Monday, October 12, 2009

An Interview With Willie Sutton--Network Robber


Willie Sutton was a prolific bank robber who robbed about 100 banks from the late 1920s until his final arrest in 1952. An urban legend was created when a reporter asked him why he robbed banks and he supposedly answered “because that’s where the money is.” He denies he said it claiming the reporter added the statement to embellish the story.

While banks are still “where the money is” in physical form, enterprise networks are banks for information in digital form. That the information stored in those networks has value is an undeniable fact. Determining the value of information is another matter entirely and is more an art than a science. Considering that identity theft cost the US economy $53B last year and theft of personally identifiable information is the primary means by which criminals commit identity theft, we can rightfully conclude that the value of information is very high indeed. And that doesn’t include the theft of sensitive information or intellectual property from businesses or individuals.

So, if Willie were alive today, he might be more interested in stealing information than money so he might change his M.O. from robbing banks to robbing networks.


Just for fun, let’s presume he is alive, has become a prolific hacker, and has consented to an interview with our Undercover Reporter who is doing a story on information theft.

In the fictional interview below, UR is our undercover reporter and WS is, of course Willie Sutton, Master Data Thief.

UR: So, Willie, why do you hack networks?
WS: Aw c’mon … gimme a break … I do it because that’s where the data is.
UR: Data? I thought you were after money. Do I take that to mean you steal the data to sell it?
WS: You got it!
UR: So, there’s money in selling data stolen from networks?
WS: Oh man … you gotta be kidding me … I can’t believe you’re asking me that. You bet there’s money in selling data … big money … and it’s easy money. Like I said in my book “Go where the money is … and go there often.”[1]
UR: So how do you turn data into cash?
WS: I sell it on the IBM.
UR: What … you sell it to IBM?
WS: No, man, I sell it on the International Black Market.
UR: Oh, I see. Do you have a hard time finding a buyer?
WS: Nope. Piece of cake. It never ceases to amaze me how many people out there are willing to buy just about any kind of data.
UR: So what kind of data do they like to buy?
WS: Oh just about anything. I’ve discovered that just about everything on a network has some value or it wouldn’t be there in the first place. Yeah there’s some junk out there … sappy love letters … and some really spicy e-mails … but there’s lots and lots of really good stuff too. Speaking of e-mails, you just can’t believe what people will say in e-mails! Almost makes me blush.
UR: So what kind of good stuff do you run into?
WS: Oh, personally identifiable information that can be used for identity theft, intellectual property, sensitive information about marketing, mergers & acquisitions, downsizing plans, and the like.
WS: Oh I almost forgot … credit card numbers are a really hot item … especially when you have the security codes to go with them. Man, that’s such a sweet deal … I get top dollar for that data … and the buyer recovers their investment when they use the cards to buy whatever it is they want to buy. And what’s so amazing about it is the card holders don’t lose any money. They have to spend a little time explaining to their bank that they didn’t make the purchases. Then the bank just writes it off as a loss. Man, you gotta love those banks. Like I always said about banks … that’s where the money is!
UR: So tell me more about how you hack into networks to steal data.
WS: Well, I don’t actually “hack” into networks … although it’s sometimes easy to do because some companies just don’t understand the value of the data they have on their networks and so they won’t allocate sufficient resources to cyber security. Besides that’s not my bag man.
UR: So what is your bag? How do you get the data if you don’t hack the network? Are you some sort of magician?
WS: Naw … I use insiders to get me the data I want.
UR: Hmm … so you just walk right up to them and ask them to give you the data?
WS: Aw c’mon, work with me here … I case the joint ya know … I watch people arrive at work in the mornings to see who might be strapped for cash. Young single Moms driving beat up old clunkers are good targets as are young guys with fancy sports cars. The Moms are struggling to feed their kids so they’re always in need of extra dough and you can bet the young hot rods are strapped for cash after making a big car and insurance payment but still need some coins to take Ms. Hottie out on Saturday night. Or I go to the local watering hole and just listen. If you listen long enough people will tell you everything you need to hear. Just the other day, I was sipping a cognac and in walks Mr. Hot Rod and one of his buds. After slammin’ down a few brewskis, I overheard the buddy say “That sure is a cool new ride you have.” and Mr. Hot Rod says “Yeah it’s a sweet machine, but after making the payment and paying the insurance and gas, I can barely find two nickels to rub together. I didn’t realize when I bought it that my diet and love life would change so dramatically … I live on ramen noodles, beanie weenies, and Vienna Sausages … and there’s no dough for a date, and that really sucks, man!” So, he’s obviously an easy mark in need of some cold hard cash.
UR: OK, OK I get the picture. After you’ve identified your targets, what do you do then?
WS: I simply offer them pennies … yes that’s pennies … for each database record they can get for me.
UR: So you get the data for pennies?
WS: Per record not in total. Let me give you an example. Suppose one of my marks gets me 10,000 records. If I give ‘em ten cents per record, they make a quick and easy $1,000. That’s a lot of diapers and formula for the kiddies or studly duds and gas for the hot rod.
UR: OK. So how do they get that much data to you without getting caught?
WS: Another easy one. I have them use a stega-somethingorother application they can get on the Internet.
UR: You mean a steganography application?
WS: Yeah that’s it. How did you know that?
UR: I just read something in Digital Forensics Investigator the other day about how steganography can be used to hide information in digital files.
WS: Yeah it’s really cool … it’s amazin’ how much data you can hide in a single picture.
UR: How do they get the picture, or pictures, to you?
WS: Another easy one … they simply send it to me as an attachment to an e-mail. Who would suspect anything out of the ordinary about a picture of a kid or a juiced up set of wheels?
UR: So how come you or any of your insiders never get caught?
WS: You know, that’s a really funny one … I think you call it a ‘paradox.’ You see, nobody thinks anybody’s using stega-whatever so nobody is willing to spend any dough on the tools needed to detect it. And because nobody’s using tools to look for it, it’ll never be detected. Now ain’t that a beautiful thing?
UR: It’s no wonder they called you “Slick Willie” back in your heyday!
WS: That’s right. Hey are we ‘bout done here? I’m expecting some important emails!

So it goes, insiders are exfiltrating sensitive data with complete impunity because no one has deployed tools to detect steganography because no one thinks any one is using it because there’s not a large amount of proof that steganography is being used … because nobody is looking for it!


1. Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)

Wednesday, September 30, 2009

Steganography Insider Threat Presentation and Product Brochures on SlideShare

Please check out our recent posts on SlideShare ...

PowerPoint presentation on the emerging threat from criminal and insider use of digital steganography to conceal evidence of criminal activity or steal sensitive information:

http://www.slideshare.net/jwingate/digital-steganographyan-emerging-threat
(best viewed in slide show mode)

Steganography Analysis & Research Center (SARC) Product and Training brochures:
http://www.slideshare.net/jwingate/sarc-product-brochures

Monday, September 28, 2009

DLP Exposed

There's a huge gaping hole in Data Leak Prevention (DLP) products currently being marketed that vendors don’t want you to know about.

So what is it they don’t want you to know? They don't want you to know their products cannot detect steganography, that is, information embedded within files by any of the digital steganography applications currently available as freeware or shareware on thousands of web sites across the Internet. This hidden information, in the form of personally identifiable information, stolen intellectual property, or unauthorized images in the workplace, cannot be detected by current DLP products.

But those who purchase DLP systems, which often carry six-figure price tags, must know that the detection capability of even the most technically sophisticated DLP system can be defeated with a simple steganography application obtained for free on the Internet.

Detecting insider use of steganography to exfiltrate sensitive information requires a network security appliance capable of detecting steganography in real-time. StegAlyzerRTS, the Steganography Analyzer Real-Time Scanner does just that.

For more information, please visit the SARC web site at http://www.sarc-wv.com/.

Tuesday, September 22, 2009

The Compelling Reason to Buy StegAlyzerRTS

To sell their products, all vendors must discover the most significant need that would cause a customer to buy their product.

In marketing parlance, this is called the compelling reason to buy. I’ll refer to that simply as the CRTB.

Please bear with me for a bit while I build up to the CRTB for StegAlyzerRTS, the real-time steganography detection system developed in Backbone’s Steganography Analysis and Research Center (SARC).

Ever since mankind rose up out of the primordial ooze, there has been crime … and there will always be crime.

One can picture a caveman bashing another caveman over the head with his club to steal a big chunk of Wooly Mammoth for dinner! Yum! So, here we have our first case of assault with a deadly weapon or attempted murder along with theft of a Mammoth carcass, or a piece thereof. Hence, criminal activity emerges.

Now, let’s boogie down the evolutionary path a few million years to the Internet era.

The advent of the Internet has done many great things for mankind. However, it has also facilitated the emergence of an entirely new class of criminal … the cyber criminal. Criminal activity is no longer confined to real space. It has evolved and now takes place in both real space and cyber space.

To keep things simple, let’s define a cyber criminal as anyone who would use a computer to do anything that would be considered a violation of law. Further, for the purposes of this blog, let’s say the cyber criminal is a trusted insider on an enterprise network who is contemplating how to achieve a life of ease … perhaps on a chaise lounge on a beach in the Bahamas sipping colorful, sweet drinks with funny names.

Because practically everything in 21st century depends on computers in some way, shape, form, or fashion, there will never be fewer computers than we have today. Rather, there will continue to be more computers and more computer users.

According to the Internet World Stats web site [1], Internet user growth from 2000 to 2008 was a whopping 342.2% and there are now nearly 1.6 billion, yup … that’s B-I-L-L-I-O-N, Internet users worldwide.

So, now let’s assume the ratio of criminals who used computers for criminal activity remained constant during that period … it could be 1 in 100, 1 in 50, 1 in 10, etc. It doesn’t really matter. The point is the number of cyber criminals grew at the same rate as the general Internet user population—a rate of 342.2% over that period!

More criminals using more computers add up to more cyber crime.

More cyber crime is driving the need for improved network security tools to detect malicious insiders.

As the network security tools used to detect insider behavior improve, malicious insiders are becoming motivated to find more technically sophisticated ways to conceal their nefarious activities to avoid a visit to, and possibly an extended stay in, the Cross Bar Hotel.

Hence, the stage is set for Google-search savvy users to Google something really clever like “information hiding” which results in nearly 5.8 million links many of which will inevitably lead the user to “steganography” which results in more than 620,000 links when Googled.

Thus, more and more trusted insiders who have gone over to the dark side will use steganography applications that are widely available on Internet web sites and are easy to find, download, install, and use to exfiltrate (that’s a fancy word for “steal”) sensitive information.

If only 1% of the estimated 1.5 billion Internet users were using steganography to steal information, that would be 15 million cyber criminals. So let’s bump it down a notch and say that only .1%, or one-tenth of one percent, are using steganography to steal information … that’s still 1.5 million cyber criminals using steganography. Now let’s assume only 1% of those cyber criminals are trusted insiders. That’s still 15,000 malicious insiders who could steal untold amounts of sensitive information without ever being detected.

Thus, the CRTB for StegAlyzerRTS is to detect malicious insiders who download and use steganography applications to steal sensitive information such as Personally Identifiable Information to sell on the Identity Theft Black Market or Intellectual Property that is the Crown Jewels of the company.

But even with such a CRTB, many enterprise networks will continue to go unprotected from the threat of insider use of digital steganography.

So … now, where’s that Sex on the Beach … ahhhh.

[1] Internet World Stats, Usage and Population Statistics, http://www.internetworldstats.com/stats.htm

Thursday, September 10, 2009

Update to SAFDB Coming Soon

A new version of the Steganography Application Fingerprint Database (SAFDB) containing the file artifacts of more than 750 steganography applications will be created by Nov 30th.

SAFDB was developed in Backbone’s Steganography Analysis and Research Center (SARC) and is now widely recognized as the world’s largest database of hash values exclusive to digital steganography applications.

SAFDB is an integral part of StegAlyzerAS (Steganography Analyzer Artifact Scanner) and StegAlyzerRTS (Steganography Analyzer Real-Time Scanner).

StegAlyzerAS is a computer forensics tool used to detect the presence of steganography applications on seized media. In addition to detecting file artifacts, StegAlyzerAS offers the unique capability to detect Windows Registry artifacts (i.e., keys and/or values). This makes it possible to determine if a particular steganography application was ever installed by the user even if the user uninstalled the application and then deleted the files and folders associated with the application that were created in the installation process.

StegAlyzerRTS is a network security appliance that detects insiders downloading any of the applications in SAFDB in real-time.

SAFDB contains seven different hash values for each file artifact associated with each steganography application in the SARC’s steganography application archive. The hash values were computed with the CRC-32 and MD5 hashing algorithms plus all five of the algorithms specified in FIPS 180-2, Secure Hash Standard—SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.

SAFDB also includes the artifact file name, file size, associated application name, in addition to other information about each file and application.
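As an added illustration of how a fingerprint database of this shape is built and queried (this is example code written for this page, not SARC’s SAFDB or StegAlyzerAS code), the block below computes the same seven digests for an artifact, stores them in a record alongside the file name, size and application name, and matches the contents of scanned files against that record set. The application name, artifact name and artifact bytes are constructed placeholders; a real database would hold hashes of the actual files a steganography application installs.

```python
import hashlib
import zlib

# MD5 plus the five FIPS 180-2 algorithms; CRC-32 is computed separately via zlib.
DIGEST_ALGOS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def fingerprint_bytes(data):
    """Return the seven hash values recorded per artifact, hex-encoded."""
    fp = {"crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)}
    for algo in DIGEST_ALGOS:
        fp[algo] = hashlib.new(algo, data).hexdigest()
    return fp


def fingerprint_file(path):
    """Fingerprint a file on disk (whole-file read; fine for installer-sized artifacts)."""
    with open(path, "rb") as fh:
        return fingerprint_bytes(fh.read())


def make_record(application, filename, data):
    """Constructed stand-in for one database row: artifact name, size, application, digests."""
    record = {"application": application, "filename": filename, "size": len(data)}
    record.update(fingerprint_bytes(data))
    return record


# Constructed sample artifact; the application and file name are hypothetical.
SAMPLE_ARTIFACT = b"constructed stand-in for a steganography tool's program file"
CONSTRUCTED_DB = [make_record("HypotheticalStegoTool", "embed.exe", SAMPLE_ARTIFACT)]


def index_by_hash(records, algo="sha256"):
    """Index records by one digest so each scanned file costs one dictionary lookup."""
    return {rec[algo]: rec for rec in records}


def match_artifact(data, index, algo="sha256"):
    """Return the matching record, or None. Matching on content rather than on file
    name means a renamed or relocated artifact is still recognised; CRC-32 alone
    would be cheap but collision-prone, so a cryptographic digest is the lookup key."""
    return index.get(fingerprint_bytes(data)[algo])


def scan_files(files, index, algo="sha256"):
    """files maps path -> bytes (constructed here in place of walking seized media).
    Returns (path, application, original artifact name) for every hit."""
    hits = []
    for path, data in files.items():
        rec = match_artifact(data, index, algo)
        if rec is not None:
            hits.append((path, rec["application"], rec["filename"]))
    return hits


if __name__ == "__main__":
    index = index_by_hash(CONSTRUCTED_DB)
    seized = {
        "C:/Users/demo/AppData/Local/Temp/renamed.bin": SAMPLE_ARTIFACT,  # renamed copy
        "C:/Users/demo/notes.txt": b"unrelated content",
    }
    for path, app, name in scan_files(seized, index):
        print("artifact %s of %s found at %s" % (name, app, path))
```

The renamed copy in the sample scan is the point of hashing by content: an insider who renames or moves a tool’s files defeats a file-name check but not a digest match. Registry artifacts, which the post mentions for the uninstalled case, are a separate lookup against key and value names and are not covered by this block.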

Current plans call for the creation of new versions of SAFDB in each quarter of CY2010 with each version containing information on all file artifacts associated with at least 25 more steganography applications than the previous version.

Sunday, August 16, 2009

Steganography: Threat or Hype?

Any discussion on digital steganography ultimately polarizes around two groups: those who believe steganography is being used and those who don’t.

Before delving into the reasons why this is so, let’s first define steganography and how it can be used as an information hiding tool.

Demaratus’ Wax Tablets

Steganography is an ancient information hiding technique that dates back to the days of Ancient Greece. In fact, steganography is derived from the Greek words “steganos” which means “covered” and “graphie” which means “writing.” So steganography literally means “covered writing.”

The Egyptians are generally acknowledged to have been the first to use steganography in the form of hieroglyphics. However, one of the first recorded uses of steganography, and one of the most interesting, dates back to 480 BC during the Battle of Thermopylae. When he learned of Xerxes’ plan to lead his army into Greece, Demaratus scraped the wax off his wax tablet, scribed a message directly on the wood, and then recovered the tablet with wax in order to get a message to Sparta past the Roman guards (Demaratus).

But rather than spend too much time discussing how steganography has been used throughout history, let’s fast forward to the Internet era where we see an evolution to digital steganography.

Wizzy-Wig

Actually it’s WYSIWYG and it means “What You See Is What You Get.” Right? Not so fast.

For those of us old enough to remember when a WYSIWYG editor was a revelation, we became accustomed to visualizing the contents of a file by what we could see on the screen. If it was on the screen, it was in the file and vice versa.

Well, nowadays, with digital steganography, a slight modification of WYSIWYG is necessary. Now it’s WYSINAWYG or What You See Is Not Always What You Get.

Why? Because it’s possible that information has been appended to the file beyond the file’s EOF marker or, in the case of a bitmap image, information may have been embedded in the image. Essentially, the hidden information is there but you can’t see it. So with steganography, the old saying that “a picture’s worth a thousand words” could quite literally be true.
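The first of the two cases just described, data appended past the file’s structural end, is also the one that the “DLP Exposed” post above says pattern-based DLP products miss. The added example below (written for this page, not SARC’s or any DLP vendor’s code) makes both points concrete for PNG files: it builds a small valid PNG, appends a compressed copy of constructed, fictitious customer records after the IEND chunk, and then shows that a plaintext pattern rule finds nothing in the tampered file while a structural check (walk the chunks, compare the IEND offset to the file length) flags the trailing bytes. The PNG builder, the records and the SSN-shaped pattern are all constructed for the demo; embedding inside pixel data, the second case, needs statistical analysis and is not covered here.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_structural_end(data):
    """Walk the chunk list and return the offset just past the IEND chunk, or None
    if the data is not a well-formed PNG. Viewers stop reading at IEND, so bytes
    after it never reach the screen."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_data_check(data):
    """Report how many bytes sit past the structural end of the file."""
    end = png_structural_end(data)
    if end is None:
        return {"parsed": False, "trailing_bytes": 0}
    return {"parsed": True, "trailing_bytes": len(data) - end}


# A plaintext content rule of the kind a pattern-based DLP check applies (SSN-shaped numbers).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def naive_content_scan(data):
    """What a plaintext pattern rule sees: literal matches in the raw bytes only."""
    return [m.group().decode() for m in SSN_RE.finditer(data)]


def build_png(width, height):
    """Minimal valid 8-bit grayscale PNG, constructed for the demo."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes((x * 7 + y * 3) % 256 for x in range(width))
                    for y in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


CLEAN_PNG = build_png(8, 8)
# Constructed, fictitious records standing in for "simulated financial information".
SIMULATED_RECORDS = b"".join(
    b"name=Customer %d;ssn=%03d-45-6789;balance=1000\n" % (i, 100 + i) for i in range(5))
# The appended copy is compressed, so the SSN pattern never appears literally in the file.
TAMPERED_PNG = CLEAN_PNG + zlib.compress(SIMULATED_RECORDS)


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("tampered", TAMPERED_PNG)):
        print(label, "pattern hits:", naive_content_scan(blob),
              "structure:", trailing_data_check(blob))
```

The structural check does not need to know what the trailing bytes are, only that a well-formed image should have none; that is what makes it a usable network or endpoint rule where a content pattern is blind. The same idea applies to any format with a defined end marker, but each format needs its own parser, and a file that fails to parse at all deserves a look as well.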

For example, there is some simulated financial information embedded in the image of the baseball below.

If you would like to know what information is hidden in the image, you can request a Steganography Threat Evaluation Kit at http://www.sarc-wv.com/stegalyzerrts.aspx that contains instructions on how to extract the hidden information.

The Lazy People Theory

Now let’s go back to why some believe insiders are using steganography to steal sensitive information and intellectual property and criminals are using steganography to conceal evidence of criminal activity but others do not.

First, the non-believers. This group seems to believe that people are like electrons—they take the path of least resistance. Typically, this path is one of using a thumb drive, or some other ultra-portable storage device, to steal information and then just walk out the front door with it.

Their basic question is “Why would anyone go to the trouble of using steganography when there are so many other easier ways to steal information?” This is a valid question.

Many computer forensic examiners in law enforcement hold the belief that “the criminals we deal with are too stupid, too lazy, or both to use steganography.” There is some validity to that as well.

The Devious People Theory

Now, for the believers. This group tends to believe in the “build it, and they will come” approach. In terms of digital steganography, we could say this is the “if it is there, they will use it” approach.

People in this group tend to believe that people will go to great lengths to avoid being caught doing something they shouldn’t be doing. It is the fear of a visit to the “cross bar hotel” that motivates this group to find ways to conceal their nefarious and most likely illegal activities.

As Data Loss Prevention (DLP) tools and forensics tools continue getting better at detecting sensitive information leaving the enterprise network or finding digital evidence of criminal activity, it is only logical to presume that those wishing to evade detection will find more technically sophisticated ways to conceal their nefarious activities.

And it is very easy, child’s play really, to find, download, install, and use steganography applications that are widely available as freeware or shareware on the Internet.

Just do a Google search on “information hiding” and you will see that you get over seven million links in the search results. Many of those links lead to web sites where digital steganography applications can be found.

Going Forward

So there you have it … some believe steganography is being used and some don’t. It is difficult to convince the non-believers that steganography is, indeed, a threat because there isn’t a large body of empirical data to prove that it is being used. Why should I look for something that you say is being used but yet you cannot prove it? Another valid question.

At the end of the day, we have to acknowledge that no one really knows how often steganography is being used for nefarious purposes.

But, going forward, we also have to acknowledge that we will never know how much information is being stolen or how much criminal activity is being concealed through the use of digital steganography until more people understand what it is and believe that it is, in fact, being used.