Download presentation
Presentation is loading. Please wait.
Published byTimothy Chavez Modified over 10 years ago
1
eCrime and Steganography Lecture & Demonstration
3
© 2003-2006 WetStone Technologies, Inc. Origins of Steganography Steganography Origins – From the Greek Roots Steganos or Covered Graphie or Writing Covered Writing – First Known Usage The early Greeks and Persians used several forms of covered writing to conceal the communication of secret or covert messages Origins date back as far 2,500 years ago
4
© 2003-2006 WetStone Technologies, Inc. Origins of Steganography Demaratus of Ariston was exiled in Persia, and while there, he received news that Xerxes had decided to invade Greece. He decided that he must get word of the pending invasion to Sparta. Since discovery of such an act meant certain death, he decided that he must conceal the message. He scraped the wax off a pair of wooden folding writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax. The tablet was passed by the sentries without raising any suspicion and was delivered to and read by the Greeks. WAX TABLET
5
© 2003-2006 WetStone Technologies, Inc. Origins of Steganography Null Cipher Messages – Most notably this method was used during World War I by the Germans – Text based steganography has taken on several forms PRESIDENTS EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW, STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY PERSHING SAILS FROM NY JUNE 1
6
© 2003-2006 WetStone Technologies, Inc. Dangers of Steganography Steganography vs. Encryption – Steganography and Encryption each have distinct purposes Encryption – Keeps information private by using a mathematical algorithm which renders the contents unreadable unless you possess a specific key allowing you to decipher the message – Encrypted objects are typically easy to identify or detect – The existence of the message is obvious, however the content is obscured Steganography – Hides the actual existence of a message or hidden data – Hides information in plain sight by exploiting weaknesses of our human senses
7
© 2003-2006 WetStone Technologies, Inc. Dangers of Steganography Steganography Encryption
8
Steganography E-Mail Communication Covert Message Send Message With Innocuous Attachment Firewall RevealStego CP Carrier Image ApplyStego Revealed CP password
9
© 2003-2006 WetStone Technologies, Inc. Who knows about this technology?
10
© 2003-2006 WetStone Technologies, Inc. How big is the problem?
11
© 2003-2006 WetStone Technologies, Inc. Who knows about it? source google.com
12
© 2003-2006 WetStone Technologies, Inc. How global is the problem? ARABICARABIC
13
© 2003-2006 WetStone Technologies, Inc. How global is the problem? CHINESECHINESE
14
© 2003-2006 WetStone Technologies, Inc. How global is the problem? GERMANGERMAN
15
© 2003-2006 WetStone Technologies, Inc. How global is the problem? KOREANKOREAN
16
© 2003-2006 WetStone Technologies, Inc. How global is the problem? CROATIANCROATIAN
17
© 2003-2006 WetStone Technologies, Inc. How global is the problem? JAPANESEJAPANESE
18
Steganography How does it work?
