Here is a very good article why we should and how we can enforce security policies in a corporate environment:

http://www.cw.com.hk/article.php?type=article&id_article=2588

As we have discussed before in this blog, the point is that you need to let employees know why there are security policies and how the policies are benefiting them. And let them know the consequences of violating the policies.

CISCO has recently released a study that shows many employees do not follow Security Policies in the work environment. The reason is that they think the policy is not fair to them, and that the policy is not aligned with the reality of their daily work activities.

http://www.cw.com.hk/article.php?type=article&id_article=2591

In the article, it states:
“The study found that the majority of employees believe their companies’ IT security policies are unfair. Indeed, surveyed employees said the top reason for non-compliance is the belief that policies do not align with the reality of what they need to do their jobs, according to Cisco”.

This reconfirms that the human factor in Information Security is still the primary issue we need to deal with in our day-to-day security management.

Tags: Information Security Policy, Information Security Policy Management, Employee Attitude to Security Policy, Security Policy, Security Policy Management

Tags

General Information Security, Security Management

Technorati Tags: Information Security Policy, Information Security Policy Management, Employee Attitude to Security Policy, Security Policy, Security Policy Management

This illusion is best illustrated by an interesting game called the Monty Hall Problem, which goes like this:

Suppose you are a lucky game show player who is picked to participate in a game. The game requires you to stand in front of the three doors. Behind one door is a car, and behind each of the other two doors is a goat. You are told to choose one of the doors, and if you choose the door to the car, you win the car.

The game requires you to make your choice, and then the host (who knows what is behind each door) will open one of the other two doors that he knows does not open to the car. According to the game rules, you have the chance to change your mind and choose the other remaining door, or remaining with your original choice.

The problem is: Should you pick the other remaining door, or trust your first choice? Would this decision make any difference in the chance of winning the car?

Most people will say that the chance is the same for whichever choice because you have half the chance to win the car out of the two remaining doors. It sounds logical, doesn’t it?

But let’s examine this carefully. Suppose you label these two strategies as:

Strategy A:  Remaining with the present door choice.

Strategy B:  Changing the choice to pick the other remaining door.

Let’s take a look at Strategy A first, where there are two outcomes:

Strategy A, Outcome 1: Your original door choice was the one if front of the car all along, and you win because you chose to remain with the first door you picked. The chance of you picking the door with the car at the beginning of the game was 1/3 because you had to choose one out of the three doors.

Strategy A, Outcome 2: Your original door choice was one of the two doors in front of a goat, and you lose because you chose to remain with this first door you picked.  There is 2/3 of chance for this scenario to take place, since two of the doors had goats behind them.

So for Strategy A, you had only a 1/3 chance to win the car.
What about Strategy B, where you change your original choice?

Strategy B, Outcome 1:  You change your door choice, and unfortunately your new door choice is hiding the other goat. You lose. Remember you have 1/3 of chance in this outcome as discussed previously.

Strategy B, Outcome 2: You change your door choice, and open the door hiding the car. You win! And you have 2/3 of chance in this outcome. (If you’re interested in a full explanation of how the outcome changes to 2/3, search for the term “Monty Hall Problem” using your favorite search engine and you’ll find plenty of information.)

Looking at the problem this way, it’s quite obvious that Strategy B is a better choice, isn’t it?

Some of you might still feel confused. You might need to re-read the whole discussion above to clarify your thoughts.

Ultimately, this game illustrates one very important weakness of people: We tend to jump to conclusions for many problems too easily without careful analysis. And worst of all, we are usually over confident as to what we have concluded at the beginning.

This problem is closely related to the people issue in Information Security or Corporate Risk Management. People tend to overlook many possible system vulnerabilities when undergoing so-called “risk analysis”. They are not aware that they have been overly naïve when thinking about the possible threats to their system of operations.

It’s quite interesting that this phenomenon is well observed now, as there are so many financial institutions around the world running into their own financial problems because the people who run those organizations were too confident in themselves to manage the risks. And indeed, they seem to be completely blind to the possible exposure of managing and holding all those financial products they have on hand, without even thinking about the possible serious consequence of dragging down their own companies if things go against them. And indeed, it catches up to them in the end.

So in the risk management exercise of information security, the number one beneficial attitude is to be humble. We need to realize that we are not invincible, and be very careful in weighing all possible risks related to the information system we are using. We have to work out the plan in every step of risk management without the tendency to overlook or jump to conclusions too easily. Without the right mind set, we are very likely to fail to manage all possible risks properly.

