Digital Steganography An Emerging Insider Threat September 21, 2007 An affiliate of Digital Steganography An Emerging Insider Threat September 21, 2007 James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM Vice President for West Virginia Operations and Director, Steganography Analysis and Research Center (SARC) Backbone Security
Clarke’s Third Law “Any sufficiently advanced technology is indistinguishable from magic.” --Sir Arthur Charles Clarke Retrieved from “http:\//en.wikipedia.org/wiki/Clarke%27s_three_laws”
The Insider Threat Hard Problem List (HPL)* Hardest and most critical problems from perspective of IRC member agencies Original list published in 1997 Revised November 2005 Insider Threat #2 out of 8 hard problems! Just behind Global-Scale Identity Management * http://www.infosec-research.org/docs_public/20051130-IRC-HPL-FINAL.pdf
The Insider Threat Lists insiders as example of threat agent along with usual threat agents Malicious hackers Organized crime Terrorists Nation states In describing threat and vulnerability trends … insiders are at the top of the list!
Insider Threat Insiders Surrounded By Sensitive Information Credit Card Information SSANs Names Addresses Phone Numbers Classified Information Law Enforcement Information Intellectual Property Jane and John Insider
Portable Electronic Devices Portable storage media Insider Threat Portable Electronic Devices (PDA/iPod/etc) Telephone E-mail E-mail attachments Cell/Camera phones Steganography Printed listings 3.5” Floppies Portable storage media CDs/DVDs Jane and John Insider
What Is Steganography? Stega-what? Not stenography… writing in shorthand notation Pronounced "ste-g&-'nä-gr&-fE”* Derived from Greek roots “Steganos” = covered “Graphie” = writing * - By permission. From the Merriam-Webster Online Dictionary ©2007 by Merriam-Webster, Incorporated (www.Merriam-Webster.com).
What Is Steganography? A form of secret communication used throughout history The Codebreakers by David Kahn Interleaves use of cryptography and steganography throughout history Fast forward to Internet era … Evolution from analog to digital steganography Hide any file “inside” another file Typically, text in image or image in image
Definition of Steganography “Derived from the ancient Greek words for covered writing, steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.” -- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006 Mirror Lake Yosemite National Park Simulated Child Pornography 9 9
Definition of Steganalysis “The examination of an object to determine whether steganographic content is present, and potentially to characterize or extract such embedded information.” -- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006 Mirror Lake Yosemite National Park Simulated Child Pornography 10 10
Why Use Steganography? Legitimate purposes … Nefarious purposes … Digital Rights Management (DRM) Digital watermarking of copyrighted works … typically songs and movies Covert LE or military operations Nefarious purposes … Conceal evidence of criminal activity Establish covert channels to steal sensitive or classified information
Why Communicate Covertly? Use of encryption is “overt” Fact that information is encrypted is easily detected Could lead to attempts to decrypt the information Use of steganography is “covert” Fact that information exists is concealed Information often encrypted before being hidden Steganography often called “dark cousin” of cryptography
Relevance to Cybercrime Is being used to conceal various types of criminal and unauthorized activity Child pornography Identity theft Terrorism (recruiting, planning, etc.) Economic/industrial espionage Theft of intellectual property Drug and weapons trafficking Money laundering etc.
Is Steganography A Threat? “The threat posed by steganography has been documented in numerous intelligence reports.” “These technologies pose a potential threat to U.S. national security.” “International interest in R&D for steganographic technologies and their commercialization and application has exploded in recent years.”
Is Steganography A Threat? Lists insiders as example of threat agent along with usual threat agents Malicious hackers Organized crime Terrorists Nation states In describing threat and vulnerability trends … insiders are at the top of the list!
Insider Use of Steganography E-mail Scenario Firewall Firewall Internet External Recipient Insider
Insider Use of Steganography Web Site Scenario External User Insider
Insider Use of Steganography Level of Interest 3,300,000 Links!
Insider Use of Steganography Over 1,000 steganography applications available on the Internet Number is growing… over 400 added last year Most are freeware/shareware http://www.stegoarchive.com Most are easy to use Many feature “drag-and-drop” interface Many offer encryption option Some offer VERY STRONG encryption Very easy to find, download, and use!
Insider Use of Steganography A serious and growing threat Conceal illegal images Child pornography Conceal unauthorized images Adult pornography Steal PII for ID theft Conceal evidence of criminal activity Not detected by firewalls! Not detected by IDS/IPS! Not detected by content filters! 20
Best Place to Hide Something? In plain site … Highly likely that more evidence of criminal activity is being concealed with steganography than anyone knows … … and we don’t know how much because no one is looking for it!
Modern day translation = Old Chinese Proverb Modern day translation = “A picture is worth a thousand words”
With Digital Steganography… …it’s literally quite true!
