How to Encrypt a File and apply Image Steganography
August 30, 2007
Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message. Generally, a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. A Steganographic message (plaintext) is often first encrypted by some traditional means, and then a covertext is modified in some way to contain the encrypted message (ciphertext) , resulting in stegotext.
In this article, we will teach you how to do this. First to encrypt a message and then apply image steganography techniques to hide this encrypted message in an image.
PHASE # 1: How to encrypt a text/message
When Concealing data within encrypted data, the data to be concealed is first encrypted before being used to overwrite part of a much larger block of encrypted data. This technique works most effectively when the decrypted version of data being overwritten has no special meaning or use. Some cryptosystems, especially those designed for filesystems, add random looking padding bytes at the end of a ciphertext so that its size can’t be used to know what was the plaintext size. We will be applying this encryption technique using TrueCrypt.
TrueCrypt is a free open source disk encryption software that works on both Windows and Linux platforms. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. TrueCrypt does this by creating a virtual hard drive that will read and write encrypted files on the fly. The advantage of using TrueCrypt is that you need not download it everywhere. All you need are the files truecrypt.exe, truecrypt.sys and the volume file you create which you can carry on your flash drive.
Step by Step Tutorial on how to encrypt your Hard disk or data or message using TrueCrypt
Step # 1: Download and install TrueCrypt
Step # 2: Once you Launch TrueCrypt, Click on “Create Volume” button. This launches the Volume Creation wizard that prepares the encryped drive location. Next, choose ” Create a Standard TrueCrypt Volume” and hit Next. Next, click on “Select File” button. Browse to a place where you want to store your encryped files. In this case, I am selecting askstudent.secret Note: This is not the file you want to encrypt. Think of this as a Folder Name which in turn would contain the files you want to encrypt later on. Hit Next
If you liked this article, click here to buy me a beer!Dear visitor, thanks for dropping by. If you enjoyed reading this post, you may want to subscribe to my RSS feed. It could could win you some great prizes this month. Thanks for visiting!
Remove url.cpvfeed.com spyware and core.sys rootkit
August 14, 2007
url.cpvfeed.com is a nasty browser hijacker that is doing the rounds in the Internet today. Luckily for us, our resident security expert Ajit has outlined a detailed and foolproof method on how to get rid of the url.cpvfeed.com browser hijacker from your computer and get rid of the popups that come with that piece of computer spyware.
How to remove url.cpvfeed.com
Is your Internet Explorer showing a “page cannot be displayed” but occasionally you are directed to an unknown site? Would your search term if you try to do a Google search … display a popup ad showing Ebay or some other site? You are infected by the core.sys Rootkit which also contains the url.cpvfeed.com browser hijacker popups
Click on the link to remove url.cpvfeed.com browser hijacker and also remove core.sys rootkit
If you liked this article, click here to buy me a beer!How to use the .htaccess file. Frequently Asked Questions
May 5, 2007
What is an htaccess file?
The htaccess file is a simple ASCII file which you can create using a regular text editor like NotePad. This file allows us to make configuration changes on a per directory basis. This file works on both Windows and Unix/Linux platforms with Apache Web Server.
Note: htaccess is not the name of a file. It is simple a file extension like .mp3. Only in this case, it is not something.htaccess or file.htaccess. It is simply named .htaccess. Also, if you are modifying an existing .htaccess file,make sure you make a backup of it somewhere before proceeding.
What can I use the htaccess file for?
There are several benefits of using the htaccess file for webmasters and developers. Most of them provide enhanced security to your site. You can prevent directory browsing, password protection for directories, change the default index page of a directory, redirect visitors for one page or directory to another and also prevent hot linking of images on your website.
How to create the htaccess file?
Open up a simple text editor, say Notepad and save it as .htaccess. While saving in say Notepad, remove under the save as option for .txt and save it under all files. Also remember to save under the ASCII mode and not Binary. Once uploaded to your server, make sure the permissions for your .htaccess file are 644 or (RW-R–R–). Having this makes the file writable by the server but not by others including visitors to your site.