Tags: Corporate Governance, IT Governance

Tags

General Information Security, Risk Management

Technorati Tags: Risk Management, Monty Hall Problem, risk analysis, Corporate Governance, IT Governance

The first way you can do this is, of course, to apply such a certificate from a trusted Certificate Authority (CA), such as VeriSign. But can you do this without a CA?

Yes, it is possible for you to generate such a certificate manually using open source software. However, note that the certificate is self-signed, meaning it is signed by you as the trusted root source.

To do this, you have first to download a piece of software than can generate PCKS12 format certificates. The most common one is OpenSSL software.  You can visit this website to know more:

http://www.openssl.org.

The original OpenSSL software is made primarily to be run on the Linux platform. As a general Windows user, you might need to use the program on a Windows platform, and may not know how to compile the source code of OpenSSL to make it run on a Windows platform. If you have this headache, you can try the Windows compatible OpenSSL work available for free here:

http://www.slproweb.com/products/Win32OpenSSL.html

Upon successful installation of the software, go to the bin directory of your installation to locate the software openssl.exe that you need to use to generate PKCS12 certificate.

I followed the instructions here to create my own certificate:

http://tinyurl.com/4s5zqo

I have added my own explanations and remarks and simplified a bit the process. Here are the steps:

Assume you have installed your software on the path c:\Openssl

1.    Generate a RSA Private Key in PEM format

Type:
>C:\Openssl\bin\openssl.exe genrsa -out my_key.key 2048
Where:

• my_key.key  is the desired filename for the private key file
• 2048  is the desired key length of either 1024, 2048, or 4096

2.    Generate a Certificate Signing Request:
Type:
>C:\Openssl\bin\openssl.exe req –new –key my_key.key –out my_request.csr

• my_key.key is the input filename of the previously generated private key
• my_request.csr  is the output filename of the certificate signing request

3.    Follow the on-screen prompts for the required certificate request information.
4.    Generate a self-signed public certificate based on the request.
Type:
>C:\Openssl\bin\openssl.exe x509 -req -days 3650 -in my_request.csr -signkey my_key.key -out my_cert.crt

my_request.csr  is the input filename of the certificate signing request
my_key.key is the input filename of the previously generated private key
my_cert.crt  is the output filename of the public certificate
3650 are the duration of validity of the certificate. In this case, it is 10 years (10 x 365 days)
x509 is the X.509 Certificate Standard that we normally use in S/MIME communication

This essentially signs your own public certificate with your own private key. In this process, you are now acting as the CA yourself!
5.    Generate a PKCS#12 file:
type:
>C:\Openssl\bin\openssl.exe pkcs12 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -in my_cert.crt -inkey my_key.key -out my_pkcs12.pfx -name “my-name”

• my_cert.crt  is the input filename of the public certificate, in PEM format
• my_key.key  is the input filename of the private key
• my_pkcs12.pfx  is the output filename of the pkcs#12 format file
• my-name  is the desired name that will sometimes be displayed in user interfaces.

6.    (Optional) You can delete the certificate signing request (.csr) file and the private key (.key) file.
7.    Now you can import your PKCS#12 file to your favorite email client, such as Microsoft Outlook or Thunderbird. You can now sign an email you send out using your own generated private key. For the public certificate (.crt) file, you can send this to others when requesting them to send an encrypted message to you.

Tags: self-signed Public Key, OpenSSL command

Tags

Cryptography, Network Security, Security Tools

Technorati Tags: S/MIME, PKCS12, private key, public key, secure email communication, Certificate Authority, OpenSSL, RSA, self-signed public certificate, X.509, PKCS#12, self-signed Public Key, OpenSSL command

http://www.pgpi.org/products/pgp/versions/freeware/

However, since they have recently taken down the freeware for the Windows platform, I’ll show you how to use another piece of software called “gpg4win” to do the same thing.

This software was created from an open source effort, and it supports OpenPGP standard. With a suitable plugin, you can use this with some other email clients such as Thunderbird and Clawmail for S/MIME email encryption.

You can download the latest version here:

http://www.gpg4win.org

Upon successful installation, you’ll find the following welcome screen:

Select “Generate key now” if you do not have a PGP private and public key pair.

