<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secure Today &#187; AIC Triad</title>
	<atom:link href="http://www.securetoday.net/category/aictriad/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securetoday.net</link>
	<description>Protecting your own for the future</description>
	<lastBuildDate>Thu, 25 Feb 2010 16:25:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>The Art of Steganography</title>
		<link>http://www.securetoday.net/2009/06/the-art-of-steganography/</link>
		<comments>http://www.securetoday.net/2009/06/the-art-of-steganography/#comments</comments>
		<pubDate>Sun, 28 Jun 2009 03:33:25 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[AIC Triad]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[cryptology]]></category>
		<category><![CDATA[digital certificate]]></category>
		<category><![CDATA[hash]]></category>
		<category><![CDATA[integrity]]></category>
		<category><![CDATA[md5]]></category>
		<category><![CDATA[PKI]]></category>
		<category><![CDATA[steganography]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=125</guid>
<description><![CDATA[Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [Wikipedia].

A few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use [...]]]></description>
			<content:encoded><![CDATA[<p><strong>S</strong>teganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity [<a href="http://en.wikipedia.org/wiki/Steganography" target="_blank">Wikipedia</a>].<br />
</p>
<p>A few months ago, I was drafting an article about Cryptography. In my draft I wanted to expand the use of Cryptography to cover not only Confidentiality but likewise Integrity. I began to write along the lines of Public Key Infrastructure; the use of digital signatures to encrypt as well as to sign messages. While searching for an email from a friend, I came across an unsent email in my Drafts folder. It was an old email from more than four years ago, titled Steganography. In my email were two images. One was the original and one was the stego file. I recall I planned to send them to my classmate for our Steganography research. So, less than five years later, here I am talking about the same “art”. Ah, the art and science of steganography.</p>
<p>Earlier this year, I attended a Product Advisory Council meeting from McAfee. One of the future product integrations they are adding to their suite of Security products is Data Leakage Protection, from the acquisition of Reconnex.</p>
<p>DLP, be it host- or network-based, addresses the detection of files that could be leaking out of the company from a confidentiality standpoint. One of the concerns I brought up was the detection of steganography. As you can see, even sophisticated technology can lack the ability to decrypt or guess the algorithm used in steganography.</p>
<p>It is not the scope of this article to cover how steganography is performed or ways to accomplish it. Likewise, this article is not going to list the steganography tools available to perform this. In searching the Internet, you can probably find many articles about this and the tools available, as well as countermeasures.</p>
<p><span id="more-125"></span>This article only wishes to address the pros and cons of steganography. As with many tools and technologies, whose hands it is in determines the result. As a security professional, this should be used as yet another layer of defense or security. If we combine steganography with PKI, the result is a more secure document. Let’s take this simple approach:</p>
<p>I have a document. The document is hashed for message integrity. Together with the hash, I encrypt it with my private key. This is non-repudiation. The whole result is then encrypted with the recipient’s public key. This is confidentiality, since only the receiver can decrypt it. The result is an encrypted, digitally signed message. This is the PKI part. This by itself is already super secure. What if I still want to embed this using steganography and then encrypt the result again with my private key? Maybe it is too much, but you see my point in combining them to add layers of security.</p>
<p>I’ll write a separate discussion on digital certificates next time, but for now, the use of steganography can be very beneficial. On the other hand, this tool can be used in bad ways as well. It was also suspected that terrorists have used this method for their communications, but there is no evidence to support it.</p>
<p>This is a very simple method to conceal your messages. The difference is almost impossible for the naked eye to spot. Back to the two images from my email that I talked about earlier. Looking at both of them now, it scares me to say that I cannot spot which one has the embedded document and which one does not. Both appear identical and the file size is the same.</p>
<p>In conclusion, when you see an image, for example the logo on this website, how easy is it for you to know that it is actually an image embedded with my secret recipe for my steak sauce for my sister to download? Scary, but it could be true. But it is not the end of the world; steganalysis, the science of detecting messages hidden using steganography, exists. Similar to cryptography, these are not impossible to crack. It is not a matter of if, it is a matter of when.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/06/the-art-of-steganography/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Secure your PASSWORD</title>
		<link>http://www.securetoday.net/2009/02/secure-your-password/</link>
		<comments>http://www.securetoday.net/2009/02/secure-your-password/#comments</comments>
		<pubDate>Sat, 14 Feb 2009 20:19:57 +0000</pubDate>
		<dc:creator>Zarex dela Cruz, CISSP</dc:creator>
				<category><![CDATA[AIC Triad]]></category>
		<category><![CDATA[Access Controls]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[crack]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password management]]></category>

		<guid isPermaLink="false">http://www.securetoday.net/?p=57</guid>
		<description><![CDATA[PASSWORD MANAGEMENT
