A useful application of stealth tools
steganography (n) - the practice of concealing messages or information within other non-secret text or data.
I was reading the other night of a hack where confidential data was leaked via modified Image files on an externally accessible website.
It reminded me of a useful application of this sort of technology I developed a few years ago.
The problem was simple - I needed a procedure document. It had to explain how to shutdown all the equipment in two full height racks (VM servers, 3Par Storage, NAS, Routers, fiber switches, switches and a few other appliances) and then the correct sequence to bring everything up once power was restored.
Once everything was working normal Application and Infrastructure monitoring kicked in and showed up any anomalies. VMs were automatically shutdown at loss of power but a total hardware level shutdown or startup required manual intervention.
Of course, the online Knowledge Base (in a Sharepoint document store) and the Incident Tracking system were running on a bunch of VMs within these same racks. When everything was shutdown the information was inaccessible. So the document had to be offline, in a hard copy. It also had to have a few key accounts, passwords and IPs. It was in a locked room. Only key staff had access, but in any case, I did not want the document to be usable if it got misplaced. My solution was to write the document as a standard Word procedure manual. But I created a table with the key information in it, encrypted it with a password, and turned it into a 2D QR Code image. This QR code got embedded into the document.
The beauty was I could say in the document which key staff had been told the password, and even give a brief outline on what tools (on the engineer's Smartphone) to use to read the code. Easy !
In a sense, it is a physical document with its information protected with two-factor (something you know and something you have). As with most documents of this type it only gets used a few times a year, if that. I think it is fit for purpose and contains the required information in a secure manner with the required measure of availability and accessibility.
An article on Steganogrpaghy tools.
Some information on QRCodes.
And a very video on true embedding messages in images
The other day I saw a QR code stuck above the intercom on a doorway outside a city office. I scanned it. nothing. But if made me think " what a great idea for getting people to do a drive-by download". Perhaps a bit equivalent to ducking into an "unattended" office and leaving behind a small basket of USB keys sitting at reception. Everyone assumes it is ok to take one and use it.