eCrime and Steganography Lecture & Demonstration
© WetStone Technologies, Inc. Origins of Steganography Steganography Origins – From the Greek Roots Steganos or Covered Graphie or Writing Covered Writing – First Known Usage The early Greeks and Persians used several forms of covered writing to conceal the communication of secret or covert messages Origins date back as far 2,500 years ago
© WetStone Technologies, Inc. Origins of Steganography Demaratus of Ariston was exiled in Persia, and while there, he received news that Xerxes had decided to invade Greece. He decided that he must get word of the pending invasion to Sparta. Since discovery of such an act meant certain death, he decided that he must conceal the message. He scraped the wax off a pair of wooden folding writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax. The tablet was passed by the sentries without raising any suspicion and was delivered to and read by the Greeks. WAX TABLET
© WetStone Technologies, Inc. Origins of Steganography Null Cipher Messages – Most notably this method was used during World War I by the Germans – Text based steganography has taken on several forms PRESIDENTS EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW, STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY PERSHING SAILS FROM NY JUNE 1
© WetStone Technologies, Inc. Dangers of Steganography Steganography vs. Encryption – Steganography and Encryption each have distinct purposes Encryption – Keeps information private by using a mathematical algorithm which renders the contents unreadable unless you possess a specific key allowing you to decipher the message – Encrypted objects are typically easy to identify or detect – The existence of the message is obvious, however the content is obscured Steganography – Hides the actual existence of a message or hidden data – Hides information in plain sight by exploiting weaknesses of our human senses
© WetStone Technologies, Inc. Dangers of Steganography Steganography Encryption
Steganography Communication Covert Message Send Message With Innocuous Attachment Firewall RevealStego CP Carrier Image ApplyStego Revealed CP password
© WetStone Technologies, Inc. Who knows about this technology?
© WetStone Technologies, Inc. How big is the problem?
© WetStone Technologies, Inc. Who knows about it? source google.com
© WetStone Technologies, Inc. How global is the problem? ARABICARABIC
© WetStone Technologies, Inc. How global is the problem? CHINESECHINESE
© WetStone Technologies, Inc. How global is the problem? GERMANGERMAN
© WetStone Technologies, Inc. How global is the problem? KOREANKOREAN
© WetStone Technologies, Inc. How global is the problem? CROATIANCROATIAN
© WetStone Technologies, Inc. How global is the problem? JAPANESEJAPANESE
Steganography How does it work?
© WetStone Technologies, Inc. How is this possible? Human Sight – Characteristics Poor detection and identification of differing shades of color Poor recognition of high intensity shades (i.e. bright blue and violet shades of color) Human Hearing – Characteristics Very sensitive to noise and distortion Imperceptible in detecting slight amplitude shifts Imperceptible in detecting slight phase shifts
© WetStone Technologies, Inc. Palette Images Map to a pre-defined color on a table – Pixel represented by table lookup value 2 2
© WetStone Technologies, Inc. RGB or True Color Images True Color images – Typically represented by 24 bits – 8 bits for each color (red, green, blue) – 16.7M possible colors (2 8 x 2 8 x 2 8 ) – Each pixel holds color triplet 4 4
Least Significant Bit (LSB) Steganography Applied to RGB Color Images
© WetStone Technologies, Inc. LSB Substitution – bit RED GREEN BLUE Before After Combined Color Individual Colors After LSB Substitution
© WetStone Technologies, Inc. LSB Substitution bit 0 and RED GREEN BLUE Before After Combined Color Individual Colors After LSB Substitution
© WetStone Technologies, Inc. LSB Substitution bits (0-3) RED GREEN BLUE Before After Combined Color Individual Colors After LSB Substitution
© WetStone Technologies, Inc. Visual Analysis
© WetStone Technologies, Inc. Visual Analysis
© WetStone Technologies, Inc. Visual Analysis
© WetStone Technologies, Inc. Digital Audio CD Audio – Typically referred to as wave audio files – Wave audio is an uncompressed set of samples – Each samples is represented as a16-bit value Binary – – Hex – FFFF Decimal – to – Each sample is collected at a frequency of 44.1 Khz or 44,100 times per second based on Nyquists theorem Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signalanalog signal waveformerrortimesampling ratefrequency component Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signalanalog signal waveformerrortimesampling ratefrequency component 5 5
© WetStone Technologies, Inc. Digital Audio - Dangers Audio based steganography has the potential to conceal more information – Audio files are generally larger than images – Our hearing can be easily fooled – Slight changes in amplitude can store vast amounts of information Many sources and types makes statistical analysis more difficult – Greater amounts of information can be embedded without audible degradation
© WetStone Technologies, Inc. LSB in Action Steganography Demonstration
© WetStone Technologies, Inc. Known Methods of Steganography Data Appending Covert Channels Formatting Modification Word Substitution Color Palette Modification Encoding Algorithm Modification 24-Bit LSB Encoding
