Upload
desmond-devendran
View
853
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Module XX – Steganography
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scenario
A couple from Manchester was charged of plotting a terrorist act. Taxi driver Habib Ahmed of Elmfield Street, Cheetham Hill and his wife Mehreen Haji were held in police custody in London.
Ahmed, age 27, was accused of making computer records of possible terror targets and undergoing a course of weapons training at a Pakistani terror camp between April and June of 2006. 25-year-old Haji was accused of providing just under £4,000 to finance her husband's alleged terrorist activities.
The police seized the computer from Ahmed and also recovered a significant amount of material from the computers.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: New Software Can Easily Read Messages Hidden in Noisy Digital Images
Source: http://www.thaindian.com/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
• Steganography• Model of Stegosystem• Classification Of Steganography• Different Forms of Steganography• Issues in Information Hiding • Cryptography• Steganography vs. Cryptography• Stego-forensics• Watermarking• Steganography tools
This module will familiarize you with:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Steganography
Classification Of Steganography
Model of Stegosystem
Issues in Information Hiding
Different Forms of Steganography
Steganography vs. Cryptography
Cryptography
Steganography Detection
Steganography tools
Watermarking
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography
Steganography is defined as “The art and science of hiding information by embedding messages within other, seemingly harmless messages”
It involves placing a hidden message in some transport medium
The meaning is derived from two Greek words mainly “Stegos” which means secret and “Graphie” which means writing
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Model of Stegosystem
Stegosystem describes the process that is used in performing steganography
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Concepts
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Application of Steganography
Steganography is used to hide communication
In military applications, where even the knowledge of communication between two parties can be critical
Health care especially medical imaging systems, may benefit from information hiding techniques
Other areas where steganography is used are workplace communication, digital music, terrorism, and the movie industry
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Classification of Steganography
Steganography
Technical Steganography
Linguistic Steganography
Semagrams
Visual Semagrams
Text Semagrams
Open codes
Jargon code Covered Ciphers
Null Cipher
Grill Cipher
Digital Steganography
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Technical Steganography
Technical steganography uses the physical or chemical means to hide the existence of a message
Some of the technical steganography types include use of invisible ink or microdots
Microdots method is a page sized photograph minimized to 1mm in diameter
The photograph is reduced with the help of reverse microscope
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linguistic Steganography
Linguistic steganography hides the message in the carrier in some non-obvious ways
It is further categorized into semagrams and open codes
• Visual semagrams use innocent-looking or everyday physical objects to convey a message, such as doodles or the positioning of items on a desk or website
• Text Semagrams hide a message by modifying the appearance of the carrier text, such as subtle changes in the font size or type, adding extra spaces, or different flourishes in letters or handwritten text
Semagrams hide information using symbols or signs:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linguistic Steganography (cont’d)
• Text is carefully constructed• Positioning text conceals messages
Open codes Steganography:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linguistic Steganography (cont’d)
Open codes Steganography is divided into:
• It is a language that a group of people can understand but is meaningless to others The Jargon code:
• The message is hidden openly in the carrier medium so that anyone who knows the secret of how it was concealed can recover it
• It is again categorized into Null ciphers and Grille Ciphers
Covered ciphers:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Linguistic Steganography (cont’d)
• A null cipher is an ancient form of encryption where the plaintext is mixed with a large amount of non-cipher material
• It can also be used to hide ciphertext
Null Ciphers:
• In this technique, a grille is created by cutting holes in a piece of paper
• When the receiver places the grille over the text, the intended message can be retrieved
Grille Ciphers:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digital Steganography Techniques
Digital Steganography hides secret messages in digital media
• Injection• Least Significant Bit (LSB)• Embedding during Transform Process• Spread Spectrum Encoding• Perceptual Masking• Cover Generation Technique• Statistical Method Technique• Distortion Technique
The techniques used in digital steganography:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Injection
The secret message is injected into the host’s medium
Drawback: The host file gets larger and makes it easier to detect the message
Example: In the web page, the message ‘This is a sample of Stego’ is displayed, whereas in the source code of the web page, a secret message ‘This is the hidden message” is viewed
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Least Significant Bit (LSB)
In LSB, the right hand side bit in the binary notation is substituted with the bit from the embedded message
Data is no longer secure if the attacker knows LSB substitution technique is used
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Transform Domain Techniques
A transformed space is generated when the file is compressed at the time of transmission
