Slashback: Streamend, Stego, Patches

The first Slashback of 2002 brings you updates on Ogg streaming (listen in while it lasts, and send feedback if you like it!), Qwest and your privacy, holes and patches for products from the MS-AOL-Time Warner Industrial Complex, and even more steganographic images failing to appear.

Getcher hot streams while they last ... jmoffitt writes: "In his post to the Vorbis list, Ciaran announced that the Ogg Vorbis BBC streams of Radio 1 and Radio 4 that we've enjoyed since early November would go offline as the test is ending. Everyone is encouraged to send their encouragement for these streams to continue to webweaver@bbc.co.uk. Also, as a special treat, the Radio 4 Ogg stream has been extended a week - just enough for all to catch the first episode of Lord of the Rings on Saturday at 1430 GMT."

Please mind the people interrupting your privacy. Matt Clauson writes: "A discussion list for the Qwest privacy issue and possible protest action has been set up -- send an email to qwest-action-subscribe@dotorg.org to subscribe to it."

Plug, plug, plug ... timekillerj writes "Well it looks like AOL jumped right in and fixed that pesky hole. We can all go back to speculating how insecure it is now. An article on Yahoo has more info, including a short debate on w00w00 disclosing before getting a response from AOL."

Backstepping by any other name ... dagoalieman writes "It appears the FBI has decided that MS's patch is sufficient. According to CNN, they announced this earlier today in a rather quiet fashion. While MS may see it as good news, I think the fact that the hole is coming back to public attention just blackens the eye a little more for them. It will be interesting to see future ramifications of the government getting involved in these issues, too..." It can't look good when your company's software is called into question by some of your largest customers.

Nope, still don't see any. Niels Provos writes: "I just updated http://www.citi.umich.edu/u/provos/stego/usenet.php to reflect the final results from our search of hidden messages in USENET images. We did not find a single hidden message.

I also released a new version of stegdetect.

The disconcert cluster that we used for the dictionary attack contained more than two-hundred workstations, mostly from CAEN (that is the computer aided engineering network at UMich). The peak performance is comparable to 72 1200 MHz Pentium III machines :-) ...

Below is my mail to the cryptography mailing list.

------- Forwarded Message
From: Niels Provos <provos@citi.umich.edu>
To: cryptography@wasabisystems.com
Subject: Stegdetect 0.4 released and results from USENET search available
Date: Fri, 21 Dec 2001 12:16:14 -0500
Sender: provos@citi.umich.edu

I just released Stegdetect 0.4. It contains the following changes:

- Improved detection accuracy for JSteg and JPhide.
- JPEG Header Analysis reduces false positives.
- JPEG Header Analysis provides rudimentary detection of F5.
- Stegbreak uses the file magic utility to improve the dictionary attack against OutGuess 0.13b.

You can download the UNIX source code or windows binary from

http://www.outguess.org/download.php

-----

The results from analyzing one million images from the Internet Archive's USENET archive are available at http://www.citi.umich.edu/u/provos/stego/usenet.php.

[...]

After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis.

This page provides details about the analysis of one million images from the Internet Archive's USENET archive.

Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS. However, we have not found a single hidden message. [...]

Comments and feedback are welcome. We have an FAQ at http://www.citi.umich.edu/u/provos/stego/faq.html"
Thanks for the update, Niels!


  1. Ogg streaming is a step in the right direction by chrysalis · · Score: 5, Insightful

    The streaming test made by the BBC is definitely a good thing. It brings credibility to open source projects. Ogg Vorbis is really an amazing format, but nobody uses it because of the lack of advertisement.
    Successful experiences like the BBC one can change this.

    1. Re:Ogg streaming is a step in the right direction by ergo98 · · Score: 2, Insightful

      Lack of advertising? No one uses it because MP3 is entrenched, so the network effect is in play: To dethrone it you have to have demonstrable advantages that motivate people to adopt it, and honestly as of yet I haven't seen those advantages. The WMA format has the exact same dilemma, but even with claims that it's 2x better at a given bitrate (I'm not claiming that: Just what I've heard), the entrenchment of MP3 still makes people go "Bah...not worth it".