19
© 2003-2006 WetStone Technologies, Inc. How is this possible? Human Sight – Characteristics Poor detection and identification of differing shades of color Poor recognition of high intensity shades (i.e. bright blue and violet shades of color) Human Hearing – Characteristics Very sensitive to noise and distortion Imperceptible in detecting slight amplitude shifts Imperceptible in detecting slight phase shifts
20
© 2003-2006 WetStone Technologies, Inc. Palette Images Map to a pre-defined color on a table – Pixel represented by table lookup value 2 http://www.webstyleguide.com/graphics/displays.html 2
21
© 2003-2006 WetStone Technologies, Inc. RGB or True Color Images True Color images – Typically represented by 24 bits – 8 bits for each color (red, green, blue) – 16.7M possible colors (2 8 x 2 8 x 2 8 ) – Each pixel holds color triplet 4 http://www.webstyleguide.com/graphics/displays.html 4
22
Least Significant Bit (LSB) Steganography Applied to RGB Color Images
23
© 2003-2006 WetStone Technologies, Inc. LSB Substitution – bit 0 11011010 1100011 1110000 RED GREEN BLUE 0 0 1 Before After Combined Color Individual Colors After 0 1 0 LSB Substitution
24
© 2003-2006 WetStone Technologies, Inc. LSB Substitution bit 0 and 1 11011010 110001 0 111000 1 RED GREEN BLUE 1 0 1 Before After Combined Color Individual Colors After 0 1 0 LSB Substitution
25
© 2003-2006 WetStone Technologies, Inc. LSB Substitution bits (0-3) 1 1011 100 1100 100 1110 111 RED GREEN BLUE 1 0 1 Before After Combined Color Individual Colors After 0 1 0 LSB Substitution
26
© 2003-2006 WetStone Technologies, Inc. Visual Analysis
27
© 2003-2006 WetStone Technologies, Inc. Visual Analysis
28
© 2003-2006 WetStone Technologies, Inc. Visual Analysis
29
© 2003-2006 WetStone Technologies, Inc. Digital Audio CD Audio – Typically referred to as wave audio files – Wave audio is an uncompressed set of samples – Each samples is represented as a16-bit value Binary – 0000 0000 0000 0000 – 1111 1111 1111 1111 Hex – 0000 - FFFF Decimal – -32768 to +32767 – Each sample is collected at a frequency of 44.1 Khz or 44,100 times per second based on Nyquists theorem Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signalanalog signal waveformerrortimesampling ratefrequency component Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signalanalog signal waveformerrortimesampling ratefrequency component 5 http://www.its.bldrdoc.gov 5
30
© 2003-2006 WetStone Technologies, Inc. Digital Audio - Dangers Audio based steganography has the potential to conceal more information – Audio files are generally larger than images – Our hearing can be easily fooled – Slight changes in amplitude can store vast amounts of information Many sources and types makes statistical analysis more difficult – Greater amounts of information can be embedded without audible degradation
31
© 2003-2006 WetStone Technologies, Inc. LSB in Action Steganography Demonstration
32
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Data Appending Covert Channels Formatting Modification Word Substitution Color Palette Modification Encoding Algorithm Modification 24-Bit LSB Encoding
33
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Typically modifies the cover file by appending data after the standard end-of-file marker Data Appending Example Program Camouflage
34
© 2003-2006 WetStone Technologies, Inc. Data Appending Example Carrier Image Hidden Data
35
© 2003-2006 WetStone Technologies, Inc. Data Appending Example Original Carrier File Camouflage Hidden Message End of File MarkersHidden Data
36
Camouflage in Action Demonstration
37
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Formatting Modification Example Program Invisible Secrets Works by making subtle modification to text and/or line spacing in standard documents
38
© 2003-2006 WetStone Technologies, Inc. Formatting Modification Example Carrier File Hidden Data
39
© 2003-2006 WetStone Technologies, Inc. Formatting Modification Example Original Carrier File Modified Carrier File HASH D350 E408 495B D1A4 2FDB 6A54 6C34 2F94 DE8F 89E5 HASH 7E62 FC70 65FE 8095 7796 23DC 697D CBDF EEEC 3E07
40
© 2003-2006 WetStone Technologies, Inc. Formatting Modification Example Original Carrier FileModified Carrier File
41
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Word Substitution Spam Mimic – Web based steganography tool http://www.spammimic.com/ Automatically create spam like messages that actually contain hidden data
42
© 2003-2006 WetStone Technologies, Inc. Word Substitution Example Message to Encode
43
© 2003-2006 WetStone Technologies, Inc. Spam mimic Spam encoded message
44
© 2003-2006 WetStone Technologies, Inc. Spam mimic
45
