Security B-Sides Vegas 2011 Review: How to Hide Your Pr0n

Conference: B-Sides
Title: How to Hide Your Pr0n
Speakers: Orlando Barrera II and Josh Sokol

“Pr0n” is a fanciful distortion of “porn”… itself a fanciful name for any data you value and might want to hide. The speakers started by noting several stupid ways to hide data (hidden files, deep directories, etc.), then got down to the good ways… encryption being step one. In the current political climate (terrorism etc.), there is a law which states that the mere presence of encryption is itself suspicion, i.e. that one can be prosecuted for refusing to supply credentials to an investigator under certain circumstances. So in addition to encryption, one must establish “plausible deniability.” That is, hide the data and leave no traces that suggest its presence anywhere on any computer you are afraid might be searched.

Steganography is the proffered solution to this. Steganography is concealing data in some differently-purposed file. For example, take a losslessly encoded image format like PNG and use the least significant bit of each pre-encode pixel value to hold the data. Since in any photographic data those bits are quite plausibly noise, they can be used to store data. At a previous Defcon, someone spoke of using whitespace in HTML source to store attack data. That speaker did not call it steganography, and the purpose was attack, not solely concealment, but conceptually it is basically the same thing.

So: encrypt the files, stego them into image files or whatever, then store the stegoed files in the cloud. Obviously, this is the ultra-paranoid extreme, but of course that’s what security is about. The speakers mentioned that Al Qaeda were communicating data to their operatives by stegoing it into pornography images posted on Usenet.

My reactions: this talk inflamed my anti-establishment and paranoid sentiments. Specifically, I wonder what happens when something like encrypted bank info, encrypted personal info, or any info that a private citizen might want to encrypt for quite valid reasons (identity theft etc.) can be acquired by legal machinations claiming to be concerned about terrorism, child porn, etc. Terrorism and child porn are such high fear provokers that any hint of either is so provocative that they can and have had their definitions stretched to rather dubious extremes. So I’m not rushing to stego all my data, but I am concerned that authorities are being granted purview over information beyond their ability to wield such power responsibly. But that Al Qaeda stuff is rather unsettling as well. So I fear both the terrorists who are called terrorists and the terrorists that work for the government. I also think this talk may prove to have some direct relevance to our product. We might want to write a stego detector module… more for the concealing-attacks-in-webpages variety than the stashing-data-in-images variety, although the latter could have assessment relevance as well.
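The LSB scheme summarized above, paired with the kind of statistical check an image stego detector can start from, as an added Python example (not code from the talk or from any product): it writes random bytes standing in for ciphertext into the low bits of a constructed sample buffer, then runs a chi-square test over histogram value pairs. The function names, the constructed cover data and the sparse-pair threshold are assumptions made for illustration.

```python
import random

def embed_lsb(samples, payload):
    """Replace the LSB of successive 8-bit samples with payload bits (MSB first)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload exceeds cover capacity")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def extract_lsb(samples, nbytes):
    """Read nbytes back out of the LSBs."""
    bits = [s & 1 for s in samples[:nbytes * 8]]
    return bytes(sum(b << (7 - j) for j, b in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits), 8))

def pov_chi_square(samples):
    """Chi-square statistic over histogram pairs (2k, 2k+1), plus pairs counted.

    LSB replacement with random-looking bits pushes each pair toward equal
    counts, so the statistic falls to roughly the number of pairs.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat, pairs = 0.0, 0
    for k in range(0, 256, 2):
        total = hist[k] + hist[k + 1]
        if total >= 10:  # assumed threshold: skip pairs too sparse to judge
            stat += (hist[k] - hist[k + 1]) ** 2 / total
            pairs += 1
    return stat, pairs

def demo(seed=2011):
    rng = random.Random(seed)
    # Constructed cover: 40,000 samples with an uneven value histogram.
    weights = [rng.random() for _ in range(256)]
    cover = rng.choices(range(256), weights=weights, k=40000)
    # Constructed payload: random bytes standing in for ciphertext.
    payload = bytes(rng.randrange(256) for _ in range(5000))
    stego = embed_lsb(cover, payload)
    return cover, stego, payload

if __name__ == "__main__":
    cover, stego, payload = demo()
    print("cover:", pov_chi_square(cover), "stego:", pov_chi_square(stego))
```

No sample moves by more than one level, yet the pair statistic collapses once the low bits are overwritten. The check depends on the cover's value pairs being unequal to begin with and on the payload filling most of the buffer.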

About M. J. Power 22 Articles

1 Comment

  1. Thanks for the write-up on our talk at BSidesLV. I have very similar issues with the government’s abuse of power, and that was one of the reasons why we wrote Stegg0 to begin with. At the end of your post you mentioned the possibility of writing a steggo detector module for the NTO product. I’m wondering if you ever got around to doing that? If not, you might want to look at RS Steganalysis to assist in that effort.
