
Steganography - An Introduction to Data Hiding Techniques



  1. Steganography - An Introduction to Data Hiding Techniques
     - Michael Panczenko, Director, E-Crime
     - The Windermere Group, LLC, 2000 Windermere Court, Annapolis, MD 21401
     - Northern Ohio Information Technology Roundtable, Independence, Ohio, 6 June 2002
  2. Who We Are
     - The Windermere Group, LLC: an Annapolis, MD-based information technology company
     - Provide specialized techniques and tools for high-technology crime investigation and security consulting, critical infrastructure assurance, and surveillance
     - Offerings include:
       - Computer and network forensics
       - Data recovery, including decryption
       - Signal and data reconstruction, e.g., audio and video enhancement
       - Intelligence collection and analysis and unconventional threat assessments
       - Specialized security appliqués
  3. A Motivating Example
     - Here’s a highly sensitive document
     - This is a classic example of steganography
  4. Agenda
     - Introduce the concept of steganography
     - Discuss common steganographic techniques and their uses
     - Explain the challenges to security professionals and the need for improved detection techniques
     - Present some readily-available techniques for improving steganographic detection
  5. Terminology
     - Steganography
       - Steganography comes from the Greek words for “covered writing”
       - It is the practice of disguising the existence of a message
     - Cover
       - Generally, innocent-looking carriers, e.g., pictures, audio, video, text, etc. that hold the hidden information
       - The combination of hidden data-plus-cover is known as the stego-object
     - Stegokey
       - An additional piece of information, such as a password or mathematical variable, required to embed the secret information
  6. Classification of Hiding Techniques
     - Ref: F.A.P. Petitcolas, R.J. Anderson, and M.G. Kuhn, “Information Hiding - A Survey,” in Proc. of the IEEE, vol. 87, no. 7, July 1999, pg. 1063
  7. Typical Scenario
     - Sender hides secret message in a cover using a stegokey
     - Transmitted carrier appears innocuous
     - Receiver decodes secret message by removing the cover using the stegokey
     - Receiver reads secret message
  8. Steganography vs. Encryption
     - Steganography should not be confused with encryption
       - Encryption disguises the content of a message. The existence of the message is usually obvious
       - Steganography disguises the existence of the message
     - However, additional security can be obtained if steganography is combined with encryption
  9. Example
     - Encryption
     - Steganography (contains embedded encrypted message)
  10. Steganography Through History
      - Ancient Greece, 5th-Century B.C.: tattooing secret message on slave’s head
      - Trithemius, Steganographia, 1606
      - Gaspari Schotti, Schola Steganographica, 1665
      - Invisible inks
      - Null ciphers — camouflaging secret messages in innocent sounding message
        - Cover text: “Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on byproducts, ejecting suets and vegetable oils.”
        - Hidden message (second letter of each word): Pershing sails from NY June 1
  11. An Innocent Web Page?
  12. Why Steganography Works
      - Human Visual System (HVS) - characteristics include:
        - Insensitivity to gradual changes in shade
        - Insensitivity to high frequencies and the blue region of the visible spectrum
      - Human Audio System (HAS) - characteristics include:
        - Sensitive to additive random noise
        - Inability to perceive absolute phase
      - But, poor human perceptibility ≠ undetectability
  13. Uses of Steganography
      - Steganography is primarily of use in maintaining anonymity and it can be applied to virtually any digitized audio, graphics, or text file
      - Uses include:
        - Creating covert channels for private communications
        - Data infiltration/exfiltration
        - Digital signatures for file authentication (digital watermarking or copyrighting)
        - Web surfer tracking/direct marketing
  14. Digital Watermarking
      - Protection of intellectual property rights/thwart software piracy
      - Watermarking has been proposed as the “last line of defense”
        - Implements copy protection, e.g., “never copy,” “copy once”
        - Copyright ownership and original, authorized recipient can be determined
        - Allows trace-back of illegally produced copies for prosecution
  15. SDMI
      - Secure Digital Music Initiative (SDMI) - forum of more than 180 companies (IT, consumer electronics, recording industry)
      - Attempting to prevent digital piracy through watermarking technology
      - Some consumer electronics manufacturers already introducing SDMI compatible products
  16. Digital Piracy
      - Annual global piracy losses are $11B
        - 9 of 10 business software applications in China, Vietnam, Indonesia, and Russia are pirated
        - Asia leads the world in developing and selling pirated software
      - Piracy will continue to increase due to Internet distribution methods
        - Global market for media and entertainment expected to be $1T by 2004 (PWC Report)
        - Recorded music sales: $42B
        - “Legitimate sales” of digital on-line music: $1.5B USD
      - Significant hacking activity by bootleggers to render watermarking techniques useless
  17. How Is Hiding Typically Done?
      - The simpler techniques replace the least significant bit (LSB) of each byte in the cover with a single bit of the hidden message
      - Frequently, these are encrypted as well
      - More sophisticated methods include:
        - selecting robbed bytes using a random number generator
        - resampling the bytes-to-pixel mapping to preserve the color scheme
        - hiding information in the coefficients of the discrete cosine, fractal, or wavelet transform of the image
        - spread spectrum
        - mimic functions that adapt bit patterns to a given statistical distribution
      - (Figure: hidden message and cover)
  18. LSB Substitution Example
      - As can be seen from these figures, 3-5 LSBs can be removed and still provide acceptable image quality
  19. Who’s Using It?
      - Good question… nobody knows for sure.
      - The whole point to steganography is to disguise its use.
      - However, anybody can use it to hide data or to protect anonymity
      - Likely users include:
        - Trade fraud
        - Industrial espionage
        - Organized crime
        - Narcotics traffickers
        - Child pornographers
        - Criminal gangs
        - Individuals concerned about perceived government “snooping”
        - Those who want to circumvent restrictive encryption export rules
        - Anyone who wants to communicate covertly and anonymously
  20. Some Known Uses of Steganography
      - Economic espionage - used to exfiltrate information from a major European automaker
      - Political extremists - increasingly being used for secure communications, e.g., Germany
      - Fraud - used as a “digital dead drop” to hide stolen card numbers on a hacked Web page
      - Pedophilia - used to store and transmit pornographic images
      - Terrorism - used to hide terrorist communications over the Internet, e.g., Osama bin Laden’s alleged use of steganography
  21. Terrorism
      - Alleged use of stego by Osama bin Laden, Muslim extremists (Feb ‘01)
      - Stego’d messages hidden on Web sites to plan attacks against the US
      - Maps, target photos hidden in sports chat rooms, pornographic bulletin boards, popular Web sites
  22. Scale of the Problem
      - Unknown... there is little public information on the use of data hiding techniques by cybercriminals
      - Only recently has the security community started to concern itself with this subject
        - Lack of awareness
        - Lack of developed analysis tools and techniques
      - It is believed that hiding techniques are predominantly used by more advanced criminals (organized crime) and some emerging threats, e.g., terrorists, nation-states
      - Availability, new easy-to-use interfaces may increase attractiveness of stego techniques for the average user
  23. Where Is It Coming From?
      - Over 140 data hiding packages and services currently available from numerous Web sites
      - Platforms include:
        - Windows
        - DOS
        - Java
        - Macintosh
        - OS/2
        - Amiga
        - Unix/Linux
  24. Increasing Awareness
      - Likely factors increasing awareness:
        - Privacy/freedom of expression
        - E-Commerce
        - Encryption export concerns
        - Protection of intellectual capital
        - Perceived government snooping
      - (Chart: # of AltaVista keyword hits on “Steganography”, one hit per Web site)
  25. Example Steganography Programs
  26. BMP Secrets
      - Parallel Worlds, Kiev, Ukraine
      - products/index.html
      - Replaces up to 65% of a true-color BMP carrier with hidden data
      - Inputs can be several different formats, e.g., JPEG, GIF; outputs true-color BMP
  27. StegComm
      - Features include:
        - Multimedia steganography (images, audio, video)
        - Multi-level security and DES encryption
        - Built-in E-mail function
        - Unlimited hidden data length
  29. MP3Stego
      - Compresses, encrypts, then hides data in an MP3 bit stream
      - Developed by F.A.P. Petitcolas, Computer Laboratory, Cambridge
      - URL: ~fapp2/steganography/mp3stego/
  30. S-Mail and S-Split
      - Secure Software Development, Ltd.
      - Bahamian-based developer of privacy software -- promotes usage for offshore banking
      - Products include:
        - S-Mail: encrypts and stegos data in .EXE or .DLL files
        - S-Split: works with stego software to split files into multiple parts
  31. Spammimic
      - Encodes message into innocent-looking spam mail
      - (From the Web site) “Even if Spammimic only gets 2 hits a day; the fact that it's here might force the snoops to process terabytes of spam -- making them spend a little less time on other mails.”
  32. Steganos III
      - Features include:
        - Strong encryption (AES)
        - Secure, hidden drive
        - Internet trace destructor
        - File shredder
        - E-mail encryptor
      - “More than one million users world-wide use Steganos”
  33. Z-File
      - Features include:
        - Strong encryption (up to 1024 bits)
        - Multi-layer protection - up to 20 layers of recursive compression, camouflage, and encryption
        - Built-in E-mail function
      - Developed by INFOSEC Information Security Co., Ltd., Taipei, Taiwan, ROC
        - Cost: $14.50USD
  34. Secret Fax
      - MediaFair, Inc. (Monterey Park, CA)
      - Secret Fax embeds secret information into the carrier image
        - “Hacker or unrelated person only received [sic] the carrier image and can not recognized [sic] any secret information from it without the password”
  35. Other Commercial Products
  36. Detection and Analysis
  37. Need for Improved Detection
      - Growing awareness of data hiding techniques and uses
      - Availability and sophistication of shareware and freeware data hiding software
      - Concerns over use to hide serious crimes, e.g., drug trafficking, pedophilia, terrorism
      - Frees resources currently spent on investigating cases with questionable/unknown payoff
      - Legislative calls
        - US Bill H.R. 850, Security and Freedom through Encryption (SAFE) Act
        - UK Revision of Interception of Communications Act 1985
  38. Detection
      - Can steganography be detected?
        - Sometimes… many of the simpler steganographic techniques produce some discernible change in the file size, statistics, or both. For image files, these include:
          - Color variations
          - Loss of resolution or exaggerated noise
          - Images larger in size than that to be expected
          - Characteristic signatures, e.g., distortions or patterns
        - However, detection often requires a priori knowledge of what the image or file should look like
  39. Detection Challenges (1/2)
      - Stego software developers understand their products’ weaknesses and have made significant improvements:
        - minimal carrier degradation → makes embedded data harder to perceive visually
        - better modification immunity → e.g., affine invariance, immunity to channel noise, compression, conversion
        - use of error correction coding → ensures integrity of hidden data
      - These improvements have led to even greater difficulty in detection
  40. Detection Challenges (2/2)
      - Lack of tools and techniques to recover the hidden data
        - No commercial products exist for detection
        - Custom tools are analyst-intensive
        - Few methods beyond visual analysis of graphics files have been explored
      - Usually, no a priori knowledge of existence
      - No access to stegokey
      - Use of unknown applications
  41. Steganalysis: Select Research Overview
      - Several on-going research activities for improving steganographic analysis methods
      - Some research is focusing on processing techniques to reveal features in files that will:
        - Blindly, i.e., with no a priori knowledge, indicate the presence of hidden data
        - Uniquely identify known stego packages
      - Some examples follow...
  42. Twin Peaks Histogram Attack
      - Some stego packages produce easily detectable double histogram spikes
      - These spikes indicate isolated colors in the image
      - Isolated colors occur when certain bits are suppressed or when the RGB colors of the original image are mapped to a limited set of smaller colors in the stego image
      - (Figure: unstego’d and stego’d histograms; note double spikes)
  43. Stegdetect
      - Automated tool for detecting steganographic content in images
      - Currently-claimed detection schemes:
        - Jsteg
        - JPHide
        - Invisible Secrets
        - Outguess 0.1.3b
      - Windermere’s analysis shows this program is extremely unreliable and provides excessive (i.e., near 100%) false-positives
  44. Summary: Some Indicators of Data Hiding Activity
      - Evidence of steganography software on computer
        - Forensics examination
        - Hashes of well-known files don’t match originals
      - Transmission logs
        - Excessive/unusual e-mails involving pictures, sound files, etc.
      - Discernible (visual) changes
      - Statistical analysis
  45. Detection Countermeasures: Additional Challenges to the Forensics Community
  46. Disk Wiping Programs
      - Several products currently available on the Internet that are designed to thwart forensic examination by wiping critical files on a hard disk
      - Example:
        - Evidence Eliminator
        - “Buy protection for just $74.95(US) that will defeat Forensic Analysis equipment costing over $7000.00(US).”
  47. Zero Emission Pad
      - Ref: /english/steganos/zep.htm
      - “Since decades international secret services use the fact that all electronic devices emit compromising rays. These rays can be used to recover a picture displayed by a monitor. Even if these rays passed walls and the receiver is many meters away. Together with our partner, the University of Cambridge (Great Britain), we offer to you the possibility to defuse these compromising rays via software (patent-pending "Soft-Tempest"). The text editor Steganos II Zero Emission Pad is the world's first Windows editor that supports the emission defusing display.”
  48. Trends
      - Increased convergence of Internet with telephony and other media will likely increase development, impact of new data hiding techniques
        - Personal Digital Assistants
        - Voice over IP
        - PCS
      - Software piracy likely to increase → criminals will actively work to develop new watermark attack techniques
  49. Summary
      - Steganography is primarily used to maintain anonymity and is easily available to most anyone
      - Sophisticated tools are readily available on the Internet, and are easy-to-use
      - Lack of both awareness and developed tools and analysis techniques
        - Only recently has the security community started to concern itself with this subject
        - Little public information on the use of data hiding
      - Development/use of information hiding products far outpaces the ability to detect/recover them; this situation is not likely to change soon
  50. A Final Thought
      - “I think we are perilously close to a lose-lose situation in which citizens have lost their privacy to commercial interests and criminals have easy access to absolute anonymity. That's not a world we want.”
      - Philip Reitinger, Former Senior Counsel, US Justice Department, Computer Crime and Intellectual Property Division
  51. Questions?
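
The LSB substitution from the "How Is Hiding Typically Done?" slide and the "statistical analysis" indicator from the "Detection" and indicators slides, as an added example that is not part of the original presentation. It uses a pairs-of-values chi-square test, a technique swapped in here that the slides do not name; the cover samples, payload bits, function names and the 3.0 cut-off are constructed assumptions.

```python
import random
from collections import Counter

def embed_lsb(cover: bytes, bits: list) -> bytes:
    """LSB substitution: each payload bit replaces the low bit of one cover byte."""
    if len(bits) > len(cover):
        raise ValueError("payload longer than cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return bytes(out)

def pair_chi2(samples: bytes, min_total: int = 10):
    """Chi-square statistic for 'values 2k and 2k+1 are equally frequent'.

    LSB replacement with random-looking (e.g. encrypted) bits only moves a
    sample between 2k and 2k+1, so it evens out each pair while leaving the
    pair total unchanged. Returns (statistic, number_of_pairs_used).
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_total:          # too few samples to say anything
            continue
        stat += (a - b) ** 2 / (a + b)
        pairs += 1
    return stat, pairs

def looks_lsb_replaced(samples: bytes, ratio_limit: float = 3.0) -> bool:
    """Flag data whose pairs are as balanced as chance alone would make them.

    Under full LSB replacement the statistic averages about 1 per pair;
    ratio_limit is an assumed cut-off for this example, not a standard value.
    """
    stat, pairs = pair_chi2(samples)
    return pairs > 0 and stat / pairs < ratio_limit

def constructed_cover(n: int = 40000, seed: int = 1) -> bytes:
    """Constructed 8-bit samples: four flat grey levels plus Gaussian noise."""
    rng = random.Random(seed)
    levels = (40, 90, 150, 200)
    return bytes(min(255, max(0, round(rng.gauss(rng.choice(levels), 2.5))))
                 for _ in range(n))

def random_bits(n: int, seed: int = 2) -> list:
    """Constructed payload: random bits standing in for an encrypted message."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]

if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed_lsb(cover, random_bits(len(cover)))
    for name, data in (("cover", cover), ("stego", stego)):
        stat, pairs = pair_chi2(data)
        print(f"{name}: chi2 per pair = {stat / pairs:.2f}, "
              f"flagged = {looks_lsb_replaced(data)}")
```

When only the first half of the samples carries a payload, the test flags that prefix but not the file as a whole, so a single whole-file statistic can miss a short embedded message.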