ECrime and Steganography Lecture & Demonstration.

Date post: 27-Mar-2015
Upload: timothy-chavez

eCrime and Steganography

Lecture & Demonstration

© 2003-2006 WetStone Technologies, Inc.

Origins of Steganography

Steganography Origins
– From the Greek Roots
  “Steganos” or Covered
  “Graphie” or Writing
  “Covered Writing”
– First Known Usage
  The early Greeks and Persians used several forms of covered writing to conceal the communication of secret or covert messages
  Origins date back as far as 2,500 years ago

Origins of Steganography

Demaratus of Ariston was exiled in Persia, and while there, he received news that Xerxes had decided to invade Greece. He decided that he must get word of the pending invasion to Sparta.

Since discovery of such an act meant certain death, he decided that he must conceal the message. He scraped the wax off a pair of wooden folding writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.

The tablet was passed by the sentries without raising any suspicion and was delivered to and read by the Greeks.

WAX TABLET

Origins of Steganography

Null Cipher Messages
– Most notably this method was used during World War I by the Germans
– Text based steganography has taken on several forms

PRESIDENT’S EMBARGO RULING SHOULD HAVE IMMEDIATE NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW, STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY

Reading the first letter of each word reveals the hidden message:

PERSHING SAILS FROM NY JUNE 1

Dangers of Steganography

Steganography vs. Encryption
– Steganography and Encryption each have distinct purposes

Encryption
– Keeps information private by using a mathematical algorithm which renders the contents unreadable unless you possess a specific key allowing you to decipher the message
– Encrypted objects are typically easy to identify or detect
– The existence of the message is obvious, however the content is obscured

Steganography
– Hides the actual existence of a message or hidden data
– Hides information in plain sight by exploiting weaknesses of our human senses

Dangers of Steganography

[Figure: panels labelled Steganography and Encryption]

Steganography E-Mail Communication

[Figure: diagram with the labels Covert Message, Carrier Image, Apply Stego, password, Send Message With Innocuous Attachment, Firewall, Firewall, Reveal Stego, password, CP, Revealed CP]

Who knows about this technology?

How big is the problem?

[Figure: chart “Steganography Programs in the Wild”; horizontal axis 2001, 2002, 2003, 2004, Today; vertical axis 0 to 350; data label 327]

Who knows about it?

source google.com

How global is the problem?

[Figures: one slide each labelled ARABIC, CHINESE, GERMAN, KOREAN, CROATIAN, JAPANESE]

Steganography

How does it work?

How is this possible?

Human Sight
– Characteristics
  Poor detection and identification of differing shades of color
  Poor recognition of high intensity shades (i.e. bright blue and violet shades of color)

Human Hearing
– Characteristics
  Very sensitive to noise and distortion
  Poor at detecting slight amplitude shifts
  Poor at detecting slight phase shifts

Palette Images

Map to a pre-defined color on a table
– Pixel represented by table lookup value

[2] http://www.webstyleguide.com/graphics/displays.html

RGB or True Color Images

True Color images
– Typically represented by 24 bits
– 8 bits for each color (red, green, blue)
– 16.7M possible colors (2^8 x 2^8 x 2^8)
– Each pixel holds color triplet

[4] http://www.webstyleguide.com/graphics/displays.html

Least Significant Bit (LSB) Steganography

Applied to RGB Color Images

LSB Substitution – bit 0

[Figure: LSB substitution in bit 0 of the RED, GREEN and BLUE bytes of one pixel; individual colors and combined color shown before and after]

LSB Substitution bit 0 and 1

[Figure: LSB substitution in bits 0 and 1 of the RED, GREEN and BLUE bytes of one pixel; individual colors and combined color shown before and after]

LSB Substitution bits (0-3)

[Figure: LSB substitution in bits 0-3 of the RED, GREEN and BLUE bytes of one pixel; individual colors and combined color shown before and after]

Visual Analysis

Digital Audio

CD Audio
– Typically referred to as wave audio files
– Wave audio is an uncompressed set of samples
– Each sample is represented as a 16-bit value
  Binary
  – 0000 0000 0000 0000 – 1111 1111 1111 1111
  Hex
  – 0000 - FFFF
  Decimal
  – -32768 to +32767
– Each sample is collected at a frequency of 44.1 kHz or 44,100 times per second based on Nyquist’s theorem

“Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signal” [5]

[5] http://www.its.bldrdoc.gov

Digital Audio - Dangers

Audio based steganography has the potential to conceal more information
– Audio files are generally larger than images
– Our hearing can be easily fooled
– Slight changes in amplitude can store vast amounts of information

Many sources and types make statistical analysis more difficult
– Greater amounts of information can be embedded without audible degradation

LSB in Action

Steganography Demonstration

Known Methods of Steganography

– Data Appending
– Covert Channels
– Formatting Modification
– Word Substitution
– Color Palette Modification
– Encoding Algorithm Modification
– 24-Bit LSB Encoding

Known Methods of Steganography

Data Appending
– Typically modifies the cover file by appending data after the standard end-of-file marker
– Example Program: Camouflage

Data Appending Example

[Figure: Carrier Image; Hidden Data]

[Figure: Original Carrier File and Camouflage Hidden Message, with the labels End of File Markers and Hidden Data]

Camouflage in Action

Demonstration
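
One way to check a carrier for the appended data described above (added example, not from the original slides or from any tool they name; it assumes JPEG or PNG carriers, and the sample byte strings are constructed, not decodable images):

```python
# Added example: report bytes stored after a carrier's end-of-file marker.
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_end(data: bytes):
    """Offset just past the real EOI marker, or None if there is none.
    Segments are walked so an EOI inside an APPn thumbnail is skipped."""
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:             # entropy-coded scan data
            i += 1
            continue
        marker = data[i + 1]
        if marker == 0xD9:              # EOI
            return i + 2
        if marker == 0xFF:              # fill byte in front of a marker
            i += 1
        elif marker in (0x00, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                      # byte stuffing, TEM, RSTn: no length
        else:                           # every other marker carries a length
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
    return None

def png_end(data: bytes):
    """Offset just past the IEND chunk, or None if there is none."""
    i = len(PNG_SIG)
    while i + 12 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        end = i + 12 + length           # length + type + data + CRC
        if data[i + 4:i + 8] == b"IEND":
            return end if end <= len(data) else None
        i = end
    return None

def trailing_data(data: bytes) -> bytes:
    """Bytes that follow the end-of-file marker (empty for a clean file)."""
    if data.startswith(b"\xff\xd8"):
        end = jpeg_end(data)
    elif data.startswith(PNG_SIG):
        end = png_end(data)
    else:
        raise ValueError("unsupported carrier format")
    if end is None:
        raise ValueError("no end-of-file marker found")
    return data[end:]

# Constructed samples: correct marker structure, CRC fields zeroed.
def seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body

SAMPLE_JPEG = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00\xff\xd8thumb\xff\xd9")
               + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
SAMPLE_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + bytes(17) + bytes(4) + b"IEND" + bytes(4)
```

A plain search for the first FF D9 stops inside the embedded thumbnail of the JPEG sample, which is why the segments are walked. Some cameras and editors also write legitimate data after the marker, so a non-empty result is a lead to examine, not proof.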

Known Methods of Steganography

Formatting Modification
– Works by making subtle modifications to text and/or line spacing in standard documents
– Example Program: Invisible Secrets

Formatting Modification Example

[Figure: Carrier File; Hidden Data]

Original Carrier File Modified Carrier File

HASH D350 E408 495B D1A4 2FDB 6A54 6C34 2F94 DE8F 89E5

HASH 7E62 FC70 65FE 8095 7796 23DC 697D CBDF EEEC 3E07

Known Methods of Steganography

Word Substitution
– Spam Mimic – Web based steganography tool
  http://www.spammimic.com/
– Automatically creates “spam” like messages that actually contain hidden data

Word Substitution Example

[Figures: Message to Encode; Spam mimic, Spam encoded message]

Known Methods of Steganography

Color Palette Modification
– Typically applied to 8-bit images such as GIF or 8-bit BMP files. The technique modifies the color palette and the associated colors in the image to embed data
– Example Program: Gif-it-Up

Color Palette Modification Example

[Figure: Carrier Image; Hidden Data]

[Figure: Carrier Image; Covert Message]

Known Methods of Steganography

24-Bit LSB Encoding
– The LSB method makes subtle changes to each pixel of the image. The changes are undetectable through visual inspection for most images

Example Program : S-Tools Version 4.0
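
Why the number of substituted bits matters to an examiner, shown on raw 24-bit RGB bytes at the three depths the slides illustrate (bit 0, bits 0-1, bits 0-3). This is an added example, not code from the original slides or from S-Tools; the carrier, the payload and all function names are constructed for illustration, and the comparison assumes a known original of the carrier is available.

```python
# Added example: LSB substitution on raw 24-bit RGB bytes (constructed data).

def substitute(carrier: bytes, payload: bytes, nbits: int) -> bytes:
    """Replace the nbits lowest bits of successive carrier bytes with payload bits."""
    total = len(payload) * 8
    if total > len(carrier) * nbits:
        raise ValueError("payload exceeds carrier capacity at this bit depth")
    mask = (1 << nbits) - 1
    bits = int.from_bytes(payload, "big")
    out = bytearray(carrier)
    pos = 0
    for i in range(len(out)):
        if pos >= total:
            break                       # remaining channels stay untouched
        take = min(nbits, total - pos)
        chunk = (bits >> (total - pos - take)) & ((1 << take) - 1)
        out[i] = (out[i] & ~mask & 0xFF) | (chunk << (nbits - take))
        pos += take
    return bytes(out)

def recover(stego: bytes, nbits: int, length: int) -> bytes:
    """Read length bytes back out of the low nbits of each byte."""
    mask = (1 << nbits) - 1
    bits = got = 0
    for b in stego:
        if got >= length * 8:
            break
        bits = (bits << nbits) | (b & mask)
        got += nbits
    return (bits >> (got - length * 8)).to_bytes(length, "big")

def max_channel_change(original: bytes, suspect: bytes) -> int:
    """Largest per-channel difference (0-255 scale) between two carriers."""
    return max(abs(a - b) for a, b in zip(original, suspect))

def changed_bit_planes(original: bytes, suspect: bytes) -> set:
    """Bit positions (0 = least significant) where suspect differs from original."""
    diff = 0
    for a, b in zip(original, suspect):
        diff |= a ^ b
    return {bit for bit in range(8) if (diff >> bit) & 1}

# Constructed carrier (100 pixels x 3 channels) and constructed payload.
CARRIER = bytes((i * 37) % 256 for i in range(300))
PAYLOAD = b"covered writing"

def profile(nbits: int):
    """(worst channel change, bit planes touched) for one substitution depth."""
    stego = substitute(CARRIER, PAYLOAD, nbits)
    return max_channel_change(CARRIER, stego), sorted(changed_bit_planes(CARRIER, stego))

if __name__ == "__main__":
    for n in (1, 2, 4):                 # bit 0, bits 0-1, bits 0-3
        print(n, *profile(n))
```

The worst-case shift per channel is 2^n - 1 out of 255 (1, 3 and 15 for the three slides), which is why deeper substitution carries more data but is the first to show up in visual analysis.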

Known Methods of Steganography

Encoding Algorithm Modification
– JPEG Discrete Cosine Transform (DCT) Modification
– MP3 perceptual noise shaping (PNS) Modification

Known Methods of Steganography

DCT Coefficient Modification
– Most typically applied to JPEG files. LSB modifications are made to the coefficients of the Discrete Cosine Transform prior to the lossless stage of compression
– Example Program: JPHS

DCT Coefficient Modification Example

[Figure: Carrier Image; Hidden Data]

Carrier Image
HASH 7847 C7B7 1884 B350 17E9 4783 2603 B315 27B1 8ABE
File Size 224,186

Modified Carrier Image
HASH 4AC7 2ADA 5C95 08A3 645A 8FC2 30CD 3AA5 E323 644D
File Size 223,122

DCT Formula

8 x 8 2D Forward DCT

8 x 8 2D Inverse DCT

Quantized DCT

      1   2   3   4   5   6   7   8
1     0   1   5   6  14  15  27  28
2     2   4   7  13  16  26  29  42
3     3   8  12  17  25  30  41  43
4     9  11  18  24  31  40  44  53
5    10  19  23  32  39  45  52  54
6    20  22  33  38  46  51  55  60
7    21  34  37  47  50  56  59  61
8    35  36  48  49  57  58  62  63

Legend: LOW ENERGY, MEDIUM ENERGY, HIGH ENERGY

Known Methods of Steganography

MP3 PNS Modification
– Modification of the MP3 encoding algorithm to insert data without altering the sound quality
– Example Program: MP3 Steno

Known Methods of Steganography

Covert Channels
– A modified communication channel exploited by a sender and receiver to exchange information
– Example Program: Covert TCP
  Source code supplied with informational article published in First Monday
  http://www.firstmonday.dk/issues/issue2_5/rowland/index.html#app

Covert Channels Example

Manipulation of the Initial Sequence Number Field*
– The Initial Sequence Number is used to establish a communication link between a client and remote server
– A program can be created to generate this number using a constant divided by an ASCII character value
– A similar program on the other end can passively listen for communication and then decode the message

*http://www.firstmonday.dk/issues/issue2_5/rowland/index.html#app

Covert Channels Example

Packet Header
20:30:10.005553 10.1.1.0.45321 > 128.162.1.0.80: S 1207959552:1207959552(0) win 512 (ttl 64, id 49408)

Field          Value
Time Stamp     20:30:10.005553
Source         10.1.1.0.45321
               >
Destination    128.162.1.0.80
               S
ISN            1207959552:1207959552
Misc. Fields   win 512 (ttl 64, id 49408)

Covert Channels Example

Locate ISN: 1207959552:1207959552
Divide by constant: 1207959552 / 16777216 = 72
Convert to ASCII: 72 = “H” in ASCII

Steganography Investigation

Demonstration
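
The three decoding steps from the Covert Channels Example, turned into a check that can be run over captured SYN packets. This is an added example, not part of the original slides or of Covert TCP; the regular expression assumes the tcpdump line format shown on the slide, the function names are illustrative, and every sample line except the first is constructed.

```python
# Added example: flag TCP SYNs whose ISN looks like "ASCII value x 16777216".
import re
from collections import defaultdict

CONSTANT = 16777216          # 2**24, the divisor shown on the slide
SYN = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)")

def decode_isn(isn: int):
    """Return the character an ISN would carry under this scheme, else None."""
    value, remainder = divmod(isn, CONSTANT)
    if remainder == 0 and 32 <= value <= 126:    # exact multiple, printable ASCII
        return chr(value)
    return None

def suspicious_flows(lines):
    """Map (source host, destination host) -> text recovered from flagged SYNs."""
    flows = defaultdict(str)
    for line in lines:
        m = SYN.match(line)
        if not m:
            continue                              # not a SYN line in this format
        ch = decode_isn(int(m.group(6)))
        if ch is not None:
            flows[(m.group(2), m.group(4))] += ch
    return dict(flows)

# First line is the packet from the slide; the others are constructed.
SAMPLE = """\
20:30:10.005553 10.1.1.0.45321 > 128.162.1.0.80: S 1207959552:1207959552(0) win 512 (ttl 64, id 49408)
20:30:10.104211 10.1.1.7.51544 > 128.162.1.0.80: S 3735928559:3735928559(0) win 512 (ttl 64, id 1207)
20:30:11.006100 10.1.1.0.45322 > 128.162.1.0.80: S 1224736768:1224736768(0) win 512 (ttl 64, id 49664)
20:30:11.250777 10.1.1.7.51545 > 128.162.1.0.80: S 305419896:305419896(0) win 512 (ttl 64, id 1208)
20:30:12.007302 10.1.1.0.45323 > 128.162.1.0.80: S 553648128:553648128(0) win 512 (ttl 64, id 49920)
""".splitlines()

if __name__ == "__main__":
    for flow, text in suspicious_flows(SAMPLE).items():
        print(flow, repr(text))
```

With a randomized ISN the low 24 bits are all zero roughly once in 16.7 million connections, so a single hit deserves a look and a run of hits from one source is a strong indicator.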

Summary

Steganography weapons are easy to use, and readily available to our adversaries

Steganography is capable of concealing the mere existence of incriminating information and/or covert communications

Steganography provides criminals with the ability to:
– Conceal incriminating information
– Covertly communicate with accomplices
– Innocuously share dangerous information

Steganography is difficult to:
– Detect
– Analyze
– Break

Modern digital steganography is capable of innocuously concealing or transferring large amounts of information. A rule of thumb is 30-40% of the carrier size.

When used in conjunction with the Internet, steganography becomes a globally effective weapon for criminals and terrorists.

Thank You

Chet Hosmer
CEO & Chief [email protected]