Dragan on Security

Michal Wegrzyn informed me about new and interesting project on http://vsl.sourceforge.net/.  That is new steganographic tool. Name of tool is Virtual Steganographic Laboratory (VSL). It is a graphical block diagramming tool that allows complex using, testing and adjusting of methods both for image steganography and steganalysis. VSL provides friendly GUI along with modular, plug-in architecture. Tool is very similar to CrypTool which has been described on this blog here.

VSL screenshot

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message. That is a form of “security through obscurity”. The word steganography is of Greek origin and means “concealed writing”. Generally, messages will appear to be something else: images, articles, or some other covertext. It may be considered as kind of invisible ink between the visible lines of a private letter.

The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

Virtual Steganographic Laboratory (VSL) is simple, easy to use software for steganography, steganalysis and watermarking. It gives scientists and students a powerful tool for conducting wide range of experiments involving different types of message embedding, diverse attacks (employing image processing algorithms) and steganalysis with the use of popular methods. Due to its use of generics (and few other features) it requires at least Java 1.5 (5.0).

Primary interface of the VSL is a graphical block diagramming tool and a customizable set of block modules. VSL uses dynamic invocation, so any new module can be created, added and used along without recompilation of the application.  Many steganographic applications are usually command-line tools or very simple GUIs which consist of one chosen method. VSL provides framework for complex yet simple to arrange experiments and methods testing. It can use many methods simultaneously and everyone can add a new one.

I see this as very promising project and will continue to watch its progress.

It might happen even in middle of worlds’ financial crisis. We should wait and see. Or not just wait, you can really contribute to new search engine. To contribute, you should just install free software and use it. The name is Edgios and software is in Alpha stage.

Edgios already have got lot of publicity on Web sites and discussion forums. It is a large-scale distributed search ‘cloud’ that offers higher-quality search results. Users participate in the cloud by downloading the Edgios personal search software, and connecting that software to the net.

Recent discussion on one of most important developers’ forums in Serbia raised many questions about Edgios. Some of participants questioned idea, concept, and many raised privacy and security concerns as well. Also, it seems that many people are scared by Google and Yahoo and have no courage to question their solutions and to start something what may compete with big ones. It can be successful or not, but it is worth a try at least, especially if you have famous Venture Capital to back your ideas. If that is one who backed Skype it is then more serious.

Some of question raised in discussion are: Is it secure? Is it safe? Authors say:

Yes! That’s exactly the point. By having the Edgios personal search client on your computer, you’re in control of what you share and what you keep private. Traditional search engines keep much more information than you might expect, and they hang onto it for a long time. With Edgios, you’re in control.

I would add: do you know what Google or other search engines know about you already? Have you asked yourself that question?

Here are some facts grabbed from Edgios Web site about company:

Edgios is a US company, based in Palo Alto, CA. The company is backed by Draper Fisher Jurvetson (DFJ), a premier Venture Capital firm based in Menlo Park, CA. DFJ shares with Edgios a passion for distributed computing, having backed Skype, the most successful P2P startup to date. Edgios has additional offices in Portland, OR, and in Serbia.

About founder:

The company has very strong connections with Serbia, having been founded by Dr. Borislav Agapiev, who grew up in Belgrade before moving to the US in 1985. The technology that makes Edgios possible has been developed entirely in Serbia, by a team of extremely talented and bright young developers. The entire team is proud of demonstrating that world-class search technology can be developed in Serbia, relying on the deep talent pool of local developers.

Edgios is Dr. Agapiev’s second search startup. He was also the founder of Vast.com, a San Francisco-based search engine for online classifieds. Vast.com is a leader in the online classifieds market, reaching millions of customers in the US and worldwide, having as partners and customers several large US companies. From its start, Vast.com has also been relying on Serbian engineers for technology development and innovation.

