Date post: | 27-Mar-2015 |
Upload: | timothy-chavez |
eCrime and Steganography
Lecture & Demonstration
© 2003-2006 WetStone Technologies, Inc.
Origins of Steganography
Steganography Origins
– From the Greek roots: “Steganos” (covered) and “Graphie” (writing), together “Covered Writing”
– First known usage: the early Greeks and Persians used several forms of covered writing to conceal the communication of secret or covert messages
Origins date back as far as 2,500 years ago
Origins of Steganography
Demaratus of Ariston was exiled in Persia, and while there, he received news that Xerxes had decided to invade Greece. He decided that he must get word of the pending invasion to Sparta.
Since discovery of such an act meant certain death, he decided that he must conceal the message. He scraped the wax off a pair of wooden folding writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.
The tablet was passed by the sentries without raising any suspicion and was delivered to and read by the Greeks.
WAX TABLET
Origins of Steganography
Null Cipher Messages
– Most notably this method was used during World War I by the Germans
– Text-based steganography has taken on several forms
PRESIDENT’S EMBARGO RULING SHOULD HAVE IMMEDIATE
NOTICE. GRAVE SITUATION AFFECTING INTERNATIONAL LAW,
STATEMENT FORESHADOWS RUIN OF MANY NEUTRALS. YELLOW
JOURNALS UNIFYING NATIONAL EXCITEMENT IMMENSELY
Taking the first letter of each word gives:
PERSHING SAILS FROM NY JUNE 1
Dangers of Steganography
Steganography vs. Encryption
– Steganography and Encryption each have distinct purposes
Encryption
– Keeps information private by using a mathematical algorithm which renders the contents unreadable unless you possess a specific key allowing you to decipher the message
– Encrypted objects are typically easy to identify or detect
– The existence of the message is obvious, however the content is obscured
Steganography
– Hides the actual existence of a message or hidden data
– Hides information in plain sight by exploiting weaknesses of our human senses
Dangers of Steganography
[Diagram: Steganography vs. Encryption, Steganography E-Mail Communication. Labels: Covert Message, Carrier Image, password, Apply Stego, Send Message With Innocuous Attachment, Firewall, Firewall, Reveal Stego, password, Revealed]
Who knows about this technology?
How big is the problem?
[Chart: Steganography Programs in the Wild, by year (2001, 2002, 2003, 2004, Today); labelled value: 327]
Who knows about it?
source google.com
How global is the problem?
– ARABIC
– CHINESE
– GERMAN
– KOREAN
– CROATIAN
– JAPANESE
Steganography
How does it work?
How is this possible?
Human Sight: Characteristics
– Poor detection and identification of differing shades of color
– Poor recognition of high intensity shades (i.e. bright blue and violet shades of color)
Human Hearing: Characteristics
– Very sensitive to noise and distortion
– Insensitive to slight amplitude shifts
– Insensitive to slight phase shifts
Palette Images
Map to a pre-defined color on a table
– Pixel represented by table lookup value
[2] http://www.webstyleguide.com/graphics/displays.html
RGB or True Color Images
True Color images
– Typically represented by 24 bits
– 8 bits for each color (red, green, blue)
– 16.7M possible colors (2^8 x 2^8 x 2^8)
– Each pixel holds a color triplet
[4] http://www.webstyleguide.com/graphics/displays.html
Least Significant Bit (LSB) Steganography
Applied to RGB Color Images
LSB Substitution – bit 0
[Figure: RED, GREEN and BLUE channel bits before and after substitution of bit 0, shown as individual colors and as the combined color]
LSB Substitution – bits 0 and 1
[Figure: RED, GREEN and BLUE channel bits before and after substitution of bits 0 and 1, shown as individual colors and as the combined color]
LSB Substitution – bits (0-3)
[Figure: RED, GREEN and BLUE channel bits before and after substitution of bits 0-3, shown as individual colors and as the combined color]
Visual Analysis
Digital Audio
CD Audio
– Typically referred to as wave audio files
– Wave audio is an uncompressed set of samples
– Each sample is represented as a 16-bit value
  Binary: 0000 0000 0000 0000 to 1111 1111 1111 1111
  Hex: 0000 - FFFF
  Decimal: -32768 to +32767
– Each sample is collected at a frequency of 44.1 kHz, or 44,100 times per second, based on Nyquist’s theorem
“Nyquist's theorem: A theorem, developed by H. Nyquist, which states that an analog signal waveform may be uniquely reconstructed, without error, from samples taken at equal time intervals. The sampling rate must be equal to, or greater than, twice the highest frequency component in the analog signal”
[5] http://www.its.bldrdoc.gov
Digital Audio - Dangers
Audio-based steganography has the potential to conceal more information
– Audio files are generally larger than images
– Our hearing can be easily fooled
– Slight changes in amplitude can store vast amounts of information
Many sources and types make statistical analysis more difficult
– Greater amounts of information can be embedded without audible degradation
LSB in Action
Steganography Demonstration
Known Methods of Steganography
– Data Appending
– Covert Channels
– Formatting Modification
– Word Substitution
– Color Palette Modification
– Encoding Algorithm Modification
– 24-Bit LSB Encoding
Known Methods of Steganography
Data Appending
Typically modifies the cover file by appending data after the standard end-of-file marker
Example Program: Camouflage
Data Appending Example
Carrier Image
Hidden Data
Data Appending Example
[Figure: the original carrier file beside the file carrying the Camouflage hidden message, with the end-of-file markers and the hidden data labelled]
Camouflage in Action
Demonstration
Known Methods of Steganography
Formatting Modification
Works by making subtle modifications to text and/or line spacing in standard documents
Example Program: Invisible Secrets
Formatting Modification Example
Carrier File
Hidden Data
Formatting Modification Example
Original Carrier File: HASH D350 E408 495B D1A4 2FDB 6A54 6C34 2F94 DE8F 89E5
Modified Carrier File: HASH 7E62 FC70 65FE 8095 7796 23DC 697D CBDF EEEC 3E07
Known Methods of Steganography
Word Substitution
Spam Mimic: Web-based steganography tool
http://www.spammimic.com/
Automatically creates “spam”-like messages that actually contain hidden data
Word Substitution Example
Message to Encode
Spam mimic
Spam encoded message
Known Methods of Steganography
Color Palette Modification
Typically applied to 8-bit images such as GIF or 8-bit BMP files. The technique modifies the color palette and the associated colors in the image to embed data
Example Program: Gif-it-Up
Color Palette Modification Example
Carrier Image
Hidden Data
Color Palette Modification Example
Carrier Image
Covert Message
Known Methods of Steganography
24-Bit LSB Encoding
The LSB method makes subtle changes to each pixel of the image. The changes are undetectable through visual inspection for most images
Example Program: S-Tools Version 4.0
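The substitution described above, written out for the 1-, 2- and 4-bit cases of the earlier slides so the trade-off can be measured (an added example, not code from the slides or from S-Tools). Replacing k low bits changes any red, green or blue value by at most 2^k - 1 while the carrier holds k bits per channel byte; the function names and the 16-pixel carrier are constructed for illustration.

```python
def _flatten(pixels):
    return [c for px in pixels for c in px]

def embed_lsb(pixels, payload, k=1):
    """Overwrite the k low bits of successive channel bytes with payload bits."""
    bits = "".join(f"{b:08b}" for b in payload)
    bits += "0" * (-len(bits) % k)               # pad to a multiple of k
    flat, mask = _flatten(pixels), (1 << k) - 1
    if len(bits) // k > len(flat):
        raise ValueError("payload exceeds carrier capacity")
    for i in range(0, len(bits), k):
        flat[i // k] = (flat[i // k] & ~mask) | int(bits[i:i + k], 2)
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract_lsb(pixels, nbytes, k=1):
    """Read nbytes back out of the k low bits of each channel byte."""
    mask = (1 << k) - 1
    bits = "".join(f"{c & mask:0{k}b}" for c in _flatten(pixels))
    if nbytes * 8 > len(bits):
        raise ValueError("carrier too small for that many bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, nbytes * 8, 8))

def max_channel_delta(before, after):
    """Largest change made to any single red, green or blue value."""
    return max(abs(a - b) for a, b in zip(_flatten(before), _flatten(after)))

def capacity_bytes(pixels, k=1):
    """Whole payload bytes that fit when k bits per channel byte are used."""
    return len(pixels) * 3 * k // 8

# Constructed carrier: sixteen pixels of one (red, green, blue) colour.
CARRIER = [(218, 198, 225)] * 16

if __name__ == "__main__":
    for k in (1, 2, 4):
        stego = embed_lsb(CARRIER, b"HI", k)
        print(k, capacity_bytes(CARRIER, k), max_channel_delta(CARRIER, stego))
```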
Known Methods of Steganography
Encoding Algorithm Modification
– JPEG Discrete Cosine Transform (DCT) Modification
– MP3 perceptual noise shaping (PNS) Modification
Known Methods of Steganography
DCT Coefficient Modification
Most typically applied to JPEG files. LSB modifications are made to the coefficients of the Discrete Cosine Transform prior to the lossless stage of compression
Example Program: JPHS
DCT Coefficient Modification Example
Carrier Image
Hidden Data
DCT Coefficient Modification Example
Carrier Image: HASH 7847 C7B7 1884 B350 17E9 4783 2603 B315 27B1 8ABE, File Size 224,186
Modified Carrier Image: HASH 4AC7 2ADA 5C95 08A3 645A 8FC2 30CD 3AA5 E323 644D, File Size 223,122
DCT Formula
8 x 8 2D Forward DCT
8 x 8 2D Inverse DCT
Quantized DCT
      1   2   3   4   5   6   7   8
1     0   1   5   6  14  15  27  28
2     2   4   7  13  16  26  29  42
3     3   8  12  17  25  30  41  43
4     9  11  18  24  31  40  44  53
5    10  19  23  32  39  45  52  54
6    20  22  33  38  46  51  55  60
7    21  34  37  47  50  56  59  61
8    35  36  48  49  57  58  62  63
Legend: LOW ENERGY, MEDIUM ENERGY, HIGH ENERGY
Known Methods of Steganography
MP3 PNS Modification
Modification of the MP3 encoding algorithm to insert data without altering the sound quality
Example Program: MP3 Steno
Known Methods of Steganography
Covert Channels
A modified communication channel exploited by a sender and receiver to exchange information
Example Program: Covert TCP
Source code supplied with informational article published in First Monday
http://www.firstmonday.dk/issues/issue2_5/rowland/index.html#app
Covert Channels Example
Manipulation of the Initial Sequence Number Field*
– The Initial Sequence Number is used to establish a communication link between a client and remote server
– A program can be created to generate this number using a constant divided by an ASCII character value
– A similar program on the other end can passively listen for communication and then decode the message
*http://www.firstmonday.dk/issues/issue2_5/rowland/index.html#app
Covert Channels Example
20:30:10.005553 10.1.1.0.45321 > 128.162.1.0.80: S 1207959552:1207959552(0) win 512 (ttl 64, id 49408)
Packet Header
– Time Stamp: 20:30:10.005553
– Source: 10.1.1.0.45321
– Destination: 128.162.1.0.80
– ISN: 1207959552:1207959552
– Misc. Fields: win 512 (ttl 64, id 49408)
Covert Channels Example
– Locate ISN: 1207959552:1207959552
– Divide by constant: 1207959552 / 16777216 = 72
– Convert to ASCII: 72 = “H” in ASCII
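The decode step above, turned into a check over captured SYN packets (an added example, not the Covert TCP source or any code from the slides). A normal ISN is spread over the whole 32-bit range, so a source whose SYNs repeatedly divide evenly by 16777216 into printable ASCII stands out; the function names, the `min_run` threshold and all capture lines after the first are constructed for illustration.

```python
import re
from collections import defaultdict

SHIFT = 16777216  # constant from the slide: ISN / 16777216 = ASCII code

# Matches the tcpdump SYN line format shown on the slide.
SYN_RE = re.compile(
    r"^\S+ (?P<src>\S+) > (?P<dst>[^:\s]+): S (?P<isn>\d+):\d+\(0\)")

def decode_isn(isn):
    """Character an ISN would carry under the slide's arithmetic, else None."""
    code, low = divmod(isn, SHIFT)
    if low == 0 and 32 <= code < 127:
        return chr(code)
    return None

def suspicious_flows(lines, min_run=2):
    """Map (source host, destination) to decoded text when every SYN decodes."""
    flows = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            host = m["src"].rsplit(".", 1)[0]       # strip the source port
            flows[(host, m["dst"])].append(decode_isn(int(m["isn"])))
    return {key: "".join(chars) for key, chars in flows.items()
            if len(chars) >= min_run and all(chars)}

# Constructed capture: line 1 is the slide's packet, the rest are made up.
# Host 10.1.1.7 has one coincidental hit and one ordinary ISN, so it is
# not reported.
CAPTURE = [
    "20:30:10.005553 10.1.1.0.45321 > 128.162.1.0.80: S 1207959552:1207959552(0) win 512 (ttl 64, id 49408)",
    "20:30:11.005791 10.1.1.0.45322 > 128.162.1.0.80: S 1224736768:1224736768(0) win 512 (ttl 64, id 49664)",
    "20:30:11.418220 10.1.1.7.51544 > 128.162.1.0.80: S 3021987354:3021987354(0) win 8192 (ttl 64, id 1201)",
    "20:30:12.001942 10.1.1.7.51545 > 128.162.1.0.80: S 1207959552:1207959552(0) win 8192 (ttl 64, id 1202)",
]

if __name__ == "__main__":
    print(suspicious_flows(CAPTURE))
```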
Steganography Investigation
Demonstration
Summary
– Steganography weapons are easy to use, and readily available to our adversaries
– Steganography is capable of concealing the mere existence of incriminating information and/or covert communications
– Steganography provides criminals with the ability to: conceal incriminating information; covertly communicate with accomplices; innocuously share dangerous information
– Steganography is difficult to: detect, analyze, break
– Modern digital steganography is capable of innocuously concealing or transferring large amounts of information. A rule of thumb is 30-40% of the carrier size.
– When used in conjunction with the Internet, steganography becomes a globally effective weapon for criminals and terrorists.