This transformed space is used for hiding the data
Discrete Cosine Transform (DCT), Discrete Fourier Transform (DFT), and Wavelet Transform are used to embed secret data during the transformation process
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Spread Spectrum Encoding Techniques
• In direct sequence, the stream of information is divided into small parts, each of which is allocated across to a frequency channel across the spectrum
Direct Sequence
• In frequency spectrum, the bandwidth spectrum is divided into many possible broadcast frequencies
Frequency Spectrum
It encodes a small band signal into a wide band cover
The encoder modulates a small band signal over a carrier
Spread Spectrum Encoding techniques are of two types:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Perceptual Masking
Perceptual masking is a type of steganography that refers to masking of one signal over the other making it difficult for the observer to detect
Masking tone
Level (dB)
time
Inaudible tones (under curve)
freq
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cover Generation Technique
A cover is generated to hide the information, contrary to the one that chooses a cover object to hide the data
Spam Mimic tool is used to embed a text message into a spam message that is emailed to the desired destination
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Statistical Method Technique
This method uses the 1-bit steganographic scheme
It embeds one bit of information in the digital carrier
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Distortion Technique
This technique creates a change in the cover object in order to hide the information
The secret message is recovered by comparing the distorted cover with the original one
Original image
Distorted image
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Different Forms of Steganography
• Text file steganography• Image File steganography• Audio File steganography• Video File steganography
Steganography comes in different forms:
Text File
ImageFile
AudioFile
VideoFile
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Text File Steganography
• It uses spaces in between words or sentences to hide the data
Open space steganography
• It modifies the word order or uses punctuation for hiding the data
Syntactic steganography
• It uses synonyms to encode the secret message
Semantic steganography
Steganography in the Text files include:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Image File Steganography
• GIF- Graphic Interface Format• BMP- A Microsoft standard image • JPEG- Joint Photographic Experts • TIFF- Tag Image File Format
Four image file compressions commonly used in steganography:
Image file properties relate to how digital images vary in terms of their resolution, width, and height
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Techniques in Image File
Least Significant Bit Insertion in Image files
Masking and Filtering in Image files
Algorithms in Image files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Least Significant Bit Insertion in Image Files
The rightmost bit is called the Least Significant Bit (LSB)
The LSB of every byte can be replaced with minor change to the overall file
The binary data of the secret message is broken up and then inserted into the LSB of each pixel in the image file
• Using the Red, Green, Blue (RGB) model, a stego tool makes a copy of an image palette
• The LSB of each pixel 8-bit binary number is replaced with one bit from the hidden message
• A new RGB color in the copied palette is created• The pixel is changed to the 8-bit binary number of the new RGB color
Hiding the Data:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Least Significant Bit Insertion in Image Files (cont’d)
• 01001101 00101110 10101110 10001010 10101111 10100010 00101011
101010111
• The letter “H” is represented by binary digits 01001000. To
hide this “H” above stream can be changed as:
• 01001100 00101111 10101110 10001010 10101111 10100010 00101010
101010110
• To retrieve the “ H”combine all LSB bits 01001000
Recovering the data :
• The stego tool finds the 8-bit binary number of each pixel RGB color • The LSB of each pixel's 8-bit binary number is one bit of the hidden data file • Each LSB is then written to an output file
Example: Given a string of bytes
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Process of Hiding Information in Image Files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Masking and Filtering in Image Files
Masking technique hides data in a similar way like watermarks on the actual paper
Masking and filtering techniques hide information by marking an image which can be done modifying the luminance of parts of the image
Masking and filtering techniques are mostly used on 24 bit and grayscale images
Masking techniques hide information in such a way that the hidden message is more integral to the cover image than simply hiding data in the "noise" level
Masking adds redundancy to the hidden information
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Algorithms and Transformation
Another steganography technique is to hide data in mathematical functions that are in compression algorithms
JPEG images use the Discrete Cosine Transform (DCT) technique to achieve image compression
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Algorithms and Transformation (C0nt’d)
• Take the DCT or wavelet transform of the cover image and find the coefficients below a specific threshold
• Replace these bits with bits to be hidden • Take the inverse transform and store it as a regular image
Hiding data:
• Take the transform of the modified image and find the coefficients below a specific threshold
• Extract bits of the data from these coefficients and combine the bits into an actual message
Recovering the data:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Algorithms and Transformation (C0nt’d)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Audio File Steganography
Information can be hidden in a audio file by using LSB or by using frequencies that are inaudible to the human ear