    2. Re:Ogg streaming is a step in the right direction by ergo98 · · Score: 2, Insightful

      Ah very good point indeed. Indeed to be honest if there was a way to get credible sounding streams with 64Kbps, then I'd use that as I feel a little guilty listening to DNA Lounge at 128Kbps. There is definitely a need for high quality, low bitrate solutions.

  2. Am I reading this right by adamy · · Score: 4, Insightful

    OK, w00w00 sends an email to AOL, gets no response, and then publishes. To this, AOL said,

    "We'd encourage any software programmer that discovers a vulnerability to bring it to our attention prior to releasing it," Weinstein said.

    Sorry if your organization is too big to react that quickly...

    --
    Open Source Identity Management: FreeIPA.org
  3. Only in English by donhav · · Score: 3, Insightful

    What if the messages are not in English or, god forbid, use a non-Arabic script?

    1. Re:Only in English by Alien54 · · Score: 3, Insightful
      Even if it was in Unicode, you should be able to see a repeating pattern of something.

      personally, I think that the best gimmick would be to encode a small picture of a message into another larger picture. That would mess up the search for plain text ;-)

      --
      "It is a greater offense to steal men's labor, than their clothes"
    2. Re:Only in English by oomcow · · Score: 2, Insightful

      I don't understand how people expect to detect encrypted messages that are then steganographically hidden in images anyways.

      In theory, if you encrypt your message via any good standard method, it should result in something that even statistically looks like random garbage.

  4. Just because you can't see it... by tbo · · Score: 4, Insightful

    ...doesn't mean it's not there, does it? How confident are the makers of stegdetect that no steganographic images would slip past their program? Does their program simply work for all known steg. algorithms, or would it detect some or all kinds of new algorithms?

    Also, if I was going to try to send a message via steganography, I wouldn't be doing it with images on Usenet. I'd make some useless personal homepage (god knows there are enough of those already, and nobody visits them), and put my steg. image on there. Or, I would use a more primitive kind of steganography--code words embedded in seemingly innocent messages. There's a hell of a lot more spam on usenet than images, so it would be better concealed that way.

  5. AOL did NOT fix the hole by cr@ckwhore · · Score: 3, Insightful

    Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

    Big deal!!

    Their "fix" is roughly equivalent to using duct tape as a contraceptive. It's just not right.

    They haven't changed the fact that there is a buffer overflow in the IM client. This means that AIM users (using the official client) are still vulnerable. AOL has simply made it a bit more obscure, and we all know that security through obscurity is not secure at all.

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:AOL did NOT fix the hole by Zog · · Score: 3, Insightful

      They did fix it - in order to exploit it, you had to send a message through AOL's servers. Harmful messages are now blocked at AOL's servers, so the exploit is no longer effective.

      I think it's pretty much given that this is the most reasonable course of action - AOL is primarily for people who aren't that great with computers, and very well could have difficulties upgrading, if they decided to do so, so instead of forcing all of their millions of users to fix it themselves (that's basically what it would come across as to most users - they don't know what's really going on), so AOL can simply block it themselves and fix the client in the next round of upgrades. And that leaves out the cost of extra bandwidth, people rushing to upgrade before they get hit, etc.

      Obscurity would imply that they hid it; what they in fact did was block the exploit completely.

    2. Re:AOL did NOT fix the hole by seanadams.com · · Score: 3, Insightful

      Here's the deal with AOL... since everything runs through centralized servers, they've been able to apply filters to catch erroneous message packets.

      I think that only true of their ancient, private dialup network (which is still what most people use). However, a lot of AOL customers are now using their own cable/dsl ISP, so their AIM client would be running on a public, non-filtered IP.

      Their "fix" is roughly equivalent to using duct tape as a contraceptive. It's just not right.

      I dunno - that sounds pretty damn effective to me. Much stronger than latex, and it certainly won't slide off.

