Spy Vs. Spy
By Sally Adee
Orig URL: http://spectrum.ieee.org/print/6593
Do you wanna know a secret?: Altered with the proper steganography algorithm, this innocuous picture of a cat could be a carrier for corporate espionage.
Earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.
Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.
Steganography uses innocuous documents, usually an image file, as carriers for secret messages. Unlike encryption, steganography encodes the message while at the same time concealing the fact that a message is being sent at all. The Greek-derived name means "covered writing." The earliest steganographers were said to be Greek generals who tattooed sensitive information onto the shaved heads of messengers. Once the hair grew back, the messenger could travel without suspicion to the intended recipient, who "decrypted" the secret message by shaving the messenger's head again. In its current incarnation, steganography often makes use of e-mail, an ideal carrier for any corporate spy, disgruntled employee, or terrorist.
Steganography algorithms vary widely (digital forensics firm WetStone Technologies Inc., of Ithaca, N.Y., lists 612 applications), but they work on basically the same principle. To embed a message in an innocuous image of a cat, for example, a commonly used steganography algorithm called LSB takes advantage of the way computers digitally encode color. The algorithm hides the fugitive file inside the so-called noncritical bits of color pixels. Noncritical bits are just what they sound like: the least important information in a pixel. A gray pixel in the cat's uniformly gray fur, for example, is coded as a number that looks something like 00 10 01 00. By changing the least significant bits (the last two) you introduce one-millionth of a color change, an absurdly subtle alteration that no human eye could detect.
The steganography application folds the secret message's bits into the image's least significant bits, but it typically leaves the image file unaltered in size or any other variable that would provide clues to infiltration. Compression does not affect the integrity of the stowaway data: the algorithms work just as well for lossy compression (for example, in a JPEG format) as they do for lossless compression methods. When the message reaches its intended recipient, an unlocking algorithm locates the stowaway bits in the cat image pixels and uses them to reconstruct the secret message.
Bertolino's method turns this technology on itself. The key to jamming steganography, he says, is using steganography, what he calls "double-stegging." Double-stegging adds some noise, scrambling some of the image's least-significant bits. "As long as you're damaging at least some part of the file," Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. "Our results are simple," Bertolino says. "An extremely high percentage of the hidden files were destroyed." Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department's annual digital forensics conference, the Cyber Crime Conference.
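To make the LSB mechanism from the previous paragraphs and the double-stegging idea concrete, here is a small added example in Python. It is not Bertolino's or WetStone's code and does not reproduce their algorithms; it assumes a constructed 8-bit grayscale carrier held as a byte string (one byte per pixel, no real image is read), a hypothetical 2-byte length prefix so the extractor knows where the hidden file ends, and a jammer that overwrites the whole LSB plane with random bits. The point it demonstrates is the asymmetry the article describes: the jammer changes every pixel by at most one gray level, so a picture of a cat that is just a cat is effectively untouched, while a hidden file riding in those bits comes out as gibberish.

```python
import os
from typing import Callable, Dict

# Constructed carrier: a 64x64 8-bit grayscale "patch of cat fur", one byte
# per pixel with a faint 7-level texture. Hypothetical data, not a real image.
CARRIER = bytes(100 + (i % 7) for i in range(64 * 64))

# Constructed payload standing in for the smuggled file.
PAYLOAD = b"constructed sample of a hidden file"


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Classic LSB embedding: write the payload, prefixed by a 2-byte length
    (an assumption of this example), one bit per pixel into the least
    significant bit of each pixel value."""
    message = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("carrier has too few pixels for this payload")
    stego = bytearray(pixels)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit  # each pixel moves by at most 1
    return bytes(stego)


def lsb_plane(pixels: bytes) -> bytes:
    """Collect the LSB of every pixel and pack the bits back into bytes."""
    packed = bytearray()
    for start in range(0, len(pixels) - 7, 8):
        value = 0
        for pixel in pixels[start:start + 8]:
            value = (value << 1) | (pixel & 1)
        packed.append(value)
    return bytes(packed)


def extract_lsb(pixels: bytes) -> bytes:
    """The recipient's 'unlocking' step. On a jammed carrier the length prefix
    and the body are both noise, so whatever comes back is gibberish."""
    plane = lsb_plane(pixels)
    length = int.from_bytes(plane[:2], "big")
    return plane[2:2 + length]


def jam_lsb(pixels: bytes, rng: Callable[[int], bytes] = os.urandom) -> bytes:
    """Double-stegging as the article describes it: overwrite the LSB plane
    with random bits. A clean picture changes by at most 1 per pixel; a stego
    picture loses about half of its hidden bits, which is enough to destroy
    the hidden file. `rng` is injectable so the behaviour can be tested."""
    noise = rng(len(pixels))
    return bytes((pixel & 0xFE) | (n & 1) for pixel, n in zip(pixels, noise))


def max_pixel_change(before: bytes, after: bytes) -> int:
    """Largest per-pixel difference, i.e. how visible the alteration is."""
    return max(abs(a - b) for a, b in zip(before, after))


def run_demo(rng: Callable[[int], bytes] = os.urandom) -> Dict[str, object]:
    """Embed, jam, and report what each side of the exchange sees."""
    stego = embed_lsb(CARRIER, PAYLOAD)
    jammed = jam_lsb(stego, rng)
    return {
        "visible_change_from_embedding": max_pixel_change(CARRIER, stego),
        "visible_change_from_jamming": max_pixel_change(stego, jammed),
        "recovered_before_jamming": extract_lsb(stego),
        "recovered_after_jamming": extract_lsb(jammed),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Running the script shows a maximum pixel change of 1 for both embedding and jamming, the intact payload before jamming, and noise afterwards. A gateway that really did this would decode the image, rewrite the LSB plane, and re-encode it; the example works on raw pixel values to keep the mechanism visible. It also only disturbs the LSB plane, so a scheme that hides data elsewhere in the file would need the corresponding part of the file "damaged" in the same spirit.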
According to Bertolino, the steganography-jamming application would be made available to organizations as part of a software package and would work at the e-mail server level to scour all outgoing communication of nefarious content. Filtering e-mail automatically through an algorithm could give an organization peace of mind without chewing up a lot of billable hours. (Steganography can be detected by trained examiners if the images are passed through a variety of filters to reveal visual indicators, but that requires hours of manpower.)
One major disadvantage, Bertolino concedes, is that his method does nothing to alert authorities to the presence of the mole. However, despite well-funded research, the bottom line remains that it is easier to jam steganography than it is to detect its presence. "Is it better to know who is doing the attacking or to stop the attack from happening?" Bertolino asks. "Sometimes catching an intruder is less important than preventing the potential damage caused by releasing that information."
WetStone CEO Chet Hosmer says Bertolino's research is founded on legitimate principles. In fact, what Bertolino calls double-stegging is similar to a server-level technology called stego stomping that WetStone sells to companies to filter outgoing e-mail.
The main advantage of such an approach, says Northeastern University computer science professor Ravi Sundaram, under whose guidance Bertolino pursued his research, is that it mitigates a major problem of the espionage "arms race." As soon as security personnel figure out how to circumvent one algorithm, 10 more spring up to take its place. Double-stegging could provide a stopgap: no matter how sophisticated steganography methods become, those technology advances could be used against the malefactors. By attacking the applications using the applications themselves, the algorithms become their own worst enemy.
Bertolino thinks his method would be most useful when used alongside detection methods like those being developed at WetStone and Backbone Security, another cybercrime-detection firm, headquartered in Fairmont, W.Va. These firms specialize in detection. Having Bertolino's double-stegging application run quietly on an e-mail server means that an examiner could take his time sussing out the intruder while remaining confident that no outgoing e-mails are exporting hidden files.
Thwarting steganography that makes use of static carriers like JPEG or MP3 files is important, says Hosmer. However, steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like Voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem.