Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Steganography An Emerging Insider Threat September 21, 2007

Similar presentations


Presentation on theme: "Digital Steganography An Emerging Insider Threat September 21, 2007"— Presentation transcript:

1 Digital Steganography An Emerging Insider Threat September 21, 2007
An affiliate of Digital Steganography An Emerging Insider Threat September 21, 2007 James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM Vice President for West Virginia Operations and Director, Steganography Analysis and Research Center (SARC) Backbone Security

2 Clarke’s Third Law “Any sufficiently advanced technology
is indistinguishable from magic.” --Sir Arthur Charles Clarke Retrieved from “http:\//en.wikipedia.org/wiki/Clarke%27s_three_laws”

3 The Insider Threat Hard Problem List (HPL)*
Hardest and most critical problems from perspective of IRC member agencies Original list published in 1997 Revised November 2005 Insider Threat #2 out of 8 hard problems! Just behind Global-Scale Identity Management *

4 The Insider Threat Lists insiders as example of threat agent along with usual threat agents Malicious hackers Organized crime Terrorists Nation states In describing threat and vulnerability trends … insiders are at the top of the list!

5 Insider Threat Insiders Surrounded By Sensitive Information
Credit Card Information SSANs Names Addresses Phone Numbers Classified Information Law Enforcement Information Intellectual Property Jane and John Insider

6 Portable Electronic Devices Portable storage media
Insider Threat Portable Electronic Devices (PDA/iPod/etc) Telephone attachments Cell/Camera phones Steganography Printed listings 3.5” Floppies Portable storage media CDs/DVDs Jane and John Insider

7 What Is Steganography? Stega-what?
Not stenography… writing in shorthand notation Pronounced "ste-g&-'nä-gr&-fE”* Derived from Greek roots “Steganos” = covered “Graphie” = writing * - By permission.  From the Merriam-Webster Online Dictionary ©2007 by Merriam-Webster, Incorporated (www.Merriam-Webster.com).

8 What Is Steganography? A form of secret communication used throughout history The Codebreakers by David Kahn Interleaves use of cryptography and steganography throughout history Fast forward to Internet era … Evolution from analog to digital steganography Hide any file “inside” another file Typically, text in image or image in image

9 Definition of Steganography
“Derived from the ancient Greek words for covered writing, steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.” -- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006 Mirror Lake Yosemite National Park Simulated Child Pornography 9 9

10 Definition of Steganalysis
“The examination of an object to determine whether steganographic content is present, and potentially to characterize or extract such embedded information.” -- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006 Mirror Lake Yosemite National Park Simulated Child Pornography 10 10

11 Why Use Steganography? Legitimate purposes … Nefarious purposes …
Digital Rights Management (DRM) Digital watermarking of copyrighted works … typically songs and movies Covert LE or military operations Nefarious purposes … Conceal evidence of criminal activity Establish covert channels to steal sensitive or classified information

12 Why Communicate Covertly?
Use of encryption is “overt” Fact that information is encrypted is easily detected Could lead to attempts to decrypt the information Use of steganography is “covert” Fact that information exists is concealed Information often encrypted before being hidden Steganography often called “dark cousin” of cryptography

13 Relevance to Cybercrime
Is being used to conceal various types of criminal and unauthorized activity Child pornography Identity theft Terrorism (recruiting, planning, etc.) Economic/industrial espionage Theft of intellectual property Drug and weapons trafficking Money laundering etc.

14 Is Steganography A Threat?
“The threat posed by steganography has been documented in numerous intelligence reports.” “These technologies pose a potential threat to U.S. national security.” “International interest in R&D for steganographic technologies and their commercialization and application has exploded in recent years.”

15 Is Steganography A Threat?
Lists insiders as example of threat agent along with usual threat agents Malicious hackers Organized crime Terrorists Nation states In describing threat and vulnerability trends … insiders are at the top of the list!

16 Insider Use of Steganography
Scenario Firewall Firewall Internet External Recipient Insider

17 Insider Use of Steganography
Web Site Scenario External User Insider

18 Insider Use of Steganography
Level of Interest 3,300,000 Links!

19 Insider Use of Steganography
Over 1,000 steganography applications available on the Internet Number is growing… over 400 added last year Most are freeware/shareware Most are easy to use Many feature “drag-and-drop” interface Many offer encryption option Some offer VERY STRONG encryption Very easy to find, download, and use!

20 Insider Use of Steganography
A serious and growing threat Conceal illegal images Child pornography Conceal unauthorized images Adult pornography Steal PII for ID theft Conceal evidence of criminal activity Not detected by firewalls! Not detected by IDS/IPS! Not detected by content filters! 20

21 Best Place to Hide Something?
In plain site … Highly likely that more evidence of criminal activity is being concealed with steganography than anyone knows … … and we don’t know how much because no one is looking for it!

