Digital Steganography: An Emerging Threat

PowerPoint slide show with animations to describe the emerging threat from digital steganography and the products developed in the Steganography Analysis and Research Center to detect the use of steganography and extract hidden information.

Comment: New version of Ribcage will provide capability to detect artifacts and signatures of steganography applications in real-time.

Presentation Transcript

  • Digital Steganography: An Emerging Threat (September 2013)
  • Clarke’s Third Law
    “Any sufficiently advanced technology is indistinguishable from magic.”* —Sir Arthur Charles Clarke
    * Retrieved from http://en.wikipedia.org/wiki/Clarke%27s_three_laws
    Copyright © 2004 – 2013 Backbone Security.com, Inc. All rights reserved.
  • What Is Steganography?
    • Stega-what?
      – Not stenography … writing in shorthand notation
      – Pronounced "ste-g&-'nä-gr&-fE"*
      – Derived from Greek roots
         “Steganos” = covered
         “Graphie” = writing
    * By permission. From the Merriam-Webster Online Dictionary ©2007 by Merriam-Webster, Incorporated (www.Merriam-Webster.com)
  • What Is Steganography?
    • A form of secret communication used throughout history … wax tablets
      – For the history buff
         The Codebreakers by David Kahn
         Interleaves the history of steganography and cryptography
    • Fast forward to the Internet era …
      – Evolution into digital steganography
         Hiding information in various types of files
         Text or image files inside other image files
  • Digital Steganography
    Hiding information in a file
    (Slide image: a simulated child pornography image hidden inside a photograph of Mirror Lake, Yosemite National Park)
  • Digital Steganalysis
    Detecting and extracting hidden information
    (Slide image: the same carrier photograph and the simulated image recovered from it)
  • Why Use Steganography?
    • Legitimate uses …
      – Digital Rights Management (DRM)
         Digital watermarking of copyrighted works … typically songs and movies
      – Covert military or law enforcement operations
    • Criminal uses …
      – Insider theft of sensitive information
         Financial information, PII, PHI, etc.
      – Concealing evidence of criminal activity
         Distribution of child pornography, drug trafficking, etc.
      – Establishing covert communications channels
         Terrorists
  • Why Communicate Covertly?
    • Use of encryption is “overt”
      – The fact that information has been encrypted is easily detected
         Can lead to successful attempts to decrypt
    • Use of steganography is “covert”
      – The very fact that the information even exists is concealed
         As an added measure of security … information is often encrypted before being hidden in another file
         Steganography is the “dark cousin” of cryptography
  • The Threat
    “The threat posed by steganography has been documented in numerous intelligence reports.”
    “These technologies pose a potential threat to U.S. national security.”
    “International interest in R&D for steganographic technologies and their commercialization and application has exploded in recent years.”
  • The Threat?
    • Lists insiders as an example threat agent along with the usual threat agents
      – Malicious hackers
      – Organized crime
      – Terrorists
      – Nation states
    • In describing threat and vulnerability trends … insiders are at the top of the list!
  • Insider Threat
    Insiders surrounded by sensitive information (Jane and John Insider):
    – Credit card information
    – SSANs
    – Names, addresses, phone numbers
    – Classified information
    – Law enforcement information
    – Intellectual property
  • Insider Threat
    Channels available to Jane and John User:
    – Portable electronic devices (PDA/iPod/etc.)
    – E-mail with or without attachment
    – Telephone
    – Printed listings
    – Thumb drives
    – Various portable storage media
    – CDs/DVDs
  • Availability
    • Applications widely available
      – 1,500+ on the Web
      – Most are freeware/shareware
         http://www.jjtc.com/Steganography/tools.html
    • Easy to find
      – Proof: Google “information hiding”
         Result: over 67,000,000 hits!
    • Easy to download, install, and use
      – “Drag and drop” or “wizard” interface
    • Many offer an encryption option
      – Weak to very strong
  • Typical E-Mail Example
    (Diagram: Sender → Firewall → Internet → Firewall → Receiver)
  • Typical Web Example
    (Diagram: Sender → Receiver)
  • Is It Really Being Used?
    • Shadowz Brotherhood Case
      – “Operation Twins,” March 2002
         Led by the UK’s National Hi-Tech Crimes Unit (NHTCU)
      – The group’s activities included
         Production/distribution of child pornography
         Some featured real-time abuse of children
      – “The group used encryption and also steganography, the practice of hiding of one file within another for extraction by the intended recipient.”
         OUT-LAW.COM, http://www.out-law.com/page-2732, “Global raid breaks advanced internet child porn group”
         http://www.news.bbc.co.uk/1/hi/sci/tech/2082657.stm, “Accessing the secrets of the brotherhood”
         http://www.news.bbc.co.uk/1/hi/uk/2082308.stm, “Police smash net paedophile ring”
  • Is It Really Being Used?
    • The Train Pictures Case
      – Investigator in Tennessee …
         Found Invisible Secrets during a CP investigation
         Also found 500 images of trains …
  • Is It Really Being Used?
    • The Coffee Can Case
      – Probation officer in Minnesota …
         Found two CDs taped under a coffee can
         One CD contained Cloak v7.0a
          » Very strong encryption option
         The other CD contained
          » 41 files between ~12.5 MB and ~23 MB
          » The carrier file was only 263 KB
    (Slide images: the coffee can and the carrier file)
  • Is It Really Being Used?
    • Juan Carlos Ramírez Abadía
      – Colombian drug trafficker
         Accumulated a $1.8B fortune sending drugs to California through Mexico
      – Used pictures of Hello Kitty to hide messages about drug shipments (illustrated on the slide as “Ship the goods to CA on the 15th!”)
      – Arrested by Brazilian Federal Police in Aug 07
         DEA assisted with the computer forensics examination
         Detected/extracted hidden messages
    Profile: born February 16, 1963, Palmira, Colombia. Aliases: Chupeta, Cien, Don Augusto, El Patron, Gustavo Ortiz, Charlie Pareja. Charges: drug trafficking and smuggling, racketeering, money laundering. Status: arrested / extradited.
  • Is It Really Being Used?
    (Image-only slide)
  • Is It Really Being Used?
    Russian Spy Case
  • Is It Really Being Used?
    Operation Shady RAT
    Three stages:
    1. Spear phishing — malicious attachment
    2. Phone home — access image/HTML files
    3. Remote control — upload collected data
    Used steganography to conceal commands from the C&C server!
  • Typical Example
    Least Significant Bit (LSB) Image Encoding
  • Typical Example
    (Diagram: Pixel 1, Pixel 2, Pixel 3 of the carrier image; pixels not to scale)
  • Typical Example
    Add the letter “W” to a 24-bit image file: W = 01010111 (ASCII)
    Each pixel is three bytes (R G B). One payload bit replaces the least significant bit of each byte, so the eight bits of “W” occupy the first eight bytes of pixels 1 to 3:

                          R        G        B
    Pixel 1  Original  10000100 10110110 11100111
             Altered   10000100 10110111 11100110   (bits 0 1 0)
    Pixel 2  Original  10000101 10110111 11100111
             Altered   10000101 10110110 11100111   (bits 1 0 1)
    Pixel 3  Original  10000101 10110110 11100111
             Altered   10000101 10110111 11100111   (bits 1 1; ninth byte unused)
  • Typical Example
    Effect of the change on the first pixel:

             Original   Altered
        R    10000100   10000100   (bit 0: LSB already 0, unchanged)
        G    10110110   10110111   (bit 1: LSB set)
        B    11100111   11100110   (bit 0: LSB cleared)
  • Typical Example
    Carrier image vs. altered image: the altered image contains the text of a 121-page extract from a terrorist training manual (with room for another 72,094 characters!)

    Image size:        768 × 1,024 = 786,432 pixels = 2,359,296 bytes (24-bit RGB)
    Carrying capacity: 2,359,296 LSBs = 294,912 characters
    Payload size:      37,025 words = 222,818 characters (with spaces)
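The following is an added example (not from the slides or SARC) that carries the LSB arithmetic above through in working Python: it embeds the bits of “W” into the three carrier pixels shown, reads them back, counts how many channel bytes actually changed, and computes the carrying capacity of a 768 × 1,024 image. The carrier is modelled as a flat bytearray of R, G, B channel values (a constructed sample taken from the slide, not a real image file), so no image library is needed.

```python
"""LSB embedding over raw 24-bit RGB samples (added example, not SARC code).

The carrier is a flat bytearray of channel values (R, G, B, R, G, B, ...),
which is what a decoded bitmap looks like in memory. Every channel byte
offers exactly one bit of capacity.
"""


def lsb_capacity_chars(width: int, height: int, channels: int = 3) -> int:
    """Number of 8-bit characters that fit in the LSBs of a width x height image."""
    return width * height * channels // 8


def lsb_embed(carrier: bytearray, payload: bytes) -> bytearray:
    """Return a copy of carrier with payload bits written into the channel LSBs, MSB first."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError(f"payload needs {len(bits)} channel bytes, carrier has {len(carrier)}")
    stego = bytearray(carrier)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return stego


def lsb_extract(stego: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the channel LSBs (the receiver must know the length)."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def lsb_changed_channels(original: bytes, stego: bytes) -> int:
    """Channel bytes that actually differ; on random data about half the payload bits."""
    return sum(1 for a, b in zip(original, stego) if a != b)


# Constructed sample: the three carrier pixels from the slide, R G B per pixel.
SLIDE_PIXELS = bytearray([
    0b10000100, 0b10110110, 0b11100111,   # pixel 1
    0b10000101, 0b10110111, 0b11100111,   # pixel 2
    0b10000101, 0b10110110, 0b11100111,   # pixel 3
])

if __name__ == "__main__":
    stego = lsb_embed(SLIDE_PIXELS, b"W")
    for p in range(3):
        orig = " ".join(f"{v:08b}" for v in SLIDE_PIXELS[p * 3:p * 3 + 3])
        new = " ".join(f"{v:08b}" for v in stego[p * 3:p * 3 + 3])
        print(f"pixel {p + 1}: {orig} -> {new}")
    print("recovered:", lsb_extract(stego, 1))
    print("changed channel bytes:", lsb_changed_channels(SLIDE_PIXELS, stego))
    print("768x1024 capacity (chars):", lsb_capacity_chars(768, 1024))
```

Only four of the nine channel bytes change, and each by at most one unit of intensity, which is why the altered image is visually indistinguishable from the carrier; the same property is what makes LSB embedding detectable statistically rather than visually.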
  • Detecting Steganography
    • Traditional approach
      – Blind detection
         Visual attack
         Structural attack
         Statistical attack
      – Result expressed as a probability
         No extraction capability
    • New approach needed
      – Analytical detection
         Detect “fingerprints”
         Detect “signatures”
      – Accurately identify the application used
         Provide extraction and decryption capability
  • The SARC
    Steganography Analysis and Research Center
    World’s largest repository of steganography applications, fingerprints and signatures.
    Provider of tools, techniques, and procedures to detect the use of steganography and extract hidden information.
  • Detecting Steganography
    Detecting “fingerprints” of file artifacts - Artifact Detection
      Fingerprint = MD5 hash value of the artifact, e.g. A539F21BCA458D2EFFD44F3A5C023DB1
    Detecting “signatures” - Signature Detection
      Signature = hexadecimal byte pattern left in the carrier, e.g. 2E DD 43 (the slide’s “John Hancock” analogy)
  • Detecting Steganography
    (Diagram: two hex dumps)
    Left: a file associated with a steganography application is hashed; the resulting hash value (A539F21BCA458D2EF…) is referred to as the fingerprint of the file artifact associated with the steganography application.
    Right: any file is scanned for the byte pattern (2E DD 43); the resulting hexadecimal byte pattern is referred to as the signature left in the carrier file by the steganography application.
  • Detecting Steganography
    • The difference is very subtle yet very significant
      – Fingerprint detection
         Indicates the application is, or was, present and may have been used to hide something
      – Signature detection
         Indicates the application was used to hide something
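An added example, not SARC or StegAlyzer code, showing the two checks side by side over a few constructed in-memory files: a fingerprint scan that hashes each file and looks the digest up in a hash set, and a signature scan that looks for known byte patterns in carriers. The hash set entry (a hypothetical “stegtool.exe”), the “ExampleStego”/“TrailerStego” application names and the trailer pattern are assumptions made for illustration; 2E DD 43 is only the slide’s illustrative value, not any real application’s signature. MD5 is kept because that is what the slide shows; a new hash set would use SHA-256.

```python
"""Fingerprint (artifact) scan vs. signature scan (added example, not SARC/StegAlyzer code).

Fingerprint: hash a file and look the digest up in a set of known stego-application
components. A hit says the application is, or was, on the system.
Signature: look inside an arbitrary file for a byte pattern a stego application
leaves behind when it embeds. A hit says the application was used on that file.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    app: str
    pattern: bytes
    offset: Optional[int]   # None = anywhere; >= 0 = fixed offset; < 0 = counted from the end


# Constructed hash set (stands in for a hash database such as SAFDB): digest -> app name.
ARTIFACT_HASHES: Dict[str, str] = {}

# Constructed signature table. 2E DD 43 is only the slide's illustrative pattern;
# "TrailerStego" and its 4-byte trailer are assumptions for this example.
SIGNATURES: List[Signature] = [
    Signature("ExampleStego", b"\x2e\xdd\x43", None),
    Signature("TrailerStego", b"STEG", -4),
]


def fingerprint(data: bytes) -> str:
    """MD5 of the whole file, as on the slide. Use SHA-256 when building a new hash set."""
    return hashlib.md5(data).hexdigest().upper()


def register_artifact(app: str, data: bytes) -> str:
    """Add a known application component to the hash set; returns its fingerprint."""
    digest = fingerprint(data)
    ARTIFACT_HASHES[digest] = app
    return digest


def scan_artifact(data: bytes) -> Optional[str]:
    """Fingerprint detection: name of the application this file belongs to, if known."""
    return ARTIFACT_HASHES.get(fingerprint(data))


def scan_signatures(data: bytes) -> List[str]:
    """Signature detection: applications whose embedding pattern appears in this file."""
    hits = []
    for sig in SIGNATURES:
        if sig.offset is None:
            found = sig.pattern in data
        elif sig.offset < 0:
            found = len(data) >= -sig.offset and data[sig.offset:] == sig.pattern
        else:
            found = data[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern
        if found:
            hits.append(sig.app)
    return hits


def triage(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Run both scans over a name -> bytes map; returns (file, finding, what it means)."""
    findings = []
    for name, data in files.items():
        app = scan_artifact(data)
        if app:
            findings.append((name, f"artifact of {app}", "application present; may have been used"))
        for app in scan_signatures(data):
            findings.append((name, f"signature of {app}", "application was used to hide something"))
    return findings


# --- constructed sample files (hypothetical, not real tool binaries) ----------
STEGTOOL_EXE = b"MZ" + b"\x00" * 62 + b"constructed stego tool binary"
register_artifact("ExampleStego", STEGTOOL_EXE)

SAMPLE_FILES: Dict[str, bytes] = {
    "stegtool.exe": STEGTOOL_EXE,
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20 + b"\x2e\xdd\x43" + b"\xff\xd9",
    "notes.txt": b"plain text, nothing hidden",
}

if __name__ == "__main__":
    for name, finding, meaning in triage(SAMPLE_FILES):
        print(f"{name}: {finding} -> {meaning}")
```

Two practitioner caveats that the slide’s distinction implies: a short anywhere-pattern such as the three-byte value above will match by chance in large binaries, so production signatures are longer or anchored to an offset (hence the offset field); and a hash set goes stale the moment a tool is recompiled, whereas the pattern it leaves in carriers usually survives a new build, which is why signature detection carries the stronger meaning.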
  • Steganalysis Products and Services
  • Products
  • StegAlyzerAS
    Steganography Analyzer Artifact Scanner
  • StegAlyzerAS
    • Independently evaluated and tested by the Defense Cyber Crime Institute (DCCI)
      – Found to be effective for law enforcement and forensic use
    • Automates the process of detecting file artifacts of steganography applications
    • Detects file artifacts associated with over 1,200 steganography applications in SAFDB
    Uses SAFDB … the world’s largest steganography hash set!
  • StegAlyzerAS
    • Scans mounted file systems or selected directories
    • Scans EnCase, ISO, RAW (dd), SMART, SafeBack, Paraben Forensic Replicator, and Paraben Forensic Storage formatted disk images
    • Employs highly efficient algorithms for file selection and subsequent hashing
      – Lightning fast
  • StegAlyzerAS
    • Searches the Windows Registry for keys created or modified by installing digital steganography applications
      – Only commercially available steganalysis tool that does this!
    Registry Artifact Key Database (RAKDB)
  • StegAlyzerSS
    Steganography Analyzer Signature Scanner
  • StegAlyzerSS
    • Scans all files on suspect media for known signatures of steganography applications
      – Unique byte patterns left in the carrier file as a by-product of embedding hidden information
  • StegAlyzerSS
    • Unlike blind detection products that only yield a “probability” that a given file may contain hidden information
      – No blind paths to examine!
    (Slide cartoon: “Hmmm … there’s only a 62% probability that something may have been hidden in this file!”)
  • StegAlyzerSS
    • Independently evaluated and tested by the Defense Cyber Crime Institute (DCCI)
      – Determined results to be highly accurate
         Degree of Confidence (DoC) = 99.6% (85% is the lower threshold for acceptability)
         Measure of Usefulness (MoU) = 77% (50% is the lower threshold for acceptability)
  • StegAlyzerSS
    • Automated Extraction Algorithms (AEAs)
      – Automatically extract hidden information from carrier files
    • Only commercially available product with this capability!
    Unique “Point-Click-and-Extract” feature
  • StegAlyzerSS
    • Append Analysis feature
      – Identifies files with information embedded beyond the end-of-file marker
    • Least Significant Bit (LSB) Enhancement feature
      – Identifies files with information embedded using LSB image encoding
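Append analysis is the one check on this slide that is simple to reproduce. The following is an added example, not StegAlyzerSS code: it walks the JPEG segment structure to the EOI marker (and the PNG chunk list to IEND) and reports whatever bytes follow. The sample carriers are constructed inline and the function names are the example’s own. Walking the structure matters: searching for the first FF D9 stops at an EXIF thumbnail’s own EOI inside an APP1 segment, and searching for the last FF D9 is fooled by appended data that happens to contain one.

```python
"""Append analysis for JPEG and PNG carriers (added example, not StegAlyzerSS code).

Tools that hide data by simply appending it leave the image intact: viewers stop
at the format's terminator and never read the tail. This walks the real structure
to find that terminator and returns every byte after it.
"""
import zlib
from typing import Optional, Tuple

JPEG_SOI = b"\xff\xd8"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker reached by walking the segments, or None if malformed."""
    i, n = 2, len(data)                      # skip SOI
    while i + 2 <= n:
        if data[i] != 0xFF:
            return None                      # expected a marker here
        marker = data[i + 1]
        if marker == 0xFF:                   # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                   # EOI
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            i += 2
            continue
        if i + 4 > n:
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")   # length field includes itself
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            # Inside it, FF is always followed by 00 (stuffing) or D0-D7 (restart);
            # any other FF xx is the next real marker.
            while i + 1 < n:
                if data[i] == 0xFF and data[i + 1] != 0x00 and not 0xD0 <= data[i + 1] <= 0xD7:
                    break
                i += 1
    return None


def png_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk (length + type + data + CRC), or None if not found."""
    i, n = len(PNG_MAGIC), len(data)
    while i + 8 <= n:
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i if i <= n else None
    return None


def append_analysis(data: bytes) -> Tuple[str, Optional[int], bytes]:
    """Return (format, logical end offset, appended bytes). Empty bytes = nothing appended."""
    if data.startswith(JPEG_SOI):
        fmt, end = "jpeg", jpeg_end(data)
    elif data.startswith(PNG_MAGIC):
        fmt, end = "png", png_end(data)
    else:
        return "unknown", None, b""
    if end is None:
        return fmt, None, b""
    return fmt, end, data[end:]


# --- constructed sample carriers (skeletons, not real photographs) ------------

def build_jpeg(entropy: bytes, tail: bytes = b"") -> bytes:
    """Minimal JPEG skeleton: SOI, APP0, SOS, entropy data, EOI, then an optional appended tail."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    return JPEG_SOI + app0 + sos + entropy + b"\xff\xd9" + tail


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return len(payload).to_bytes(4, "big") + ctype + payload + crc.to_bytes(4, "big")


def build_png(tail: bytes = b"") -> bytes:
    """Magic, a 1x1 IHDR, IEND, then an optional appended tail."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x08\x02\x00\x00\x00"
    return PNG_MAGIC + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"") + tail


if __name__ == "__main__":
    samples = {
        "clean.jpg": build_jpeg(b"\x12\xff\x00\x34\xff\xd0\x56"),
        "stego.jpg": build_jpeg(b"\x12\xff\x00\x34\xff\xd0\x56", b"hidden payload"),
        "stego.png": build_png(b"appended zip bytes"),
    }
    for name, blob in samples.items():
        fmt, end, tail = append_analysis(blob)
        print(f"{name}: {fmt}, logical end {end}, {len(tail)} appended byte(s)")
```

A non-empty tail is a finding, not a verdict: some legitimate writers leave trailing padding, and a tail that is itself a valid archive or a second image (a polyglot) is the strongest indicator. The same structural walk is the first step of extraction, since the appended bytes are the payload.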
  • StegAlyzerFS
    Steganography Analyzer Field Scanner
  • StegAlyzerFS
    • Executes from a single USB flash drive
    • Requires no installation or configuration
    • Does not change the target storage media
      – Preserves forensic integrity
    • Detects file artifacts associated with over 1,200 steganography applications in SAFDB
    • Detects signatures associated with over 55 steganography applications
    Perform rapid triage on suspect computers for the presence and use of steganography!
  • StegAlyzerFS
    • Supports popular file systems
      – FAT, FAT32, and NTFS file systems on Windows
      – ext2, ext3, ext4, ReiserFS, and XFS file systems on Linux
      – HFS+ file system on Intel-based Apple operating systems
    • Automated decompression/extraction of archived and compressed file types
      – zip, iso, tar, gz, gz2, bz, bz2, rar, cab, pax, cpio, xar, lha, ar, mtree
    • Extensive report generation in HTML format
    • Automated logging of key events and information of potential evidentiary value
  • StegAlyzerRTS
    StegAlyzerAS – Artifact Scanner; StegAlyzerSS – Signature Scanner; StegAlyzerRTS – Real-Time Scanner
  • StegAlyzerRTS
    Hardware Platform (slide photo)
  • StegAlyzerRTS
    • Hardware specifications (100 Mbps or 1 Gbps)
      – 1U rack mountable (1.75”)
      – Connect to:
         Switch Port Analyzer (SPAN) port of the gateway router
         Network tap (recommended)
      – Single eight-core Xeon processor, 2.90 GHz
      – 128 GB RAM
      – 146 GB 15K RPM SAS HDD × 2
      – Four Gigabit Ethernet NICs
      – Redundant power supply
  • StegAlyzerRTS
    • Current capabilities
      – Detects artifacts of over 1,200 applications
      – Detects signatures of over 55 applications
      – Processes HTTP and SMTP packets in the inbound/outbound packet stream
      – Management console for administration
  • StegAlyzerRTS
    • Planned enhancements
      – Web-based management system
      – Non-aggregated traffic processing
      – Detect artifacts and signatures in
         Inbound e-mail sent via IMAP/POP3
         Files downloaded/uploaded via FTP
      – Platform for 2.5 Gbps and 10 Gbps networks
      – Additional communications protocols
      – Many more …
  • Example Scenarios
    • Insider downloads a steganography application
    • Insider downloads a carrier file and uses a steganography application to extract a child pornography image
    • Insider steals sensitive information by sending hidden information in an e-mail attachment
  • Demonstration Scenario #1
    Insider Downloads Steganography Application
    (Diagram: Internet → StegAlyzerRTS → network; Jane Doe, USERID: jane.doe@acme.com, IP: 234.14.192.77)
    Alert to the Network Security Administrator: “GhostHost fingerprint detected: ghosthost.exe by IP: 234.14.192.76 @ 10:00 01-01-2013”
  • Demonstration Scenario #2
    Insider Downloads Carrier File and Extracts Simulated CP Image
    (Diagram: Internet → StegAlyzerRTS → network; John Doe, USERID: john.doe@acme.com, IP: 234.14.192.76)
    Alert to the Network Security Administrator: “GhostHost signature detected: capitol.jpg by IP: 234.14.192.76 @ 10:00 01-01-2013”
  • Demonstration Scenario #3
    Insider E-Mails Sensitive Information to External Recipient
    (Diagram: Jane Doe, USERID: jane.doe@acme.com, IP: 234.14.192.77, e-mails an attachment through StegAlyzerRTS to an external recipient)
    Alert to the Network Security Administrator: “GhostHost signature detected in e-mail attachment: capitol.jpg from IP: 234.14.192.76 @ 10:00 01-01-2013”
    Simulated sensitive data hidden in the attachment (fictional names; SSANs and DOBs are demo values):

    Name               SSAN         DOB
    Eliot Ness         157-98-9425  12/06/43
    Adrian Monk        248-84-5724  03/24/65
    Jessica Fletcher   347-65-2585  04/18/54
    Clancy Wiggum      247-21-8247  11/05/34
    Frank Drebin       578-92-5356  10/06/56
    Lenny Briscoe      374-75-6872  05/06/49
    Joe Friday         147-87-6057  02/20/69
    Jim Rockford       598-67-2499  03/30/72
    Dave Starsky       248-56-9610  12/25/66
    Ken Hutchinson     463-98-5641  01/01/45
    Barney Miller      344-15-1243  07/04/23
    Thomas Magnum      654-89-4321  04/21/37
    Christine Cagney   234-98-6543  10/31/44
    T.J. Hooker        567-12-8765  08/24/66
    Dick Tracy         123-54-6789  09/25/54
  • What is hidden in this MS Word document?
    Using StegAlyzerSS, you would discover this: (Simulated Cure For Cancer)
  • What is hidden in this image?
    Using StegAlyzerSS, you would discover this: (PDF file containing the Al Qaeda Training Manual)
  • What is hidden in this image?
    Using StegAlyzerSS, you would discover this: (Simulated Child Pornography)
  • Summary
    • Insider use of steganography is a serious threat
    • Not being detected—no one is looking for it
    • SARC has created the world’s largest database of digital steganography applications
    • SARC has developed state-of-the-art steganalysis tools
    • SARC has the world’s only commercially available real-time steganography scanner
  • Summary
    • Scan inbound and outbound network traffic to detect insiders downloading and using digital steganography applications
    • Include steganalysis as a routine aspect of digital forensic examinations … otherwise key evidence may go undetected!
  • For Additional Information
    www.sarcwv.com
  • For Additional Information
    Backbone Security
    42 Mountain Park Drive
    Fairmont, West Virginia 26554-8992
    Phone: 877.560.SARC
    Fax: 304.333.7272
    E-Mail: sarc@backbonesecurity.com
    Web: www.sarc-wv.com