© 2003-2006 WetStone Technologies, Inc. Spam mimic
46
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Typically applied to 8-BIT images such as GIF or 8 BIT BMP files. The technique modifies the color palette and the associated colors in the image to embed data Color Palette Modification Example Program Gif-it-Up
47
© 2003-2006 WetStone Technologies, Inc. Color Palette Modification Example Carrier Image Hidden Data
48
© 2003-2006 WetStone Technologies, Inc. Color Palette Modification Example Carrier Image Covert Message
49
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography 24-Bit LSB Encoding Example Program The LSB method makes subtle changes to each pixel of the image. The changes are undetectable through visual inspection for most images Example Program : S-Tools Version 4.0
50
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Encoding Algorithm Modification JPEG Discrete Cosine Transform (DCT) Modification MP3 perceptual noise shaping (PNS) Modification
51
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Most typically applied to JPEG files. LSB modifications are made to the coefficients of the Discrete Cosine Transform prior to the lossless stage of compression DCT Coefficient Modification Example Program JPHS
52
© 2003-2006 WetStone Technologies, Inc. DCT Coefficient Modification Example Carrier Image Hidden Data
53
© 2003-2006 WetStone Technologies, Inc. Carrier Image HASH 7847 C7B7 1884 B350 17E9 4783 2603 B315 27B1 8ABE File Size 224,186 Modified Carrier Image HASH 4AC7 2ADA 5C95 08A3 645A 8FC2 30CD 3AA5 E323 644D File Size 223,122 DCT Coefficient Modification Example
54
© 2003-2006 WetStone Technologies, Inc. DCT Formula 8 x 8 2D Forward DCT 8 x 8 2D Inverse DCT
55
© 2003-2006 WetStone Technologies, Inc. Quantized DCT 12345678 1015614152728 22471316262942 338121725304143 4911182431404453 51019233239455254 62022333846515560 72134374750565961 83536484957586263 LOW ENERGY MEDIUM ENERGY HIGH ENERGY
56
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography Modification of the MP3 encoding algorithm to insert data without altering the sound quality MP3 PNS Modification Example Program MP3 Steno
57
© 2003-2006 WetStone Technologies, Inc. Known Methods of Steganography A modified communication channel exploited by a sender and receiver to exchange information Covert Channels Example Program Covert TCP Source code supplied with informational article published in First Monday http://www.firstmonday.dk/issues/issue2_5/rowla nd/index.html#app
58
© 2003-2006 WetStone Technologies, Inc. Covert Channels Example Manipulation of the Initial Sequence Number Field* – The Initial Sequence Number is used to establish a communication link between a client and remote server – A program can be created to generate this number using a constant divided by an ASCII character value – A similar program on the other end can passively listen for communication and then decode the message *http://www.firstmonday.dk/issues/issue2_5/rowland/index.html#app
59
© 2003-2006 WetStone Technologies, Inc. Covert Channels Example 20:30:10.005553 10.1.1.45321 > 128.162.1.0.80: S 1207959552:1207959552(0) win 512 (ttl 64, id 49408) Packet Header 20:30:10.005553 Time Stamp 10.1.1.0.45321 Source 1207959552:1207959552 ISN > S 128.162.1.0.80 Destination Win 512 (ttl 64, id 49408) Misc. Fields
60
© 2003-2006 WetStone Technologies, Inc. Covert Channels Example 1207959552:1207959552 Locate ISN 1207959552 / 16777216 = 72 Divide by constant 72 = H in ASCII Convert to ASCII
61
Steganography Investigation Demonstration
62
© 2003-2006 WetStone Technologies, Inc. Summary Steganography weapons are easy to use, and readily available to our adversaries
63
© 2003-2006 WetStone Technologies, Inc. Summary Steganography is capable of concealing the mere existence of incriminating information and/or covert communications
64
© 2003-2006 WetStone Technologies, Inc. Summary Steganography provides criminals with the ability to: Conceal incriminating information Covertly communicate with accomplices Innocuously share dangerous information
65
© 2003-2006 WetStone Technologies, Inc. Summary Steganography is difficult to: Detect Analyze Break
66
© 2003-2006 WetStone Technologies, Inc. Summary Modern digital steganography is capable of innocuously concealing or transferring large amounts of information. A rule of thumb is 30-40% of the carrier size.
67
© 2003-2006 WetStone Technologies, Inc. Summary When used in conjunction with the Internet, steganography becomes a globally effective weapon for criminals and terrorists.
68
Thank You Chet Hosmer CEO & Chief Scientist chet@wetstonetech.com
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.