22 Modern day translation =
Old Chinese Proverb Modern day translation = “A picture is worth a thousand words”

23 With Digital Steganography…
…it’s literally quite true!

24 Typical Application

25 Modified Carrier Image
Hide Text in Image THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth. Carrier Image No Perceptible Change! THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth. Modified Carrier Image

26 Hide Image in Image No Perceptible Change!
Carrier Image No Perceptible Change! Modified Carrier Image Map of Operating Nuclear Power Reactors in the US

27 A Typical Example Carrier Image Pixel 1 Pixel 2 Pixel 3
Pixels not to scale

28 A Typical Example R G B R G B
Add the letter “W” to a 24-bit image file: W = (ASCII) R G B R G B [ ] [ ] [ ] [ ] [ ] [ ] Original Altered

29 A Typical Example Original Altered Original Values Altered Values
Effect of change on first pixel: Original Altered 1 Original Values 1 Altered Values

30 A Typical Example Carrier Image Altered Image
Altered image contains full text of Declaration of Independence (With room for another 286,730 characters!) Image Size (768 X 1,024) = 786,432 pixels = 2,359,296 bytes = 294,912 characters Document Size = 1,322 words = 7,982 characters (w/spaces)

31 Threshold of Perception Problem
Easy to deceive: Human Visual System (HVS) and Human Auditory System (HAS) Can see/hear Can’t see/hear Threshold Visual range Audible range Raise our threshold of perception!

32 Is It Really Being Used? Shadowz Brotherhood Case
“Operation Twins,” March 2002 Led by UK’s National Hi-Tech Crimes Unit (NHTCU) Activities included Production/distribution of child pornography Real-time abuse of children “The group used encryption and also steganography, the practice of hiding of one file within another for extraction by the intended recipient.” OUT-LAW.COM, “Global raid breaks advanced internet child porn group” “Accessing the secrets of the brotherhood” “Police smash net paedophile ring”

33 Is It Really Being Used? Anecdotal evidence from Fall 2005
Investigator in Tennessee … Found Invisible Secrets during CP investigation Also found 500 images of trains …

34 Is It Really Being Used? Anecdotal evidence from June 2006
Probation Officer in Minnesota … Found two CDs taped under coffee can One CD contained Cloak v7.0a Very strong encryption option Other CD contained 41 files between ~12.5Mb and ~23Mb Carrier file was only 263Kb Coffee Carrier file

35 Is It Really Being Used?

36 Detecting Steganography
Traditional approach Blind detection Visual attack Structural attack Statistical attack Result expressed as probability No extraction capability New approach Analytical detection Detect “fingerprints” Detect “signatures” Accurately identify application used Provide extraction capability

37 Detecting Steganography
Detecting “fingerprints” of file artifacts - Artifact Detection A539F21BCA458D2EFFD4 Hash Value Detecting “signatures” - Signature Detection John Hancock 2E DD 43 Hexadecimal Byte Pattern

38 Detecting Steganography
Difference is subtle but very significant Artifact detection Detecting hash values of files associated with steganography applications Application may be used to hide something Signature detection Detecting hexadecimal byte patterns associated with steganography applications in carrier files Application has been used to hide something 38

39 Detecting Steganography
File Associated With Steganography Application Any File 3E 25 9F AD 2E E4 48 01 92 B FF E4 AA E BC 42 00 DC E8 A1 B3 E 73 E6 FF 32 D 24 45 A0 21 BB C4 34 67 F5 E2 DD EF E3 52 F9 DA E2 4E 84 B FF 4E AA E1 CB 24 00 CD E 1A 3B E4 37 6E FF 23 2D 12 30 A 12 BB 4C 43 76 5F 2E DD FE A539F21BCA458D2EFFD4 2E DD 43 Result is “hash value” or “fingerprint” of the file artifact associated with a steganography application Result is “hexadecimal byte pattern” or “signature” left in carrier file by the steganography application 39

40 SARC Steganalysis Tools
Artifact Scanner Detects file artifacts associated with 625 applications Detects Windows Registry™ artifacts Unique feature Law enforcement use Internal investigation use StegAlyzerAS Artifact Scanner Detect File Artifacts Detect Registry Keys 40

41 SARC Steganalysis Tools
Signature Scanner Detects signatures of 55 steganography applications Automated Extraction Algorithms (AEAs) Unique feature Law enforcement use Internal investigation use StegAlyzerSS Signature Scanner Point, Click, and Extract Interface 41

42 Summary Insider use of steganography is serious and growing threat
State-of-the art tools available to detect presence or use of steganography Will never be detected if no one ever looks for it Steganalysis should be conducted as routine aspect of computer forensic examinations 42

43 Raise Your Threshold of Perception!
Intensive two-day course History of steganography Steganographic techniques Artifact scanning Signature scanning Upcoming courses: Techno Forensics 2007: October 26 – 27 in Gaithersburg, MD Contact the SARC to reserve your spot! DONE 43 43

44

45 For Additional Information
Backbone Security 320 Adams Street, Suite 105 Fairmont, West Virginia 26554 Phone: SARC Fax: Web: 45

46 Hi-Tech Metaphysical Humor
What’s the difference between “virtual” and “transparent”? Virtual is when you think it’s there… …but it really isn’t. Transparent is when it’s really there… …but you just can’t see it.

47 Territory is but the body of a nation.
Questions Territory is but the body of a nation. The people who inhabit its hills and valleys are its soul, its spirit, its life. -- James A. Garfield


Download ppt "Digital Steganography An Emerging Insider Threat September 21, 2007"

Similar presentations


Ads by Google