© WetStone Technologies, Inc. Known Methods of Steganography Typically modifies the cover file by appending data after the standard end-of-file marker Data Appending Example Program Camouflage
© WetStone Technologies, Inc. Data Appending Example Carrier Image Hidden Data
© WetStone Technologies, Inc. Data Appending Example Original Carrier File Camouflage Hidden Message End of File MarkersHidden Data
Camouflage in Action Demonstration
© WetStone Technologies, Inc. Known Methods of Steganography Formatting Modification Example Program Invisible Secrets Works by making subtle modification to text and/or line spacing in standard documents
© WetStone Technologies, Inc. Formatting Modification Example Carrier File Hidden Data
© WetStone Technologies, Inc. Formatting Modification Example Original Carrier File Modified Carrier File HASH D350 E B D1A4 2FDB 6A54 6C34 2F94 DE8F 89E5 HASH 7E62 FC70 65FE DC 697D CBDF EEEC 3E07
© WetStone Technologies, Inc. Formatting Modification Example Original Carrier FileModified Carrier File
© WetStone Technologies, Inc. Known Methods of Steganography Word Substitution Spam Mimic – Web based steganography tool Automatically create spam like messages that actually contain hidden data
© WetStone Technologies, Inc. Word Substitution Example Message to Encode
© WetStone Technologies, Inc. Spam mimic Spam encoded message
© WetStone Technologies, Inc. Spam mimic
© WetStone Technologies, Inc. Spam mimic
© WetStone Technologies, Inc. Known Methods of Steganography Typically applied to 8-BIT images such as GIF or 8 BIT BMP files. The technique modifies the color palette and the associated colors in the image to embed data Color Palette Modification Example Program Gif-it-Up
© WetStone Technologies, Inc. Color Palette Modification Example Carrier Image Hidden Data
© WetStone Technologies, Inc. Color Palette Modification Example Carrier Image Covert Message
© WetStone Technologies, Inc. Known Methods of Steganography 24-Bit LSB Encoding Example Program The LSB method makes subtle changes to each pixel of the image. The changes are undetectable through visual inspection for most images Example Program : S-Tools Version 4.0
© WetStone Technologies, Inc. Known Methods of Steganography Encoding Algorithm Modification JPEG Discrete Cosine Transform (DCT) Modification MP3 perceptual noise shaping (PNS) Modification
© WetStone Technologies, Inc. Known Methods of Steganography Most typically applied to JPEG files. LSB modifications are made to the coefficients of the Discrete Cosine Transform prior to the lossless stage of compression DCT Coefficient Modification Example Program JPHS
© WetStone Technologies, Inc. DCT Coefficient Modification Example Carrier Image Hidden Data
© WetStone Technologies, Inc. Carrier Image HASH 7847 C7B B350 17E B315 27B1 8ABE File Size 224,186 Modified Carrier Image HASH 4AC7 2ADA 5C95 08A3 645A 8FC2 30CD 3AA5 E D File Size 223,122 DCT Coefficient Modification Example
© WetStone Technologies, Inc. DCT Formula 8 x 8 2D Forward DCT 8 x 8 2D Inverse DCT
© WetStone Technologies, Inc. Quantized DCT LOW ENERGY MEDIUM ENERGY HIGH ENERGY
© WetStone Technologies, Inc. Known Methods of Steganography Modification of the MP3 encoding algorithm to insert data without altering the sound quality MP3 PNS Modification Example Program MP3 Steno
© WetStone Technologies, Inc. Known Methods of Steganography A modified communication channel exploited by a sender and receiver to exchange information Covert Channels Example Program Covert TCP Source code supplied with informational article published in First Monday nd/index.html#app
© WetStone Technologies, Inc. Covert Channels Example Manipulation of the Initial Sequence Number Field* – The Initial Sequence Number is used to establish a communication link between a client and remote server – A program can be created to generate this number using a constant divided by an ASCII character value – A similar program on the other end can passively listen for communication and then decode the message *
© WetStone Technologies, Inc. Covert Channels Example 20:30: > : S : (0) win 512 (ttl 64, id 49408) Packet Header 20:30: Time Stamp Source : ISN > S Destination Win 512 (ttl 64, id 49408) Misc. Fields
© WetStone Technologies, Inc. Covert Channels Example : Locate ISN / = 72 Divide by constant 72 = H in ASCII Convert to ASCII
Steganography Investigation Demonstration
© WetStone Technologies, Inc. Summary Steganography weapons are easy to use, and readily available to our adversaries
© WetStone Technologies, Inc. Summary Steganography is capable of concealing the mere existence of incriminating information and/or covert communications
© WetStone Technologies, Inc. Summary Steganography provides criminals with the ability to: Conceal incriminating information Covertly communicate with accomplices Innocuously share dangerous information
© WetStone Technologies, Inc. Summary Steganography is difficult to: Detect Analyze Break
© WetStone Technologies, Inc. Summary Modern digital steganography is capable of innocuously concealing or transferring large amounts of information. A rule of thumb is 30-40% of the carrier size.
© WetStone Technologies, Inc. Summary When used in conjunction with the Internet, steganography becomes a globally effective weapon for criminals and terrorists.
Thank You Chet Hosmer CEO & Chief Scientist