Once created, where do I upload my .htaccess file?
Since the .htaccess allows us to drill down and implement changes on a per directory basis , there are multiple options for you to place this file. The only thing you need to remember is that a htaccess file in the root of your site affects your whole site whereas an htaccess file in your images folder is unique to that folder and its subdirectories if any.
/.htaccess(in the root of your site)
/content/.htaccess(in any content site, say membersonly/.htaccess)
/content/images/.htaccess(in an images folder)
If you liked this article, click here to buy me a beer!The best career paths for nerds and the colleges offering them
May 1, 2007
Online University Lowdown has an excellent article on the 25 best colleges for nerds and some of the cool courses being offered at these colleges.
From colleges with video game design majors to artificial intelligence, to majors in ‘ethical hacking’, colleges around the world are starting to appeal to the nerds in all of us. This list of 25 courses and programs offered at colleges around the world identifies some of the nerdiest coursework, starting with the most obvious, and winding up with the most obscure…
Note: Most of the courses listed below are full 4 year courses. Also, clicking on the links below will take you straight to the course listing whether at physical universities or online schools. A lowdown according to them …
# 1: Game Software Design and Production at DigiPen Insititute of Technology
# 2: Ethical Hacking at the University of Abertay in Dundee, Scotland and InfoSec Institute
# 3: Open Source Development at University of California Berkeley and online equivalent at University of Illinois
# 4: Cryptography at Stanford University, MIT and University of Washington
# 5: Network Security at the University of Tennessee Knoxville and an online equivalent at The American Intercontinental University
If you liked this article, click here to buy me a beer!Second Annual Collegiate Cyber Defense Competition
March 18, 2007
Informit.com is providing a good coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning.How many times have you heard a commercial telling you how much money an Information Technology professional can earn in a year? Well, trust me; the job is not as easy as it sounds. Just ask the eight teams that participated in the annual Collegiate Cyber Defense Competition (CCDC). During the event they are under immense pressure to a build web application, maintain a web server with an ecommerce system, manage an Exchange server, keep a DNS server up and running and more — all while protecting their network from four seriously determined hackers.
From the article: “When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours.”
The rules were fairly simple — at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.
Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests are sent to the CEO via email.
I’m all for this and from TFA, this sounds like a great thing (and lots of fun!). It seems that this includes even the social enginnering aspect. In other words, it’s a trivial matter to get into somebody’s system; it takes a whole another skill set to convince that person to hand you the keys to their data. That is to say, attempting to gain access to a computer system through it’s weakest link: THE USERS! It’s one thing to pit technical skill againt the threat of hacking, but it’s been done over and over, all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky - on their MONITOR! Users must be educated and kept up to task on things like this, and it’s my opinion that the IT/Security industry does not place enough emphasis in that area.
In this contest, Social engineering was allowed. It seems that a few members of the Hacker/Red team would often walk around the room and try and to watch what people were doing. A few times they even stopped and tried to get information out of the student/blue teams. However, they had to leave our team area when asked. It seems that one team actually left sheets with the wrong passwords on the tables in hopes that they(Red Team) would waste their time.
Even GoogleFight thinks that the Red Team actually whupped the Blue Team with the Red Team(Hackers) returning 267,000,000 results compared to the Blue Team(Students) which returned 146,000,000 results.
For those who read French here is a press release [web.crim.ca] about a team of Scheme hackers headed by Marc Feeley [umontreal.ca] participating in a Quebec security competition who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams’s servers.
According to a member of the student team
If you liked this article, click here to buy me a beer!Review of USB Flash Drives which can be used as Security Tokens
March 10, 2007
USB flash drive Logon programs review
In my searches I have found lots of people (like me) asking for programs/software that would turn a regular USB drive into a security token to replace a Windows password. There is not a whole lot of information or a review of similar programs (except in Chech here: http://www.zive.cz/h/Uzivatel/Ar.asp?ARI=126071&CHID=1&EXPS=&EXPA= or in German here: http://www.se-community.com/forum/viewtopic.php?t=23325&highlight=rohos ) .
