The latest assessment from the Office of the National Counterintelligence Executive paints a grim picture of the accelerating pace of foreign economic collection and industrial espionage activities against major US corporations and US Government agencies.
The report includes a useful list of Best Practices in Data Protection Strategies and Due Diligence for Corporations at Appendix A.
A copy of the report can be downloaded at http://1.usa.gov/sejRZn.
Something to keep in mind while reading the report is that trusted insiders can use any of the more than 1,000 digital steganography applications available as freeware or shareware on web sites across the Internet to exfiltrate (i.e., steal) intellectual property, trade secrets, and any other sensitive information you can imagine.
It is equally important to keep in mind the current generation of data loss prevention tools do not detect insiders downloading or using steganography applications.
Backbone Security’s Steganography Analyzer Real-Time Scanner, StegAlyzerRTS, is the only network security appliance in the world capable of detecting insiders downloading or using steganography in real-time.
For additional details, please visit the SARC web site at www.sarc-wv.com, email the SARC at sarc@backbonesecurity.com, or call (877) 560-SARC.
Wednesday, February 8, 2012
Friday, August 27, 2010
Digital Forensic Analysis Methodology
Recently a member of a listserv that I subscribe to asked the list members for assistance with a Digital Forensic Methodology Process. Another member of the same list provided a link to a chart titled “Digital Forensic Analysis Methodology” on the DoJ CCIPS website (http://www.cybercrime.gov/forensics_chart.pdf).
I downloaded the chart and, much to my chagrin, discovered the following at the bottom of the chart: “Return On Investment (Determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.)”
On the one hand, this is understandable because investigators and forensic examiners typically have a large backlog of cases to work on. And, as storage densities have continued to increase, there is an increasing amount of information to process for each case. Coupled with pressure from management and prosecutors to push out as many cases as possible and do it as quickly as possible, it would seem to make sense to take a minimalist approach and spend only as much time as is necessary to find just enough evidence for prosecution or to obtain a plead out and then stop the examination. But does this approach really make sense?
Let’s consider a fictional case involving the use of digital steganography for distribution of child pornography.
After the suspect’s computer and storage media have been seized and imaged, the forensic examiner finds some number of child pornography images in the clear. The images are checked against NCMEC’s CVIP database and the case agent learns the images are part of a collection that has been circulating around the Internet for quite some time. The investigator also learns that all of the children in the images have been identified and rescued from further exploitation and decides to stop the examination at that point and present the evidence to the prosecutor. The suspect pleads nolo contendere and accepts a plea agreement to avoid his family enduring the embarrassment of a public trial. The prosecutor congratulates the investigator and forensic examiner for another job well done in taking another sexual predator off the streets. The case is closed and the investigator and forensic examiner move on to the next case. Everything is hunky-dory, right?
Not so fast. What if the suspect had obtained the illicit images embedded within innocuous looking images such as a toy train collection for sale on eBay or some other set of completely innocuous looking images used as the carrier files? The suspect would have had to use the steganography application that was used to embed the images in order to extract them. Now suppose the suspect had extracted only a few images from the carrier files. There would be other images that had not yet been extracted. Some of these images may contain pictures of children not yet identified in the CVIP database who are, therefore, still being victimized.
In this fictional case, an artifact of the steganography application used by the suspect to extract the illicit images from the carrier files may have been discovered if the examiner had continued the examination instead of stopping after finding images in the clear. The artifact may have been a file associated with the steganography application or a Windows Registry artifact. Discovering the suspect had used steganography may have led to the discovery of the other images still embedded in the carrier files. That may have led to the identification and rescue of previously unidentified child victims.
Far-fetched you say? Perhaps, but one can’t help but wonder how much digital evidence is going undetected because it was hidden with a steganography application but the examiner didn’t conduct steganalysis as a routine aspect of their examination because of the belief the suspect was too stupid, too lazy, or both, to use steganography.
Also, it must be mentioned that stopping an examination after just enough evidence is obtained for prosecution, or a plead out, may result in overlooking evidence that may be more valuable to the investigation and subsequent prosecution than any evidence that may have been easily found in the clear.
While it is true that a typical suspect is not going to think of the word “steganography,” it is equally true, and should be reasonably presumed, the suspect will think of something like “hiding information” or “information hiding.” If you want a real eye opener as to the extent of the threat from criminal use of steganography, simply do a Google search on “information hiding” and Google will return over 8,000,000 hits! Many of the links will lead to web sites where steganography applications can be downloaded as freeware or shareware or a license can be purchased for a small amount.
Given the growing use of anti-forensic tools, including digital steganography, it seems examiners need more comprehensive forensic tools that provide the capability to perform steganalysis and to search for other anti-forensic tools. Thus far, the major forensic tool vendors have not seemed terribly interested in capabilities for detecting anti-forensic tools. That, in and of itself, seems very odd because one would think the first thing an examiner would want to do is determine if the suspect had used any tools that would taint any evidence their forensic tool(s) of choice would find.
Until such time as the major forensic tool vendors decide to incorporate anti-forensic tool detection capability in their tools, examiners are left to find other tools to search for the presence or use of digital steganography applications or other anti-forensic tools.
In summary, I would suggest revising the chart to avoid conveying the message, whether real or implied, that a minimalist approach to digital forensic analysis is sufficient. I would also suggest adding a bullet to the Search Leads table (see graphic) that reads “Search media for presence of digital steganography applications and other anti-forensic tools.”
Steganalysis must become part of the digital forensic analysis methodology or potentially crucial evidence will continue going undetected.
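The "search media for presence of digital steganography applications" step proposed above can be approximated with a hash-set sweep of a mounted image. The following is an added example, not code from the DoJ chart, SARC, or SAFDB; the fingerprint set, the tool label, and the file paths are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a steganography application's binary. A real
# examination would load fingerprints from a vetted hash set instead.
SAMPLE_TOOL_BYTES = b"CONSTRUCTED-STEGO-TOOL-BINARY\x00" * 64
SAMPLE_LABEL = "ExampleStegoTool (hypothetical)"


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, fingerprints):
    """Walk a mounted image and report files whose hash is in the set.

    fingerprints maps a SHA-256 hex digest to an application label.
    Returns (hits, errors); unreadable files are recorded, not dropped.
    """
    hits, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the evidence tree
            rel = os.path.relpath(path, root)
            try:
                file_hash = sha256_file(path)
            except OSError as exc:
                errors.append((rel, str(exc)))
                continue
            label = fingerprints.get(file_hash)
            if label is not None:
                hits.append({"path": rel, "sha256": file_hash,
                             "application": label})
    hits.sort(key=lambda hit: hit["path"])
    return hits, errors


def run_demo():
    """Build a constructed evidence tree and scan it."""
    fingerprints = {
        hashlib.sha256(SAMPLE_TOOL_BYTES).hexdigest(): SAMPLE_LABEL,
    }
    patched = bytearray(SAMPLE_TOOL_BYTES)
    patched[0] ^= 0xFF  # one changed byte produces a different hash
    files = {
        # Ordinary picture: no match expected.
        os.path.join("Users", "suspect", "Pictures", "train01.jpg"):
            b"\xff\xd8constructed carrier image",
        # Tool binary under an innocuous name: still matches by content.
        os.path.join("Users", "suspect", "AppData", "imgview.dat"):
            SAMPLE_TOOL_BYTES,
        # Modified copy of the tool: an exact-hash set misses it.
        os.path.join("Users", "suspect", "Downloads", "setup.exe"):
            bytes(patched),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        return scan_tree(root, fingerprints)


if __name__ == "__main__":
    found, failed = run_demo()
    for hit in found:
        print(hit["application"], hit["path"], hit["sha256"])
    for rel, reason in failed:
        print("unreadable:", rel, reason)
```

The renamed copy is reported while the one-byte-modified copy is not, which is why a hash sweep complements, rather than replaces, a search for other artifacts such as Windows Registry entries.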
Friday, April 2, 2010
Digital Watermarking—A Specialized Form of Digital Steganography
In classifying digital watermarking programs as digital steganography applications, it is important to distinguish between watermarking programs that embed a visible watermark and those that embed an invisible watermark.
Because the objective of steganography is to conceal the existence of information, a watermarking program that embeds a visible watermark in the carrier file could hardly be considered a steganography application.
However, a watermarking program that leaves an invisible watermark in the carrier file should be properly classified as an application of digital steganography because the embedded watermark is imperceptible to the human senses.
Another characteristic of digital watermarking programs is robustness.
A watermark is considered to be fragile if the mark is not detectable after even the slightest transformation of the carrier file. For example, resizing an image file could destroy a fragile watermark.
On the other hand, a watermark is considered to be robust if the mark is detectable after certain transformations are performed on the carrier file.
Thus, digital watermarking programs that embed robust imperceptible watermarks must be properly classified as digital steganography applications.
Another aspect of digital watermarking programs is the size of the payload that can be embedded in the carrier file. The payload size of a digital watermarking program will be much more restricted than the payload size of other digital steganography applications.
Many steganography applications can accommodate multi-megabyte payloads. However, a digital watermarking program may only embed a few bytes or a few hundred bytes.
The quantity of information that can be embedded in a carrier file is not a good criterion for determining whether or not an application should be considered a steganography application. It is not difficult to imagine scenarios where a single word or number could have a much larger meaning.
Therefore, even though digital watermarking programs have restricted payload capability, the programs that employ techniques to embed robust and imperceptible watermarks must be classified as digital steganography applications.
It is important to note that some steganography investigation datasets do not include any digital watermarking programs because the dataset creators do not consider any digital watermarking programs to be steganography applications even if the program embeds a robust imperceptible watermark.
Therefore, digital forensics examiners must be careful when determining which steganography data set to use because selecting the wrong one could result in failure to detect certain digital watermarking programs that may have been used to hide information of evidentiary value in a criminal investigation.
At Backbone Security, we include digital watermarking programs that embed a robust and imperceptible watermark in our Steganography Application Fingerprint Database (SAFDB). Because the watermark embedded by these programs is not detectable by the Human Visual System, it meets our criterion for classification as a digital steganography application.
SAFDB is maintained in our Steganography Analysis and Research Center (SARC) and is the world’s largest hash set exclusive to digital steganography applications.
Jim Wingate is Director of the Steganography Analysis and Research Center and Vice President of Backbone Security and welcomes your views on the proper classification of digital steganography applications.
Monday, October 12, 2009
An Interview With Willie Sutton--Network Robber
Willie Sutton was a prolific bank robber who robbed about 100 banks from the late 1920s until his final arrest in 1952. An urban legend was created when a reporter asked him why he robbed banks and he supposedly answered “because that’s where the money is.” He denies he said it, claiming the reporter added the statement to embellish the story.
While banks are still “where the money is” in physical form, enterprise networks are banks for information in digital form. That the information stored in those networks has value is an undeniable fact. Determining the value of information is another matter entirely and is more an art than a science. Considering that identity theft cost the US economy $53B last year and theft of personally identifiable information is the primary means by which criminals commit identity theft, we can rightfully conclude that the value of information is very high indeed. And that doesn’t include the theft of sensitive information or intellectual property from businesses or individuals.
So, if Willie were alive today, he might be more interested in stealing information than money so he might change his M.O. from robbing banks to robbing networks.
Just for fun, let’s presume he is alive, has become a prolific hacker, and has consented to an interview with our Undercover Reporter who is doing a story on information theft.
In the fictional interview below, UR is our undercover reporter and WS is, of course, Willie Sutton, Master Data Thief.
UR: So, Willie, why do you hack networks?
WS: Aw c’mon … gimme a break … I do it because that’s where the data is.
UR: Data? I thought you were after money. Do I take that to mean you steal the data to sell it?
WS: You got it!
UR: So, there’s money in selling data stolen from networks?
WS: Oh man … you gotta be kidding me … I can’t believe you’re asking me that. You bet there’s money in selling data … big money … and it’s easy money. Like I said in my book “Go where the money is … and go there often.”[1]
UR: So how do you turn data into cash?
WS: I sell it on the IBM.
UR: What … you sell it to IBM?
WS: No, man, I sell it on the International Black Market.
UR: Oh, I see. Do you have a hard time finding a buyer?
WS: Nope. Piece of cake. It never ceases to amaze me how many people out there are willing to buy just about any kind of data.
UR: So what kind of data do they like to buy?
WS: Oh just about anything. I’ve discovered that just about everything on a network has some value or it wouldn’t be there in the first place. Yeah there’s some junk out there … sappy love letters … and some really spicy e-mails … but there’s lots and lots of really good stuff too. Speaking of e-mails, you just can’t believe what people will say in e-mails! Almost makes me blush.
UR: So what kind of good stuff do you run into?
WS: Oh, personally identifiable information that can be used for identity theft, intellectual property, sensitive information about marketing, mergers & acquisitions, downsizing plans, and the like.
WS: Oh I almost forgot … credit card numbers are a really hot item … especially when you have the security codes to go with them. Man that’s such a sweet deal … I get top dollar for that data … and the buyer recovers their investment when they use the cards to buy whatever it is they want to buy. And what’s so amazing about it is the card holders don’t lose any money. They have to spend a little time explaining to their bank that they didn’t make the purchases. Then the bank just writes it off as a loss. Man, you gotta love those banks. Like I always said about banks … that’s where the money is!
UR: So tell me more about how you hack into networks to steal data.
WS: Well, I don’t actually “hack” into networks … although it’s sometimes easy to do because some companies just don’t understand the value of the data they have on their networks and so they won’t allocate sufficient resources to cyber security. Besides that’s not my bag man.
UR: So what is your bag? How do you get the data if you don’t hack the network? Are you some sort of magician?
WS: Naw … I use insiders to get me the data I want.
UR: Hmm … so you just walk right up to them and ask them to give you the data?
WS: Aw c’mon, work with me here … I case the joint ya know … I watch people arrive at work in the mornings to see who might be strapped for cash. Young single Moms driving beat up old clunkers are good targets as are young guys with fancy sports cars. The Moms are struggling to feed their kids so they’re always in need of extra dough and you can bet the young hot rods are strapped for cash after making a big car and insurance payment but still need some coins to take Ms. Hottie out on Saturday night. Or I go to the local watering hole and just listen. If you listen long enough people will tell you everything you need to hear. Just the other day, I was sipping a cognac and in walks Mr. Hot Rod and one of his buds. After slammin’ down a few brewskis, I overheard the buddy say ‘That sure is a cool new ride you have.’ and Mr. Hot Rod says ‘Yeah it’s a sweet machine, but after making the payment and paying the insurance and gas, I can barely find two nickels to rub together. I didn’t realize when I bought it that my diet and love life would change so dramatically … I live on ramen noodles, beanie weenies, and Vienna Sausages … and there’s no dough for a date, and that really sucks, man!’ So, he’s obviously an easy mark in need of some cold hard cash.
UR: OK, OK I get the picture. After you’ve identified your targets, what do you do then?
WS: I simply offer them pennies … yes that’s pennies … for each database record they can get for me.
UR: So you get the data for pennies?
WS: Per record not in total. Let me give you an example. Suppose one of my marks gets me 10,000 records. If I give ‘em ten cents per record, they make a quick and easy $1,000. That’s a lot of diapers and formula for the kiddies or studly duds and gas for the hot rod.
UR: OK. So how do they get that much data to you without getting caught?
WS: Another easy one. I have them use a stega-somethingorother application they can get on the Internet.
UR: You mean a steganography application?
WS: Yeah that’s it. How did you know that?
UR: I just read something in Digital Forensics Investigator the other day about how steganography can be used to hide information in digital files.
WS: Yeah it’s really cool … it’s amazin’ how much data you can hide in a single picture.
UR: How do they get the picture, or pictures, to you?
WS: Another easy one … they simply send it to me as an attachment to an e-mail. Who would suspect anything out of the ordinary about a picture of a kid or a juiced up set of wheels?
UR: So how come you or any of your insiders never get caught?
WS: You know, that’s a really funny one … I think you call it a ‘paradox.’ You see, nobody thinks anybody’s using stega-whatever so nobody is willing to spend any dough on the tools needed to detect it. And because nobody’s using tools to look for it, it’ll never be detected? Now ain’t that a beautiful thing?
UR: It’s no wonder they called you “Slick Willie” back in your heyday!
WS: That’s right. Hey are we ‘bout done here? I’m expecting some important emails!
So it goes, insiders are exfiltrating sensitive data with complete impunity because no one has deployed tools to detect steganography because no one thinks anyone is using it because there’s not a large amount of proof that steganography is being used … because nobody is looking for it!
1. Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)
Wednesday, September 30, 2009
Steganography Insider Threat Presentation and Product Brochures on SlideShare
Please check out our recent posts on SlideShare ...
PowerPoint presentation on the emerging threat from criminal and insider use of digital steganography to conceal evidence of criminal activity or steal sensitive information:
http://www.slideshare.net/jwingate/digital-steganographyan-emerging-threat
(best viewed in slide show mode)
Steganography Analysis & Research Center (SARC) Product and Training brochures:
http://www.slideshare.net/jwingate/sarc-product-brochures
Monday, September 28, 2009
DLP Exposed
There's a huge gaping hole in Data Leak Prevention (DLP) products currently being marketed that vendors don’t want you to know about.
So what is it they don’t want you to know? They don't want you to know their products cannot detect steganography, or information embedded within files with any of the digital steganography applications currently available as freeware or shareware on thousands of web sites across the Internet. This hidden information, in the form of personally identifiable information, stolen intellectual property, or unauthorized images in the workplace, cannot be detected by current DLP products.
But those who purchase DLP systems, which often carry six-figure price tags, must know that the detection capability of even the most technically sophisticated DLP system can be defeated with a simple steganography application obtained for free on the Internet.
Detecting insider use of steganography to exfiltrate sensitive information requires a network security appliance capable of detecting steganography in real-time. StegAlyzerRTS, the Steganography Analyzer Real-Time Scanner, does just that.
For more information, please visit the SARC web site at http://www.sarc-wv.com/.
Tuesday, September 22, 2009
The Compelling Reason to Buy StegAlyzerRTS
To sell their products, all vendors must discover the most significant need that would cause a customer to buy their product.
In marketing parlance, this is called the compelling reason to buy. I’ll refer to that simply as the CRTB.
Please bear with me for a bit while I build up to the CRTB for the real-time steganography detection system developed in Backbone’s Steganography Analysis and Research Center (SARC).
Ever since mankind rose up out of the primordial ooze, there has been crime … and there will always be crime.
One can picture a caveman bashing another caveman over the head with his club to steal a big chunk of Wooly Mammoth for dinner! Yum! So, here we have our first case of assault with a deadly weapon or attempted murder along with theft of a Mammoth carcass, or a piece thereof. Hence, criminal activity emerges.
Now, let’s boogie down the evolutionary path a few million years to the Internet era.
The advent of the Internet has done many great things for mankind. However, it has also facilitated the emergence of an entirely new class of criminal … the cyber criminal. Criminal activity is no longer confined to real space. It has evolved and now takes place in both real space and cyber space.
To keep things simple, let’s define a cyber criminal as anyone who would use a computer to do anything that would be considered a violation of law. Further, for the purposes of this blog, let’s say the cyber criminal is a trusted insider on an enterprise network who is contemplating how to achieve a life of ease … perhaps on a chaise lounge on a beach in the Bahamas sipping colorful, sweet drinks with funny names.
Because practically everything in the 21st century depends on computers in some way, shape, form, or fashion, there will never be fewer computers than we have today. Rather, there will continue to be more computers and more computer users.
According to the Internet World Stats web site [1], Internet user growth from 2000 to 2008 was a whopping 342.2% and there are now nearly 1.6 billion, yup … that’s B-I-L-L-I-O-N, Internet users worldwide.
So, now let’s assume the ratio of criminals who used computers for criminal activity remained constant during that period … it could be 1 in 100, 1 in 50, 1 in 10, etc. It doesn’t really matter. The point is the number of cyber criminals grew at the same rate as the general Internet user population—a rate of 342.2% over that period!
More criminals using more computers add up to more cyber crime.
More cyber crime is driving the need for improved network security tools to detect malicious insiders.
As the network security tools used to detect insider behavior improve, malicious insiders are becoming motivated to find more technically sophisticated ways to conceal their nefarious activities to avoid a visit to, and possibly an extended stay in, the Cross Bar Hotel.
Hence, the stage is set for Google-search savvy users to Google something really clever like “information hiding”, which results in nearly 5.8 million links, many of which will inevitably lead the user to “steganography”, which results in more than 620,000 links when Googled.
Thus, more and more trusted insiders who have gone over to the dark side will use steganography applications that are widely available on Internet web sites and are easy to find, download, install, and use to exfiltrate (that’s a fancy word for “steal”) sensitive information.
If only 1% of the estimated 1.5 billion Internet users were using steganography to steal information, that would be 15 million cyber criminals. So let’s bump it down a notch and say that only .1%, or one-tenth of one percent, are using steganography to steal information … that’s still 1.5 million cyber criminals using steganography. Now let’s assume only 1% of those cyber criminals are trusted insiders. That’s still 15,000 malicious insiders who could steal untold amounts of sensitive information without ever being detected.
Thus, the CRTB for StegAlyzerRTS is to detect malicious insiders who download and use steganography applications to steal sensitive information such as Personally Identifiable Information to sell on the Identity Theft Black Market or Intellectual Property that is the Crown Jewels of the company.
But even with such a CRTB, many enterprise networks will continue to go unprotected from the threat of insider use of digital steganography.
So … now, where’s that Sex on the Beach … ahhhh.
[1] Internet World Stats, Usage and Population Statistics, http://www.internetworldstats.com/stats.htm