About search mechanism:

Edgios does not use a centralized search index of the Web, located in a massive data center, fed by an algorithmic ‘crawler’. Instead, it has an index that’s built by users, for users, and it employs a fully distributed index residing in memory and on the disks of computers that are part of the search cloud. The power of a fully decentralized, distributed search system is dependent on the number of its users. We believe that with just a few hundred thousand users that the Edgios search cloud is capable of surpassing conventional search engines, in terms of freshness, depth, and quality of search results.

It will be interesting to watch progress of this story and to be part of story, why not?

Interesting list on Virtual Hosting Blog » The Privacy Toolbox: 100 Guides and Resources for Keeping Your Personal Information Safe, categorized into:

• Articles
• Blogs
• Resources
• Applications
• Organizations
• Tips
• Guides
• Books

This list might be of great help.

In recent post on this blog, I described some of StumbleUpon privacy risks. BBC Technology News now have article about privacy problem related to Facebook, another social networking tool. Under title Facebook faces privacy questions they talk that Facebook is to be quizzed about its data protection policies by the Information Commissioner’s Office. It says:

The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account.

Currently, personal information remains on Facebook’s servers even after a user deactivates an account.

Facebook has said it believes its policy is in “full compliance with UK data protection law”.

We will see how this will be solved. Anyway, social networking come to its dark side because of increasing number of security and privacy problems.

Hackers target browsers as possible nests for attack to user systems. Having in mind average Internet users and surfers and their (our) lack of caution while surfing and visiting various Web sites, there are very good chances and possibility for various exploits.

Interesting article about Adobe Reader which affects Windows XP SP2 with IE7 and Adobe Reader 8.1, 8.0 and 7 appeared at ZDNet blog. Petko D. Petkov wrote very interesting article browser rootkits at GNUCITIZEN. Joanna Rutkowska also wrote article about this problem on her blog. Joanna’s article has been inspired by Petkov’s.

I will quote here some of Petko D. Petkov’s ideas.

The rootkit author can take on many different strategies. The following listing shows some of the things that are possible:

• Obscure browser extensions – the most common place a rootkit may exploit. The extension will be visible to the system and the user but at the same time will remain hidden by tricking the user into believing that it is an important browser component.
• Hidden browser extensions – rootkits masters can hide the presence of malicious extensions from the user. This is the default behavior of Internet Explorer components. Firefox extensions can also be made hidden by suppling a special field with the value of true in the Install manifest file.
• Backdoored install base – the rootkit can simply infect common browser components that are already in place. Firefox, for example, is shipped with browser.jar located in the application folder. This JAR archive contains the default Firefox GUI interface and all basic components, all written in XUL and JavaScript. Rootkit masters can simply smuggle their own JavaScript into browser.xul part of browser.jar and as such root the default GUI.
• 3rd-party rootkits – browsers are complicated piece of software which interacts with many 3td-party components such as Adobe PDF and Flash. These technologies can be easily rooted as well. In terms of Adobe Reader and Acrobat, the rootkit master can simply copy a simple JavaScript file inside the PDF script auto run folder. Every time the victim opens a PDF, the rootkit will execute which, as a result, will grant control to the attacker. In terms of Adobe Flash, the rootkit master can weaken the Flash settings to allow certain external sites to perform restricted operations circumventing the plugin security policies. Let’s not forget that rootkit masters can simply register additional browser plugins which will hook on important browser hooks.
• Extension of an extension rootkits – these types of rootkits take a form of an extension for a browser extension (i.e. userscripts for Greasemonkey). They can be trivially installed and can hook on external XSS proxies from where they can be controlled. 

Joanna says:

Petko in his post gives several ideas of how browser-based malware could be created and I’m sure that we will see more and more such malware in the near future (I would actually be surprised if it didn’t exist already). His main argument for creating “Browser Rootkits” is that they would be “closer to the data”, which is, of course, undisputable.

The other argument is the complexity of a typical browser like e.g. Firefox or Internet Explorer. It seems like we have a very similar situation here to what we have with “classic” operating systems like e.g. Windows. Windows is so complex that nobody (including Microsoft) can really spot all the sensitive places in the kernel where a rootkit might “hook” – thus it’s not possible to effectively monitor all those places. We have a similar problem with Firefox and IE because of their extensible architecture (think about all those plugins, add-ons, etc) – although we could examine the whole memory of firefox.exe process, we still would not be able to decide whether something bad is there or not.

