Digital Steganography An Emerging Insider Threat September 21, 2007 James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM Vice President for West Virginia Operations and Director, Steganography Analysis and Research Center (SARC) Backbone Security An affiliate of

Mar 26, 2015


Jason Foster

Digital Steganography

An Emerging Insider Threat

September 21, 2007

James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM
Vice President for West Virginia Operations
and
Director, Steganography Analysis and Research Center (SARC)
Backbone Security

An affiliate of


2 © 2007 Backbone Security. All rights reserved.

SARC ~ Raising the Threshold of Perception

Clarke’s Third Law

“Any sufficiently advanced technology is indistinguishable from magic.”

--Sir Arthur Charles Clarke

Retrieved from “http://en.wikipedia.org/wiki/Clarke%27s_three_laws”


The Insider Threat

• Hard Problem List (HPL)*
  – Hardest and most critical problems from perspective of IRC member agencies
  – Original list published in 1997
  – Revised November 2005

Insider Threat #2 out of 8 hard problems! Just behind Global-Scale Identity Management

* http://www.infosec-research.org/docs_public/20051130-IRC-HPL-FINAL.pdf


The Insider Threat

• Lists insiders as example of threat agent along with usual threat agents
  – Malicious hackers
  – Organized crime
  – Terrorists
  – Nation states

• In describing threat and vulnerability trends … insiders are at the top of the list!


Insider Threat

Insiders Surrounded By Sensitive Information

Jane and John Insider

• Credit Card Information
• Names
• Addresses
• Phone Numbers
• SSANs
• Law Enforcement Information
• Classified Information
• Intellectual Property


Insider Threat

Telephone

Printed listings

E-mail

3.5” Floppies

CDs/DVDs

Portable Electronic Devices (PDA/iPod/etc)

Portable storage media

Jane and John Insider

E-mail attachments

Cell/Camera phones


What Is Steganography?

• Stega-what?

– Not stenography… writing in shorthand notation

– Pronounced "ste-g&-'nä-gr&-fE”*

– Derived from Greek roots
    “Steganos” = covered
    “Graphie” = writing

* - By permission.  From the Merriam-Webster Online Dictionary ©2007 by Merriam-Webster, Incorporated (www.Merriam-Webster.com).


What Is Steganography?

• A form of secret communication used throughout history
  – The Codebreakers by David Kahn
      Interleaves use of cryptography and steganography throughout history
• Fast forward to Internet era …
  – Evolution from analog to digital steganography
      Hide any file “inside” another file
      Typically, text in image or image in image


Definition of Steganography

“Derived from the ancient Greek words for covered writing, steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.”

-- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006

[Image labels: Simulated Child Pornography; Mirror Lake, Yosemite National Park]


Definition of Steganalysis

“The examination of an object to determine whether steganographic content is present, and potentially to characterize or extract such embedded information.”

-- Federal Plan for Cyber Security and Information Assurance Research and Development, April 2006

[Image labels: Mirror Lake, Yosemite National Park; Simulated Child Pornography]


Why Use Steganography?

• Legitimate purposes …
  – Digital Rights Management (DRM)
      Digital watermarking of copyrighted works … typically songs and movies
  – Covert LE or military operations
• Nefarious purposes …
  – Conceal evidence of criminal activity
  – Establish covert channels to steal sensitive or classified information


Why Communicate Covertly?

• Use of encryption is “overt”
  – Fact that information is encrypted is easily detected
      Could lead to attempts to decrypt the information
• Use of steganography is “covert”
  – Fact that information exists is concealed
      Information often encrypted before being hidden
      Steganography often called “dark cousin” of cryptography


Relevance to Cybercrime

• Is being used to conceal various types of criminal and unauthorized activity
  – Child pornography
  – Identity theft
  – Terrorism (recruiting, planning, etc.)
  – Economic/industrial espionage
      Theft of intellectual property
  – Drug and weapons trafficking
  – Money laundering
  – etc.


Is Steganography A Threat?

“The threat posed by steganography has been documented in numerous intelligence reports.”

“These technologies pose a potential threat to U.S. national security.”

“International interest in R&D for steganographic technologies and their commercialization and application has exploded in recent years.”


Is Steganography A Threat?

• Lists insiders as example of threat agent along with usual threat agents
  – Malicious hackers
  – Organized crime
  – Terrorists
  – Nation states

• In describing threat and vulnerability trends … insiders are at the top of the list!


Insider Use of Steganography

E-mail Scenario

[Diagram labels: Insider, Firewall, Internet, Firewall, External Recipient]


Insider Use of Steganography

Web Site Scenario

[Diagram labels: Insider, External User]


3,300,000 Links!

Insider Use of Steganography

Level of Interest


Insider Use of Steganography

• Over 1,000 steganography applications available on the Internet
  – Number is growing… over 400 added last year
• Most are freeware/shareware
  – http://www.stegoarchive.com
• Most are easy to use
  – Many feature “drag-and-drop” interface
• Many offer encryption option
  – Some offer VERY STRONG encryption

Very easy to find, download, and use!


Insider Use of Steganography

• A serious and growing threat
  – Conceal illegal images
      Child pornography
  – Conceal unauthorized images
      Adult pornography
  – Steal PII for ID theft
  – Conceal evidence of criminal activity
• Not detected by firewalls!
• Not detected by IDS/IPS!
• Not detected by content filters!


Best Place to Hide Something?

In plain sight …

Highly likely that more evidence of criminal activity is being concealed with steganography than anyone knows …

… and we don’t know how much because no one is looking for it!


Old Chinese Proverb

Modern day translation =

“A picture is worth a thousand words”


With Digital Steganography…

[Slide graphic: the word “Word” repeated many times]

…it’s literally quite true!


Typical Application


Hide Text in Image

THE GETTYSBURG ADDRESS: Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty and dedicated to the proposition that all men are created equal. Now we are engaged in a great civil war, testing whether that nation or any nation so conceived and so dedicated can long endure. We are met on a great battlefield of that war. We have come to dedicate a portion of that field as a final resting-place for those who here gave their lives that that nation might live. It is altogether fitting and proper that we should do this. But in a larger sense, we cannot dedicate, we cannot consecrate, we cannot hallow this ground. The brave men, living and dead who struggled here have consecrated it far above our poor power to add or detract. The world will little note nor long remember what we say here, but it can never forget what they did here. It is for us the living rather to be dedicated here to the unfinished work which they who fought here have thus far so nobly advanced. It is rather for us to be here dedicated to the great task remaining before us--that from these honored dead we take increased devotion to that cause for which they gave the last full measure of devotion--that we here highly resolve that these dead shall not have died in vain, that this nation under God shall have a new birth of freedom, and that government of the people, by the people, for the people shall not perish from the earth.

No Perceptible Change!

Carrier Image

Modified Carrier Image


Hide Image in Image

No Perceptible Change!

Carrier Image

Modified Carrier Image

Map of Operating Nuclear Power Reactors in the US


A Typical Example

Carrier Image

Pixel 1 Pixel 2 Pixel 3

Pixels not to scale


A Typical Example

Add the letter “W” to a 24-bit image file:

W = 01010111 (ASCII)

          Original (R G B)                Altered (R G B)
Pixel 1   [10000100 10110110 11100111]    [10000100 10110111 11100110]
Pixel 2   [10000101 10110111 11100111]    [10000101 10110110 11100111]
Pixel 3   [10000101 10110110 11100111]    [10000101 10110111 11100111]


A Typical Example

Effect of change on first pixel:

Original Values     Altered Values
1 0 0 0 0 1 0 0     1 0 0 0 0 1 0 0
1 0 1 1 0 1 1 0     1 0 1 1 0 1 1 1
1 1 1 0 0 1 1 1     1 1 1 0 0 1 1 0

[Image labels: Original, Altered]


A Typical Example

Carrier Image Altered Image

Altered image contains full text of Declaration of Independence

(With room for another 286,730 characters!)

Image Size (768 X 1,024)
  = 786,432 pixels
  = 2,359,296 bytes
  = 294,912 characters

Document Size
  = 1,322 words
  = 7,982 characters (w/spaces)
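The bit substitution walked through on these slides, as an added example that is not part of the original presentation: it re-derives the altered pixel values for the letter “W”, recovers the letter from the low-order bits the way an examiner would, and reproduces the carrier capacity figure. The function names are assumptions; the three pixels are the slide's own values.

```python
"""Least-significant-bit (LSB) substitution on the slide's three sample pixels."""

# The three 24-bit pixels from the slide, flattened to bytes in R, G, B order.
ORIGINAL = bytes([
    0b10000100, 0b10110110, 0b11100111,   # pixel 1
    0b10000101, 0b10110111, 0b11100111,   # pixel 2
    0b10000101, 0b10110110, 0b11100111,   # pixel 3
])


def message_bits(message: bytes):
    """Yield the bits of each message byte, most significant bit first."""
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(carrier: bytes, message: bytes) -> bytes:
    """Overwrite the low-order bit of successive carrier bytes with message bits."""
    bits = list(message_bits(message))
    if len(bits) > len(carrier):
        raise ValueError("message needs %d carrier bytes, only %d available"
                         % (len(bits), len(carrier)))
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(carrier: bytes, n_chars: int) -> bytes:
    """Reassemble n_chars bytes from the low-order bits of the carrier."""
    if n_chars * 8 > len(carrier):
        raise ValueError("carrier too short for %d characters" % n_chars)
    out = bytearray()
    for c in range(n_chars):
        value = 0
        for b in carrier[c * 8:(c + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def changed_bytes(before: bytes, after: bytes):
    """Indexes of bytes that differ, and the largest change in any byte value."""
    idx = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    max_delta = max((abs(before[i] - after[i]) for i in idx), default=0)
    return idx, max_delta


def capacity_chars(width: int, height: int, channels: int = 3) -> int:
    """One hidden bit per colour byte, eight bits per 8-bit character."""
    return width * height * channels // 8


def as_pixels(data: bytes):
    """Format bytes as [R G B] binary triples, the notation used on the slide."""
    return ["[%s]" % " ".join(format(b, "08b") for b in data[i:i + 3])
            for i in range(0, len(data), 3)]


if __name__ == "__main__":
    altered = embed_lsb(ORIGINAL, b"W")
    for before, after in zip(as_pixels(ORIGINAL), as_pixels(altered)):
        print(before, "->", after)
    # Only the bytes whose low bit differed from the message bit change,
    # and each by exactly 1 out of 255 levels of that colour.
    print("changed byte indexes, max delta:", changed_bytes(ORIGINAL, altered))
    print("recovered:", extract_lsb(altered, 1))
    print("capacity of 768 x 1,024 image:", capacity_chars(768, 1024), "characters")
```

Half of the touched bytes already carried the right bit, so only four of the nine bytes change and none by more than one intensity level, which is why the altered image shows no perceptible difference and a content filter that inspects only visible content sees nothing unusual.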


Threshold of Perception Problem

Can see/hear

Can’t see/hear

Raise our threshold of perception!

Easy to deceive: Human Visual System (HVS) and Human Auditory System (HAS)

[Diagram labels: Threshold, Visual range, Audible range]


Is It Really Being Used?

• Shadowz Brotherhood Case
  – “Operation Twins,” March 2002
      Led by UK’s National Hi-Tech Crimes Unit (NHTCU)
  – Activities included
      Production/distribution of child pornography
      Real-time abuse of children
  – “The group used encryption and also steganography, the practice of hiding of one file within another for extraction by the intended recipient.”
      OUT-LAW.COM, http://www.out-law.com/page-2732, “Global raid breaks advanced internet child porn group”

- http://www.news.bbc.co.uk/1/hi/sci/tech/2082657.stm, “Accessing the secrets of the brotherhood”
- http://www.news.bbc.co.uk/1/hi/uk/2082308.stm, “Police smash net paedophile ring”


Is It Really Being Used?

• Anecdotal evidence from Fall 2005
  – Investigator in Tennessee …
      Found Invisible Secrets during CP investigation
      Also found 500 images of trains …


Is It Really Being Used?

• Anecdotal evidence from June 2006
  – Probation Officer in Minnesota …
      Found two CDs taped under coffee can
      One CD contained Cloak v7.0a
        » Very strong encryption option
      Other CD contained
        » 41 files between ~12.5Mb and ~23Mb
        » Carrier file was only 263Kb

[Image labels: Coffee, Carrier file]


Is It Really Being Used?


Detecting Steganography

• Traditional approach
  – Blind detection
      Visual attack
      Structural attack
      Statistical attack
  – Result expressed as probability
      No extraction capability
• New approach
  – Analytical detection
      Detect “fingerprints”
      Detect “signatures”
  – Accurately identify application used
      Provide extraction capability


Detecting Steganography

Detecting “fingerprints” of file artifacts - Artifact Detection
    Hash Value: A539F21BCA458D2EFFD4

Detecting “signatures” - Signature Detection
    Hexadecimal Byte Pattern: 2E DD 43

[Image label: John Hancock]


Detecting Steganography

• Difference is subtle but very significant
  – Artifact detection
      Detecting hash values of files associated with steganography applications
      Application may be used to hide something
  – Signature detection
      Detecting hexadecimal byte patterns associated with steganography applications in carrier files
      Application has been used to hide something


Detecting Steganography

File Associated With Steganography Application

3E 25 9F AD 2E E4 48
01 92 B3 21 00 00 62
FF 01 23 54 21 01 34
E4 AA 02 75 1E BC 42
00 DC 04 67 E8 A1 B3
44 02 34 53 47 85 4E
73 E6 FF 32 D2 21 03
24 45 A0 21 BB C4 34
67 F5 E2 DD 34 58 EF

A539F21BCA458D2EFFD4

Result is “hash value” or “fingerprint” of the file artifact associated with a steganography application

Any File

E3 52 F9 DA E2 4E 84
10 29 3B 12 00 00 26
FF 10 32 45 12 10 43
4E AA 20 57 E1 CB 24
00 CD 40 76 8E 1A 3B
44 20 43 35 74 58 E4
37 6E FF 23 2D 12 30
42 54 0A 12 BB 4C 43
76 5F 2E DD 43 85 FE

2E DD 43

Result is “hexadecimal byte pattern” or “signature” left in carrier file by the steganography application
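The two checks contrasted on these slides, as an added example that is not SARC's code and not how StegAlyzer is implemented: artifact detection hashes a whole file and looks the digest up in a set of known application files, while signature detection searches a carrier's bytes for a known pattern. SHA-256, the function names, the file names and the "ExampleStegoApp" label are assumptions; the byte grids and the `2E DD 43` pattern are the slide's illustrative values.

```python
import hashlib


def grid(text: str) -> bytes:
    """Parse a whitespace-separated hex dump into bytes."""
    return bytes(int(token, 16) for token in text.split())


# Byte grids copied from the slide; they are illustrative values, not real files.
STEGO_APP_FILE = grid("""
    3E 25 9F AD 2E E4 48   01 92 B3 21 00 00 62   FF 01 23 54 21 01 34
    E4 AA 02 75 1E BC 42   00 DC 04 67 E8 A1 B3   44 02 34 53 47 85 4E
    73 E6 FF 32 D2 21 03   24 45 A0 21 BB C4 34   67 F5 E2 DD 34 58 EF
""")
ANY_FILE = grid("""
    E3 52 F9 DA E2 4E 84   10 29 3B 12 00 00 26   FF 10 32 45 12 10 43
    4E AA 20 57 E1 CB 24   00 CD 40 76 8E 1A 3B   44 20 43 35 74 58 E4
    37 6E FF 23 2D 12 30   42 54 0A 12 BB 4C 43   76 5F 2E DD 43 85 FE
""")

# Constructed reference data. A real hash set would be built from the files each
# steganography application installs; "ExampleStegoApp" is a placeholder name.
KNOWN_ARTIFACT_HASHES = {hashlib.sha256(STEGO_APP_FILE).hexdigest(): "ExampleStegoApp"}
KNOWN_SIGNATURES = {"ExampleStegoApp": grid("2E DD 43")}


def artifact_scan(files: dict) -> list:
    """Return (name, application) for files whose digest is in the hash set.

    The match is exact: a copy under another name still hits, while a file
    that differs by a single byte does not.
    """
    hits = []
    for name, data in files.items():
        app = KNOWN_ARTIFACT_HASHES.get(hashlib.sha256(data).hexdigest())
        if app:
            hits.append((name, app))
    return hits


def signature_scan(files: dict) -> list:
    """Return (name, application, offset) for every signature occurrence.

    A three-byte pattern also turns up by chance, on average about once per
    16 MiB of random data, so a hit on a pattern this short is a lead to
    confirm rather than proof.
    """
    hits = []
    for name, data in files.items():
        for app, pattern in KNOWN_SIGNATURES.items():
            offset = data.find(pattern)
            while offset != -1:
                hits.append((name, app, offset))
                offset = data.find(pattern, offset + 1)
    return hits


# Constructed evidence set: a renamed copy of the application file, the same
# file with its last byte changed, and the slide's "Any File" carrier.
SAMPLE_FILES = {
    "renamed_copy.exe": STEGO_APP_FILE,
    "patched_copy.exe": STEGO_APP_FILE[:-1] + b"\x00",
    "photo.bmp": ANY_FILE,
}

if __name__ == "__main__":
    print("artifact hits (application present, may be used):")
    for hit in artifact_scan(SAMPLE_FILES):
        print("   ", hit)
    print("signature hits (application has been used on this carrier):")
    for hit in signature_scan(SAMPLE_FILES):
        print("   ", hit)
```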


SARC Steganalysis Tools

• Artifact Scanner
  – Detects file artifacts associated with 625 applications
  – Detects Windows Registry™ artifacts
      Unique feature
  – Law enforcement use
  – Internal investigation use

StegAlyzerAS

Artifact Scanner

Detect Registry Keys

Detect File Artifacts


SARC Steganalysis Tools

• Signature Scanner
  – Detects signatures of 55 steganography applications
  – Automated Extraction Algorithms (AEAs)
      Unique feature
  – Law enforcement use
  – Internal investigation use

StegAlyzerSS

Signature Scanner

Point, Click, and Extract Interface


Summary

• Insider use of steganography is serious and growing threat
• State-of-the-art tools available to detect presence or use of steganography
• Will never be detected if no one ever looks for it
• Steganalysis should be conducted as routine aspect of computer forensic examinations


• Intensive two-day course
  – History of steganography
  – Steganographic techniques
  – Artifact scanning
  – Signature scanning
• Upcoming courses:
  – Techno Forensics 2007: October 26 – 27 in Gaithersburg, MD
• Contact the SARC to reserve your spot!

Raise Your Threshold of Perception!


www.sarc-wv.com


For Additional Information

Backbone Security
320 Adams Street, Suite 105
Fairmont, West Virginia 26554

Phone: 866.401.9392
       304.333.SARC
Fax: 304.366.9163
E-mail: [email protected]
Web: www.sarc-wv.com


Hi-Tech Metaphysical Humor

Virtual is when you think it’s there…

…but it really isn’t.

Transparent is when it’s really there…

…but you just can’t see it.

What’s the difference between “virtual” and “transparent”?


Questions

Territory is but the body of a nation. The people who inhabit its hills and valleys are its soul, its spirit, its life.

-- James A. Garfield