As promised from today (07.14) - A Story about Steganography

Rick Butler

Well-known member
  • Aug 8, 2019
    2,087
    7
    3,714
    120,891
    Colorado Springs, CO
    www.intellitec.edu
    Some time ago, I was teaching a class on Security+ and we were having the Final Exam. We had two classes, day and night. The morning came and I slapped a piece of paper to the whiteboard that read:

    Hey - so I posted the answer key on the server. But for security concerns, it will only be up there and available for the next hour. Please make sure you get it before the exam start.

    I went back to my desk and sat down. Nothing further said. Just clickie-clickie on my computer as students' curiosities got the best of them. They came up and read the e-mail formatted note. They asked me about it. I said nothing. Then, I think they got the idea that they had to go looking on our local file server for it. So, in a scene that you could set to Yakety Sax, the students started scrambling around, looking on the server for a file that might be the answer key. They started searching through the student folders, opening various files and searching.

    They couldn't find the file, but they did find one directory they couldn't access. The Day crew could not access the Night folder and vice versa.

    Then one got the idea, "hey, what's the night student password". Day students logged on as night (passwords weren't particularly secure). So they got into the opposite class's folder, where they found a folder with a PDF and picture of the book cover. Upon trying to open the PDF and realizing it was locked down with a password, they scrambled trying to find it. It was then they looked at the pic:

    "Dude, what was the name of that website that Rick used to hide stuff in images?"

    So the students scrambled to find their notes on my discussion regarding steganography, which website I used in class (luckily, one of them wrote it down), and found the password to the PDF encoded in the book cover image. The classes had 60 minutes to recover the file, which turned out to be the exam key for the Final. Day got it in 58 minutes, night didn't get it.

    But it was one of the better finals I've ever given - probably because they had something to gain by playing.

    TL;dr - Used stego to hide a password to an encrypted PDF containing a final's answer key for an open book exam.

    Do you have a similar story? Share below!

    Cheers!

    /r