Facebook Sued Over Privacy ‘Improvements’

In late November/early December of 2009, Facebook — the popular social networking site — rolled out a set of privacy changes billed as improvements. Being a regular Facebook user, my initial reaction to the announcement itself was positive. Facebook touted several new features, such as per-post privacy controls and a simplified interface to control privacy settings.

However, as we all began to explore and see the changes, we learned there was a big catch. Along with strengthening some privacy features, Facebook actually relaxed or completely removed others. The Electronic Frontier Foundation (EFF) was quick to criticize the changes as having an overall negative effect on privacy. Another privacy group, the Electronic Privacy Information Center (EPIC), filed a complaint with the Federal Trade Commission (FTC) in December.

Now, five Facebook users have filed a class-action lawsuit on behalf of all users. The lawsuit alleges that Facebook was deceptive in its portrayal of the changes as being positive for privacy. Among other things, the following claims are made:

  • At one time Facebook users had “exclusive” control of privacy.
  • Facebook now characterizes the following user information as “publicly available information”: name, profile, friends list, pages the user is a fan of, gender, geographic region, and networks the user belongs to.
  • In addition, the lawsuit notes that Facebook by default sets the privacy setting of certain information to “everyone.”
  • Tools and information provided by Facebook are misleading and do not help users interested in privacy.
  • Facebook permits third-party application developers to access more information than they were previously allowed. In fact, all applications will now have access to “publicly available” information such as Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages.

In addition to damages and restitution, the lawsuit is seeking an injunction with the following remedies:

  • That Facebook notify its users that it set the privacy settings to an “unreasonably low level”
  • Change default privacy settings
  • Improved privacy help including: an 800-number hotline for privacy, a simple PowerPoint presentation in plain English and Spanish explaining the settings, and a complete redraft of the privacy policy.
  • Require third-party developers to display a privacy settings page for every application when the user signs in to the application for the first time.

Here is the full filing as hosted by Courthouse News Service.  (PDF reader required)


Smart Grids and Privacy Concerns

The smart grid has received significant attention from policy makers as a way to address global warming, use energy more efficiently, and kickstart the economy. Yet there are numerous information security challenges that remain to be addressed. One significant challenge is privacy.

The “smart meters” that are deemed an inherent part of the new power grid will be able to collect and relay very detailed information about our electricity consumption. This information may then be shared, stored, and retained not only by your power utility but also by other third parties. Google and Microsoft already have products targeting this market.

A lot of information about our private lives can be derived from this usage data. For illustration purposes, consider the diagram below.

Smart Grid Privacy*

We’ll have more to post on this topic later.

For more information, please visit:

* Source for image: Elias Leake Quinn, Smart Metering & Privacy: Existing Law and Competing Policies, A Report for the Colorado Public Utilities Commission, Spring 2009.


Introduction to Steganography and Steganalysis

Hyangwonjeong pavilion inside Gyeongbokgung Palace in Seoul, Korea. (Original, see below for steg image.)

While visiting the American University of Armenia today, I stumbled upon a talk by Dr. Sos Agaian on digital signal processing and steganalysis. I have been interested in this area for years and Dr. Agaian’s talk gave me insight on some new and interesting research into this area while providing me with motivation to share my thoughts here. I hope to cover specifics about Dr. Agaian’s research results in a future posting. With this post, I would like to give an introduction to steganography and steganalysis for those who are new to this topic.

Susa (or modern day Shush, Iran) is one of the most ancient settlements known to man and one of the capitals of the Persian Empire. Much older than Rome, this city has played an important role in world history. It is also where steganography is believed to have first been used.

It was there that in the 5th century B.C. – according to Herodotus – a deposed king of Sparta by the name of Demaratus witnessed the plans by Persia to attack the Greeks. The Persian emperor Xerxes I had allegedly amassed one of the largest fighting forces in history and was intent on conquering all Greek city-states. Demaratus, still loyal to his people, decided to warn his compatriots of the impending attack. In order to avoid detection, Demaratus used a pair of wooden folding tablets. Scraping off the original wax, he inscribed news of the impending attack and covered the tablets with fresh wax. His secret message to the Spartans reached its destination disguised as blank tablets. Thanks to Demaratus, the Greeks were able to prepare and fend off the Persian attack.

Armenian poet Yeghishe Charents, during the height of Soviet repression and censorship in the 1930s, penned a poem titled “The Message,” seemingly paying tribute to the Soviets. The poem includes these lines:

A new light shone on the world.
Who brought this sun?
… It is only this sunlight
Which for centuries will stay alive.

The poem bypassed the censors and was happily published as propaganda until they figured out that the first letter of every line spelled an entirely different and more nationalistic message: “O Armenian people, your only salvation is in the power of your unity.” Charents was not allowed to publish thereafter and in a year or so disappeared under mysterious circumstances that are not so mysterious to those familiar with the history of Stalin’s purges. Charents may have been eliminated but due to his successful use of steganography his message is alive today and for generations to come.

The art and science of hiding information with a secret meaning inside other seemingly innocuous media is known as steganography. Attempting to detect and decipher these messages is called steganalysis. Steganography also can be characterized as a specific form of covert channel.

These are popular areas of study in security today due to the apparent ability to effortlessly communicate in a secret and secure manner in adversarial conditions. In particular, governments are concerned with terrorists being able to use this technology to communicate with each other bypassing detection.

Many different media can be used for the purpose of steganography, including:

Image above with hidden text.

  • Images: Images can be used for steganography. There are various methods that can be used. One of the methods is called Least Significant Bit (LSB), where data is hidden in the least significant bits of pixels in an image, reducing the quality of the image by a very small and possibly visually undetectable amount. Consider the photo at the top of this post. For illustration purposes, I have embedded the contents of a small text file inside the beautiful image (right).
  • Audio: Steganography using audio is a bit more complex than images but still possible. In order to hide data in audio, you must have a good algorithm for detecting peaks in an audio waveform and hide the data within the peaks. Secret data can be embedded in one of the thousands of MPG files on a computer for instance.
  • Video: A video simply consists of many frames of images. Messages can be hidden in just one or some of the frames.
  • Text: Consider white space in a full-justified text document. The combination of spaces (some double spaces and single spaces) can convey special meaning and thus act as a covert channel. Besides white spaces, the following can also be used to convey special meaning: letter frequency, word frequency, grammar style, and so forth.

Steganalysis involves detecting whether steganography is used and being able to extract the hidden message. A variety of steganalysis methods exist, depending on the type of medium involved.

One way to visually see the difference between the original and steganographic image is to obtain a color histogram of both images. You can see that the histogram on the right is slightly different than the one on the left. In simple terms, steganalysis usually involves figuring out a mathematical model that would help us determine if an image is abnormal in the sense that it contains hidden information, without the benefit of having the original image.

Comparison of histograms.

For this particular case the relatively small amount of hidden data we injected (only 1K for an 813K file) makes steganalysis much more difficult. I will cover more steganalysis techniques in future postings on this blog.
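The effect described above, as an added example (not from the original post, and not OutGuess's algorithm): plain LSB replacement on a constructed list of 8-bit samples, with a pairs-of-values chi-square statistic that needs no original image. The carrier, the payload sizes and the function names are assumptions made for the illustration.

```python
import random

def embed_lsb(pixels, payload):
    """Return a copy of pixels with payload bits written into successive LSBs."""
    bits = [(byte >> s) & 1 for byte in payload for s in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds carrier capacity (1 bit per sample)")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # each sample changes by at most 1
    return stego

def extract_lsb(pixels, nbytes):
    """Read nbytes back out of the LSBs, most significant bit first."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for p in pixels[8 * i:8 * i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def pair_chi_square(pixels):
    """Chi-square distance between the histogram and its pair-averaged form.

    LSB replacement only moves samples between the values 2k and 2k+1, so
    it pulls the two counts of each pair together. A statistic near zero
    on a carrier whose histogram should be uneven points to embedding.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat

def demo(seed=1):
    """Return the statistic for the cover, a 2.5% payload and a full payload."""
    rng = random.Random(seed)
    # Constructed carrier: 40,000 8-bit samples with a sloped histogram.
    cover = [min(255, int(rng.expovariate(0.3))) for _ in range(40000)]
    # Payloads are random bytes, as compressed or encrypted data would be.
    small = bytes(rng.getrandbits(8) for _ in range(125))   # 1,000 bits
    full = bytes(rng.getrandbits(8) for _ in range(5000))   # 40,000 bits
    stego_small = embed_lsb(cover, small)
    stego_full = embed_lsb(cover, full)
    return tuple(pair_chi_square(x) for x in (cover, stego_small, stego_full))

if __name__ == "__main__":
    print("cover %.1f  small %.1f  full %.1f" % demo())
```

On this carrier the full payload collapses the statistic to a small fraction of the cover's value, while the 2.5% payload barely moves it, which is the difficulty noted above for a small message in a large file.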

Smart users of steganography will also rely on tactically choosing the carrier image. For instance, binary images (those composed of only 2 colors) do not lend themselves well to steganography. Thus, someone wishing to conceal his/her traces would pick images that have features that would make it easy to hide bits of information.

Generating Stego Image

Here is how I generated the steganographic image above:

$ outguess -k "linkgard" -d ~/mess.txt ~/ORIG.jpg ~/STEG.jpg
Reading /home/user/ORIG.jpg....
JPEG compression quality set to 75
Extracting usable bits:   441867 bits
Correctable message size: 8102 bits, 1.83%
Encoded '/home/user/mess.txt': 4992 bits, 624 bytes
Finding best embedding...
    0:  2512(50.0%)[50.3%], bias  2505(1.00), saved:    -2, total:  0.57%
    1:  2443(48.6%)[48.9%], bias  2428(0.99), saved:     6, total:  0.55%
   12:  2447(48.7%)[49.0%], bias  2374(0.97), saved:     6, total:  0.55%
   28:  2432(48.4%)[48.7%], bias  2320(0.95), saved:     8, total:  0.55%
28, 4752: Embedding data: 4992 in 441867
Bits embedded: 5024, changed: 2432(48.4%)[48.7%], bias: 2320, tot: 441028, skip: 436004
Foiling statistics: corrections: 844, failed: 0, offset: 83.645251 +- 220.522425
Total bits changed: 4752 (change 2432 + bias 2320)
Storing bitmap into data...
Writing /home/user/STEG.jpg....

Note: Original image is 813Kb. Maximum usable/recommended steg bandwidth is reported as ~ 1K.

Further reading

Tools

The aged but tried-and-true tools I used to produce the images and analysis are listed below:

  • Stegdetect is a Linux-based application that will allow you to insert hidden data in JPG files and detect if steganography exists in an image. A variety of statistical methods are used for detection.
  • OutGuess is another tool by the same author (Niels Provos) that uses a different method of hiding the data.
  • The GIMP! For the histograms.

Updates:

  • 5/23/2009 – Minor edits and updated sections.

Open a PDF file and get owned?

A recent set of critical flaws in Adobe Acrobat and Adobe Reader products leaves users vulnerable to remote exploitation. With this news we are presented with yet another lesson in software security that we in the industry refuse to learn. At some point in the life of a code base we reach diminishing returns: the code becomes so large that testing it is more expensive and difficult. Naturally companies want to make a profit and thus “risk manage” their way out of fully testing the product.

First Things First

First let’s learn more about this vulnerability.

References:

This vulnerability is especially nasty due to the following:

  • Adobe Acrobat and Adobe Reader can be found installed on almost any computer. It is difficult to conceive of any Internet user who hasn’t had the need to read PDF files. This makes the software a very attractive attack vector.
  • Apparently, there is very little that one needs to do in order to be attacked. While I’m not sure whether this vulnerability can be exploited by opening a PDF, I was able to test the JavaScript proof-of-concept by printing, saving, and closing PDF files.
  • Search engines widely report results that link to PDF files. The attacker can literally be just a click away.
  • The proof-of-concept code has already been posted online. It is now much easier for criminal hackers to come up with exploits that can result in access to your system.
  • This vulnerability goes back many versions of the product. While it has recently been discovered and published by some, can we guarantee that this problem hasn’t been successfully exploited for years by others?

Disable JavaScript

To protect yourself you need to disable JavaScript. Here are the instructions from Adobe:

1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Screenshot: How To Disable Javascript in Adobe Reader
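
A complementary check for PDF files you receive, as an added example (not Adobe's code and not part of the original post): count the PDF name tokens that mark embedded JavaScript or automatic actions, decoding #xx name escapes first. The two sample documents are constructed, and the function names are hypothetical.

```python
import re

# PDF names that mark script or actions that run without a click on a link.
SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA")

def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_script_markers(data: bytes) -> dict:
    """Count each suspicious name in the uncompressed part of a PDF.

    Names inside compressed object streams are not visible here, so
    /ObjStm is counted as well to show when the result is incomplete.
    """
    text = normalise_names(data)
    counts = {}
    for name in SUSPICIOUS + ("/ObjStm",):
        # A name ends at whitespace or a delimiter: /JS must not match /JSFoo.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_.\-])"
        counts[name] = len(re.findall(pattern, text))
    return counts

def verdict(data: bytes) -> str:
    """Return 'script', 'unknown' (compressed objects present) or 'clean'."""
    c = count_script_markers(data)
    if c["/JS"] or c["/JavaScript"]:
        return "script"
    if c["/ObjStm"]:
        return "unknown"
    return "clean"

# Constructed samples: a bare catalog, and one with an obfuscated script action.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SAMPLE_SCRIPT = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\n"
                 b"endobj\n3 0 obj\n<< /S /J#61vaScript /JS (void 0;) >>\nendobj\n")

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("script", SAMPLE_SCRIPT)):
        print(label, verdict(doc), count_script_markers(doc))
```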

Try It Out Yourself

Those with modest technical skills and access to a Linux system will be able to reproduce this problem. The proof-of-concept code can be found on securityfocus.com. You will also need knowledge of how to attach JavaScript to a PDF and we can thank Adobe for this wonderful tutorial: Perk up PDF documents with JavaScript. The proof-of-concept code will not work on Windows without modification.

Why does one need JavaScript inside PDF anyway? Or why is it enabled by default?

Getting infected by a virus or being exploited by crackers may now be as simple as interacting with a specially-crafted PDF file. Yet again we are reminded that extra software features come at the expense of security. In software development, the greater the complexity the higher the likelihood of flaws. There are many techniques to improve software quality. While good software design and testing is essential in order to mitigate the problem, we are constantly faced with example after example that even the best software companies are not able to cope with this problem.

Exchanging image, PDF, and word-processor documents is one of the most common tasks for a computer user. We should not expect basic functionality like this to have as many serious problems as we have seen. For the month of April 2009 alone I was able to find at least 10 Adobe Reader “remote” vulnerabilities on SecurityFocus (29420, 30035, 32100, 32105, 33751, 34229, 34169, 34736, 34740, and 34768).

While I think Adobe deserves its due criticism, they are not alone. We can all recall similar issues with other software vendors. One of my least favorite ways to get hacked would be by opening JPG files.

As a custom software development consultancy, we always inform our clients that extra features and extra code come at an extra cost that will grow non-linearly compared with functionality.

So what is a good balance between useful and robust features vs. stability and security in this case? I don’t know, but I am now seeking out alternatives for Adobe PDF. I know others are too.


New attack against SHA-1

According to researchers, the complexity of the SHA-1 one-way hash function has been significantly reduced. Exploiting this weakness for practical purposes is now possible for a “well-funded organization.” While the research remains unpublished, this revelation underscores the need for us to move away from SHA-1 and related algorithms.

One-way cryptographic hash functions have many uses in modern computing. For instance, they are used in authentication, encryption, digital signatures, and integrity checking. MD5 and SHA-1 are two popular hash functions still in use today. For years, the public at large has been aware that there were security problems with these particular algorithms, but until recently these problems had been classified as theoretical and not practical. MD5 was the first to be targeted and SHA-1 was considered a more secure alternative.

Until yesterday, the best-known attack on SHA-1 was considered to have a complexity of 2^63, which is still considered secure for most uses. However, if the claims prove valid, the complexity of attacking SHA-1 drops to 2^52, making it 2048 times less secure.

Unfortunately, SHA-1 is very popular and the move away may not be as quick. For instance, SHA-1 is used in the following:

  • TLS and SSL powering your HTTPS connection
  • Pretty Good Privacy (PGP) used to encrypt emails and data
  • S/MIME, another email encryption protocol
  • IPsec, a popular VPN protocol
  • And of course, my most favorite of all, the Secure Shell (SSH v2) protocol

If this is the first time you’re hearing about hash functions, you can use this site to enter text and receive MD5 output.

For those of you interested in more technical details, I would suggest reading Bruce Schneier’s “Applied Cryptography” as well as his blog entry on this topic.


Welcome

Hello and welcome to the new LinkGard Security Blog.

More than a decade ago, when I was studying in college, security seemed like something only a hobbyist “hacker” would practice for the purpose of self-indulgence. On the other end of the spectrum you’d have to be employed in some well-funded organization with a 3-letter acronym and we wouldn’t know about you. Today, this has all changed.

Everybody needs security awareness! Whether it is for the sake of online privacy for you and your family or whether you’d like to protect your finances from cyber-gangsters, being aware of security issues is instrumental. For the security professional it is not smooth sailing from here. Not only does the security professional need to know about today’s problems, he/she also needs to constantly improve skills in order to tackle tomorrow’s.

My colleagues and I would like to use this space to communicate with fellow software and security professionals as well as contribute our insight and experience to the general audience in order to help deal with a problem that will be with us for many years to come.

Thanks for visiting.