Input your full name and email address, then carefully input a passphrase. This is an important step, so select something you can recall because you need to correctly enter your passphrase when you want to use your private key later.

Follow the onscreen instructions and create your key pairs. If you require a backup key to be generated, make sure you save the key pair in a safe place.

Now you can see your newly generated key in the application windows like the one I have generated for myself:

However, before you ask someone to send an encrypted message to you, you need to export your public key to them. You can select the “Export” function of the application window to do this.

After selecting the Export function, the program will ask you where to save the exported public key. Select a location where you can retrieve the saved public key later.

Now you can send your key to anyone who needs to send you confidential messages. Those who have your public key can then encrypt the message using your public key. Those encrypted messages can only be opened by you, who owns the private key.

As an example, suppose there is someone who already has encrypted a message (or simply a file) using your public key. Let’s call the original file “plaintext.doc,” and the encrypted file you received should be “plaintext.doc.gpg”. (The software adds the file extension “.gpg” to the output file it has encrypted)

Pressing the “Files” button under the application window displays the program’s file manager. You can locate and select the file “plaintext.doc.gpg” that has been saved in your computer previously.

By pressing the Decrypt button, you are prompted to enter the passphrase for your private key to decode the file. Upon presenting the correct key, you should now have the decrypted file under the same directory of your encrypted file.

To encrypt any file to other people, you need to import their public key by using the Import function of the main application screen. Select the public key file you obtain from other people (this should be a file with file extension “asc”), and click okay to proceed with the import.

By using the same file manager, you can select the file you want to encrypt and then choose the “Encrypt” function to produce the encrypted output file. Remember to use the public key of the person you have just imported to encrypt the file. You can then send this file to the party who owns the private key of the corresponding public key you have just imported to encrypt the file. That party should be able to decrypt the file using his/her private key.

Try this software and let me know if you have any problems or issues by leaving a message here.

Tags: GNU Privacy Assistant

Tags

Cryptography, Network Security, Security Tools

Technorati Tags: PGP, Pretty Good Privacy, PGP freeware, gpg4win, OpenPGP, GNU Privacy Assistant

The Google Browser is an open source project, and many of the components it was built on use open source software. One of them is the open-source rendering software called WebKit. This component was found to have a security flaw in its older version. It allows the attacker to maliciously trick web surfers into downloading a java (or other types of) executable file from a webpage. As the downloaded file appears, a button under the Chrome browser could be pressed by the user and hence run the program.

Since a java executable file will not warn the user before it runs, the user could accidentally trigger a malicious java program.

For details of this news, refer to this article:
http://www.cw.com.hk/article.php?id_article=2236

This security flaw has been identified previously with Safari, the browser from Apple. Apple patched the flaw last June.

To avoid the possible download of a malicious file, you can turn on the option to prompt the user for the file download path under Options → Minor Tweaks → Ask where to save each file before downloading.

In fact, other than this security issue, I always recommend using browsers under open source efforts such as Firefox, or now Chrome, because those browsers are built using program sources that are open to everyone. Then, security experts can always look at the program code details inside the program to uncover potential security flaws. This makes the software safer to use in the long run.

Tags: Google Chrome, Apple Safari, Google Chrome Security Issue, Google New Browser

Tags

General Information Security, Network Security

Technorati Tags: WebKit, Google Chrome, Apple Safari, Google Chrome Security Issue, Google New Browser

A trojan horse or spyware operates by running on your computer and opening a communication port (TCP port) to communicate with the remote hacker, so he or she can “spy” on your computer. The easiest way to detect this activity is to look at the ports opened on your computer by using the built-in DOS function netstat. At the DOS prompt, type this command with the switch “-a”, (i.e. “netstat -a”) to look for the ports opened on your computer.

If you have no idea what ports are usually related to a trojan horse, you can do a search on any search engine for the term “common trojan horse ports”. Here are two of the reference sites I’ve found:

http://www.doshelp.com/Ports/Trojan_Ports.htm

http://personal.telefonica.terra.es/web/oscarmartinez/_articlesan/article49-Trojan-horse-ports.htm

If you still have a hard time decoding the lists from these reference sites, you can use a handy program called “fport“. Download this here:

http://www.foundstone.com/us/resources/proddesc/fport.htm

This program helps match your opening ports with the programs in your computer. This is easier way to locate a particular suspicious program in your computer to uncover any potential spyware residing on your computer.