High frequency sound can be used to hide information as human ear cannot detect frequencies greater than 20,000 Hz
Information can be hidden using musical tones with a substitution scheme
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Low-bit Encoding in Audio Files
Low bit Encoding is a type of audio steganography, which is similar to Least Bit Insertion method done through Image Files
Binary data can be stored in the least important audio files
The channel’s capacity is 1 kilo byte per second per kil0hertz
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Phase Coding
• The original sound sequence is shortened into short segments• A DFT (Discrete Fourier Transform) is applied to each segment
to create a matrix of the phase and magnitude• The phase difference between each adjacent segment is
calculated• For all other segments, new phase frames are created• The new phase and original magnitude are combined to get a new
segment• The new segments are concatenated to create the encoded output
The method is described below:
Phase coding is the phase in which an initial audio segment is replaced by a reference phase that represents the data
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Spread Spectrum
The encoded data is spread across as much as the frequency spectrum
Spread Spectrum can be clearly illustrated by using Direct Sequence Spread Spectrum (DSSS)
Unlike phase coding, DSSS does introduce some random noise to the signal
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Echo Data Hiding
In echo data hiding technique, an echo is embedded into the host audio signal
Three Parameters of echo:
Initial Amplitude
Decay Rate
Offset
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Video File Steganography
Discrete Cosine Transform (DCT) manipulation is used to add secret data during the video transformation
The techniques used in audio and image files are used in video files, as video consists of audio and image
A large amount of secret messages can be hidden in video files since it is a moving stream of images and sound
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganographic File System
Steganographic file system is a method to store the files in a way that it encrypts and hides the data without the knowledge of others
It hides the user’s data in other seemingly random files
It allows the user to give names and passwords for some files while keeping other files secret
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Issues in Information Hiding
• The embedding process distorts the cover to a point where it is visually unnoticeable i.e., if the image is drastically distorted then the carrier is insufficient for the payload, and if the image is not distorted then the carrier is adequate
Levels of Visibility:
• Redundancy is needed for a robust method of embedding the message, but it subsequently reduces the payload
• Robustness and payload are opposites of each other i.e., less the payload, more the robustness
Robustness vs. Payload:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Issues in Information Hiding (cont’d)
• Some image and sound files are lossy or lossless• The conversion of lossless information to a compressed lossy
information destroys the hidden information in the cover• Example: Conversion of uncompressed bitmap to a compressed
estimated JPEG, changes the bits to include bits containing embedded message
File format dependence:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Cryptography
Cryptography is an art of writing text or data in secret code
It encrypts the plain text data into unreadable format, which is called cipher text
It is based on mathematical algorithms
These algorithms use a secret key for secure transformation
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Model of Cryptosystem
Cyrptosystems are cryptography systems such as secure electronic mail systems which might include methods for digital signatures, cryptographic hash functions, key management techniques, and so on
It involves algorithms that take a key and covert plaintext to cypertext and vice versa
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography vs. Cryptography
Steganography Cryptography
Steganography is the technique of hiding information by embedding messages within other messages
Cryptography is the technique of encoding the contents of the message in such a way that its contents are hidden from outsiders
The message is not visible, because it is hidden behind the other message
The existence of the message is clear, but the meaning is obscured
Only one private key is usedTwo keys are used i.e. public key for encryption and private key for decryption
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Public Key Infrastructure (PKI)
PKI is used for secure and private data exchange over the Internet
It uses public and a private cryptographic key pair that is obtained and shared through a trusted authority
PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates
It uses public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message
PKI consists of:
• A certificate authority (CA) that issues and verifies digital certificate• A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a
request• One or more directories where the certificates (with their public keys) are held
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Key Management Protocols
The primary goal of a key management scheme is to provide two communicating devices with a common or shared cryptographic key
“Session key” is used to identity short-lived keys. This key does not require a session-based communication model
"Master Key" is used to denote keys having a longer life period than a session key
Key Management Controller (KMC) provides a key to a communication unit that is referred to as rekeying
KMC will assign keys to the communication units through Over-the-Air-Rekeying (OTAR), i.e. the communication units are rekeyed over a radio channel
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Watermarking
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
What is Watermarking?