One of the overlooked areas many of us struggle with is password management. In our day-to-day computing activities, many of us simply choose to protect our assets with a simple password. These assets could be critical, such as bank accounts, confidential data, or even health information. We are [...]]]></description>
			<content:encoded><![CDATA[<h2><strong>PASSWORD MANAGEMENT</strong></h2>
<p>One of the overlooked areas many of us struggle with is password management. In our day-to-day computing activities, many of us simply choose to protect our assets with a simple password. These assets could be critical, such as bank accounts, confidential data, or even health information. We are lacking the real work of password management.</p>
<p><img class="alignleft size-full wp-image-58" title="password" src="http://www.securetoday.net/wp-content/uploads/2009/07/password.jpg" alt="password" width="400" height="300" />Now, just what is password management, really? Well, in its very simplest form, managing passwords!</p>
<p>In the corporate world, there are various technologies that do password management. In fact, password management is covered in good depth in many of the books for the CISSP exam.</p>
<p>Now, before going deeper into it, let&#8217;s put the word password itself under the magnifying glass. Many, if not all, of us know what a password is. That&#8217;s the word you write on your sticky note and hide underneath your keyboard. Kidding aside.</p>
<p>Passwords are the most widely and commonly used authentication mechanism. They are also considered the weakest security mechanism. Users will simply choose very easy passwords, such as their date of birth, favorite color, or nickname, that are easy enough to guess. Sometimes, too, they give them away to their buddies or best friends.</p>
<p>It is funny yet interesting to see how users typically think security is not one of the most important parts of their computer. Not until someone hacks into their computer or account; that&#8217;s when security becomes all the frustration.</p>
<p>So here comes password management to the rescue. Although the scope of this article only dives deeper into day-to-day users of computers, email and services, it will touch a bit on the corporate world, where I will cover some of the best ways of managing passwords. Bear in mind, this article does not go deeper into how to implement SSO technologies, token devices and such.</p>
<p><span id="more-57"></span>Simply put, you have to protect your treasured belongings with your best security. You wouldn&#8217;t really want to put your jewelry, money, and other important belongings into a carton box lying around your doorstep. In the same way, you need to protect your emails, your computers and your accounts with a good password.</p>
<p>A good password is at least eight characters and contains a combination of upper and lower case and special characters. Try to choose something not closely related to you, such as your favorite color, pet&#8217;s name, or belongings. For example, &#8220;1Fo126iveYoU&#8221; is a strong password. &#8220;blue123&#8221;, while it contains letters and numbers, is still vulnerable to dictionary and brute-force attacks. I am not going to explain those, but in short, they are types of attacks a hacker can use to guess your password. There are many free and easy-to-use programs out there that can easily do the guessing.</p>
<p>Also, not writing your password where someone can read or see it is a good countermeasure to remember. Sometimes we change our password to one similar to the previous one, incrementing or decrementing a few characters, such as &#8220;PassWord1&#8221; being your previous password and &#8220;PassWord2&#8221; your new one. If you wrote it down on a piece of paper and threw it away, an attacker can go to the trash bin and try to find it. This technique is also called dumpster diving. So be aware: just because you are done with your password doesn&#8217;t mean they cannot still use it to guess your other passwords.</p>
<p>There are systems nowadays that will ask you for a phrase instead of a password. These are called passphrases. So instead of entering &#8220;password 123&#8221;, you might be asked to key in &#8220;let me in this is me&#8221;. Other systems do it a different way by allowing you to enter a cognitive password. Cognitive passwords are opinion- or fact-based information. They are usually derived by answering questions about your life. The answers are then transposed into a virtual password.</p>
<p>In systems where we are only required to enter our password, it is your duty to secure it. I&#8217;ve covered a few ways to secure your password here, but there are many other things you can do on your own. Something I did not cover, which is beyond the scope of this article, is the implementation of encryption or token devices to ensure that users&#8217; passwords are not sniffed, eavesdropped on, or captured by an attacker for a replay attack. Those countermeasures are for security professionals to implement as technical or logical controls in their enterprise.</p>
<p>Password synchronization, assisted password reset, and self-service password reset are a few approaches you can implement in your enterprise to help users reset their passwords without being compromised during resets. Those are the real &#8220;password management&#8221; discussion.</p>
<p>As end users, protect your password as if it is the key to all your belongings. Remember, attackers can sniff passwords (so corporations should implement encryption), brute-force guess them (apply hard-to-guess strong passwords), or steal them (using techniques such as dumpster diving, shoulder surfing, and keyboard monitoring). Shoulder surfing is when someone looks over your shoulder or back as you type in your password.</p>
<p>Next time, I will try to cover in detail some of these attacks that you really need to be aware of.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securetoday.net/2009/02/secure-your-password/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>