Please note that since this is a command mode program, you need to bring up a command prompt window by choosing Start ==> Run and then type in the command “cmd” in the “Run” window. Next, type in the exact path of the program. For example, if you have installed the program under c:\, type in c:\fport to run it. The program will create a list of programs associated with your computer under inspection. If you have difficulty comprehending a long list of ports on the command prompt window, you can tell the program to redirect the outputs to a text file for printing and later analysis. You can do this by typing, for instance, “c:\fport > c:\output.txt” to create a file named “output.txt” on your c:\ drive.

This is a handy tool for running an inspection on your computer to detect any possible hacker’s attack. I recommend that you use it regularly – it’s to your benefit.

Tags: Trojan Horse Removal, Popular Trojan Horse Port List

Tags

Network Security, Security Tools

Technorati Tags: trojan horse, netstat, fport, Trojan Horse Removal, Popular Trojan Horse Port List

In other words, it’s actually management’s intention for how various stakeholders, especially employees, should uphold and follow the required security standards in operating the company’s activities.

Policies should:

• state reasons why the policy is needed
• describe what is covered by the policy - whom, what, and where
• define contacts and responsibilities to outside agencies
• discuss how violations will be handled

A recent journal by James and Coldwell (2007) states that corporate policies should consider security and ethics issues. Management should include explicit statements about the following:

• An organization’s method of handling the security of its system and information;
• Privacy and security issues of information;
• Informational assets complying with the impact of ethical behavior and conflict.

Users should be educated to recognize the value of assets, risks, and costs of compromise, as the human being is always the weakest link in security management. Therefore, when designing a security policy, human factors should be closely examined and reviewed. This view is supported by a white paper from British Telecommunication plc (BT White Paper 2004).

If you take a look at most security life cycle models, you will notice that a security policy is at the center of security processes, as shown in some typical models below:

http://www.sans.org/reading_room/whitepapers/testing/260.php (SANS Institute)

http://www.bradreese.com/andrew-r-reese.htm (BradReese.com)

http://www.audisec.com/html/philosophy.html

You should not overlook this important security tool in your organization n, should you?

Reference:

BT Write Paper (2004), ‘Why Security Policies Fail’, http://www.mis.uwec.edu/keys/Teaching/is365/208770-BT%20Why%20Security%20Policies%20Fail%20-20000718.pdf Accessed 08/08/08

James, H. and Coldwell, R.A. (1993), ‘Corporate Security: An Australian Ostrich’, Information Management & Computer Security, Vol 1, (Issue 4), 10-12

Walt, C. (2001a), ‘Introduction to Security Policies, Part One: An Overview of Policies’, SecurityFocus, August 27, 2001, http://www.securityfocus.com/print/infocus/1193 Accessed 08/08/08

Walt, C. (2001b), ‘Introduction to Security Policies, Part Three: Structuring Security Policies’, SecurityFocus, October 9, 2001, http://www.securityfocus.com/infocus/1487 Accessed 08/08/08

Weil, S. (2004), ‘How UTIL Can Improve Information Security’, December 22, http://www.securityfocus.com/infocus/1815 Accessed 08/08/08

Tags: Security Life Cycle Model

Tags

Security Management

Technorati Tags: security policy, security life cycle, Security Life Cycle Model

Actually, there is a third-party GUI interface program that can be run on a computer without administrator rights, and you are still able to access the container file of TrueCrypt upon supplying the correct password.

This software is called TCExplorer, and you can access it for free here:

http://www.codeproject.com/KB/files/TCExplorer.aspx

I have been testing this for a while and I think it’s a great piece of software, especially if you want to use a TrueCrypt file on a public computer.

Here are some notes about using this software:

1   TCExplorer cannot manage the TrueCrypt file created by the latest version. I tried this software on a container file made with Version 6.0a without success. Based on information in the author’s release information, I tried the earlier version of TrueCrypt back to 2007, such as Version 4.3a, and it works fine.

2   Fortunately, Version 4.3a’s container file can still be managed by the latest TrueCrypt program, v6.0a. So what you need to do is create a v4.3a container file using the old version of the TrueCrypt program by running it once (you can download the old version of TrueCrypt here: http://www.truecrypt.org/pastversions.php) and use the latest version to manage the file, like mapping this old version container file as a drive to your computer with administrative rights.

