Use offense to inform defense. Find flaws before the bad guys do.
Copyright SANS Institute. Author retains full rights. This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission.
Steganography
Richard Lewis
© SANS Institute 2000 - 2002. As part of GIAC practical repository. Author retains full rights.

What is Steganography?

Steganography, literally meaning covered writing, involves the hiding of data in another object. From the time of Herodotus in ancient Greece to the terrorists of today, the secret writing of steganography has been used to deny one’s adversaries the knowledge of message traffic.

There are many tools freely available on the Web that allow an individual to hide your data, without your knowledge, in an innocuous-looking file. The only way you would be able to detect this is if you happened to have a “golden” copy of the file in question. You would have to do a bit-by-bit comparison of the file in question in order to detect the subterfuge. Now, the reasonable individual would concede that you are highly unlikely to have a pristine copy of a file that you do not control. So it would not be a great leap of faith to understand that steganography is one of the more serious threats to data integrity and an organization’s security posture today.

Figure 1: Cover Image

It all boils down to trust: can you, do you, trust your employees? As a security professional you are concerned with your organization’s proprietary information being removed from your premises without your knowledge. Steganography provides the tools to do just that. Employee data, pricing data and rates, etc. can be easily smuggled out right under your nose. Utilities that look for “dirty words” or key phrases are not going to be able to detect information that has been concealed.

How Steganography Works

Steganography works, in some cases, by using the least significant bit (LSB) in a byte. By encoding the LSB of every byte in the file we are able to secrete data in an otherwise harmless file. In a bitmap file, as shown in figure 1 and figure 2, we can see some degradation of the image. In a small file this is more apparent because of the higher ratio of modified bytes. (The larger the ratio of modified bytes in a file, the more apparent the distortion.) If the file had been larger, the same hidden file would have been barely noticeable, even when compared side by side with the original.

Figure 2: Stego Image

Barring the use of encryption, we can examine the file and tell whether information has been inserted into the file. Of course we would need a utility developed for that purpose, but given the power of today’s desktop computers and the fact that the information is not encrypted, we should have no problem in ascertaining the subterfuge.

When we are faced with the use of encryption and steganography together, our job is made much more difficult. The encrypted data should appear as background noise. Our simple scanner now can’t find patterns scattered through the file. In order to combat a known encrypted steganography file we can alter the file in some way to make recovery of the message impossible. That can be accomplished by inserting our own message in the file. The damage done to the original message should render it unreadable. In the event the file in question is a stego image file, we can crop or otherwise edit the file to render the message unrecoverable. Thus it is a simple matter to destroy a hidden message, but detection and recovery are quite a different matter.

In a wave file the hidden data would appear as white, or random, noise. More than likely you would be unable to hear it; your dog might, but not you. The casual observer would not find any evidence that data was being smuggled in or out of the facility.

Figure 3: Stego Object
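The golden-copy comparison and the destroy-by-alteration step described above, as an added Python example that is not part of the original paper. The function names and the constructed cover and payload bytes are assumptions; the buffers stand for raw pixel or sample data with no file header, and clearing the low bits stands in for the paper's overwrite-or-crop approach.

```python
# Added example. Buffers stand in for raw pixel/sample bytes (no file header).

def make_test_stego(cover: bytes, payload: bytes) -> bytes:
    """Build a constructed test sample: payload bits overwrite cover LSBs."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("need one cover byte per payload bit")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def read_lsb(data: bytes, n: int) -> bytes:
    """Reassemble n bytes from the low bits of the first 8*n bytes."""
    return bytes(
        sum((b & 1) << (7 - j) for j, b in enumerate(data[8 * k:8 * k + 8]))
        for k in range(n)
    )

def compare_with_golden(golden: bytes, suspect: bytes) -> dict:
    """Bit-by-bit comparison of a suspect file against a trusted copy."""
    if len(golden) != len(suspect):
        raise ValueError("length differs: not a pure LSB modification")
    diffs = [g ^ s for g, s in zip(golden, suspect) if g != s]
    return {
        "changed_bytes": len(diffs),
        "ratio": len(diffs) / len(golden),
        # True when every altered byte differs only in its lowest bit
        "lsb_only": bool(diffs) and all(d == 1 for d in diffs),
    }

def scrub_lsb(data: bytes) -> bytes:
    """Clear every low bit so an LSB-hidden message cannot be recovered."""
    return bytes(b & 0xFE for b in data)

if __name__ == "__main__":
    payload = b"constructed payload"                         # constructed sample
    small = bytes((i * 37 + 11) % 256 for i in range(256))   # constructed cover
    large = small * 16                                       # same data, 16x larger
    for name, cover in (("small", small), ("large", large)):
        stego = make_test_stego(cover, payload)
        print(name, compare_with_golden(cover, stego))
        assert read_lsb(stego, len(payload)) == payload
        assert read_lsb(scrub_lsb(stego), len(payload)) != payload
```

The same payload changes the same number of bytes in both covers, so the reported ratio is sixteen times lower in the larger one, which is the effect the paper describes for small versus large files.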
As you can see, the first figure and the second figure appear almost identical; if it were not for some image degradation the files would be identical. However, they are not. This is because the second image, through use of steganography, contains a complete Excel spreadsheet. It is only because of the small size of the image file that we are able to see the degradation of the image. It is good to note that the larger the image file, the more data can be hidden there.

Vigilance Is The Key

I think now would be a good time to talk about bandwidth. As I have said, due to the small size of the cover image and the relatively large size of the Stego object, the Stego image has a noticeable amount of distortion present. It is easier to hide a small message in a large file than a large file. One more concern is that of traffic flow security. If someone suddenly starts to take image and wave files out of your facility for no apparent reason, then you, as a security professional, should become suspicious. To combat the threat you need to know the normal patterns and then look for changes in the norm. We always come back to “know your system.” I will expand that to “Know your environment.”

The S-Tools application is easy to use, and the novice user can hide a large amount of data with little effort. The S-Tools application can be found at the following link:
ftp://ftp.funet.fi/pub/crypt/mirrors/idea.sec.dsi.unimi.it/code/s-tools4.zip

Once the application has been downloaded, installed, and started, you would just drag and drop a sound or picture file into the application’s workspace. Now comes the fun part. Find the file that you want to hide. Simply drag the file over the picture and drop it. You will then see the passphrase GUI (see figure 4); enter your passphrase, select your encryption algorithm, and click on OK. That’s all there is to it.
Do not forget your passphrase.

Now if you think that you can use S-Tools to identify whether or not a file has hidden data in it, you are out of luck. Without the correct passphrase, you will not be able to tell. The data is encrypted, so it will look like noise to the application if the correct passphrase is not entered.

Decoding or extracting the hidden file is also a simple process. The file that contains the hidden data is placed into the S-Tools work area. The mouse pointer is positioned over the file, and when you right click on the file you should select the reveal option. You will then see the passphrase GUI (see figure 4). You then enter your passphrase, twice, select your encryption algorithm, and click on OK. If you were successful, the program will display the revealed archive window (see figure 6).

Summary

Steganography, literally meaning covered writing, involves the hiding of data in another object. Steganography provides the tools to do just that. Employee data, pricing data and rates, etc. can be easily smuggled out right under your nose. Steganography has been with us since the time of the ancient Greeks. Modern terrorist organizations use it to pass plans and information between cells by placing altered pictures in newsgroups on web sites and passing them in chat groups.

By encoding the LSB of every byte in the file we are able to secrete data in an otherwise harmless file. In a bitmap file, as shown in figure 1 and figure 2, we can see some degradation of the image. If the file had been larger, the same hidden file would have been barely noticeable, even when compared side by side with the original.

Barring the use of encryption, we can examine the file and tell whether information has been inserted into the file. The encrypted data should appear as background noise. In order to combat a known encrypted steganography file we can alter the file in some way to make recovery of the message impossible. In the event the file in question is a stego image file, we can crop or otherwise edit the file to render the message unrecoverable. In a wave file the hidden data would appear as white, or random, noise.

The ability to remove information undetected is a threat to the integrity of any organization’s data. Protecting your organization’s data requires hard work and diligence. Many tools are freely available on the web to secrete data and enable someone to smuggle data out of your facility. You must know your environment and become aware of changes in its patterns. Knowing that the threat exists is the first step in combating the problem.

Using encryption and steganography makes the job of detecting a hidden message much more difficult and more than likely would place it outside the ability of the average organization. If it is suspected that a file contains a hidden message, editing or cropping the image file or placing your own hidden message in the stego file can easily destroy the message.
To combat the threat you need to know the normal patterns and then look for changes in the norm. We always come back to “know your system.” I will expand that to “Know your environment.”