Wednesday, September 30, 2009

Steganography Insider Threat Presentation and Product Brochures on SlideShare

Please check out our recent posts on SlideShare ...

PowerPoint presentation on the emerging threat from criminal and insider use of digital steganography to conceal evidence of criminal activity or steal sensitive information:

http://www.slideshare.net/jwingate/digital-steganographyan-emerging-threat
(best viewed in slide show mode)

Steganography Analysis & Research Center (SARC) Product and Training brochures:
http://www.slideshare.net/jwingate/sarc-product-brochures

Monday, September 28, 2009

DLP Exposed

There's a huge gaping hole in Data Leak Prevention (DLP) products currently being marketed that vendors don’t want you to know about.

So what is it they don’t want you to know? They don't want you to know their products cannot detect steganography, that is, information embedded within files by any of the digital steganography applications currently available as freeware or shareware on thousands of web sites across the Internet. Hidden information of this kind, whether personally identifiable information, stolen intellectual property, or unauthorized images in the workplace, passes current DLP products undetected.



But those who purchase DLP systems, which often carry six-figure price tags, must know that the detection capability of even the most technically sophisticated DLP system can be defeated with a simple steganography application obtained for free on the Internet.

Detecting insider use of steganography to exfiltrate sensitive information requires a network security appliance capable of detecting steganography in real-time. StegAlyzerRTS, the Steganography Analyzer Real-Time Scanner does just that.

For more information, please visit the SARC web site at http://www.sarc-wv.com/.

Tuesday, September 22, 2009

The Compelling Reason to Buy StegAlyzerRTS

To sell their products, all vendors must discover the most significant need that would cause a customer to buy their product.

In marketing parlance, this is called the compelling reason to buy. I’ll refer to that simply as the CRTB.

Please bear with me for a bit while I build up to the CRTB for StegAlyzerRTS, the real-time steganography detection system developed in Backbone’s Steganography Analysis and Research Center (SARC).

Ever since mankind rose up out of the primordial ooze, there has been crime … and there will always be crime.

One can picture a caveman bashing another caveman over the head with his club to steal a big chunk of Wooly Mammoth for dinner! Yum! So, here we have our first case of assault with a deadly weapon or attempted murder along with theft of a Mammoth carcass, or a piece thereof. Hence, criminal activity emerges.

Now, let’s boogie down the evolutionary path a few million years to the Internet era.

The advent of the Internet has done many great things for mankind. However, it has also facilitated the emergence of an entirely new class of criminal … the cyber criminal. Criminal activity is no longer confined to real space. It has evolved and now takes place in both real space and cyber space.

To keep things simple, let’s define a cyber criminal as anyone who would use a computer to do anything that would be considered a violation of law. Further, for the purposes of this blog, let’s say the cyber criminal is a trusted insider on an enterprise network who is contemplating how to achieve a life of ease … perhaps on a chaise lounge on a beach in the Bahamas sipping colorful, sweet drinks with funny names.

Because practically everything in 21st century depends on computers in some way, shape, form, or fashion, there will never be fewer computers than we have today. Rather, there will continue to be more computers and more computer users.

According to the Internet World Stats web site [1], Internet user growth from 2000 to 2008 was a whopping 342.2% and there are now nearly 1.6 billion, yup … that’s B-I-L-L-I-O-N, Internet users worldwide.

So, now let’s assume the ratio of criminals who used computers for criminal activity remained constant during that period … it could be 1 in 100, 1 in 50, 1 in 10, etc. It doesn’t really matter. The point is the number of cyber criminals grew at the same rate as the general Internet user population—a rate of 342.2% over that period!

More criminals using more computers add up to more cyber crime.

More cyber crime is driving the need for improved network security tools to detect malicious insiders.

As the network security tools used to detect insider behavior improve, malicious insiders are becoming motivated to find more technically sophisticated ways to conceal their nefarious activities to avoid a visit to, and possibly an extended stay in, the Cross Bar Hotel.

Hence, the stage is set for Google-search savvy users to Google something really clever like “information hiding” which results in nearly 5.8 million links many of which will inevitably lead the user to “steganography” which results in more than 620,000 links when Googled.

Thus, more and more trusted insiders who have gone over to the dark side will use steganography applications that are widely available on Internet web sites and are easy to find, download, install, and use to exfiltrate (that’s a fancy word for “steal”) sensitive information.

If only 1% of the Internet user population, rounded down to 1.5 billion, were using steganography to steal information, that would be 15 million cyber criminals. So let’s bump it down a notch and say that only .1%, or one-tenth of one percent, are using steganography to steal information … that’s still 1.5 million cyber criminals using steganography. Now let’s assume only 1% of those cyber criminals are trusted insiders. That’s still 15,000 malicious insiders who could steal untold amounts of sensitive information without ever being detected.

Thus, the CRTB for StegAlyzerRTS is to detect malicious insiders who download and use steganography applications to steal sensitive information such as Personally Identifiable Information to sell on the Identity Theft Black Market or Intellectual Property that is the Crown Jewels of the company.

But even with such a CRTB, many enterprise networks will continue to go unprotected from the threat of insider use of digital steganography.

So … now, where’s that Sex on the Beach … ahhhh.



[1] Internet World Stats, Usage and Population Statistics, http://www.internetworldstats.com/stats.htm

Thursday, September 10, 2009

Update to SAFDB Coming Soon

A new version of the Steganography Application Fingerprint Database (SAFDB) containing the file artifacts of more than 750 steganography applications will be released by November 30th.

SAFDB was developed in Backbone’s Steganography Analysis and Research Center (SARC) and is now widely recognized as the world’s largest database of hash values exclusive to digital steganography applications.

SAFDB is an integral part of StegAlyzerAS (Steganography Analyzer Artifact Scanner) and StegAlyzerRTS (Steganography Analyzer Real-Time Scanner).

StegAlyzerAS is a computer forensics tool used to detect the presence of steganography applications on seized media. In addition to detecting file artifacts, StegAlyzerAS offers the unique capability to detect Windows Registry artifacts (i.e., keys and/or values). This makes it possible to determine if a particular steganography application was ever installed by the user even if the user uninstalled the application and then deleted the files and folders associated with the application that were created in the installation process.

StegAlyzerRTS is a network security appliance that detects insiders downloading any of the applications in SAFDB in real-time.

SAFDB contains seven different hash values for each file artifact associated with each steganography application in the SARC’s steganography application archive. The hash values were computed with the CRC-32 and MD5 algorithms plus all five of the algorithms specified in FIPS 180-2, Secure Hash Standard: SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. CRC-32 and MD5 are included so the database can be matched against hash sets produced by other forensic tools; neither is collision-resistant, so a match on one of the SHA-2 digests is what should be treated as conclusive.

SAFDB also includes the artifact file name, file size, associated application name, in addition to other information about each file and application.
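The following is an added example, not SARC code and not the real SAFDB format, showing how an artifact fingerprint database of the kind described above can be built and queried: every artifact gets the same seven digests computed in a single pass over the file, and a lookup reports which algorithms matched so that a CRC-32 or MD5 hit (for instance, one imported from another tool's hash set) can be triaged differently from a SHA-2 hit. The application name "HypoSteg" and the artifact bytes are constructed for the example; the Windows Registry artifact matching that StegAlyzerAS also performs is not modeled here.

```python
import hashlib
import zlib

# The seven algorithms the post lists for SAFDB, computed in a single pass over the file.
ALGORITHMS = ("crc32", "md5", "sha1", "sha224", "sha256", "sha384", "sha512")
STRONG = {"sha224", "sha256", "sha384", "sha512"}  # SHA-2 family; CRC-32, MD5 and SHA-1 are collision-prone


def fingerprint(chunks):
    """Return (size, {algorithm: hex digest}) for an iterable of byte chunks: one read, seven digests."""
    crc, size = 0, 0
    hashers = {name: hashlib.new(name) for name in ALGORITHMS if name != "crc32"}
    for chunk in chunks:
        crc = zlib.crc32(chunk, crc)          # incremental CRC-32
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    digests = {"crc32": f"{crc & 0xFFFFFFFF:08x}"}
    digests.update({name: h.hexdigest() for name, h in hashers.items()})
    return size, digests


def fingerprint_file(path, chunk_size=1 << 20):
    """Fingerprint a file on disk without loading it into memory at once."""
    with open(path, "rb") as f:
        return fingerprint(iter(lambda: f.read(chunk_size), b""))


def make_record(application, file_name, data):
    size, digests = fingerprint([data])
    return {"application": application, "file_name": file_name, "file_size": size, "hashes": digests}


class ArtifactDatabase:
    """Hash-indexed artifact records; a hypothetical stand-in for a SAFDB-style database."""

    def __init__(self, records=()):
        self._index = {}  # (algorithm, hex digest) -> record
        for record in records:
            self.add(record)

    def add(self, record):
        for algorithm, digest in record["hashes"].items():
            self._index[(algorithm, digest)] = record

    def add_hash_only(self, application, algorithm, digest):
        """Import a bare hash from another tool's hash set; only that one algorithm can ever match it."""
        self._index[(algorithm, digest)] = {"application": application, "hashes": {algorithm: digest}}

    def match(self, data):
        """Return (record, set of algorithms that matched), or (None, set()) for an unknown file."""
        _, digests = fingerprint([data])
        hits = {a for a in ALGORITHMS if (a, digests[a]) in self._index}
        if not hits:
            return None, hits
        first = next(iter(hits))
        return self._index[(first, digests[first])], hits


def is_confirmed(hits):
    """Any hit is worth triage; only a SHA-2 hit should be reported as a confirmed artifact."""
    return bool(hits & STRONG)


# Constructed sample artifacts; "HypoSteg" is a hypothetical application, not an entry in the real SAFDB.
HYPOSTEG_EXE = b"MZ" + b"hypothetical steganography tool binary" * 3
HYPOSTEG_DLL = b"MZ" + b"hypothetical helper library" * 2
SAFDB_SAMPLE = ArtifactDatabase([
    make_record("HypoSteg", "hyposteg.exe", HYPOSTEG_EXE),
    make_record("HypoSteg", "hsengine.dll", HYPOSTEG_DLL),
])

if __name__ == "__main__":
    record, hits = SAFDB_SAMPLE.match(HYPOSTEG_EXE)
    print(record["application"], record["file_name"], sorted(hits), is_confirmed(hits))
    print(SAFDB_SAMPLE.match(HYPOSTEG_EXE + b"\x00"))  # one appended byte: no match on any algorithm
```

Note that a single appended byte changes every digest, which is exactly why artifact hash sets need refreshing as applications release new versions (and why the post's quarterly SAFDB update schedule matters).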

Current plans call for the creation of new versions of SAFDB in each quarter of CY2010 with each version containing information on all file artifacts associated with at least 25 more steganography applications than the previous version.

Sunday, August 16, 2009

Steganography: Threat or Hype?

Any discussion on digital steganography ultimately polarizes around two groups: those who believe steganography is being used and those who don’t.

Before delving into the reasons why this is so, let’s first define steganography and how it can be used as an information hiding tool.

Demaratus’ Wax Tablets

Steganography is an ancient information hiding technique that dates back to the days of Ancient Greece. In fact, steganography is derived from the Greek words “steganos” which means “covered” and “graphie” which means “writing.” So steganography literally means “covered writing.”

The Egyptians are often credited with the first use of steganography, in the form of hieroglyphics. However, one of the first recorded uses of steganography, and one of the most interesting, dates back to 480BC and the Battle of Thermopylae. When he learned of Xerxes’ plan to lead his army into Greece, Demaratus scraped the wax off his wax tablet, scribed a message directly on the wood, and then re-covered the tablet with wax in order to get the message to Sparta past the Persian guards.

But rather than spend too much time discussing how steganography has been used throughout history, let’s fast forward to the Internet era where we see an evolution to digital steganography.

Wizzy-Wig

Actually it’s WYSIWYG and it means “What You See Is What You Get.” Right? Not so fast.

For those of us old enough to remember when a WYSIWYG editor was a revelation, we became accustomed to visualizing the contents of a file by what we could see on the screen. If it was on the screen, it was in the file and vice versa.

Well, nowadays, with digital steganography, a slight modification of WYSIWYG is necessary. Now it’s WYSINAWYG or What You See Is Not Always What You Get.

Why? Because it’s possible that information has been appended to the file beyond the point where the format logically ends (an image viewer stops reading at the end-of-image marker and never renders the extra bytes) or, in the case of a bitmap image, information may have been embedded in the low-order bits of the pixel values, where it changes neither the file size nor the visible picture. Essentially, the hidden information is there but you can’t see it. So with steganography, the old saying that “a picture’s worth a thousand words” could quite literally be true.

For example, there is some simulated financial information embedded in the image of the baseball below.

If you would like to know what information is hidden in the image, you can request a Steganography Threat Evaluation Kit at http://www.sarc-wv.com/stegalyzerrts.aspx that contains instructions on how to extract the hidden information.
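As an added example, not code from the original post and not SARC’s extraction instructions, the following demonstrates both hiding methods described above on a constructed bitmap: a least-significant-bit embedding whose output is byte-for-byte the same size as the cover image, and a check for data appended past the format’s logical end, using the BMP header’s declared file size and a JPEG segment walk to the EOI marker. The cover image, the simulated financial string and the minimal JPEG byte string are constructed for the example.

```python
import struct

BMP_HEADER_SIZE = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER
JPEG_ENTROPY_SKIP = {0x00, 0xFF} | set(range(0xD0, 0xD8))  # stuffed FF00, fill bytes, RST0-RST7


def build_bmp(rows):
    """Build an uncompressed 24-bit BMP from rows of (r, g, b) tuples (constructed cover image)."""
    height, width = len(rows), len(rows[0])
    row_size = (width * 3 + 3) & ~3            # each row is padded to a 4-byte boundary
    pixels = bytearray()
    for row in reversed(rows):                 # BMP stores rows bottom-up, pixels as BGR
        for r, g, b in row:
            pixels += bytes((b, g, r))
        pixels += b"\x00" * (row_size - width * 3)
    file_size = BMP_HEADER_SIZE + len(pixels)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, BMP_HEADER_SIZE)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(file_header + dib_header + pixels)


def lsb_embed(bmp, payload):
    """Hide payload in the least significant bit of each pixel byte; the file size does not change."""
    offset = struct.unpack_from("<I", bmp, 10)[0]          # start of pixel data
    blob = struct.pack("<I", len(payload)) + payload       # length prefix so extraction knows where to stop
    bits = [(byte >> k) & 1 for byte in blob for k in range(7, -1, -1)]
    if len(bits) > len(bmp) - offset:
        raise ValueError("payload too large for cover image")
    out = bytearray(bmp)
    for i, bit in enumerate(bits):
        out[offset + i] = (out[offset + i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(bmp):
    """Reassemble the payload written by lsb_embed from the pixel LSBs."""
    offset = struct.unpack_from("<I", bmp, 10)[0]

    def read(start, nbytes):
        out = bytearray()
        for k in range(nbytes):
            value = 0
            for j in range(8):
                value = (value << 1) | (bmp[start + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    length = struct.unpack("<I", read(offset, 4))[0]
    return read(offset + 32, length)


def jpeg_logical_end(data):
    """Walk the JPEG segment table and return the offset just past the EOI marker, or None if malformed."""
    if data[:2] != b"\xff\xd8":                 # SOI
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                       # EOI: everything after this is not part of the image
            return i + 2
        if i + 4 > len(data):
            return None
        i += 2 + struct.unpack_from(">H", data, i + 2)[0]
        if marker == 0xDA:                       # SOS: entropy-coded data runs until the next real marker
            while i + 1 < len(data) and not (data[i] == 0xFF and data[i + 1] not in JPEG_ENTROPY_SKIP):
                i += 1
    return None


def trailing_data(data):
    """Return whatever follows the format's logical end of file (an appended payload), or b''."""
    if data[:2] == b"BM":
        declared = struct.unpack_from("<I", data, 2)[0]  # header's declared file size
        return data[declared:]
    end = jpeg_logical_end(data)
    if end is not None:
        return data[end:]
    return b""                                   # unknown format: this check has nothing to say


# Constructed samples: a 32x8 cover image, simulated financial data, and a minimal JPEG with one scan.
COVER = build_bmp([[(x, y * 8, 30) for x in range(32)] for y in range(8)])
SECRET = b"acct:4111-2222 bal:$10,000"
STEGO = lsb_embed(COVER, SECRET)
APPENDED = COVER + b"\x00SECRET-AFTER-EOF"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # entropy data with a stuffed FF00 and an RST0
               + b"\xff\xd9")

if __name__ == "__main__":
    print("same size:", len(STEGO) == len(COVER), "extracted:", lsb_extract(STEGO))
    print("trailing in stego BMP:", trailing_data(STEGO))
    print("trailing in appended BMP:", trailing_data(APPENDED))
    print("trailing in JPEG:", trailing_data(SAMPLE_JPEG + b"hidden"))
```

The two checks are deliberately different in kind: the trailing-data check is a cheap structural test that catches the append-after-EOF technique, while it says nothing about the LSB-embedded copy, which passes it with no size change at all. Detecting the latter needs either the application's artifacts (the approach of the previous post) or statistical analysis of the pixel data, which is beyond this example.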

The Lazy People Theory

Now let’s go back to why some believe insiders are using steganography to steal sensitive information and intellectual property and criminals are using steganography to conceal evidence of criminal activity but others do not.

First, the non-believers. This group seems to believe that people are like electrons—they take the path of least resistance. Typically, this path is one of using a thumb drive, or some other ultra-portable storage device, to steal information and then just walk out the front door with it.

Their basic question is “Why would anyone go to the trouble of using steganography when there are so many other easier ways to steal information?” This is a valid question.

Many computer forensic examiners in law enforcement hold the belief that “the criminals we deal with are too stupid, too lazy, or both to use steganography.” There is some validity to that as well.

The Devious People Theory

Now, for the believers. This group tends to believe in the “build it, and they will come” approach. In terms of digital steganography, we could say this is the “if it is there, they will use it” approach.

People in this group tend to believe that people will go to great lengths to avoid being caught doing something they shouldn’t be doing. It is the fear of a visit to the “cross bar hotel” that motivates this group to find ways to conceal their nefarious and most likely illegal activities.

As Data Loss Prevention (DLP) tools and forensics tools continue getting better at detecting sensitive information leaving the enterprise network or finding digital evidence of criminal activity, it is only logical to presume that those wishing to evade detection will find more technically sophisticated ways to conceal their nefarious activities.

And it is very easy, child’s play really, to find, download, install, and use steganography applications that are widely available as freeware or shareware on the Internet.

Just do a Google search on “information hiding” and you will see that you get over seven million links in the search results. Many of those links lead to web sites where digital steganography applications can be found.

Going Forward

So there you have it … some believe steganography is being used and some don’t. It is difficult to convince the non-believers that steganography is, indeed, a threat because there isn’t a large body of empirical data to prove that it is being used. Why should I look for something that you say is being used but yet you cannot prove it? Another valid question.

At the end of the day, we have to acknowledge that no one really knows how often steganography is being used for nefarious purposes.

But, going forward, we also have to acknowledge that we will never know how much information is being stolen or how much criminal activity is being concealed through the use of digital steganography until more people understand what it is and believe that it is, in fact, being used.