You might wonder why the official TrueCrypt project does not offer this feature to the program. Actually, this is a common drawback of all so-called “on-the-fly” real time data encryption programs. One of the main intentions of this kind of real-time data encryption program is to use system drivers to embed all encryption processes in the system so that the user will not need to take care of the encryption/decryption process when they add or extract data files from the container file. The whole process can be made transparent to the users.

And to be able to install and use the specially created system drivers, you must have the administrative rights.

If the on-the-fly feature is not needed, then we definitely do not need to install the system drivers and hence there is no need to have the administrative rights. But then you have to take care of another security concern. The user needs to set up a temporary place to store and process the encrypted/decrypted file from the container file as now there is no real-time process to help encrypt/decrypt the file directory to the system. This place is prone to data leakage as the user must remember to clean it up after using the program.

Take the TCExplorer as an example. It automatically creates a temporary directory either in the USB thumb drive you are using or it sets up a temporary directory in your computer, such as: C:\Documents and Settings\YourUserName\Local Settings\Temp.

After using the program, you need to clean the temporary data there or risk that the decrypted files will be left there without encryption. This program does provide a feature to delete the temporary directory as shown:

But the user still has to remember to use this feature.

So perhaps this explains why the official TrueCrypt project does not provide this feature, because it introduces a security weakness to the program if we allow the user to use this program on a computer without administrative rights.

So use this program carefully if you think it can help. As the author of TCExplorer commented, there are advantages and disadvantages of using this program. The author’s intention is to provide a truly portable solution for people with documents that are not highly confidential but don’t want others to view their documents (for instance, if a thumb drive is lost). If this is what you’re looking for, then perhaps TCExplorer is right for you.

Tags: on-the-fly data encryption, USD Data Encryption, Encrypting data without administrative rights, USB Data Encryption and Decryption without administrative rights

Tags

Cryptography, Operations Security, Security Tools

Technorati Tags: TCExplorer, TrueCrypt, on-the-fly data encryption, USD Data Encryption, Encrypting data without administrative rights, USB Data Encryption and Decryption without administrative rights

To illustrate this, let’s suppose Bob wants to send a message to Mary securely over the Internet. He needs Mary’s public key to encrypt the message. Theoretically, it is Mary, who owns the one and only one private key of her own, who can decrypt the message. So Mary is the only recipient who can open this message. Bob achieves his objective of keeping the secrecy of this message and revealing it to Mary only.

But the problem is: how can Bob get Mary’s correct public key? Suppose hacker Tom wants to intercept their communication. He can create a fake public key for Mary and send it to Bob. Bob, without knowing that this key is fake, uses it to encrypt the message he intended to send to Mary. The message could then be compromised by Tom for he is the person who owns the corresponding private key to the fake public key he created for Mary.

Tom can then even further re-encrypt the secret message using Mary’s real public key, sending it to Mary, and she doesn’t realize that someone other than her has read the message. And worst of all, Tom can modify the message before he encrypts and sends it, compromising both the confidentiality and the integrity of the message.

How can Bob solve this problem? He can ask for a trusted third party to help verify Mary’s public key. Let’s say this third party is Peter. Peter can help Bob by signing on Mary public key using his own private key. However, there are two conditions that need to be satisfied for this verification to work:

• First Bob must have full faith in Peter’s role as a verifier.

• Second, Bob must have an authentic public key for Peter in his key database. He needs Peter’s public key to verify Mary’s signed public key and hence reconfirm the validity of Mary’s public key sent by Peter. (Without Peter’s authentic public key, Bob has no way to ensure he has Mary’s correct public key.)

If the above two conditions are satisfied, there is no way that hacker Tom can send a fake public key for Mary to Bob, because Bob can identify it as fake, with the help of Peter.

But then this leads to another problem: Bob must have a trusted and verified public key for Peter! This seems to create the very same problem involved with verifying Mary’s public key. Bob needs to repeat the same verification procedure used for Mary’s public key, looking for someone who can verify Peter’s public key. This problem can go on and on in a circle until Bob can find an ultimate trusted “root” of public keys.

In the modern public key infrastructure (PKI), the role of Peter is played by a so-called Certificate Authority (CA). In a communication system, CAs are trustworthy organizations that have the corresponding, verified public keys of the users you want to communicate to. The CA holds a database containing the signed public keys it issued for the users who have applied and obtained the public key/private key pair through it. The private key is kept by the user, and the public key is posted to the public and maintained by the CA.