Nice reading for those interesting in Internet security and privacy. It is likely that much more is to come on this topic very soon.

Plain and simple video about Google search privacy at YouTube (here) and Google’s privacy policy.

The second and great article in Economist’s series looks at the new technologies for collecting personal information, and the dangers of abuse: Civil liberties: surveillance and privacy | Learning to live with Big Brother.

Conclusion starts with interesting subtitle and says:

Boiling the frog

If the erosion of individual privacy began long before 2001, it has accelerated enormously since. And by no means always to bad effect: suicide-bombers, by their very nature, may not be deterred by a CCTV camera (even a talking one), but security wonks say many terrorist plots have been foiled, and lives saved, through increased eavesdropping, computer profiling and “sneak and peek” searches. But at what cost to civil liberties?

Privacy is a modern “right”. It is not even mentioned in the 18th-century revolutionaries’ list of demands. Indeed, it was not explicitly enshrined in international human-rights laws and treaties until after the second world war. Few people outside the civil-liberties community seem to be really worried about its loss now.

That may be because electronic surveillance has not yet had a big impact on most people’s lives, other than (usually) making it easier to deal with officialdom. But with the collection and centralisation of such vast amounts of data, the potential for abuse is huge and the safeguards paltry.

Ross Anderson, a professor at Cambridge University in Britain, has compared the present situation to a “boiled frog”—which fails to jump out of the saucepan as the water gradually heats. If liberty is eroded slowly, people will get used to it. He added a caveat: it was possible the invasion of privacy would reach a critical mass and prompt a revolt.

Ordinary users of search engines, bank portals, e-commerce sites usually don’t care about all various data that these keep about Web site visitors in order to learn more about their behavior, habits and preferences.

In article Barclays Manipulates Online Sales there is one explanation how they collects and uses data about visitors. Also, they have couple of words about what Google do when you install Google toolbar.

It is also well known that other site owners are collecting information about site visitors. Sometimes it is told to users clearly, sometimes less clearly and sometimes not. Advice is: be careful.

This sounds unbelievable but document marked as strictly confidential, Ericsson Interception Management System Manual is available for free download from Internet. I don’t know is that obsolete document or valid, but anyway it is very surprising that you can obtain document from Internet. I learned about this through an article in IEEE Spectrum related to Greek telephone tapping scandal.

There is interesting article at SDL blog titled: SDL and the Unconcerned Pragmatic Fundamentalist.

Related to this is the research done by privacy expert Dr. Alan Westin. Westin divided the respondents of performed survey into the following categories:

The Privacy Fundamentalists: Fundamentalists are generally distrustful of organizations that ask for their personal information, worried about the accuracy of computerized information and additional uses made of it, and are in favor of new laws and regulatory actions to spell out privacy rights and provide enforceable remedies. They generally choose privacy controls over consumer-service benefits when these compete with each other. About 25% of the public are privacy Fundamentalists.

The Pragmatic: They weigh the benefits to them of various consumer opportunities and services, protections of public safety or enforcement of personal morality against the degree of intrusiveness of personal information sought and the increase in government power involved. They look to see what practical procedures for accuracy, challenge and correction of errors the business organization or government agency follows when consumer or citizen evaluations are involved. They believe that business organizations or government should “earn” the public’s trust rather than assume automatically that they have it. And, where consumer matters are involved, they want the opportunity to decide whether to opt out of even non-evaluative uses of their personal information as in compilations of mailing lists. About 57% of public fall into this category.

The Unconcerned: The Unconcerned are generally trustful of organizations collecting their personal information, comfortable with existing organizational procedures and uses are ready to forego privacy claims to secure consumer-service benefits or public-order values and not in favor of the enactment of new privacy laws or regulations. About 18% of public fall into this category.