So, I decided to spend some time trying and outlaying the features of four of the top most programs out there to make this USB drive into a security token — which you have to insert into a port on the portable laptop or a desktop to login.
This table was completed based my personal requirements to the features and most asked features by other people in the forums/blogs. See notes on a specific feature below.
| Features of the product: | Rohos Logon Key (the winner) www.rohos.com |
Dekart Logon www.dekart.com |
Proteg www.inflexpoint.com |
Natural Login www.palcott.com |
| Notes: | Available as an EXE, MSI, or a server version. |
Can be installed only using an Administrator account. Windows 2003 is not supported. |
||
| USB Key creation |
Quick and easy. |
Key Activation then adding user accounts to USB Key |
It does not replace your pass with a USB Key. But adds additional authentication level – by using USB flash drive. Password usage is required. |
Advanced. |
| USB Key removal options: |
Lock desktop, turnoff, shutdown, hibernate pc. Log Off user. Activate screen saver1 |
Lock/logoff/ turnoff/restart |
lock |
lock |
| Can completely disable password login |
+ |
+ |
- |
+ |
| USB Key security. (two-factor login) |
PIN. Keeps passwords on a USB drive in a secured manner. |
Keeps plain passwords. Optional PIN for encryption. |
Does not creates any file on USB drive. Always makes you to use a password along with a USB flash drive. |
Optional user defined questions or a graphical pattern you need to enter Creates encrypted file. |
| Multiple logins on a single USB Key |
+ |
+ |
- |
+ |
| Key duplicate security hole. |
- program bounds up to owner USB flash drive and does not accept other for login (unless owner has 2 keys) |
+ |
- Program bounds up to your USB flash drive. It does not creates any files on USB flash drive. |
+ |
| Has emergency login way in case you lost or USB Key |
+ based on a set of questions… |
- |
+ By answering to predefined set of questions. |
+ login with user-defined questions/answers. |
| Windows XP welcome screen support |
+ |
- |
- |
~ |
| Windows Vista support |
+ |
- |
- |
- |
| Easy of use for Key |
Higher. |
Standard |
Standard |
Higher |
| Additional Options |
login screen customizations, Enhanced system shutdown dialog. Password generator. Remote desktop login via USB key support. Access restriction for users based on time factor. Has a Server version for networks. |
Biometric logon + support of a dozen corporate security tokens. |
no |
no |
| New features development? Support? |
Has the best live product and support. Has a blog. Also available is a thorough Admin guide. |
No new features for a long time. Support personnel always saying ‘we will implement this in future…’ |
No replies to my messages. Last release date: 2005 year. |
They speak French basically … Last release date: 2005. |
| Price & Score (max of 10): Features /Support /Usage /Security |
25/35$ 9 10 10 10 |
~40$ 7 5 8 8 |
25$ 6 6 8 9 |
19/29$ 8 6 9 10 |
A Step by Step guide on Encrypting files using TrueCrypt
January 2, 2007
TrueCrypt is a free open source disk encryption software that works on both Windows and Linux platforms. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. TrueCrypt does this by creating a virtual hard drive that will read and write encrypted files on the fly. The advantage of using TrueCrypt is that you need not download it everywhere. All you need are the files truecrypt.exe, truecrypt.sys and the volume file you create which you can carry on your flash drive.
Step by Step Tutorial on how to encrypt your Hard disk or data or message using TrueCrypt
Step # 1: Download and install TrueCrypt
Step # 2: Once you Launch TrueCrypt, Click on “Create Volume” button. This launches the Volume Creation wizard that prepares the encryped drive location. Next, choose ” Create a Standard TrueCrypt Volume” and hit Next. Next, click on “Select File“ button. Browse to a place where you want to store your encryped files. In this case, I am selecting askstudent.ajit Note: This is not the file you want to encrypt. Think of this as a Folder Name which in turn would contain the files you want to encrypt later on. Hit Next
Recent Comments