      They haven't changed the fact that there is a buffer overflow in the IM client.

      Obviously, you *can't* change the fact that a particular version has a bug, but you can release a new one. The problem is that it takes a long time to get everybody to update, so this is actually a pretty good fix, notwithstanding the issue of people using the software without the benefit of this filter.

    3. Re:AOL did NOT fix the hole by cr@ckwhore · · Score: 3, Insightful

      Familiar with the concept of packet insertion? Just for giggles, try a traceroute to your favorite AOL server and note the number of hops traversed. Any one of these can be used as a point of packet insertion.

      There are plenty of ways the problem can still be exploited. AOL has simply made it a bit more difficult, but not impossible.

      One of the biggest problems in the world of computer security is thinking that a problem isn't going to be exploited because of its difficulty or obscurity. This has been proven time and time again when the most obscure little security holes get exploited repeatedly.

      --
      Skiers and Riders -- http://www.snowjournal.com
    4. Re:AOL did NOT fix the hole by DrSkwid · · Score: 2, Insightful

      Lee, if you had the ability to run code on people's machines unnoticed, what would YOU run?

      format?, fdisk? delete all their files?

      No, that's what lame schoolkids do.

      Real black hats don't trash your system, they try and keep it alive so they can use it for nefarious activities.

      I don't know much about the AIM one, but with Sub7, which was an ICQ-based virus, the victim would maybe just have strange things happen occasionally (screen upside down, follow the white rabbit stuff etc.). Or the attacker would just take webcam pictures and download them without the victim's knowledge or consent. Read their email, read their ICQ log, look at their bookmarks, poke around for text files containing passwords, edit /windows/hosts and try a CC / password scam. And this was wide scale (and probably still is) because Sub7-infected hosts advertise themselves on IRC as infected!

      Just because your PC isn't "broken" doesn't mean you're not infected. Only the lamest viruses are destructive for without hosts there is no life.

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  6. Strong passwords? by Suicyco · · Score: 3, Insightful

    Well, perhaps some people use stego and might actually have used strong passwords that could not be guessed by a dictionary attack. If I were communicating secretly using the internet, I would first encrypt the message with PGP, then place the encrypted text into a large JPEG WITH a strong password, and post to a half dozen groups. How would any kind of attack (well, any reasonable attack) be able to detect my message? Even if the dictionary attack worked, how would you know the result was the real message, since it would appear to be random garbage, just like all the incorrectly passworded dumps? Just doesn't seem like this is something you can do; it's taking distributed.net several years to crack ONE message. How would you go about finding a needle in a haystack, and THEN decoding it? We are talking tens of millions of images. What is the point of this? I'm sure people use stego, for whatever reason, why wouldn't they? Some hacker group, or warez group, or terrorists or whatever, somewhere, at some time, posted stego'd images to usenet.

  7. How to do good steganography by DickBreath · · Score: 3, Insightful

    If the purpose of steganography is to conceal the very existence of a message; and a tool (stegdetect) exists which attempts to spot concealed messages; then it seems to me that if you are trying to conceal a message in a picture on usenet and on the web, you would at least run all your images through stegdetect to be sure that it cannot detect the concealed message.

    Could this be why no stego messages are being detected?

    --

    I'll see your senator, and I'll raise you two judges.
  8. Re:Cable, DSL, and Privacy by SuperDuG · · Score: 3, Insightful
    Actually I work for a helpdesk that uses VNC on a regular basis. However we have it on a network drive and it is run by the user with their knowledge ... we don't just install it on their machines ... in fact it's run off the network ... not even local. We're in-house helpdesk ... and we take calls from Solaris, BSD, Linux, Windows, MacOS ... and all kinds of other questions ...

    I'm just pissed they first deny the software is there and then don't tell you it's installed ... and always leave it on ... looks like an exploit just waiting to happen ... and looks like a real shady thing to do.

    --
    Ignore the "p2p is theft" trolls, they're just uninformed