Digital Steganography An Emerging Insider Threat September 21, 2007 James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM Vice President for West Virginia Operations.


1 Digital Steganography: An Emerging Insider Threat
September 21, 2007
James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM
Vice President for West Virginia Operations and Director, Steganography Analysis and Research Center (SARC)
Backbone Security
An affiliate of

2 © 2007 Backbone Security. All rights reserved. SARC ~ Raising the Threshold of Perception
Clarke's Third Law
Any sufficiently advanced technology is indistinguishable from magic.
--Sir Arthur Charles Clarke
Retrieved from

3 The Insider Threat
Hard Problem List (HPL)*
–Hardest and most critical problems from perspective of IRC member agencies
–Original list published in 1997
–Revised November 2005
Insider Threat #2 out of 8 hard problems! Just behind Global-Scale Identity Management
*

4 The Insider Threat
Lists insiders as example of threat agent along with usual threat agents
–Malicious hackers
–Organized crime
–Terrorists
–Nation states
In describing threat and vulnerability trends … insiders are at the top of the list!

5 Insider Threat
Insiders Surrounded By Sensitive Information
[Diagram labels: Jane and John Insider; Credit Card Information; Names; Addresses; Phone Numbers; SSANs; Law Enforcement Information; Classified Information; Intellectual Property]

6 Insider Threat
[Diagram labels: Jane and John Insider; Telephone; Printed listings; 3.5 Floppies; CDs/DVDs; Portable Electronic Devices (PDA/iPod/etc); Portable storage media; attachments; Cell/Camera phones]

7 What Is Steganography?
Stega-what?
–Not stenography… writing in shorthand notation
–Pronounced "ste-g&-'nä-gr&-fE*
–Derived from Greek roots
 Steganos = covered
 Graphie = writing
* - By permission. From the Merriam-Webster Online Dictionary ©2007 by Merriam-Webster, Incorporated (www.Merriam-Webster.com).

8 What Is Steganography?
A form of secret communication used throughout history
–The Codebreakers by David Kahn
 Interleaves use of cryptography and steganography throughout history
Fast forward to Internet era …
–Evolution from analog to digital steganography
 Hide any file inside another file
 Typically, text in image or image in image

9 Definition of Steganography
Derived from the ancient Greek words for covered writing, steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.
--Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006
[Image labels: Simulated Child Pornography; Mirror Lake, Yosemite National Park]

10 Definition of Steganalysis
The examination of an object to determine whether steganographic content is present, and potentially to characterize or extract such embedded information.
--Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006
[Image labels: Mirror Lake, Yosemite National Park; Simulated Child Pornography]

11 Why Use Steganography?
Legitimate purposes …
–Digital Rights Management (DRM)
 Digital watermarking of copyrighted works … typically songs and movies
–Covert LE or military operations
Nefarious purposes …
–Conceal evidence of criminal activity
–Establish covert channels to steal sensitive or classified information

12 Why Communicate Covertly?
Use of encryption is overt
–Fact that information is encrypted is easily detected
 Could lead to attempts to decrypt the information
Use of steganography is covert
–Fact that information exists is concealed
 Information often encrypted before being hidden
Steganography often called dark cousin of cryptography

13 Relevance to Cybercrime
Is being used to conceal various types of criminal and unauthorized activity
–Child pornography
–Identity theft
–Terrorism (recruiting, planning, etc.)
–Economic/industrial espionage
 Theft of intellectual property
–Drug and weapons trafficking
–Money laundering
–etc.

14 Is Steganography A Threat?
The threat posed by steganography has been documented in numerous intelligence reports.
These technologies pose a potential threat to U.S. national security.
International interest in R&D for steganographic technologies and their commercialization and application has exploded in recent years.

15 Is Steganography A Threat?
Lists insiders as example of threat agent along with usual threat agents
–Malicious hackers
–Organized crime
–Terrorists
–Nation states
In describing threat and vulnerability trends … insiders are at the top of the list!

16 Insider Use of Steganography
Internet Scenario
[Diagram labels: Firewall; Insider; External Recipient]

17 Insider Use of Steganography
Web Site Scenario
[Diagram labels: Insider; External User]

18 Insider Use of Steganography
Level of Interest
3,300,000 Links!

19 Insider Use of Steganography
Over 1,000 steganography applications available on the Internet
–Number is growing… over 400 added last year
Most are freeware/shareware
–http://www.stegoarchive.com
Most are easy to use
–Many feature drag-and-drop interface
Many offer encryption option
–Some offer VERY STRONG encryption
Very easy to find, download, and use!

20 Insider Use of Steganography
A serious and growing threat
–Conceal illegal images
 Child pornography
–Conceal unauthorized images
 Adult pornography
–Steal PII for ID theft
–Conceal evidence of criminal activity
Not detected by firewalls!
Not detected by IDS/IPS!
Not detected by content filters!

21 Best Place to Hide Something?
In plain site …
Highly likely that more evidence of criminal activity is being concealed with steganography than anyone knows …
… and we don't know how much because no one is looking for it!

22 Old Chinese Proverb
Modern day translation = A picture is worth a thousand words

23 With Digital Steganography…
…it's literally quite true!

24 Typical Application

25 Hide Text in Image
THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth.
No Perceptible Change!
[Image labels: Carrier Image; Modified Carrier Image]

26 Hide Image in Image
No Perceptible Change!
[Image labels: Carrier Image; Modified Carrier Image; Map of Operating Nuclear Power Reactors in the US]

27 A Typical Example
[Image labels: Carrier Image; Pixel 1; Pixel 2; Pixel 3]
Pixels not to scale

28 A Typical Example
Add the letter W to a 24-bit image file:
W = (ASCII)
Original  Altered
[ ] [ ] [ ] [ ] [ ]
R B G  R B G

29 A Typical Example
Effect of change on first pixel:
Original Values  Altered Values
[Image labels: Original; Altered]

30 A Typical Example
[Image labels: Carrier Image; Altered Image]
Altered image contains full text of Declaration of Independence (With room for another 286,730 characters!)
Image Size (768 X 1,024) = 786,432 pixels = 2,359,296 bytes = 294,912 characters
Document Size = 1,322 words = 7,982 characters (w/spaces)
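
Added example, not part of the original slides: the least-significant-bit technique that slides 27 to 30 walk through, written in Python so an examiner can see why the carrier shows no perceptible change and what extraction involves. The nine channel values are constructed sample data, and the function names are illustrative.

```python
def embed_lsb(channels: bytes, payload: bytes) -> bytes:
    """Store payload bits (MSB first) in the low bit of successive channel bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(channels):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(channels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # only bit 0 of each byte can change
    return bytes(out)


def extract_lsb(channels: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes from the low bits, as an examiner's extraction step would."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for channel in channels[b * 8:(b + 1) * 8]:
            value = (value << 1) | (channel & 1)
        out.append(value)
    return bytes(out)


def capacity_chars(width: int, height: int, bytes_per_pixel: int = 3) -> int:
    """One hidden bit per channel byte, eight bits per character."""
    return width * height * bytes_per_pixel // 8


# Constructed sample data: three 24-bit pixels, not the values from the slide.
ORIGINAL = bytes([200, 101, 54, 17, 88, 243, 130, 64, 9])
ALTERED = embed_lsb(ORIGINAL, b"W")          # W = 0x57 = 01010111
CHANGED = [i for i, (a, b) in enumerate(zip(ORIGINAL, ALTERED)) if a != b]
MAX_DELTA = max(abs(a - b) for a, b in zip(ORIGINAL, ALTERED))

if __name__ == "__main__":
    print("original:", list(ORIGINAL))
    print("altered: ", list(ALTERED))
    print("changed channel indexes:", CHANGED, "max change:", MAX_DELTA)
    print("recovered:", extract_lsb(ALTERED, 1))
    print("768 x 1,024 capacity:", capacity_chars(768, 1024), "characters")
```

No channel value moves by more than one step out of 256, which is below what the eye can distinguish, and the capacity function reproduces the 294,912-character figure on slide 30.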

31 Threshold of Perception Problem
Easy to deceive: Human Visual System (HVS) and Human Auditory System (HAS)
Raise our threshold of perception!
[Diagram labels: Can see/hear; Can't see/hear; Threshold; Visual range; Audible range]

32 Is It Really Being Used?
Shadowz Brotherhood Case
–Operation Twins, March 2002
 Led by UK's National Hi-Tech Crimes Unit (NHTCU)
–Activities included
 Production/distribution of child pornography
 Real-time abuse of children
–The group used encryption and also steganography, the practice of hiding of one file within another for extraction by the intended recipient.
OUT-LAW.COM, Global raid breaks advanced internet child porn group
-http://www.news.bbc.co.uk/1/hi/sci/tech/ stm, Accessing the secrets of the brotherhood
-http://www.news.bbc.co.uk/1/hi/uk/ stm, Police smash net paedophile ring

33 Is It Really Being Used?
Anecdotal evidence from Fall 2005
–Investigator in Tennessee …
 Found Invisible Secrets during CP investigation
 Also found 500 images of trains …

34 Is It Really Being Used?
Anecdotal evidence from June 2006
–Probation Officer in Minnesota …
 Found two CDs taped under coffee can
 One CD contained Cloak v7.0a
 »Very strong encryption option
 Other CD contained
 »41 files between ~12.5Mb and ~23Mb
 »Carrier file was only 263Kb
[Image labels: Coffee; Carrier file]

35 Is It Really Being Used?

36 Detecting Steganography
Traditional approach
–Blind detection
 Visual attack
 Structural attack
 Statistical attack
–Result expressed as probability
 No extraction capability
New approach
–Analytical detection
 Detect fingerprints
 Detect signatures
–Accurately identify application used
 Provide extraction capability

37 Detecting Steganography
Detecting fingerprints of file artifacts
-Artifact Detection
 A539F21BCA458D2EFFD4 (Hash Value)
Detecting signatures
-Signature Detection
 2E DD 43 (Hexadecimal Byte Pattern)
[Image label: John Hancock]

38 Detecting Steganography
Difference is subtle but very significant
–Artifact detection
 Detecting hash values of files associated with steganography applications
 Application may be used to hide something
–Signature detection
 Detecting hexadecimal byte patterns associated with steganography applications in carrier files
 Application has been used to hide something

39 Detecting Steganography
File Associated With Steganography Application: A539F21BCA458D2EFFD4
Result is hash value or fingerprint of the file artifact associated with a steganography application
Any File: 2E DD 43
Result is hexadecimal byte pattern or signature left in carrier file by the steganography application
[Figure: hexadecimal byte dumps of the two files]
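
Added example, not part of the original slides and not SARC's tooling: a minimal Python scanner that applies both checks from slides 36 to 39, a whole-file hash lookup (artifact detection) and a byte-pattern search inside any file (signature detection). The tool name, the tool bytes and the sample files are constructed; the pattern `2E DD 43` is the slide's illustrative value, not a real application signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a file shipped with a steganography application.
TOOL_BYTES = b"MZ\x90\x00 constructed stand-in for a stego tool binary"
TOOL_NAME = "ExampleStegoTool (hypothetical)"

# Artifact database: hash of a known application file -> application name.
KNOWN_ARTIFACTS = {hashlib.sha256(TOOL_BYTES).hexdigest(): TOOL_NAME}
# Signature database: byte pattern left in carrier files -> application name.
KNOWN_SIGNATURES = {bytes.fromhex("2EDD43"): TOOL_NAME}


def scan_file(path):
    """Return (artifact_name_or_None, [(application, offset), ...]) for one file."""
    data = Path(path).read_bytes()
    artifact = KNOWN_ARTIFACTS.get(hashlib.sha256(data).hexdigest())
    signatures = [(name, data.find(sig))
                  for sig, name in KNOWN_SIGNATURES.items() if sig in data]
    return artifact, signatures


def scan_tree(root):
    """Walk a directory and list every artifact or signature finding."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        artifact, signatures = scan_file(path)
        if artifact:       # the application is present: it MAY be used
            findings.append((path.name, "artifact", artifact))
        for name, offset in signatures:   # the application HAS been used
            findings.append((path.name, "signature", f"{name} @ offset {offset}"))
    return findings


def demo():
    """Build three constructed files in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(TOOL_BYTES)
        (root / "holiday.bmp").write_bytes(b"BM" + bytes(64) + bytes.fromhex("2EDD43"))
        (root / "report.txt").write_bytes(b"quarterly numbers")
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A three-byte pattern matched at any offset will also occur by chance in ordinary files, so a production signature needs to be longer or tied to a fixed position in the file format.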

40 SARC Steganalysis Tools
Artifact Scanner
–Detects file artifacts associated with 625 applications
–Detects Windows Registry artifacts
 Unique feature
–Law enforcement use
–Internal investigation use
[Screenshot labels: StegAlyzerAS Artifact Scanner; Detect Registry Keys; Detect File Artifacts]

41 SARC Steganalysis Tools
Signature Scanner
–Detects signatures of 55 steganography applications
–Automated Extraction Algorithms (AEAs)
 Unique feature
–Law enforcement use
–Internal investigation use
[Screenshot labels: StegAlyzerSS Signature Scanner; Point, Click, and Extract Interface]

42 Summary
Insider use of steganography is serious and growing threat
State-of-the art tools available to detect presence or use of steganography
Will never be detected if no one ever looks for it
Steganalysis should be conducted as routine aspect of computer forensic examinations

43 Intensive two-day course
–History of steganography
–Steganographic techniques
–Artifact scanning
–Signature scanning
Upcoming courses:
–Techno Forensics 2007: October 26 – 27 in Gaithersburg, MD
Contact the SARC to reserve your spot!
Raise Your Threshold of Perception!

45 For Additional Information
Backbone Security
320 Adams Street, Suite 105
Fairmont, West Virginia
Phone:
SARC Fax:
Web: www.sarc-wv.com

46 Hi-Tech Metaphysical Humor
What's the difference between virtual and transparent?
Virtual is when you think it's there… …but it really isn't.
Transparent is when it's really there… …but you just can't see it.

47 Questions
Territory is but the body of a nation. The people who inhabit its hills and valleys are its soul, its spirit, its life.
-- James A. Garfield

