ISPs) and voice over Internet protocol (VOIP) providers to do that legal privacy override of examining electronic transmissions of all types. Internet service providers and telecommunications carriers must assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization.
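The passive and active wardens, and the check for anomalies in packet header fields, described under Steganalysis and Detection can be made concrete in code. The following is an added example, not code from the article or from any product it names: it parses a constructed IPv4/TCP SYN packet, reports reserved or unused header fields that are non-zero, and clears them the way an active warden would. The function names, the sample addresses and the choice of fields checked are assumptions made for illustration.

```python
import struct

URG = 0x20  # URG bit in the TCP flags byte


def checksum16(data) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    data = bytes(data)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def split(pkt: bytes):
    """Return (ipv4_header, tcp_segment) as mutable bytearrays."""
    ihl = (pkt[0] & 0x0F) * 4
    return bytearray(pkt[:ihl]), bytearray(pkt[ihl:])


def pseudo_header(ip, tcp) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))


def checksums_ok(pkt: bytes) -> bool:
    """A valid header sums to zero when its checksum field is included."""
    ip, tcp = split(pkt)
    return checksum16(ip) == 0 and checksum16(pseudo_header(ip, tcp) + bytes(tcp)) == 0


def passive_warden(pkt: bytes) -> list:
    """Observe only: list header fields that should be zero but are not."""
    ip, tcp = split(pkt)
    findings = []
    if ip[6] & 0x80:                      # highest bit of the IPv4 flags field
        findings.append("ipv4 reserved flag bit set")
    if tcp[12] & 0x0F:                    # 4 reserved bits after the data offset
        findings.append("tcp reserved bits non-zero")
    urgent = struct.unpack("!H", tcp[18:20])[0]
    if urgent and not tcp[13] & URG:      # pointer is meaningless without URG
        findings.append("urgent pointer set without URG flag")
    if not checksums_ok(pkt):
        findings.append("bad checksum")
    return findings


def active_warden(pkt: bytes) -> bytes:
    """Slightly modify the packet: zero unused fields, keep its meaning.

    The ISN is deliberately left alone. Assumption: this normalizer keeps no
    per-connection state, so it cannot rewrite sequence numbers safely.
    """
    ip, tcp = split(pkt)
    ip[6] &= 0x7F
    tcp[12] &= 0xF0
    if not tcp[13] & URG:
        tcp[18:20] = b"\x00\x00"
    ip[10:12] = b"\x00\x00"               # recompute both checksums
    ip[10:12] = struct.pack("!H", checksum16(ip))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum16(pseudo_header(ip, tcp) + bytes(tcp)))
    return bytes(ip + tcp)


def sample_syn(isn, ip_reserved=0, tcp_reserved=0, urgent=0) -> bytes:
    """Constructed test input: a 40-byte SYN between documentation addresses."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234,
                               (ip_reserved << 15) | 0x4000, 64, 6, 0,
                               bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])))
    tcp = bytearray(struct.pack("!HHIIBBHHH", 49152, 80, isn, 0,
                                (5 << 4) | tcp_reserved, 0x02, 64240, 0, urgent))
    ip[10:12] = struct.pack("!H", checksum16(ip))
    tcp[16:18] = struct.pack("!H", checksum16(pseudo_header(ip, tcp) + bytes(tcp)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    marked = sample_syn(0x1A2B3C4D, ip_reserved=1, tcp_reserved=0x5, urgent=0x4142)
    print("before:", passive_warden(marked))
    print("after: ", passive_warden(active_warden(marked)))
```

Data carried in the ISN itself passes both functions unchanged, which is why the article singles that field out: spotting it takes statistical analysis across many connections rather than a per-packet field check.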
Hiding Data in the Unused Header Fields of the TCP/IP Packets

One possible steganographic method is to use the network and transport layers of the TCP/IP protocol suite. These layers are normally unavailable to not only the common Internet user but also the average system or network administrator. One approach for data hiding is to utilize the unused fields in the TCP/IP packet header to transmit a stego-message. Accomplishment of this method would require specialized modification of certain Internet appliances, such as routers, filters, and firewalls within the existing network hardware and infrastructure. The treatment of these fields by Cisco and Nortel routers is unknown. There are no guarantees that this data would remain unaltered through its path from its initial transmission to its receipt at its intended destination. This would have to be affirmed and tested for maintenance of the data in its unaltered and undisturbed state as it moves over any network. Protocols and operational safeguards would have to be established to guarantee the availability of data hiding at the TCP/IP protocol suite. (AHSAN) Someone thought this capability was useful because they patented the process (U.S. Patent Office, Patent No: US007415018B2 Aug `9.2008). The process of steganography over TCP/IP is patentable under current patent law guidelines. Useful or not, this capability can be dangerous in the wrong hands.

One example of hiding data in a covert channel uses software for crafting steganographic data to be placed in certain unused header fields of the Internet transport data packet. This software uses fields such as the Initial Sequence Number (ISN) or other appropriate field in the packet header. The new ISNs will carry the secret message, which could be, for example, a password sniffed by malicious software running on a compromised machine.

A covert channel can be very hard to detect. That’s the idea. The packets used for carrying the message can appear innocuous and beyond suspicion. The idea of a covert channel seems very simple and unique, but it must be carefully implemented so as to not disturb normal user operations. Just as covert channels can be implemented using superior computing power, so can detection be implemented to intercept and prevent such surreptitious activity. Stealth technology is one of the methods used by attackers to hide their malicious actions after a successful break-in. Taking surreptitious control of a computer or system, installation of backdoors, planting of a rootkit, alteration of the system’s operating system is an example of using chained exploits that work together. (WHITAKER) Rootkits can modify the operating system to insert a kernel module that can perform further exploits such as steganography or a coordinated denial-of-service attack (DDOS). (TROST) There are different approaches to detection, and they can be supported using Open Source software on the receiving server. (RUTKOWSKA) This involves detecting this kind of activity while continuing to identify and develop new offensive techniques to combat the new steganographic technique.

Comprehensive National Cybersecurity Initiative

Further government action has been mandated recently. In May 2009, President Obama accepted the recommendations of the Cyberspace Policy Review. The Comprehensive National Cyber security
Initiative (CNCI), launched by President George W. Bush in detailed those recommendations. President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cyber security strategy. These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama’s Cyberspace Policy Review. The CNCI initiatives are designed to help secure the United States in cyberspace.

The existing EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection (IDS) technology. A planned EINSTEIN 3 initiative will expand these capabilities to foster safety and security on the wires, heading off any covert activities that may intrude on the nation’s communication channels. The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cyber security analysis, situational awareness and security response. (NAKASHIMA) The government created the Internet as part of a DARPA project over forty years ago. Its usage was expanded for commercial use and to include the general public in the 90s. The appropriate agencies need to guarantee a mature Internet with the ability to deter and turn away any malicious attacks, exploits, or intrusions. EINSTEIN 3 is part of this effort.

Network appliances and steganalysis detection

Network appliances such as routers and firewalls play a large role in handling and parsing network traffic. Directing data between portions of a network is the primary purpose of a router. Therefore, the security of routers and their configuration settings is vital to network operation. In addition to directing and forwarding packets, a router may be responsible for filtering traffic, allowing some data packets to pass and rejecting malformed or suspect packets. This filtering function is a very important responsibility for routers; it allows them to protect computers and other network components from illegitimate or hostile traffic.

Intelligent Support Systems for Lawful Interception, Criminal Investigation, and Intelligence Gathering (ISS) holds wiretapping conferences and seminars for the law enforcement community, military, governmental agencies and homeland security agencies. One featured company, Packet Forensics, was marketing Internet spying boxes to the feds at a recent ISS conference. (SINGEL) The web site of Packet Forensics lists the products available from the company, though some pages are restricted to authorized law enforcement and intelligence organizations only. These protected pages must describe defense and intelligence applications and hardware platforms too sensitive to release details to the public. Generally, these Internet appliances automate the processes that allow observation and collection of data on Internet traffic and/or phone calls when given the legal authority by either court order or mandate provided by legal statute to do so. They can forward captured packets for storage and further analysis later by a system designed for extreme DPI. These Internet appliances perform lawful interception, investigative analysis and intelligence gathering, stealthily, while protecting the privacy rights and civil
liberties of the law-abiding users of the Internet. (SINGEL) These appliances can handle a large number of surveillance requests while heading off any and all possible terrorist exploits before they occur. These appliances can record and collect the evidence needed to convict the guilty. These devices perform deep packet inspection, searching for thousands of different strings deep inside each packet. These products are highly recommended to officials so digital communication traffic can be scanned and examined. SSL encryption is built into web browser software and protects our web traffic. Such traffic cannot normally be decrypted and read by any packet-sniffing tool. SSL encryption is designed to protect users' data from regular eavesdropping. Such SSL encryption is not safe from the products of Packet Forensics and other powerful tools. They most likely will be able to overcome and decrypt most SSL algorithms. These devices provide for regulatory compliance such as required by CALEA, and comply with lawful intercept requirements and meet the essential needs of law enforcement. Such devices can be part of a packet processing and network compliance platform. These particular appliances can be linked together in closed networks called darknets to collect and share real-time network intelligence. Packet Forensics products are subject to the export control laws administered by the United States and may not be exported outside the US without prior Federal government approval. Two of the products available for viewing on the web site of Packet Forensics (www.packetforensics.com) are LI-5B and PF.LI-2 (next picture).

Deep Packet Inspection

Of billions of messages that roam the Internet, there must exist some messages that are malicious, containing worms or viruses, malware or spyware, which organized criminals and terrorists utilize to commit cybercrimes. Here, deep packet inspection (DPI) comes to the rescue, since it allows monitoring and filtering of packets wherever they happen to pass. DPI can also meet other objectives in security and legal compliance. This technology enables instant, ubiquitous monitoring of everything that travels the Internet.

DPI is the next surveillance application that enters society unnoticed and available for use by authorities to combat crime, even before it happens. Security and traffic cameras, miniature cameras, directional microphones, automated face and number-plate recognition, data mining, and profiling add to all the technologies used by Big Brother to watch over its citizenry. Ours is a database society with a great increase of data generation, processing, and storage
needs. DPI captures data for later examination and diverts it for messaging and analysis. This capability adds to the tools in the government surveillance toolkit uses as a beneficial observer.

Once broadband providers and other companies embrace DPI, they can monitor and select passing traffic much more sophisticatedly than by merely scanning header information. This capacity can prove of great benefit to law enforcement agencies and intelligence services, using its existing investigation powers to enlist the assistance of broadband providers. Particularly relevant is that DPI allows for real-time monitoring, and hence facilitates a preventative approach as opposed to the retroactive approach that law enforcement traditionally used.

DPI adds to the trend that broader groups of unsuspected citizens are under surveillance: rather than investigating relatively few individuals on the basis of reasonable indications that they have committed a crime, more people, including groups, are nowadays being watched for slight indications of being involved in potential crimes. This is profiling of the masses. The movie Minority Report illustrated the use of data to predict the likelihood of a crime occurring in the near future to justify the pre-emptive arrest of un-guilty parties. The explosion of data generation, inspection, and storage enables the government to collect and use significantly more data about citizens. This increase is not only quantitative but also qualitative.

More checks and balances are required to safeguard citizen rights and privacy. The increased government powers need to be balanced by additional checks and safeguards. Citizens must know which data are being collected and processed and why. This does not mean that the government can have a phishing trip and examine all traffic. Only specific individuals or corporations can have their traffic examined. The courts have deemed profiling illegal on numerous occasions. Independent authorities should regularly review and check whether the government uses its powers correctly and legitimately.

Data protection is a key element. The legal framework for data protection has become outdated. The assumption of preventing data processing as much as possible is no longer valid in the current networked database society. Large-scale data collection and correlation is inevitable nowadays, and the emergence of DPI serves to emphasize this. Instead of focusing data protection on prevention in the data collection stage, it should rather be focused on better utilization of the data. Data protection is valuable not so much to enhance privacy, but to ensure transparency of government and non-discrimination.

While data protection can serve to regulate the use of data, it remains to be discussed whether DPI should be allowed for government use in the first place. Here, other elements of privacy come to the fore: protection of the home, family relations, and personal communications. These elements are likely to be infringed by DPI. Since privacy is a core, though not specifically stated, constitutional value to safeguard citizens’ liberty and autonomy in a democratic constitutional state, DPI should be critically assessed. The common man is king of his castle and its borders should not be violated. DPI could be accepted as a necessary addition to the investigative tools used by law enforcement already if used properly. The power of DPI
to run roughshod over the rights of the suspected requires a fundamental rethinking of what legal protection is afforded here. Society needs substantial new checks and balances to counter-balance the increase in government power over its citizens. (JAAP-KOOPS)

The company Phorm uses DPI to peek into the web surfing habits of end users in order to serve targeted advertising. (PHORM) It is suspected that the National Security Agency has inserted sophisticated DPI equipment into the network backbone of the Internet so that it can sweep up huge volumes of domestic emails and Internet searches. While privacy activists and computer geeks are up in arms, the vast majority of Internet users either don’t seem to care or don’t fully understand what is happening.

Without encryption, e-commerce wouldn’t be possible. The cryptographic technology of SSL is built into every web browser. The security of Amazon, eBay, PayPal, and every online bank depends upon the consumer being able to make purchases and conduct transactions over the Internet confidently and securely.

Most web surfers do not realize how much of their information flows nakedly over the network, nor how easy it is for others to snoop on their web surfing. The predecessor of the Internet, the Arpanet, was once a happy safe place, in the 60s and 70s, when the first packets were sent between government contractors and research institutions. Those early hundreds of participants knew each other well and trusted each other. It is no longer the case. It is the wild west, unbridled and without a sheriff to keep us safe. There are evil forces out there, be they hackers, spies, under-age script kiddies, or unscrupulous broadband providers. The good guys must deploy cryptographic technologies to protect the general public. But DPI can also be perceived as a bad thing and a possible threat to the privacy of individuals. It is clear that DPI is a potentially dangerous tool. (WILSON) The solution to the problem of Internet privacy is not just legislation making snooping illegal, but the industry-wide adoption of cryptography by default. Nothing will protect our privacy or security from deep packet inspection better than encryption. (SOGHOIAN)

Broadband providers increasingly use deep packet inspection technologies (DPI) that examine consumers’ online activities and communications in order to tailor advertisements to their unique tastes. Users of Google’s free Gmail email service find that the advertisements in the right side reflect the contents of their email. Friends find the same is true with Facebook. It’s no wonder that privacy concerns remain despite the assurances that this data is not collected and sold. Nothing prevents providers from simply altering their policies. DPI operates invisibly. Broadband providers can collect our online communications and sell them and their contents, including medical data and private correspondence, to employers, insurance companies, credit bureaus, and landlords. They could become powerful data brokers of our online communications.

Another concern is the government’s ability to subpoena the digital surveillance of a person’s online life from broadband providers. Consumers deserve to be heard before the disclosure of such information to the governmental agencies or commercial entities. The courts have held that DPI can violate individual’s important property or
liberty interests. It’s a taking of privacy, as if their house was being searched. Consumers may choose to curtail their online communications rather than give up their personal data. This would chill the development of our ideas and free speech.

Broadband providers hide notice of their deep packet inspection practices in the densely worded legalese of the privacy policy boilerplate. If some providers switch to an opt-in approach or reject DPI entirely, consumers still cannot totally control the use of DPI technologies by those with whom they communicate. Governments should ban the use of DPI for commercial benefit and create a “Do Not Track” list to protect consumers. Broadband providers should be required to disclose their data collection practices. DPI can be used for constructive purposes such as to combat spam, without compromising consumer rights and privacy. (CITRON)

Data is always in one of two states: at rest or in motion. Data is at rest on a hard drive of a single computer. Data is safe when the host computer and its network connections are secure from intruders. Data can be secured further by encrypting it. Data that is in motion is traveling over a network. This traveling data makes many hops and travels through numerous subnets, network appliances, routers and IDS in its passage. This gives numerous instances of interception or capture of the TCP/IP packets at possible weak security points. The process of packet capture is turning data in motion into data at rest by grabbing data that is moving across a network link and storing it for parsing and examination. It can be compared to the use of cameras by toll roads to verify the vehicle is assigned to the transponder in that car by capturing the license plate as the vehicle passes through the toll booth. There is software, legitimate and illegal, Open Source, shareware and freeware, free and for sale, available for the performance of packet capture. Such freeware, shareware and Open Source software includes Wireshark (Ethereal), Metasploit or Nmap.

Packet Crafting

Packet crafting describes the art of creating and generating packets that can contain stego-data. Packet crafting can be done using the same software for both legitimate purposes and illegal and unauthorized reasons. Network administrators create and use such software tools to test network devices such as routers, firewalls, intrusion detection devices and to audit network protocols and correct weak implementations of network configurations. Thus one must create packets and insert and alter data in specific fields. The packets must be sent onto the network at one location. Then the packets must be intercepted and decoded and the content must be analyzed and interpreted. Whether or not these packets were rejected or allowed to flow through a network is noted. Vulnerabilities to exploits must be found and eliminated to protect data and information residing on servers and personal computers.

Conclusion

There exists a hidden level of communications where data can be sent and received under the noses of the common man. These covert channels exist unknown to the layman and can be used to protect electronic communications. This Internet exploit exists to be used for good or bad. Until this channel is blocked it will exist to
be used by anyone willing to utilize this capability.

Bibliography

Ahsan, Kamran. Covert Channel Analysis and Data Hiding in TCP/IP. MS thesis. University of Toronto, 2002. 15 Mar. 2009 http://gray-world.net/papers/ahsan02.pdf .

Wesley Professional, 2005.

Berg, S. Glossary of Computer Security Terms. USA, National Computer Security Center, 1998.

Citron, Danielle Keats; “The Privacy Implications of Deep Packet Inspection”; http://dpi.priv.gc.ca/index.php/essays/the-privacy-implications-of-deep-packet-inspection/ .

Collberg, C. S., Thomborson, C., and Townsend, G. M. 2007. Dynamic graph-based software fingerprinting. ACM Trans. Program. Lang. Syst. 29, 6 (Oct. 2007), 35. DOI= http://doi.acm.org/10.1145/1286821.1286826 .

Craver, J. S., “On Public-Key Steganography in the Presence of an Active Warden,” Proc. 2nd Int’l. Wksp. Information Hiding, Apr. 1998, pp. 355–68.

Goth, G. "Steganalysis Gets past the Hype." IEEE Distributed Systems Online 6.4 (2005): 2. Web.

Jaap-Koops, Bert; “Deep Packet Inspection and the Transparency of Citizens”; http://dpi.priv.gc.ca/index.php/essays/deep-packet-inspection-and-the-transparency-of-citizens .

Kelley, Jack. Militants wire Web with links to jihad. USA TODAY. www.usatoday.com/news/world/2002/07/10/web-terror-cover.htm .

Lampson, Butler W. “A Note on the Confinement Problem”; Xerox Palo Alto Research Center. http://dl.acm.org/citation.cfm?coll=GUIDE&dl=GUIDE&id=362389 .

Llamas, D, et al. An Evaluation Framework for the Analysis of Covert Channels in the TCP/IP protocol suite. University of St. Andrews, Scotland, UK.

Maney, Kevin. Bin Laden’s Messages Could Be Hiding In Plain Sight. USA Today December 19, 2001. http://www.usatoday.com/life/cyber/ccarch/2001/12/19/maney.htm .

McCullagh, Declan, "Secret Messages Come in .Wavs." Wired.com. Wired News, 20 Feb. 2001. Web. 11 Feb. 2012. <http://www.wired.com/print/politics/law/news/2001/02/41861>.

Mikkilineni, Aravind K.; Chiang, Pei-Ju; Chiu, George T.-C.; Allebach, Jan P.; Delp, Edward J.; “Data Hiding Capacity and Embedding Techniques for Printed Text Documents”.

Nakashima, Ellen; “White House declassifies outline of cybersecurity program”; Washington Post; March 3, 2010.

Owens, Mark. A Discussion of Covert Channels and Steganography. InfoSec Reading Room. SANS Institute. 19 Mar. 2002. http://www.sans.org/reading_room/whitepapers/covert/a_discussion_of_covert_channels_and_steganography_678 .

"The Phorm Files - The Register." The Phorm Files - The Register. The Register, 29 Feb. 2008. Web. 05 Mar. 2012. <http://www.theregister.co.uk/2008/02/29/phorm_roundup/> .

Rutkowska, Joanna. “The Implementation of Passive Covert Channels in the Linux Kernel”; invisiblethings.org .

Sanders, Chris. Practical Packet Analysis: Using Wireshark to Solve Real-world Network
16. Issue 28 – May 2012 | Page - 16
Problems. San Francisco: No Starch, 2008.
Print.
Shirali-Shahreza, Mohammad. "Improving
Mobile Banking Security Using Steganography."
International Conference on Information
Technology (ITNG'07). (23007): Print.
Singel, Ryan; “Law Enforcement Appliance
Subverts SSL”;
http://www.wired.com/threatlevel/2010/03/pa
cket-forensics ; March 24, 2010 .
Singh, Simon. The Code Book: The Science of
Secrecy from Ancient Egypt to Quantum
Cryptography. New York: Anchor Books, 1999.
Soghoian, Christopher; “Deep Packet Inspection
– Bring It On”;
Hal Wigoda
hal.wigoda@gmail.com
Hal Wigoda is an IT professional of over 40 years of experience. Hal currently specializes in Security of Open Systems and Mobile Devices.
Kautilya

Introduction
One liner about Kautilya - Kautilya is a toolkit which makes it easy to use a USB Human Interface Device (like Teensy++) in breaking into a system. Now let’s understand what that means.

First let’s understand Teensy++ (I will use Teensy for Teensy++ from now on). It is a USB HID which could be used as a programmable keyboard, mouse, joystick and serial monitor. What could go wrong? Imagine a programmable keyboard which, when connected to a system, types out commands pre-programmed in it. It types faster than you and makes no mistakes. It can type commands and scripts and could use an operating system against itself, and that too in a few seconds. If you can program the device properly, keeping in mind most of the possibilities and quirks, it could be a really nice pwnage device.

During a penetration test, you generally do not have enough time to learn how to program a device. Although programming Teensy is really easy (that is why I am able to do it ;)), it would be wonderful if someone programmed a tool which gives a ready to use payload for Teensy. This is exactly what Kautilya is designed for. You just need to select a few options and a sketch is generated which can then be compiled and uploaded to the device. Kautilya is written in Ruby and is named after Chanakya.

As of this writing it contains twenty payloads for Windows 7 and three for Linux (tested on Ubuntu 11).
Screenshot 1: Kautilya version 0.2.2

Using Kautilya in a Pen test
Here is the step by step process (assuming you have a Teensy with you):
1) Download Kautilya
2) Select your payload, select options and an output payload will be generated.
3) Compile and upload this payload to Teensy using Arduino + Teensyduino. (A step by step guide on installation and configuration of Arduino can be found on my blog.)
4) Connect the device to the victim, either directly if you have physical access or by using Social Engineering.
5) Enjoy the pwnage :)

Let’s have a look at some of the payloads which could be helpful in a Pen Test.

Force Browse
This payload opens up a hidden instance of Internet Explorer and browses to the user provided URL. An ideal use case could be hosting an exploit of msf or a hook of BeEF on the given URL. The payload is able to execute with normal user privileges and is very silent.

Screenshot 2: Generating a payload using Kautilya
Screenshot 3: Compile and load the payload to Teensy
Assuming you are able to connect the device by some means to the victim, below is what a victim will see on his desktop. Note the small command window which writes dark blue on black background.

Screenshot 4: Victim desktop

After a few seconds, look at your msfconsole.

Screenshot 5: A meterpreter session

Connect to a hotspot and execute code
This payload connects to a hotspot controlled by you (assuming you are the attacker), downloads a meterpreter exe in text format, converts it back to an executable and executes it. The testing of this payload was done using an HTC Android phone and the kWS web server on the phone. You need to manually convert the executable to text format using a powershell script, exetotext.ps1, in the extras directory of Kautilya. This script exetotext.ps1 is based on a post by Matt at his blog Exploit Monday.

Screenshot 6: Using the "connect to hotspot and execute code" payload

This payload is ideal for a scenario when there is a restricted or no internet connection on the victim and you are reasonably near to the victim. A drawback of this payload is that the victim will get disconnected from other existing WiFi networks. The output of this payload will be the same as above under default behavior. You can easily modify this payload as per your needs and it could be used for much more.
Is this a real threat?
This is a question I am asked many times during my talks about Kautilya: is this a real threat? Yes. If you have been doing pen testing even for a few months, you will feel the need for something which can be used without actually exploiting anything. You would love using the features and built-in tools to pwn a system, as this raises few or no flags. How to use this in a pen test is up to your wisdom: use it actively by connecting it to an unattended system during internal pen tests, or hide the device inside a mouse or pen drive etc. for Social Engineering attacks.

Conclusion
As long as those defending the systems and those breaking the systems do not realize the risk, pwning a system using HID will be very easy. I have never seen any environment where HIDs are blocked during the large number of Penetration Tests which I have carried out for clients of my firm PricewaterhouseCoopers. No countermeasure or antivirus flags it as a threat. Some company marketed that they can do it, but it turned out to be false. USB HID threats are here to stay.

Nikhil Mittal
nikhil_uitrgpv@yahoo.co.in
Nikhil Mittal is a hacker, info sec researcher and enthusiast. His areas of interest include penetration testing, attack research, defence strategies and post exploitation research.
He specializes in assessing security risks at secure environments which require novel attack vectors and an "out of the box" approach. He has worked extensively on using HID in Penetration Tests and powershell for post exploitation. He is the creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests. He has spoken/trained at Clubhack’10, Hackfest’11, Clubhack’11, Black Hat Abu Dhabi’11, Troopers’12, PHDays’12, Shakacon’12, GrrCon’12 and Black Hat Europe’12.
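The article notes that a programmed HID "types faster than you" within seconds of being connected. One defender-side heuristic built on that observation, as an added example that is not from the article or from Kautilya: flag a long run of machine-speed keystrokes that starts shortly after a new keyboard is attached. The event format, the device name and all thresholds are assumptions made for this sketch.

```python
from statistics import pstdev

# Assumed thresholds for this example; tune them against real typing data.
MAX_GAP_MS = 20            # sustained gaps this short are not human typing
MIN_BURST_KEYS = 15        # ignore short fast runs such as key rollover
ATTACH_WINDOW_MS = 10_000  # the run must start soon after a keyboard attaches


def find_injection_bursts(events):
    """Return one alert per machine-speed keystroke run after a device attach.

    events: time-ordered (timestamp_ms, kind, detail) tuples, where kind is
    "attach" (a new HID keyboard was enumerated) or "key" (a key press).
    """
    alerts, burst, last_attach = [], [], None
    for ts, kind, detail in list(events) + [(None, "end", "")]:
        if kind == "key" and (not burst or ts - burst[-1] <= MAX_GAP_MS):
            burst.append(ts)
            continue
        # The current run has ended: decide whether it looks injected.
        if (len(burst) >= MIN_BURST_KEYS and last_attach is not None
                and 0 <= burst[0] - last_attach[0] <= ATTACH_WINDOW_MS):
            gaps = [b - a for a, b in zip(burst, burst[1:])]
            alerts.append({
                "device": last_attach[1],
                "start_ms": burst[0],
                "keys": len(burst),
                "mean_gap_ms": sum(gaps) / len(gaps),
                "jitter_ms": pstdev(gaps),
            })
        burst = [ts] if kind == "key" else []
        if kind == "attach":
            last_attach = (ts, detail)
    return alerts


def sample_events():
    """Constructed stream: human typing, an attach, a fast run, human typing."""
    events = [(i * 180 + (i % 3) * 40, "key", "") for i in range(20)]
    events.append((60_000, "attach", "hypothetical-usb-keyboard"))
    events += [(61_500 + i * 5, "key", "") for i in range(40)]
    events += [(90_000 + i * 210, "key", "") for i in range(10)]
    return events


if __name__ == "__main__":
    for alert in find_injection_bursts(sample_events()):
        print(alert)
```

A timing heuristic like this complements, and does not replace, restricting which USB device classes an endpoint will accept.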
HTTPS (Hyper Text Transfer Protocol Secure)

Introduction
Hypertext Transfer Protocol (HTTP) is a protocol where communication happens in clear text. To ensure authenticity, confidentiality and integrity of messages, Netscape designed the HTTPS protocol. Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol (HTTP) with the SSL (Secure Sockets Layer)/TLS (Transport Layer Security) protocol. It provides encrypted communication and secure identification of a network web server.

HTTPS encrypts and decrypts the page requests and page information between the client browser and the web server using a Secure Sockets Layer (SSL). HTTPS by default uses port 443 as opposed to the standard HTTP port of 80. URLs beginning with HTTPS indicate that the connection between client and browser is encrypted using SSL.

SSL works at the transport layer of Transmission Control Protocol/Internet Protocol (TCP/IP), which makes the protocol independent of the application layer protocol functioning on top of it. SSL is an open standard protocol and is supported by a range of both servers and clients.

SSL works in three phases:
- Authentication - Authentication checks that the server is who it claims to be.
- Encryption - Encryption with the key exchange creates a secure tunnel and doesn't allow an unauthorized person to make sense of the data.
- Integrity - Checks that any unauthorized system cannot modify the encrypted data.

The SSL handshake uses asymmetric and symmetric encryption. Asymmetric encryption is used to share the session keys and a symmetric key algorithm is used for data encryption.
Asymmetric encryption has a lot of overhead, so it is not feasible to use it for the entire session.
The client first requests an HTTPS session from the server, then the server sends back a certificate which has its public key embedded in it. Only the server has access to the matching private key, no one else.

Now the client authenticates the certificate against the list of known root CAs (if a CA is unknown/self-signed, then the browser gives the user an option to accept the certificate at the user's risk). The client will then create a session key which only it knows, encrypt it with the public key received from the server, and send it across the internet to the server. The server will decrypt that session key with its private key. Now server and client both know the session key.

Once the SSL handshake is completed and the session key has been exchanged with asymmetric encryption, the rest of the session is encrypted with the symmetric session key.

We use symmetric encryption because it is quicker and uses fewer resources. Symmetric encryption is used to encrypt the session data.

Rohit Parab
rohit.parab9@gmail.com
He is a Bachelor of Computer Science. He is a Freelance Software Developer and Independent Security Researcher (Mumbai Area).
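The handshake described above (a session key sent under the server's public key, then symmetric encryption with an integrity check), as an added example that is not from the article: a toy model using only the Python standard library. The tiny RSA key, the HMAC-based keystream and all function names are assumptions made for illustration, and certificate validation against root CAs is not modelled.

```python
import hashlib
import hmac
import secrets

# Toy server key pair built from two known Mersenne primes (constructed for
# this example). Far too small for real use; textbook RSA without padding.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                # public modulus, sent in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never leaves the server


def client_key_exchange(server_public):
    """Client: pick a random session key and encrypt it to the server's public key."""
    n, e = server_public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped


def server_unwrap(wrapped):
    """Server: recover the session key with the private exponent."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def _subkey(session_key, label):
    return hmac.new(session_key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, standing in for a real symmetric cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(session_key, plaintext):
    """Symmetric phase: encrypt a record and append an integrity tag."""
    nonce = secrets.token_bytes(12)
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()


def unseal(session_key, record):
    """Verify the tag first, then decrypt; raise ValueError on any modification."""
    body, tag = record[:-32], record[-32:]
    expected = hmac.new(_subkey(session_key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record was modified in transit")
    nonce, ciphertext = body[:12], body[12:]
    stream = _keystream(_subkey(session_key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def demo():
    """Run both sides: key exchange, one protected request, one tampered copy."""
    client_key, wrapped = client_key_exchange((N, E))
    server_key = server_unwrap(wrapped)
    record = seal(client_key, b"GET /account HTTP/1.1")
    tampered = record[:12] + bytes([record[12] ^ 1]) + record[13:]
    try:
        unseal(server_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return client_key == server_key, unseal(server_key, record), tamper_detected


if __name__ == "__main__":
    print(demo())
```

The single asymmetric operation happens once per session, while every record afterwards costs only hash operations, which is the overhead argument the article makes.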
SECTION 66C - PUNISHMENT FOR IDENTITY THEFT

Introduction
The term identity theft was coined in 1964. However, it is not literally possible to steal an identity, so the term is usually interpreted as identity fraud or impersonation. Identity theft is a form of stealing someone's identity by pretending to be someone else, typically in order to access resources or obtain credit and other benefits in that person's name.

SOME OF THE INCIDENTS
- The social security number of Todd Davis, CEO of the identity theft protection company Lifelock, was exposed by Matt Lauer on NBC’s Today Show. Davis’ identity was used to obtain a $500 cash advance loan.
- Li Ming, a graduate student at West Chester University of Pennsylvania, faked his own death, complete with a forged obituary in his local paper. Nine months later, Li attempted to obtain a new driver’s license with the intention of applying for new credit cards eventually.

PUNISHMENT FOR IDENTITY THEFT
Whoever, fraudulently or dishonestly makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Comments
This section applies to cases where someone dishonestly or fraudulently does the following –
- makes use of electronic signature of any other person, or
- makes use of password of any other person, or
- makes use of any other unique identification feature of any other person.

Illustration
Vivek and Rajan were business partners. A few months back they had a fight over some issues and then parted ways. Vivek opened a new firm in the same line of business as Rajan. In the next few months Vivek took over most of Rajan’s clients.
Disgruntled by this, Rajan decided to take revenge. Rajan managed a fake ID proof and address proof in the name of Vivek and applied for a digital signature certificate. He then digitally signed documents and emails to enter into electronic contracts in Vivek’s name and solicited his clients by pretending to be Vivek.
Rajan can be held liable under this section.

Acts covered: (1) dishonestly/fraudulently using someone’s electronic signature/password or any other unique identification feature; (2) dishonestly retaining stolen computer resource or communication device
Investigation authorities: Police officer not below the rank of Inspector; Controller of Certifying Authorities or a person authorised by him
Relevant courts: Judicial Magistrate First Class; Court of Session
Cognizable/Bailable: Yes/Yes

Sagar Rahurkar
contact@sagarrahurkar.com
Sagar Rahurkar is a Law graduate, a Certified Fraud Examiner (CFE) and a certified Digital Evidence Analyst.
He specializes in Cyber Laws, Fraud examination, and Intellectual Property Law related issues. He has conducted exclusive training programs for law enforcement agencies like Police, Income Tax.
Don’t Get Injected – Fix Your Code

When I began doing security reviews for web applications, one common issue that I encountered was ‘SQL Injection’. Developers used to pose several questions to me, saying that their software was secure as they had followed several measures to mitigate this insidious issue.

The main mitigation adopted was to use Stored Procedures or input validation. While this does reduce certain types of injection, it doesn’t prevent all of them. In this article, I will explain what SQL Injection is and what one can do to prevent it.

SQL Injection:
SQL Injection attacks occur in all database driven web applications. There is a risk in every web application that accepts an end user’s input and uses it to send database queries to an underlying database. A hacker can manipulate the user input and send malicious queries to the database. The impact could range from stealing users’ information or taking control of the server to a complete wipe out of the database.

So, the onus is on the developer to ensure that the application’s integrity and reliability is preserved.

SQL Injection: An Example
Consider the below login page which accepts a username and password and lets the user log in.

Let’s assume that the below query is executed when one tries to log on to the database. In this case, the query would look like:

    SELECT * FROM USERS WHERE USERNAME='celia' AND PASSWORD='password';

While a naïve user would only provide the correct password and proceed to access the business functionality of the application, a hacker wouldn’t. Now, consider the same form but with input shown as below.
This is how the query will take shape now.

    SELECT * FROM USERS WHERE USERNAME='1' or 1=1--' AND PASSWORD='password'

As you can see, this will let the user log in even when he doesn’t know the username and password. This is a very simple case of SQL Injection.

Mitigation:
The steps suggested here are absolutely needed if you want to mitigate SQL Injection. They are not just recommendations.
- Always validate your input for the right size, format, type and range.
- Use SQL parameterized queries.
- Use Stored Procedures.
- Give the minimum privilege to the database user account that is executing the queries.

Input Validation:
It is very important that your application knows what input to expect, what data type it can contain, the format of its input and the minimum and maximum lengths. Though it is a bit difficult/time consuming to implement these validations for all input fields, it is a fool proof approach if you want your application to be reliable for a long time.

SQL Parameterized Queries:
Never use string concatenation to build your queries dynamically. Always use placeholders or parameterized statements to build your queries. An example is given below.

    // Placeholders (?) keep the query text fixed; the values are bound separately
    String query = "SELECT * FROM USERS WHERE username=? AND password=?";
    PreparedStatement prepStmt = con.prepareStatement(query);
    prepStmt.setString(1, username);
    prepStmt.setString(2, password);
    ResultSet rs = prepStmt.executeQuery();

An argument passed through the above statement will be automatically escaped by the JDBC driver.

Stored Procedures:
Stored procedures by themselves do not help in mitigating SQL Injection. By using a stored procedure, type checking is automatically available for the parameters. Hence, when one uses this method in combination with parameterized statements, one can minimize SQL injection to a great level. Consider the same SQL written as a procedure call.

    // Two bound IN parameters and one OUT parameter for the user id
    CallableStatement stmt = conn.prepareCall("{call SELECT_USER(?, ?, ?)}");
    stmt.setString(1, username);
    stmt.setString(2, password);
    stmt.registerOutParameter(3, java.sql.Types.NUMERIC);
    stmt.execute();

The procedure that executes in the back end might look similar to below.
    -- The p_ prefix avoids clashes with column names and the USER keyword
    CREATE OR REPLACE PROCEDURE SELECT_USER(
        p_user   IN  VARCHAR2,
        p_pass   IN  VARCHAR2,
        p_userid OUT NUMBER) IS
    BEGIN
        -- Static SQL: the parameters are bound as values
        SELECT userid INTO p_userid
          FROM users
         WHERE username = p_user AND password = p_pass;
        COMMIT;
    END;

One point to note here is to not use exec @sql or dynamic SQL inside a stored procedure. If one does that, the advantage of using a stored procedure is reduced and SQL Injection will be possible. Check out the below vulnerable code. This code does make use of Stored Procedures but uses dynamic SQL. This code is still vulnerable to SQL Injection.

    CREATE OR REPLACE PROCEDURE SELECT_USER(
        p_user   IN  VARCHAR2,
        p_pass   IN  VARCHAR2,
        p_userid OUT NUMBER) IS
        v_query VARCHAR2(4000);
    BEGIN
        -- VULNERABLE: the parameters are concatenated into the SQL text
        v_query := 'SELECT userid FROM users WHERE ' ||
                   'username = ''' || p_user ||
                   ''' AND password = ''' || p_pass || '''';
        EXECUTE IMMEDIATE v_query INTO p_userid;
        COMMIT;
    END;

Likewise, Stored Procedures should be used in conjunction with input validation. Just because type checking is done, it doesn’t mean that one can get away without validating user input.

Minimum Privilege:
Last but not the least, always ensure that the database user executing the queries has only SELECT or the minimum required privilege to use the application. This will prevent the database getting corrupted or wiped out should an attack occur.

So, start following these simple requirements in your applications and you can be sure that you won’t have a security consultant coming to you and asking you to fix your code.

Celia
Celia has been with Infosys for the past 5 years and has been associated with Internet Application Security since August 2010. Her expertise includes Product Development, Secure Code Development, Penetration Testing and Secure Code Analysis. She is a Certified Ethical Hacker and is currently engaged in application security consulting.
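The article's login example and its first two mitigations (input validation and parameterized queries) side by side, as an added example that is not the author's code: the same input, 1' or 1=1--, is run against a concatenated query and a parameterized one. SQLite from the Python standard library stands in for the article's database, and the table contents, function names and username policy are assumptions made for this sketch.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: one account in an in-memory database.
    The plaintext password column mirrors the article's query only."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                ("celia", "password"))
    return con


def login_concatenated(con, username, password):
    """VULNERABLE: user input becomes part of the SQL text."""
    query = ("SELECT userid FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return con.execute(query).fetchone() is not None


def login_parameterized(con, username, password):
    """Placeholders keep the input as data; it is never parsed as SQL."""
    query = "SELECT userid FROM users WHERE username=? AND password=?"
    return con.execute(query, (username, password)).fetchone() is not None


# Assumed policy for this example: 3-20 letters, digits or underscores.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def valid_username(username):
    """Input validation: type, size and format are checked before any query."""
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def login(con, username, password):
    """Validation and parameterization together, as the mitigation list asks."""
    if not valid_username(username) or not (1 <= len(password) <= 128):
        return False
    return login_parameterized(con, username, password)


if __name__ == "__main__":
    con = make_db()
    injected = "1' or 1=1--"          # the input from the article's example
    for name, fn in [("concatenated", login_concatenated),
                     ("parameterized", login_parameterized),
                     ("validated", login)]:
        print(name, fn(con, "celia", "password"), fn(con, injected, "password"))
```

Only the concatenated version accepts the injected username; the other two treat it as an ordinary string that matches no account.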