Typical Application
Modified Carrier Image Hide Text in Image THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth. Carrier Image No Perceptible Change! THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth. Modified Carrier Image
Hide Image in Image No Perceptible Change! Carrier Image No Perceptible Change! Modified Carrier Image Map of Operating Nuclear Power Reactors in the US
A Typical Example Carrier Image Pixel 1 Pixel 2 Pixel 3 Pixels not to scale
A Typical Example R G B R G B Add the letter “W” to a 24-bit image file: W = 01010111 (ASCII) R G B R G B [10000100 10110110 11100111] [10000100 10110111 11100110] [10000101 10110111 11100111] [10000101 10110110 11100111] [10000101 10110110 11100111] [10000101 10110111 11100111] Original Altered
A Typical Example Original Altered Original Values Altered Values Effect of change on first pixel: Original Altered 1 Original Values 1 Altered Values
A Typical Example Carrier Image Altered Image Altered image contains full text of Declaration of Independence (With room for another 286,730 characters!) Image Size (768 X 1,024) = 786,432 pixels = 2,359,296 bytes = 294,912 characters Document Size = 1,322 words = 7,982 characters (w/spaces)
Threshold of Perception Problem Easy to deceive: Human Visual System (HVS) and Human Auditory System (HAS) Can see/hear Can’t see/hear Threshold Visual range Audible range Raise our threshold of perception!
Is It Really Being Used? Shadowz Brotherhood Case “Operation Twins,” March 2002 Led by UK’s National Hi-Tech Crimes Unit (NHTCU) Activities included Production/distribution of child pornography Real-time abuse of children “The group used encryption and also steganography, the practice of hiding of one file within another for extraction by the intended recipient.” OUT-LAW.COM, http://www.out-law.com/page-2732, “Global raid breaks advanced internet child porn group” http://www.news.bbc.co.uk/1/hi/sci/tech/2082657.stm, “Accessing the secrets of the brotherhood” http://www.news.bbc.co.uk/1/hi/uk/2082308.stm, “Police smash net paedophile ring”
Is It Really Being Used? Anecdotal evidence from Fall 2005 Investigator in Tennessee … Found Invisible Secrets during CP investigation Also found 500 images of trains …
Is It Really Being Used? Anecdotal evidence from June 2006 Probation Officer in Minnesota … Found two CDs taped under coffee can One CD contained Cloak v7.0a Very strong encryption option Other CD contained 41 files between ~12.5Mb and ~23Mb Carrier file was only 263Kb Coffee Carrier file
Is It Really Being Used?
Detecting Steganography Traditional approach Blind detection Visual attack Structural attack Statistical attack Result expressed as probability No extraction capability New approach Analytical detection Detect “fingerprints” Detect “signatures” Accurately identify application used Provide extraction capability
Detecting Steganography Detecting “fingerprints” of file artifacts - Artifact Detection A539F21BCA458D2EFFD4 Hash Value Detecting “signatures” - Signature Detection John Hancock 2E DD 43 Hexadecimal Byte Pattern
Detecting Steganography Difference is subtle but very significant Artifact detection Detecting hash values of files associated with steganography applications Application may be used to hide something Signature detection Detecting hexadecimal byte patterns associated with steganography applications in carrier files Application has been used to hide something 38
Detecting Steganography File Associated With Steganography Application Any File 3E 25 9F AD 2E E4 48 01 92 B3 21 00 00 62 FF 01 23 54 21 01 34 E4 AA 02 75 1E BC 42 00 DC 04 67 E8 A1 B3 44 02 34 53 47 85 4E 73 E6 FF 32 D2 21 03 24 45 A0 21 BB C4 34 67 F5 E2 DD 34 58 EF E3 52 F9 DA E2 4E 84 10 29 3B 12 00 00 26 FF 10 32 45 12 10 43 4E AA 20 57 E1 CB 24 00 CD 40 76 8E 1A 3B 44 20 43 35 74 58 E4 37 6E FF 23 2D 12 30 42 54 0A 12 BB 4C 43 76 5F 2E DD 43 85 FE A539F21BCA458D2EFFD4 2E DD 43 Result is “hash value” or “fingerprint” of the file artifact associated with a steganography application Result is “hexadecimal byte pattern” or “signature” left in carrier file by the steganography application 39
SARC Steganalysis Tools Artifact Scanner Detects file artifacts associated with 625 applications Detects Windows Registry™ artifacts Unique feature Law enforcement use Internal investigation use StegAlyzerAS Artifact Scanner Detect File Artifacts Detect Registry Keys 40
SARC Steganalysis Tools Signature Scanner Detects signatures of 55 steganography applications Automated Extraction Algorithms (AEAs) Unique feature Law enforcement use Internal investigation use StegAlyzerSS Signature Scanner Point, Click, and Extract Interface 41
Summary Insider use of steganography is serious and growing threat State-of-the art tools available to detect presence or use of steganography Will never be detected if no one ever looks for it Steganalysis should be conducted as routine aspect of computer forensic examinations 42
Raise Your Threshold of Perception! Intensive two-day course History of steganography Steganographic techniques Artifact scanning Signature scanning Upcoming courses: Techno Forensics 2007: October 26 – 27 in Gaithersburg, MD Contact the SARC to reserve your spot! DONE 43 43
www.sarc-wv.com
For Additional Information Backbone Security 320 Adams Street, Suite 105 Fairmont, West Virginia 26554 Phone: 866.401.9392 304.333.SARC Fax: 304.366.9163 E-mail: sarc@backbonesecurity.com Web: www.sarc-wv.com 45
Hi-Tech Metaphysical Humor What’s the difference between “virtual” and “transparent”? Virtual is when you think it’s there… …but it really isn’t. Transparent is when it’s really there… …but you just can’t see it.
Territory is but the body of a nation. Questions Territory is but the body of a nation. The people who inhabit its hills and valleys are its soul, its spirit, its life. -- James A. Garfield