You must have trusted CAs in your database or otherwise the above story can never reach its end.  Take our popular Internet Browser IE as an example. If you take a look at Tools ==> Internet Option ==> Content ==> Certificate ==> Trusted Root Certificate Authorities, you can see it contains a long list of trusted Root CAs.

The popular ones in the USA are VeriSign, Thawte, etc., which are commercial organizations. In most other regions, CAs come from Government initiatives. Take my home country of Hong Kong as an example. The official CA here is the Hong Kong Post Office, which is a governmental department, with its original function serving the postal service in Hong Kong. Government-backed organizations possess the “trust” factor, and that is an important criterion for a root Certificate Authority who needs to sign and verify its publicly issued keys.

Each CA must possess a very robust infrastructure of its Internet public key directory in serving the intended communication parties of its certificate clients.

Without CAs, you would have to verify the public key yourself. In the above case, Bob would need to verify Mary’s public key before he sends her any message encrypted by the public key he has on hand. This can be done with offline communication such as phoning Mary to verify the key, or simply getting the key from Mary by meeting her face-to-face. Of course, this is very inconvenient and impractical in most electronic communication cases.

Tags: Asymmetric Encryption, Root CA, Root Certificate Authorities, Trusted Root Certificate Authorities, confidentiality of message, integrity of message

Tags

Cryptography, Network Security

Technorati Tags: public key, private key, public key infrastructure, PKI, Certificate Authority, Certificate Authorities, trusted Root CAs, VeriSign, Thawte, root Certificate Authority, Asymmetric Encryption, Root CA, Root Certificate Authorities, Trusted Root Certificate Authorities, confidentiality of message, integrity of message

To reveal this interesting application, try the following program available on the Internet:

http://linux01.gwdg.de/~alatham/stego.html

JPHS is a program written by Allan Latham (alatham@flexsys-group.com) many years ago to conceal a hidden ASCII-based text message within a JPEG picture file.

After successfully downloading and decompressing the file, you can follow these steps to test out this program:

To hide the message:

1. Select a picture or image you like. Download it (if necessary) and save it as JPEG file. Note the JPEG file size.
2. Use Notepad to create a simple text file with some “secret message”. Save the file.
3. Extract the downloaded file. You should find a file named Jphswin.exe. This is the Windows Version of the program with GUI to operate steganography on the jpeg file. Upon running the file, you will see the JPHS for Windows screen.
4. First, click Open jpeg to define the JPEG file you made in Step 1 as the input jpeg file. Look at the bottom of the window. What’s the message?
5. Do you have any limitation on the data file you want to hide inside the JPEG file? (Hint: look at the description of the first row of the JPSH for Windows screen)
6. To begin the process of hiding information, click the Hide button on the JPHS toolbar. It prompts you for a passphrase. Enter something of your choice here. (What are the criteria of a good passphrase?)
7. Next, select a file you want to hide. (You can use the text file you made in Step 2.)
8. Look at the middle row of the JPHS for Windows. You will see that your hidden file has been defined.
9. The next step is to generate the output JPEG file by clicking Save jpeg (or Save As if you want to save the output jpeg file as different name). Look at the bottom of the window and make sure you get a confirmation message from JPHS before you close the program.
10. Check again with the file size of the newly generated JPEG file. Is there any change?
11. Open the two JPEG files (the original file and the new one). Can you detect any difference between the images?

To extract the hidden message:

1. Run JPHS for Windows again. Click Open jpeg and select the previously generated JPEG file with hidden information.
2. Click the Seek button and JPHS will prompt you for the passphrase of the hidden information. Enter the passphrase and click OK.
3. JPHS prompts you for a location to save the hidden data. Browse to the location and click Save.
4. To open the data, open the Windows explorer and locate the new file. Right click on the file, then select Open with, and select the appropriate application to view the information. In this exercise, Notepad can be used. You can now retrieve the hidden information.

Note: If your input secret text file is too large compared to the original JPEG file, the program will warn you that there will be statistically significant bias of the resultant JPEG file from an original JPEG file that could cause the possible detection of the embedded secret message. The bias can be so great that it could be noticed by even unsophisticated users.

So, use this program carefully, following the program’s advised size limitation of the secret message file.

Tags: Hide Information in a Picture File, tool to perform steganography

Tags

Cryptography, Security Tools

Technorati Tags: steganography, JPHS, Allan Latham, Hide Information in a Picture File, tool to perform steganography