Hiding in plain sight

This article is focused on information technology, security, and monitoring the flow of your intellectual property rights (IPR) beyond your firewall.

Technical? Yes. But I will try to make it understandable for a non-technical audience (the one that actually could use some of the ideas).

The concept? More than an article, this is a simple sharing of a potential issue and its (cheap) solution.

With a side-effect: once implemented, the solution could also act as a preventive defence against as yet unknown issues that use the same method, i.e. overloading the “filtering” with volume.

Why now?

Over the week-end I was “testing the waters” inside an online community, to see if it would be a worthwhile effort to resurrect a security software/platform that I started creating at the end of the 1980s, to fill my (pre-Internet) travel time.

My concept was simple: finding a simple and efficient way to keep information stored online without letting the provider, or anybody with access to the database, glean knowledge about the data or its structure.

Why? Because I had come from some time spent designing DSS (decision support system) models, and often it was not just the data but also its structure that “gave the model away”.

The best decision models sometimes filtered or converted the famous 99% perspiration, aggregated from centuries of experience (of managers, of companies), with my more modest 1% inspiration, which would have been impossible without that 99%.

Why “testing the waters”? I was checking if something Open Source had been developed that immediately comes to mind when I give a general description of my logic to keep data and models secure; seemingly, it hasn't.

So, as I wrote online <>

But over the last few years, once in a while, I have received spam messages that contained no real message.

Just a series of 5- or 6-letter groups.

Have you seen the movie “Enigma” (that, incidentally, did a poor job of converting the book)?

After receiving some of these nonsense messages, once, by chance, I started checking the full message, and I noticed a few characteristics.

The title was quite long and nonsensical.

The “headers” (the part that shows the source, path, and destination; it is the part that you get if you select “show full headers” in your e-mail software) were interesting.

Sometimes the messages came from companies.

So, I came up with an idea: what if those spam messages were simply a way to transmit information from a source to a destination?

Think about it: you take the title, the real addressee's e-mail address, and maybe some of the headers as a reference text (a longer text with some nonsense and special characters inside).

Then you use a really simple character substitution to generate the 5-6 character blocks: each character of the message is combined, by a fixed formula, with the character at the same position in the reference text, moving forward one character at a time and starting again from the beginning of the reference text when it runs out.

The beauty of the scheme? If you “spam” a large number of addressees, most will just discard it, and only the one with the right receiving information (e-mail address, etc.) will be able to decrypt it.

Moreover: you can do it manually, while writing the message.

And, because it is unknown which of the gazillion e-mail addresses you are writing to is the real addressee, even if somebody filtering the traffic were to try to read it and knew the method, they would need to apply the method to each copy of the message.
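To make the scheme concrete, here is an added Python example (my illustration, not code from the post's author): a running-key substitution whose key is the normalised text of the subject, the recipient address and one header of the message, with the result written out in 5-character groups, and the same body sent to one real addressee and two decoys. The alphabet, the group size and every name, address, subject and message id below are constructed for the example.

```python
import string

ALPHABET = string.ascii_uppercase + string.digits   # toy alphabet (assumption of this example)
GROUP = 5                                           # size of the letter groups in the body


def normalize(text):
    """Keep only alphabet characters, uppercased; spaces and punctuation are dropped."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def keystream(reference):
    """The reference text as a key: normalised, and refused when nothing usable is left."""
    ref = normalize(reference)
    if not ref:
        raise ValueError("reference text contains no usable characters")
    return ref


def build_reference(subject, to, message_id):
    """The 'reference text' of one copy: nonsense subject + recipient address + one header.
    Every one of these fields is visible to whoever sees that copy of the message."""
    return keystream(subject + to + message_id)


def shift(c, k, direction):
    """Combine one message character with one reference character (mod alphabet size)."""
    return ALPHABET[(ALPHABET.index(c) + direction * ALPHABET.index(k)) % len(ALPHABET)]


def encode(plaintext, reference):
    """Running-key substitution: character i of the message is shifted by character
    i of the reference text, cycling back to the start when the reference runs out.
    The result is written out in fixed-size groups."""
    ref = keystream(reference)
    body = "".join(shift(c, ref[i % len(ref)], +1) for i, c in enumerate(normalize(plaintext)))
    return " ".join(body[j:j + GROUP] for j in range(0, len(body), GROUP))


def decode(groups, reference):
    """Inverse of encode: same reference text, shifting the other way."""
    ref = keystream(reference)
    return "".join(shift(c, ref[i % len(ref)], -1) for i, c in enumerate(normalize(groups)))


def try_every_copy(copies):
    """What a filter that knows the method has to do: decode each copy with that
    copy's own headers, because only the copy sent to the real addressee makes sense."""
    return {c["to"]: decode(c["body"], build_reference(c["subject"], c["to"], c["message_id"]))
            for c in copies}


# Constructed example data (not real addresses, subjects or message ids).
SECRET = "Send Project Falcon drawings via Dropbox tonight"
SUBJECT = "Re: fwd: account 7781 urgent!!!"
MESSAGE_ID = "<20140301.4421@mail.example.net>"
REAL = "alice@example.net"
DECOYS = ["bob@example.org", "carol@example.com"]


def spam_run():
    """Encode once with the real addressee's reference text, send the identical
    body to everybody, then show what decoding every copy yields."""
    body = encode(SECRET, build_reference(SUBJECT, REAL, MESSAGE_ID))
    copies = [{"to": r, "subject": SUBJECT, "message_id": MESSAGE_ID, "body": body}
              for r in [REAL] + DECOYS]
    return body, try_every_copy(copies)


if __name__ == "__main__":
    sent, decoded = spam_run()
    print("body sent to all:", sent)
    for to, text in decoded.items():
        print(f"{to:20} -> {text}")
```

Two things are worth noticing when you run it. The copy addressed to the real recipient decodes and the decoy copies come out as junk, so a filter that knows the method really does have to run the decoding over every copy, as the text says. But every byte of the key (subject, recipient, header) travels in clear with the copy that uses it, so the scheme hides which copy matters, not the content: try_every_copy is the whole attack, and it is mechanical.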

But, being a consultant, I immediately thought about possible uses and countermeasures.

Uses: transmitting pilfered IPR from a company.

Countermeasure: add “contextual” analysis to the outgoing messages.

Wherever I worked in a company as a consultant, I always advocated disabling the USB ports and reducing the rights of technical administrators to access end-user data without supervision, as I once designed a data storage system based on USB that integrated with databases and an ERP.

And for transient messages? Well, hopefully this is already being sorted out, with the new routers that can keep track of each individual flow.

Once the flows are traceable, you can apply some simple network analysis (ask Google :D): identify suspected “hubs” of information transfer (addresses that send to an unusually large number of destinations), monitor “spokes” that appear frequently (destinations that turn up in many flows), and spot “clusters” (addresses that appear often and communicate with each other).

In the end, it is just plain “information flow” monitoring.
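As an added example (mine, not the author's) of both countermeasures, the “contextual” check on outgoing messages and the hub/spoke/cluster analysis of the flows, here is a stand-alone Python script run over constructed sample mail records. The thresholds, the addresses and the message bodies are all assumptions made up for the example; in a real deployment the records would come from the mail gateway or the flow-aware routers mentioned above.

```python
import re
from collections import Counter, defaultdict

GROUP_TOKEN = re.compile(r"^[A-Z0-9]{5,6}$")


def looks_like_letter_groups(body, min_groups=4):
    """Contextual check on an outgoing message: True when the body is nothing
    but 5-6 character groups of letters/digits (no words, no sentences)."""
    tokens = body.split()
    return len(tokens) >= min_groups and all(GROUP_TOKEN.match(t) for t in tokens)


def flag_messages(messages):
    """(sender, recipient) pairs of the messages whose body is only letter groups."""
    return [(m["from"], m["to"]) for m in messages if looks_like_letter_groups(m["body"])]


def flow_report(flows, hub_threshold=10, spoke_threshold=3):
    """flows: iterable of (src, dst) pairs, one per message or connection.
    hubs     - sources that talk to >= hub_threshold distinct destinations
    spokes   - destinations that appear in >= spoke_threshold flows
    clusters - groups of addresses linked by traffic in both directions"""
    destinations = defaultdict(set)
    hits = Counter()
    edges = set()
    for src, dst in flows:
        destinations[src].add(dst)
        hits[dst] += 1
        edges.add((src, dst))
    hubs = sorted(s for s, d in destinations.items() if len(d) >= hub_threshold)
    spokes = sorted(d for d, n in hits.items() if n >= spoke_threshold)

    # union-find over the mutual edges: addresses that cross-communicate end up together
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        if (b, a) in edges:
            parent[find(a)] = find(b)
    members = defaultdict(set)
    for node in list(parent):
        members[find(node)].add(node)
    clusters = sorted(sorted(g) for g in members.values() if len(g) > 1)
    return {"hubs": hubs, "spokes": spokes, "clusters": clusters}


# Constructed sample traffic (not real addresses): one insider "spamming" letter-group
# messages to a dozen outside addresses, some normal mail, and three outside addresses
# that talk to each other.
INSIDER = "j.doe@corp.example"
OUTSIDE = [f"user{i}@mail{i % 3}.example" for i in range(12)]
MESSAGES = (
    [{"from": INSIDER, "to": o, "body": "XKQ2P LMZ9A QWERT 7ZZPL B2N4K"} for o in OUTSIDE]
    + [{"from": "a.smith@corp.example", "to": "partner@example.net",
        "body": "Minutes attached, thanks."}] * 3
    + [{"from": "x@one.example", "to": "y@two.example", "body": "ok"},
       {"from": "y@two.example", "to": "x@one.example", "body": "ok"},
       {"from": "y@two.example", "to": "z@three.example", "body": "ok"},
       {"from": "z@three.example", "to": "y@two.example", "body": "ok"}]
)


def analyse(messages):
    """Run both checks: content-based flagging and flow-based hub/spoke/cluster detection."""
    flagged = flag_messages(messages)
    report = flow_report((m["from"], m["to"]) for m in messages)
    return flagged, report


if __name__ == "__main__":
    flagged, report = analyse(MESSAGES)
    print(f"{len(flagged)} letter-group messages, all from {set(s for s, _ in flagged)}")
    for key, value in report.items():
        print(f"{key:8}: {value}")
```

The two checks are complementary: the content check catches this particular encoding (and any other body that is pure letter groups) on the way out, while the flow report does not look at content at all, so it still fires when the next trick hides the payload somewhere the content check does not look; the insider who mails a dozen outside addresses in one go shows up as a hub either way.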

If we can do it with electricity and financial flows, why not with other electronic flows?

Somebody would say that it is crazy to share potential damaging ideas.

I think that if somebody like me (with no specific training) can think about the logic, the cat is already outside the sack.

And it is better to raise awareness outside the usual “specialist” circles.

Why? Because usually people like me (software engineers) speak “geek”; it seems as if we assume that there is no need to be understood.

But I believe that experts should not focus on showing that they are experts by being incomprehensible.

As somebody else wrote long ago “Make everything as simple as possible, but not simpler”.
