Monday, July 28, 2008

That was my move--You stole my move!

Well, I thought I had a few tricks to myself, but I'm not the only one working on ways to keep youtube.com from compressing a sample so much as to destroy it (link). This is one of the problems I was having while working on my StegoFS/watermarking media project--how to make things survive conversion.

For example: here we have a video clip that was uploaded to and downloaded from youtube 4 times. Notice how the audio quality (distortion, with its own wave-like crescendo/decrescendo) goes from this to this. The FLV bounces around at 370KB depending on how many times you feed it back into youtube's interface.

So, with the audio, adding a sine wave tricks youtube into leaving the audio alone, but the sine wave is still removed from the final compressed upload. This is one way to be sure that any data encoded as audio gets through unmolested (from my point of view, my stego has better fu than it used to).

Now, what can we do with video . . . Still working on a few tricks there myself; hopefully I'll get the remaining, nagging, lurking, festering details rooted out this week so they'll be ready for my DefCon 16 presentation.

Tuesday, July 15, 2008

San Francisco officials locked out of computer network

So I was just telling the folks in last week's class about how I find myself more and more involved in investigating the IT crowd. Here is an example of somebody exceeding their authority, and now you have a network held hostage. Originally I thought the trend wasn't that big of a deal--I'm a third-party consultant; people call me when they don't (or won't) use their internal resources, so naturally I get called in on those types of situations more than the next guy.

Well, maybe this is truly a growing trend. This, and the rogue IT department issues, where Joe-I-use-myspace-so-I-can-fix-u-r-computer really messes up the infrastructure with his rogue access points and whatnot . . . .

I love being right

I just wrapped up Community SANS Costa Mesa on Saturday. One of the last things I told the class was "The next Big Thing to go Boom[TM]? DNS." With all the pre-Black Hat/DefCon speculation, the word is that Dan Kaminsky is going to blow the roof off of DNS again. The guy is definitely good, and I would not be surprised if DNS starts playing a larger role in exploits overall.

Think about it: why waste your own botnet resources when you can use somebody else's? DNS is a dangerously beautiful beast of a distributed database system. Top it off with the fact that we can use somebody else's servers for practically free. I think DNS is still overlooked too often. There have been statements made to the effect of: "Google, properly leveraged, is the greatest hacking tool." Google is very powerful--it helps you find things. This is what DNS does. DNS has one advantage over Google, and that is that the random hacker has more control over DNS.

So I think the staged dropping style used by malware will begin to be mirrored with distributed attacks, controlled via DNS. DNS can be signaling or storage, so I will expect to see everything but the payload commonly stashed in DNS somewhere . . .
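To make the "signaling or storage" idea concrete from the defender's side, here is an added example (not code from the original post) of what stashed data looks like in a resolver's query log and a first-pass detector for it. The log format, the domain names, the sample blob and every threshold are assumptions made here for illustration; the toy hex-in-labels encoding is one common storage pattern, not a claim about any particular malware.

```python
"""DNS as storage or signaling: what such queries look like in a resolver
log, and a first-pass detector for them.

Added example, not code from the original post. The log format, the sample
blob, the domain names and the thresholds are all assumptions.
"""
import binascii
import math
from collections import defaultdict

# Assumed log format: "<client> <qname> <qtype>", one query per line.
# Constructed baseline of ordinary lookups, including one legitimately long
# hostname (CDN-style hash) so the detector has to cope with it.
BASELINE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.com A
10.0.0.5 www.example.com A
10.0.0.5 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn-edge.example.org A
"""

# Constructed blob standing in for "everything but the payload" (a config,
# a target list, a key). Not real data.
STASHED_BLOB = bytes(range(64))


def encode_chunks(data, domain, chunk_len=16):
    """Toy storage pattern: hex-encode fixed-size slices of data into the
    leftmost label under domain, prefixed with a chunk index so a reader can
    reassemble them in order. One query per chunk."""
    n_chunks = (len(data) + chunk_len - 1) // chunk_len
    return ["%02d%s.%s" % (i, binascii.hexlify(
        data[i * chunk_len:(i + 1) * chunk_len]).decode(), domain)
        for i in range(n_chunks)]


# Baseline plus one client pulling the stashed blob back out via TXT lookups.
SAMPLE_LOG = BASELINE_LOG + "".join(
    "10.0.0.7 %s TXT\n" % q
    for q in encode_chunks(STASHED_BLOB, "c2.example.net"))


def shannon_entropy(s):
    """Bits per character of the symbol distribution of s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (client, qname, qtype) tuples; malformed lines are skipped
    rather than aborting the whole run."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        rows.append((client, qname.lower().rstrip("."), qtype.upper()))
    return rows


def split_qname(qname):
    """Assumption: the registered domain is the last two labels. Real code
    should consult the public suffix list (co.uk and friends)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(rows):
    """Per-domain features: query count, distinct subdomains, TXT count, and
    length/entropy of the leftmost label of each query."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "txt": 0, "lens": [], "ents": []})
    for _client, qname, qtype in rows:
        domain, sub = split_qname(qname)
        st = stats[domain]
        st["queries"] += 1
        st["subdomains"].add(sub)
        if qtype == "TXT":
            st["txt"] += 1
        if sub:
            first = sub.split(".")[0]
            st["lens"].append(len(first))
            st["ents"].append(shannon_entropy(first))
    return stats


def flagged_domains(text, min_unique=3, min_label_len=20,
                    min_entropy=3.5, min_txt_ratio=0.5):
    """Domains whose query pattern looks like storage or signaling. Thresholds
    are assumptions; tune them against your own baseline. The distinct-subdomain
    floor keeps a single long CDN hostname from tripping the length rule."""
    out = []
    for domain, st in profile(parse_log(text)).items():
        if len(st["subdomains"]) < min_unique:
            continue
        mean_len = sum(st["lens"]) / len(st["lens"]) if st["lens"] else 0.0
        mean_ent = sum(st["ents"]) / len(st["ents"]) if st["ents"] else 0.0
        txt_ratio = st["txt"] / st["queries"]
        if (mean_len >= min_label_len or mean_ent >= min_entropy
                or txt_ratio >= min_txt_ratio):
            out.append(domain)
    return sorted(out)
```

Running `flagged_domains(SAMPLE_LOG)` returns `["example.net"]`: the baseline domains survive because `example.com` has short, low-entropy labels and no TXT traffic, and `example.org` has only one distinct hostname even though it is long. Only the domain with many distinct, long, TXT-fetched labels is flagged, which is the shape a storage channel leaves behind whether the data is a dropper's config or the signaling for a distributed attack.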

In other news, not sure yet if I'll make it to SANSFIRE. Next on the agenda is to finish what I've been calling StegoFS for my DefCon Talk, then to Boulder, CO for SANS Network Pentesting and Ethical Hacking (Security 560). I'm really looking forward to it; hoping I can fly into Denver, have some serious Brazilian BBQ, then hack away the rest of the week.