Software that hides sensitive data on hard drives without using encryption
April 26, 2011
Computer scientists say they have developed specialized software that hides sensitive data on a hard drive without using encryption, by controlling the precise disk locations of the file's data fragments.
The software, which the academic researchers said they would release as open source, makes use of steganography, the ancient art of hiding secret information in plain sight.
The technique has long been employed to keep sensitive data out of the hands of adversaries. The use of encryption, by contrast, is easy to detect, tipping off adversaries that a hard drive or other piece of media contains information considered sensitive and valuable.
The security software ensures that individual disk clusters that store the critical data fragments are positioned in a way predetermined by their own code. A person who later wants to read the sensitive data uses the same application to reassemble the file.
The scientists say their software makes it possible to store a 20-megabyte message on a 160-gigabyte portable hard drive.
“We have presented a unique data security mechanism, a file system-based covert channel which allows a computer user to evade disk forensics by securely hiding data in a removable or permanent mass storage device,” the researchers wrote in their brief, titled "Designing a cluster-based covert channel to evade disk investigation and forensics".
“Data is completely hidden in a manner that an investigator is unable to positively prove the existence of hidden sensitive information.”
The researchers, from the University of Southern California in Los Angeles and the National University of Science and Technology in Islamabad, Pakistan, said that the technique may cause only small performance degradations.
In certain cases, the approach requires the data to be hidden through the use of a secret password shared between the sender and recipient of the data.
In other Internet security news
San Francisco authorities appear to be having embarrassing network issues once again, after the city's Fire Department lost the critical computer password for its backup network.
The news came out at an inquest into a major fire in the North Beach area of the city on Dec. 31, 2010, which left forty-eight people homeless.
Mayor Ed Lee and other officials "listened with growing disbelief as an emergency services representative casually mentioned that the computer network had crashed as the fire was raging out of control."
When city officials asked whether the firefighters had switched to a backup system, the answer came in the negative. "We couldn't find the computer password, and the only person who knew it wasn't there," the rep replied.
The connection was down for two or three hours, but the rep added, "That's what we have pencils and paper for."
The casual and inappropriate attitude might seem strange in a city that lives in constant danger of being hit by a massive earthquake.
But as division chief Rob Dudgeon added, "We still had radios and cellphones. And it's not like we are going to have Internet connection if we get hit with the Big One."
It's not the first time San Francisco authorities have come to grief over network passwords. Last year, San Francisco's own Terry Childs was given a four-year sentence for locking the city out of its own network.
In other security news
Internet security provider Barracuda Networks just announced that it has sustained a serious attack on its servers that appears to have exposed sensitive data concerning the company's partners and employee login credentials.
Barracuda representatives didn't respond to emails seeking confirmation of the anonymous post, which claims the data was exposed as the result of a SQL injection attack. Screenshots showed what was purported to be names, email addresses and phone numbers for Barracuda partners from organizations including Fitchburg State University in Massachusetts and the U.K.'s Hartlepool College of Further Education.
But the anonymous post did appear to be authentic, according to some Internet security observers. The spilled contents also included what appeared to be the email addresses and hashed passwords of Barracuda employees authorized to log in to the company's CMS.
The passwords appeared to be hashed using the MD5 algorithm, which is slowly being phased out in favor of algorithms considered more secure. It was still unclear whether the hashed passwords were salted to prevent them from being cracked using various free tools available on the Web.
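The difference between unsalted MD5 and a salted, slow hash can be shown with a short added example; it is not code from Barracuda or from the original article. The sample accounts are constructed, and the choice of PBKDF2-HMAC-SHA256, the `pbkdf2$` record format and the upgrade-on-login step are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor chosen for this example

def md5_unsalted(password: str) -> str:
    """Legacy scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_salted(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow hash stored as 'pbkdf2$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)  # fresh random salt unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_salted(password, bytes.fromhex(salt_hex))
    else:
        candidate = md5_unsalted(password)
    return hmac.compare_digest(candidate, stored)

def login_and_upgrade(db: dict, user: str, password: str) -> bool:
    """After a successful login, replace a legacy MD5 record with a salted one."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = pbkdf2_salted(password)
    return True

def demo() -> dict:
    # Constructed accounts: two users who happen to share one password.
    db = {"alice": md5_unsalted("Winter2011"), "bob": md5_unsalted("Winter2011")}
    same_before = db["alice"] == db["bob"]  # unsalted: the reuse is visible
    logins_ok = (login_and_upgrade(db, "alice", "Winter2011")
                 and login_and_upgrade(db, "bob", "Winter2011"))
    same_after = db["alice"] == db["bob"]   # salted: the records now differ
    wrong_pw = login_and_upgrade(db, "alice", "guess")
    return {"same_before": same_before, "same_after": same_after,
            "logins_ok": logins_ok, "wrong_pw": wrong_pw}
```

Because each salted record carries its own random salt, a precomputed table of MD5 digests no longer matches any stored value, and every guess costs the full iteration count.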
Overall, SQL injections are the most common form of all Internet-based attacks and have been used as the starting point for an untold number of security breaches, including the one that exposed data for more than 130 million credit cards when confessed hacker Albert Gonzalez broke into credit card processor Heartland Payment Systems.
SQL injection techniques were also the cornerstone of a recent attack on HB Gary, the disgraced security firm, that exposed tens of thousands of proprietary emails.
SQL injection attacks exploit poorly written Internet applications that fail to scrutinize user-supplied data entered into search boxes and other fields on targeted Web sites. By passing database commands to the site's backend server, attackers can harness the vulnerabilities to view and even modify the confidential contents at will.
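The flaw described above, and its standard fix, can be seen in a small added example using an in-memory SQLite database; it is not code from any of the sites mentioned. The `partners` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE partners (name TEXT, email TEXT, public INTEGER)")
    conn.executemany("INSERT INTO partners VALUES (?, ?, ?)", [
        ("Example College", "it@college.example", 1),
        ("Example University", "admin@university.example", 1),
        ("Internal Reseller", "private@reseller.example", 0),
    ])
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Search-box input is pasted into the SQL text, so it can rewrite the query."""
    sql = ("SELECT name, email FROM partners "
           "WHERE public = 1 AND name LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()

def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Input is bound as a value; the database never parses it as SQL."""
    sql = ("SELECT name, email FROM partners "
           "WHERE public = 1 AND name LIKE '%' || ? || '%'")
    return conn.execute(sql, (term,)).fetchall()

def demo() -> dict:
    conn = make_db()
    crafted = "' OR 1=1 --"  # closes the string literal and widens the WHERE clause
    return {
        "normal_vulnerable": len(search_vulnerable(conn, "College")),
        "crafted_vulnerable": len(search_vulnerable(conn, crafted)),
        "normal_parameterized": len(search_parameterized(conn, "College")),
        "crafted_parameterized": len(search_parameterized(conn, crafted)),
    }
```

With the concatenated query the crafted term returns every row, including the non-public one; with the bound parameter the same term is only an unusual search string that matches nothing.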
Source: The University of Southern California.