Covert Channels The Silence Must be Heard The Hidden Must be Seen The Secrets Must be Revealed

Covert ChannelsCovert ChannelsThe Silence Must be HeardThe Silence Must be HeardThe Hidden Must be SeenThe Hidden Must be Seen

The Secrets Must be RevealedThe Secrets Must be Revealed

By: Randy GrubbBy: Randy Grubb

Armstrong Atlantic State University – Cyber & Homeland Security Institute

Cyber Capabilities

• By the turn of the century all known terrorist and criminal groups had a presence on the Internet.– Psychological Warfare– Propaganda– Data Mining– Fundraising/financing– Recruiting– Networking– Information sharing– Planning & coordination– Actual perpetration of their crimes

Why the Internet?

• Anonymous (real or perceived)– Encryption– Covert Channels/Steganography– Public libraries/Internet cafes/wireless access points– Anonymizers/Proxies (Tor)

• Geographically Unbounded– People can communicate with one another from

virtually anywhere in the world– More than 10,000 Internet Service Providers (ISP)

worldwide– Some are sympathetic to the radical cause

Why the Internet?

• Largely unregulated– Developed as an open interoperable network– No central government authority– Most ISPs do not have the resources or

desire to monitor web-site content

• Inexpensive– Free web hosting– Free e-mail accounts

Why the Internet?

• US and coalition military actions since 9/11 have deprived terrorist organizations their base of operations and training camps.

• These actions have dispersed terrorist organizations more widely.

• With the Internet, terrorist organizations can control a worldwide movement without ever meeting.

Source: Harvard Gazette: Terror Online and how to counteract it, Ruth Walker, 2004

Netwar

• Term given to an emerging mode of conflict dealing with the societal relationships between namely terrorists and criminal organizations.– Involves measures short of traditional warfare– Network forms of organization, doctrine,

strategy and communication

• Dispersed and decentralized manner

Netwar

• Small groups from points around the world utilizing network and Internet technology to:– Communicate– Coordinate– Act

Is This a Secure Site?

What are Covert Channels?

• Covert Channels– Any communication channel that can be exploited by

a process to transfer information in a manner that violates the systems security policy.

– In short, covert channels transfer information using non-standard methods

– Against the system design– Communication is obscured; unnoticed– Easily bypass current security tools & products

What are Covert Channels?

• Covert Channels allow multiple parties to communicate ‘unseen’– They hide the fact that a communication is even

occurring– Provides privacy and anonymity

• Unlike encryption, where communication is obvious but obscured– Encryption is easily identified– Clear and visible indications of encryption

Covert Channels

• Covert Channels work because of human deficiencies– Eye sight– Hearing– Analysis skills

• Lack of Interest– It’s not really a problem, doesn’t happen– Prove it to me

• System Design Discrepancies– Components utilized in unintended manner

Covert Channels

• Many covert channels will elude detection simply because most individuals have never considered the possibility

• Perception over rides reality

Covert Channels

• Covert Channels hide the fact that communication between two or more individuals is occurring.

Potential Damage

• Corporate Espionage– Loss of competitive advantage

• Government or Military Activities– Increased threat to National Security– Terrorist Organizations

• Criminal Activities– Transfer of pornography or commercial software

• Financial Impact– Transfer of confidential financial data

Known Covert Methods

• Steganography– Images– Audio

• Text Manipulation• TCP Covert Channels• Alternate Data Streams (ADS)• Deep or invisible web

Tool Summary

• Over 300 known tool variation and releases• Tools for every Operating System including

DOS, Windows, UNIX/Linux, OS2, Mac• Wide variety of methodologies and features• Most software is freeware or shareware

Origins of Steganography

• What does Steganography Mean?– Pronounced “STEHG-uh-NAH-gru-fee”– From the Greek Roots

• “Steganos” or Covered • “Graphie” or Writing• “Covered Writing”

– First Known Usage• The early Greeks and Persians used several forms of

covered writing to conceal the communication of secret or covert messages

• Origins date back as far 2500 years ago

Carrier + Payload = Covert Message

• Carrier – The file that provides cover for and conceals the payload. Payload – The secret message or information that you wish to conceal or communicate.

• Covert Message – The combination of the payload and the carrier. The covert message file should appear identical to the carrier.

• Most current stego tools also encrypt the payload to increase security.

Digital Images

• Digital Images are created by software– Digital camera– Scanner– Graphics program

• Digital Images are made up of pixels– Represented on a grid– The pixel is the smallest visual component– Resolution & representation

• 640 x 480 – rows x columns• 75 dpi – number of dots per inch

1

1 http://www.library.cornell.edu/preservation/tutorial/intro/intro-01.htmlSource: WetStone Technologies

Digital Images

• Color is represented in digital images by three different methods.– Paletted images– True color images– Compressed images

Palette Images• Map to a pre-defined color on a table

– Pixel represented by table lookup value

2http://www.webstyleguide.com/graphics/displays.html

2

Source: WetStone Technologies

True Color Images

• True Color images– Typically 24 bits– Most common format is

RGB or Red – Green - Blue– 8 bits for each color byte

(red, green, blue)– 16.7M possible colors

4http://www.webstyleguide.com/graphics/displays.html

4

Source: WetStone Technologies

Least Significant Bit Steganography

“The hiding of data within a digital carrier by slightly altering an insignificant characteristic of the carrier that does not appear to alter the normal rendering of the data”

Hosmer, 1999

Source: WetStone Technologies

Altering a True Color Image

2http://www.webstyleguide.com/graphics/displays.html

2

Image source: www.wikipedia.com

LSB Substitution – bit 0

11 0 1 1 0 1 0

1 1 0 0 0 1 1

1 1 1 0 0 0 0

RED

GREEN

BLUE

0

0

1

Before

Before After

Combined Color

Individual Colors

After

0

1

0

LSB Substitution

Source: WetStone Technologies

LSB Substitution bit 0 and 1

11 0 1 1 0 1 0

1 1 0 0 0 1 0

1 1 1 0 0 0 1

RED

GREEN

BLUE

1

0

1

Before

Before After

Combined Color

Individual Colors

After

0

1

0

LSB Substitution

Source: WetStone Technologies

LSB Substitution bits (0-3)

11 0 1 1 100

1 1 0 0 100

1 1 1 0 111

RED

GREEN

BLUE

1

0

1

Before

Before After

Combined Color

Individual Colors

After

0

1

0

LSB Substitution

Source: WetStone Technologies

Color Differences

Source: WetStone Technologies

Color Differences

Source: WetStone Technologies

Color DifferencesCan you spot the modified pixel?

Source: WetStone Technologies