Saturday, 26 June 2010

System Recovery with Comodo's Time Machine

Comodo's Time Machine is a software application that runs on your Windows machine and takes snapshots of your system, either on a schedule or when you trigger one manually. You are then able to roll back to any of these snapshots in the future. Indeed, you can jump backwards and forwards in the tree, and new branches appear as you make changes to the system.

The idea behind it is that if you suffer any problems with corrupted software, malware, etc., then you can roll back to a known good state and start again. You can lock snapshots so that they don't get deleted and then clear out the ones that you don't want to keep any more. This is quite important, especially if you take automatic snapshots. You have to remember that once a snapshot exists, every change made to the computer (i.e. every time you run it or change a file) is stored: if you change a file after a snapshot has been taken, you will have the new version on your system as well as the old one. Because of this, it requires a fair amount of disk space. However, the upsides are fairly obvious.

I have been using it quite a lot recently on test boxes while performing testing of security software against various malware and other attacks. It enabled me to perform a test, roll back to the pre-test state and perform it again or try another attack from a fresh system. It greatly reduced the testing time for certain attacks as I wasn't having to deal with an imaging server, etc. For the normal user, however, this does mean that if you get infected with malware or something else goes wrong with your system, you can very quickly and easily roll back to a previous state and carry on working.

There are a few issues to keep in mind though. Firstly, as I've already mentioned, the space required can be quite large if you keep taking snapshots and don't clear previous ones off the system. Secondly, if you roll back your system, you won't have access to any new files or software that you have put on the system - you will need to roll forward again to get at these. Finally, I did have one or two occasions where the restore failed. When I say the restore failed, I mean one snapshot failed so that I couldn't boot into it. At the boot stage I had to select another snapshot to boot from. I could always find a snapshot that did work, but it is slightly worrying that there were occasions when the one I wanted wouldn't boot. This could be due to the fact that I was installing various service packs, updates and malware onto the system and switching between them many times, but it is still worth noting that you will require a full system backup and you must back up all your data regularly.

Of course there are other products out there that do the same thing and some reviewers say that they are better (e.g. Acronis). However, I found Comodo's Time Machine very easy to use and it is free. I'm not necessarily endorsing Comodo's product; I'm saying that this type of software is worth a look for keeping your systems running.

Wednesday, 16 June 2010

Twitter Steganography

I have recently been thinking about Steganography again and various carriers as well as applications. For those of you that don't know what Steganography is, it simply means 'hidden writing', from the Greek. Some examples of steganography are: tattooing the scalps of messengers and then waiting for their hair to grow back; writing a message on the wood of a wax tablet before pouring the wax in; 'invisible inks'; pin pricks above characters in a cover letter; etc. Basically, we have a 'cover', which could be an image, passage of text, etc., that we are happy for anyone to see, and a message that we want to hide within it so that it is undetectable. It turns out that this last part is quite hard.

Anyway, I thought I'd look at techniques to embed data within Twitter as it is popular now and people are starting to monitor it. Hiding within a crowd, however, is a good technique as it takes quite a lot of resources to monitor all activity on a service like Twitter. The techniques described here would work equally well on other social networks, such as LinkedIn, Facebook, etc. How do we embed data within a medium that allows only 140 plaintext characters though? Well, there are several methods, a few of which I'll talk about here. I'm only going to discuss methods that would be quite simple to detect if you knew what you were looking at, but that will go undetected by the majority of people.

The first method is to use a special grammar within your Tweet. If the person you are communicating with knows the grammar then you can alter a message to pass data back and forth. A simple example of this technique would be to choose 2, 4 or 8 words that mean the same thing, where each one represents a value. For example, you could use fast, speedy, quick and rapid to represent 0, 1, 2 and 3 respectively, effectively giving you 2 bits of embedded data. If we had 8 words then we would have 3 bits, and so on. This can be extended to word order in the sentence and even the number of words per sentence. However, messages can be difficult to construct in such a way as to be readable, and this is not a high data rate. We could probably get only one or two bytes worth of data in an update message.
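Here is the synonym-grammar idea worked through as an added example (not code from the original post). Each slot in a template sentence has four interchangeable words, so the choice of word carries two bits; the first synonym set is the one from the post, while the other three sets and the template sentence are constructed for illustration:

```python
# Added example (not from the original post): a "synonym grammar" carrier.
# Each slot in a template sentence has four interchangeable words, so the
# word chosen for that slot carries two bits. The first synonym set is the
# one from the post; the other sets and the template are constructed here.

SLOTS = [
    ("fast", "speedy", "quick", "rapid"),          # from the post: 0, 1, 2, 3
    ("great", "nice", "lovely", "brilliant"),
    ("coffee", "tea", "latte", "espresso"),
    ("morning", "afternoon", "evening", "lunchtime"),
]
TEMPLATE = "Had a {} {} {} this {}."
BITS_PER_TWEET = 2 * len(SLOTS)            # 8 bits: one byte per tweet

# word -> index within its slot (all words across slots are distinct)
WORD_INDEX = {word: idx for syns in SLOTS for idx, word in enumerate(syns)}


def bytes_to_bits(data):
    """MSB-first bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def encode_grammar(data):
    """Return a list of tweets carrying `data`, one byte per tweet."""
    bits = bytes_to_bits(data)
    bits += [0] * ((-len(bits)) % BITS_PER_TWEET)   # pad the last tweet
    tweets = []
    for i in range(0, len(bits), BITS_PER_TWEET):
        chunk = bits[i:i + BITS_PER_TWEET]
        # two bits per slot select the synonym index 0..3
        words = [syns[chunk[2 * s] * 2 + chunk[2 * s + 1]]
                 for s, syns in enumerate(SLOTS)]
        tweets.append(TEMPLATE.format(*words))
    return tweets


def decode_grammar(tweets, length):
    """Recover `length` bytes by reading the slot words in order of appearance."""
    bits = []
    for tweet in tweets:
        for token in tweet.split():
            word = token.strip(".,!?").lower()
            if word in WORD_INDEX:
                idx = WORD_INDEX[word]
                bits += [idx >> 1, idx & 1]
    return bits_to_bytes(bits)[:length]


if __name__ == "__main__":
    secret = b"RLR UK"
    tweets = encode_grammar(secret)
    for t in tweets:
        print(t)                                   # six innocuous-looking tweets
    assert decode_grammar(tweets, len(secret)) == secret
```

With four slots that is exactly one byte per tweet, which is the data rate the post warns about; the decoder only needs the shared synonym tables, not the template, so the surrounding words can vary as long as the slot words appear in order.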

Another method is suggested by Adrian Crenshaw. He used Unicode characters, giving two visually similar versions of the character set: the lower range of characters represented 0s and the upper range represented 1s. This is a good scheme, as you then transfer as many bits as there are characters in your message, giving a maximum of 140 bits. The issue with his scheme is that on some devices and Twitter clients the two character sets look quite different, so it is definitely detectable. However, a good idea nonetheless.

Following on from this, we can encode bits within the message so that they aren't seen by the user, by appending whitespace to the end of the message. Whitespace characters are things like a space or a tab, i.e. a place where a letter isn't. A simple method to embed your data is to represent a 0 by a space and a 1 by a tab. The good thing is that web browsers will display multiple whitespace characters as only a single space, so this will be invisible within a browser. Other clients will print them out, but there's nothing to see. Now, Twitter, and most social media clients, will strip whitespace from the end of your message, as they assume that you added it by accident. This will destroy your data. However, if you add the &nbsp; HTML entity (a non-breaking space) to the end of your message then it will keep all the whitespace (indeed, you could put any character at the end, but you may then see multiple spaces in some clients). The advantage of using &nbsp; is that it is a whitespace character and won't be displayed in your message. You will need to write a short message and add the non-breaking space at the end, so you won't have that much room, but you should be able to get up to nearly 16 ASCII characters in this way, and certainly over 100 bits if you keep your message short.
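The two one-bit-per-character carriers above, Crenshaw's two-range Unicode scheme and the trailing-whitespace scheme, as an added example (not code from the original post or from Crenshaw). The post does not say which Unicode ranges Crenshaw used, so this uses the fullwidth forms U+FF01..U+FF5E (ASCII 0x21..0x7E shifted by 0xFEE0) as an assumed stand-in; the 140-character limit and the non-breaking-space terminator are the post's:

```python
# Added example (not from the original post): two one-bit-per-character
# carriers. (1) Homoglyphs: the post says Crenshaw used a lower and an upper
# Unicode range for 0 and 1; the ranges are not stated, so the fullwidth
# forms U+FF01..U+FF5E (ASCII 0x21..0x7E + 0xFEE0) are an assumed stand-in.
# (2) Trailing whitespace: space = 0, tab = 1, terminated by a non-breaking
# space so the service does not strip the run. 140 is the post's limit.

FULLWIDTH_OFFSET = 0xFEE0
NBSP = "\u00a0"
TWEET_LIMIT = 140


def bytes_to_bits(data):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def encode_homoglyph(cover, bits):
    """Swap printable ASCII in `cover` for its fullwidth twin wherever bit == 1."""
    out, i = [], 0
    for ch in cover:
        if i < len(bits) and 0x21 <= ord(ch) <= 0x7E:
            out.append(chr(ord(ch) + FULLWIDTH_OFFSET) if bits[i] else ch)
            i += 1
        else:
            out.append(ch)               # spaces and non-ASCII carry nothing
    if i < len(bits):
        raise ValueError("cover has only %d usable characters" % i)
    return "".join(out)


def decode_homoglyph(text):
    """One bit per usable character over the whole cover; trim to the known length."""
    bits = []
    for ch in text:
        o = ord(ch)
        if 0x21 <= o <= 0x7E:
            bits.append(0)
        elif 0xFF01 <= o <= 0xFF5E:
            bits.append(1)
    return bits


def encode_trailing_ws(message, data, limit=TWEET_LIMIT):
    """Append `data` as spaces/tabs after `message`, ending with an NBSP."""
    message = message.rstrip()           # the message itself must not end in whitespace
    tail = "".join("\t" if b else " " for b in bytes_to_bits(data)) + NBSP
    tweet = message + tail
    if len(tweet) > limit:
        raise ValueError("needs %d characters, limit is %d" % (len(tweet), limit))
    return tweet


def decode_trailing_ws(tweet):
    """Read the run of spaces/tabs that sits just before the terminating NBSP."""
    body = tweet.rstrip(NBSP)
    run = []
    for ch in reversed(body):
        if ch in " \t":
            run.append(ch)
        else:
            break
    run.reverse()
    return bits_to_bytes([1 if ch == "\t" else 0 for ch in run])


def trailing_ws_capacity(message, limit=TWEET_LIMIT):
    """Whole payload bytes that fit after `message`: one bit per char, one char for the NBSP."""
    return max(0, limit - len(message.rstrip()) - 1) // 8
```

Whether a given service or client actually preserves tabs and the non-breaking space is something to check before relying on it; the capacity function makes the post's trade-off explicit, since a two-character message leaves room for 17 bytes while a 140-character one leaves none.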

We can also be quite blatant with our data. We can rely on the fact that people won't know we're transferring data and won't look very hard. A simple URL shortening service can be exploited in two ways to embed data. The simplest method is to make up a URL. Twitter users rely on http://bit.ly and http://twitpic.com extensively. If we base-64 encode our text or data, then we can add 6 bytes (8 base-64 characters) to a URL. For example, I could tweet: "Just read this http://bit.ly/UkxSIFVL and saw the photo http://twitpic.com/IEx0ZC4=". Now, these URLs are fake and don't lead anywhere. However, the base-64 encoded text of the two URLs decodes to "RLR UK Ltd.", and how many people will follow your link anyway? Even if they do, the two sites here will just put up a helpful message that there was an error with the URL. You can then apologise and provide two real URLs. Meanwhile the message has got across. Obviously more URLs mean more data - up to 36 bytes if you just send 6 URLs.
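The fake-shortener trick worked through as an added example (not code from the original post). It uses the two hosts and the standard base-64 alphabet from the post, so it reproduces the post's own tweet; the filler text around the URLs and the 140-character limit check are assumptions:

```python
# Added example (not from the original post): data carried in made-up
# shortened URLs. Each URL gets a base-64 token of up to 6 bytes (8 characters
# with no padding), using the hosts and the standard base-64 alphabet the post
# uses. The filler text is constructed; 140 is the limit the post assumes.
import base64
import re

HOSTS = ("http://bit.ly/", "http://twitpic.com/")
TWEET_LIMIT = 140
# any shortener-looking path made of base-64 characters, with optional padding
URL_RE = re.compile(r"https?://(?:bit\.ly|twitpic\.com)/([A-Za-z0-9+/]+={0,2})")


def encode_urls(data, chunk=6):
    """Split `data` into 6-byte chunks and wrap each as a fake shortened URL."""
    urls = []
    for i in range(0, len(data), chunk):
        token = base64.b64encode(data[i:i + chunk]).decode("ascii")
        urls.append(HOSTS[len(urls) % len(HOSTS)] + token)   # alternate hosts
    return urls


def build_tweet(data, filler=("Just read this ", " and saw the photo ")):
    """Join the URLs with cover text and enforce the character limit."""
    urls = encode_urls(data)
    tweet = filler[0] + filler[1].join(urls)
    if len(tweet) > TWEET_LIMIT:
        raise ValueError("tweet is %d characters, limit is %d"
                         % (len(tweet), TWEET_LIMIT))
    return tweet


def decode_tweet(tweet):
    """Pull every shortener path out of the text and base-64 decode them in order."""
    return b"".join(base64.b64decode(tok) for tok in URL_RE.findall(tweet))


if __name__ == "__main__":
    t = build_tweet(b"RLR UK Ltd.")
    print(t)                     # the post's example tweet
    print(decode_tweet(t))       # b'RLR UK Ltd.'
```

One caveat a reader will hit in practice: the standard alphabet can emit "+" and "/" in a path, which look odd in a shortener link, and a trailing "=" (as in the post's second URL) is a giveaway to anyone who knows base-64. Switching to the URL-safe alphabet or a custom one removes the first problem but changes the tokens, so both sides must agree on it.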

The second method of using a URL shortening service is to write your own. Now you can provide real URLs but flag particular IP addresses or require the addition of an extra parameter to the URL to make it show a different page to the person you are trying to communicate with, e.g. a password. This isn't really Steganography as such, but could be used to transfer URLs that can be checked by someone else and don't reveal the true target.

The final method I'm going to discuss here is the use of a Stego Profile Image. All social media networks allow you to upload and display a small image on your page. Why not use traditional Steganographic techniques to embed data within this image? If you change your image regularly then it won't look suspicious when you change it to transfer data to someone. There are tools on the Internet to do this for you by replacing the Least Significant Bit (LSB) of every pixel with one bit of your data. This is a simple scheme and easy to detect. There are other, much better schemes that are not only harder to detect, but that will give you more 'space' within the image to store your data. To give you some idea, a 4-colour, 73x73 pixel GIF like Twitter's default images can store nearly 4KB of data with no visual impact. However, that's for another blog post...
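The plain LSB-replacement scheme mentioned above, as an added example (not code from the original post). It runs over a constructed raw RGB buffer with one byte per channel, which is an assumption: a real GIF is palette-indexed, so flipping the low bit of a pixel there changes its palette entry rather than its colour by one, and the post's own figures refer to a better scheme it has not described:

```python
# Added example (not from the original post): LSB replacement over a
# constructed raw RGB buffer (one byte per channel), not a real GIF, which is
# palette-indexed and a different case. Every byte donates its least
# significant bit, so capacity is width*height*3/8 bytes and no channel value
# moves by more than 1.
import random


def make_cover(width, height, seed=1):
    """Constructed pseudo-random RGB pixel buffer standing in for an image."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(width * height * 3))


def lsb_capacity(cover):
    """Whole payload bytes that fit at one bit per channel byte."""
    return len(cover) // 8


def lsb_embed(cover, payload):
    """Return a copy of `cover` with `payload` in the low bits, MSB first."""
    if len(payload) > lsb_capacity(cover):
        raise ValueError("payload of %d bytes exceeds capacity %d"
                         % (len(payload), lsb_capacity(cover)))
    stego = bytearray(cover)
    pos = 0
    for byte in payload:
        for k in range(7, -1, -1):
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> k) & 1)
            pos += 1
    return stego


def lsb_extract(stego, length):
    """Read `length` bytes back out of the low bits."""
    out = bytearray()
    for n in range(length):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[n * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def max_channel_change(cover, stego):
    """Largest per-byte difference between cover and stego; never more than 1 here."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(73, 73)                 # Twitter's 73x73 size from the post
    print("capacity:", lsb_capacity(cover), "bytes")
    stego = lsb_embed(cover, b"RLR UK")
    print(lsb_extract(stego, 6), "max change:", max_channel_change(cover, stego))
```

The "easy to detect" remark in the post follows from the same property that makes this simple: the low-bit plane of a natural image is not uniformly random, and replacing it with payload bits changes its statistics even though no colour value moves by more than one.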

Welcome to the RLR UK Blog

This blog is about network and information security issues primarily, but it does stray into other IT related fields, such as web development and anything else that we find interesting.
