[Written on December 4th 2003]
Steganography strength (is it easy to see there is hidden data?): Low
Cryptography strength (is it easy to recover the hidden data?): Low
1. First look, first surprise
A company called MicroIdea sells a steganography/cryptography shareware program called "Safe and Quick File Hide" version 2002, for 20 dollars. This program can hide files from Explorer windows, making them harder to find, encrypt files, or camouflage them inside an innocuous-looking carrier, like image or sound data. It has a nice non-rectangular interface. There is an original routine: it protects itself against uninstallation, apparently by running two similar programs at the same time that appear to protect each other (so you would have to close both at exactly the same time, which is almost impossible by hand). If you don't know the password, you cannot uninstall it. In theory.
It's incredible how you can get a rough idea of a program just by reading its web presentation or help files. I read the whole thing, which has a little bit of the usual snake oil ("unbreakable military grade crypto algorithm"), but not that much. And then I almost choked when I read their point no. 9: "Password-Get-Back support. Sometimes you may forget the password. Don't worry about it; just click the
In a strong cryptographic system, if you lose your password, you're toast. There is absolutely no way to get your data back. That's why it's secure. That's the whole point of cryptography. If there is an easy way to get back a forgotten password, that means the password is stored somewhere in plain text (or in an equivalent, trivially reversible form). If someone (in this case, the developers of this software) can recover your password and send it back to you, then anybody else can recover it too.
Which means that this system is not secure at all. Anybody can read, directly or remotely with the help of some trojan, what is inside your encrypted files. Even if they are encrypted with a strong algorithm (in this case, some strings in the executable seem to point to RC4 by RSA Labs). Who cares? The attacker has the password!
A simple analogy would be installing an ultra-solid 10 cm thick steel door with a super-secure lock, and leaving the key right there in front of the door. Or encrypting your hard drive with PGP and sticking a post-it with your password written on it on the side of the screen. Security is a whole system, not just the use of one secure algorithm. A single weakness in the system, and the overall security is compromised; everything crumbles down. The overall security level is at best the security level of the weakest step.
Some people may think "But nobody can or will access my computer! So nobody will get the password!". It's a circular argument. If you are absolutely certain that nobody will ever break into your computer, then you don't need cryptography in the first place.
2. So where is the damn password and how did you find it?
These pages are supposed to talk about detection of steganography. Okay, just for a minute, let's talk about how to get the password.
No complex reverse engineering was necessary. Anybody can do the same. I used Filemon to see which file was opened by SQFileHide while it was checking the password validity. This file contains the password. It is a "hidden" file in a "hidden" directory that contains a few other things: it does not appear in Explorer. But it is still there. If you type the complete path in an editor, you will load it. Then you will see that it has the same length as the password (maximum 18 bytes), and, by comparing its content after a few password changes ("aaaa", "aaab" for example), that it is XORed with a fixed, hardcoded 18-byte key. This key is:
This is how the developers can recover your password. But now, of course, anybody can do the same. Security by obscurity does not work.
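To make the point concrete, here is an added example (my own code, not the product's) of why storing a password XORed with a fixed key is not encryption at all. The key bytes below are a constructed placeholder, not the real key from the program; the 18-byte maximum comes from the article. The first four functions model the weak scheme and show the two observations made above: comparing the stored files for "aaaa" and "aaab" cancels the key out and exposes the difference between the plaintexts, and one known password of full length gives away the whole key, after which every other stored password can be read. The last two functions show the contrast: a salted, iterated hash (PBKDF2 from Python's standard library) can check a password but cannot hand it back to anyone, which is the property a "Password-Get-Back" feature necessarily throws away.

```python
import os
import hashlib
import hmac

# Constructed placeholder key: the article's real 18-byte key is NOT reproduced here.
FIXED_KEY = bytes.fromhex("5a3c9e17f0224b8dc6e5917ab30f6d21e4aa")
MAX_LEN = 18  # the article states a maximum password length of 18 bytes


def store_password(password, key=FIXED_KEY):
    """The weak scheme: the stored file is just password XOR fixed key, byte by byte.
    The stored file has exactly the length of the password, as observed in the article."""
    if len(password) > MAX_LEN:
        raise ValueError("password longer than %d bytes" % MAX_LEN)
    return bytes(p ^ k for p, k in zip(password, key))


def differential(stored_a, stored_b):
    """XOR of two stored files. With a fixed key the key cancels out, leaving
    plaintext_a XOR plaintext_b: this is how a fixed key betrays itself."""
    return bytes(a ^ b for a, b in zip(stored_a, stored_b))


def recover_key_fragment(stored, known_password):
    """One known password reveals every key byte it covers: stored XOR plaintext."""
    return bytes(s ^ p for s, p in zip(stored, known_password))


def recover_password(stored, key_fragment):
    """Once the key is known, any stored password it covers is readable."""
    return bytes(s ^ k for s, k in zip(stored, key_fragment))


# Contrast: a verifier that cannot be run backwards (constructed, not the product's code).
def make_verifier(password, salt=None, iterations=100_000):
    """Return (salt, digest). The digest lets you check a password, not recover it."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def check_password(candidate, salt, digest, iterations=100_000):
    """Constant-time comparison of the candidate's digest against the stored one."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    return hmac.compare_digest(probe, digest)


if __name__ == "__main__":
    # The "aaaa" / "aaab" trick from the article: only the last byte differs, by 'a' ^ 'b'.
    print(differential(store_password(b"aaaa"), store_password(b"aaab")).hex())
    # One full-length known password exposes the complete key.
    key = recover_key_fragment(store_password(b"a" * 18), b"a" * 18)
    print(key == FIXED_KEY, recover_password(store_password(b"s3cr3t"), key))
    salt, digest = make_verifier(b"s3cr3t")
    print(check_password(b"s3cr3t", salt, digest), check_password(b"wrong", salt, digest))
```

The differential is the observation that lets you tell a fixed-key XOR apart from real encryption with nothing but two stored files: under a proper cipher, changing one character of the password would change the stored bytes unpredictably.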
3. What about the steganography routine?
The steganography part took me ten seconds to crack. And I'm not even kidding.
8 seconds to start the software, look around, and do a first test by hiding a small text file called "hidden_file.txt" inside a very small JPG image file.
1 second to open the resulting carrier image file in a hexadecimal editor.
1 second to scroll down and see the file in its entirety.
0 seconds to understand how it works: it is evident if you know a little about common file formats.
Here is the resulting file in a hexadecimal editor. Anybody who is even remotely familiar with the ZIP compression file format ("PK" markers; several directories containing the names of the files in the archive) will understand right away: my hidden text has been zipped, and the ZIP file has been appended to the end of the JPG (you may recognize the underlined "FF D9" mark of the JPG end-of-image). The JPG is in white, the ZIP in yellow.
You can simply rescue this concatenated ZIP by copy-pasting the bytes, saving them under the name you want, and opening the result with your favorite ZIP manager like Winzip: it is perfectly valid and not even encrypted. It's actually smart to use the robust ZIP file format to archive the hidden files (or even folders) rather than inventing a new one. But of course, the security is very low. Anything added after the end of a strictly defined file format like JPG is as detectable as a nose on a face.
This program uses a very detectable technique similar to the one used in Camouflage. The level of security is just as low. I don't think I need to code any program to retrieve the hidden data here. Just use a hexadecimal editor and a ZIP manager. My hope is that the developers will increase the security level of this software with the next release. They showed some originality in several ideas; now they just have to think a little more about the security side.
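Since these pages are about detecting steganography, here is an added example (my own code, not the product's and not from the article) that automates what the hexadecimal editor shows above: it walks the JPEG marker structure to find the real end-of-image marker (FF D9), reports any bytes that follow it, and checks whether that trailer starts with the ZIP local-file-header signature "PK\x03\x04". Walking the segments rather than searching for the last FF D9 matters because an EXIF thumbnail embedded in an APP1 segment carries its own FF D9; skipping each segment by its declared length avoids that false end. The sample carrier is constructed inline: a minimal JPEG-shaped byte string with a real ZIP archive appended, mimicking the layout the article describes.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_carrier():
    """Constructed sample: a minimal JPEG-shaped byte string with a real ZIP appended.
    It is not a decodable picture, only the marker structure a scanner must handle:
    SOI, an APP0 segment, an SOS segment with a little entropy-coded data, then EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # length 16
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                         # length 8
    scan = b"\x12\x34\xff\x00\x56"   # FF 00 is byte stuffing, not a marker
    fake_jpeg = JPEG_SOI + app0 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hidden_file.txt", "this text was meant to be hidden\n")
    return fake_jpeg + buf.getvalue()


def jpeg_end_offset(data):
    """Return the offset just past the EOI marker by walking the marker segments.
    Raises ValueError if the marker structure is broken or no EOI is found."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM, RSTn, SOI: no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header at offset %d" % pos)
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len                      # skip the whole segment (APPn, DQT, SOS...)
        if marker == 0xDA:                      # SOS: entropy-coded data until next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def analyse_carrier(data):
    """Report trailing bytes after EOI and, if they form a ZIP, list its members."""
    trailer = data[jpeg_end_offset(data):]
    result = {
        "trailing_bytes": len(trailer),
        "looks_like_zip": trailer.startswith(ZIP_LOCAL_HEADER),
        "zip_members": [],
    }
    if result["looks_like_zip"]:
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            result["zip_members"] = zf.namelist()
    return result


if __name__ == "__main__":
    sample = build_sample_carrier()
    print(analyse_carrier(sample))                             # trailer is a ZIP
    print(analyse_carrier(sample[:jpeg_end_offset(sample)]))   # clean image: 0 bytes
```

A trailer that is not a ZIP is still worth flagging: well-formed JPEG writers stop at FF D9, so any non-zero count of trailing bytes is an anomaly to explain, whatever format the appended data turns out to be.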
Have a nice day!