During the manufacture of paper, the wet fiber is subjected to high pressure to expel the moisture
If the press' mold has a slight pattern, this pattern leaves an imprint, a watermark, in the paper, best viewed under transmitted light
Digital watermarks are imperceptible or barely perceptible transformations of the digital data; often the digital data set is a digital multimedia object
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Case Study
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography vs. Watermarking
Steganography Watermarking
The main goal of steganography is to hide a message ‘m’ in some audio or video (cover) data ‘d’, to obtain new data ‘D', practically indistinguishable from ‘d’, by people, in such a way that an eavesdropper cannot detect the presence of ‘m’ in ‘d'
The main goal of watermarking is to hide a message ‘m’ in some audio or video (cover) data ‘d’, to obtain new data ‘D', practically indistinguishable from ‘d’, by people, in such a way that an eavesdropper cannot remove or replace ‘m’ in ‘d'
Original message is hidden behind other message
The original image is visible in watermarking
Emphasizes on avoiding detectionEmphasizes on avoiding distortion of the cover
Largest hidden message possible Usually small hidden message
It can be used for secret communicationIt can be used for copyright protection, image authentication
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Types of Watermarks
• A visible watermark is robust• Though not part of the foundation image, the
watermark's presence is clearly noticeable and often difficult to remove
Visible watermarks:
• An invisible watermark's purpose is to identify ownership or verify the integrity of an image or piece of information
• It is imperceptible but can be extracted via computational methods
Invisible watermarks:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Working of Different Watermarks
• The tampering with the image can be determined by observing the position of tampering caused due to any alteration
Semi-fragile:
• Fragile watermark has low robustness when the data is modified, it destroys the embedded information with a small change in the content
Fragile:
• Robust watermark has high robustness when the data is modified• It can be visible or invisible and is difficult to remove or damage the
robust watermark
Robust:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Attacks on Watermarking
• These attacks attempt to diminish or remove the presence of watermarks in a suspect image without rendering the image
Robustness Attacks:
• In a presentation attack, the watermarked content is manipulated, so a detector cannot find it
Presentation Attack:
• Interpretation attacks seek to falsify invalid or multiple interpretations of a watermark
Interpretation Attacks:
• Legal attacks is the ability of an attacker to cast doubt on the watermarking scheme in the courts
Legal Attacks:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Application of Watermarking
A popular application of watermarking techniques is to provide a proof of ownership of digital data by embedding copyright statements into video or image digital products
Data augmentation - to add information for the benefit of the public
Automatic audit of radio transmissions
Automatic monitoring and tracking of copy-write material on WEB
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Currency Watermarking
Watermarking is used on the currency note to protect from counterfeiting
Watermarks on currency note can be seen when held against the light that shows an image similar to the printed image on the note
The image of the watermark is caused due to difference in thickness of the note
A highlighted feature of ultra thin paper is an added security effect in watermarking
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Digimarc's Digital Watermarking
Digimarc's digital watermarking technologies allow users to embed a digital code into audio, images, video, and printed documents that is imperceptible during normal use but readable by computers and software
It is a special message embedded in an image, whether it is a photo, video, or other digital content
Digimarc's software embeds these "imperceptible" messages by making subtle changes to the data of the original digital content
These watermarks can then be "read" to validate the original content
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Watermarking – Mosaic Attack
Mosaic attack works by splitting an image into multiple pieces and stitching them together using javascript code
The web browser simply ‘sticks’ them back together at display time
Both images are watermarked with Digimarc; but the watermark is unreadable in small parts
The attack works because copyright marking methods have difficulties to embed watermarks in small images (typically below 100×100 pixels)
Watermarked imageSplit into 9 pieces
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Mosaic Attack – Javascript Code
<nobr><img SRC="kings_chapel_wmk1.jpg’ BORDER="0’ ALT="1/6’ width="116’ height="140"><img SRC="kings_chapel_wmk2.jpg’ BORDER="0’ ALT="2/6’ width="116’ height="140"><img SRC="kings_chapel_wmk3.jpg’ BORDER="0’ ALT="3/6’ width="118’ height="140"></nobr><br><nobr><img SRC="kings_chapel_wmk4.jpg’ BORDER="0’ ALT="4/6’ width="116’ height="140"><img SRC="kings_chapel_wmk5.jpg’ BORDER="0’ ALT="5/6’ width="116’ height="140"><img SRC="kings_chapel_wmk6.jpg’ BORDER="0’ ALT="6/6’ width="118’ height="140"></nobr>
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
2Mosaic – Watermark Breaking Tool
2Mosaic is a 'presentation' attack against digital watermarking systems
It consists of chopping an image into a number of smaller sub images, which are embedded in a suitable sequence in a web page
Common web browsers render juxtaposed sub images stuck together, so they appear similar to the original image
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Detection
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
How to Detect Steganography
• Steganographic investigators need to be familiar with the name of the common steganographic software and related terminology, and even websites about steganography
• Investigators should look for file names, web site references in browser cookie or history files, registry key entries, e-mail messages, chat or instant messaging logs, comments made by the suspect, or receipts that refer to steganography
• These will provide hard clues for the investigator to look deeper
• Finding similar clues for cryptography might also lead one down this path
Software clues on the computer
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
How to Detect Steganography (cont’d)
• Non-steganographic software might offer clues that the suspect hide files inside other files
• Users with binary (hex) editors, disk wiping software, or specialized chat software might demonstrate an inclination to alter files and keep information secret
Other program files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
How to Detect Steganography (cont’d)
• Look for the presence of a large volume of the suitable carrier files
• While a standard Windows computer will contain thousands of graphics and audio files, for example, majority of these files are small and are an integral part of the graphical user’s interface
• A computer system with an especially large number of files that could be steganographic carriers are potentially suspected; this is particularly true if there are a significant number of seemingly duplicate "carrier" files
Multimedia files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
How to Detect Steganography (cont’d)
• The type of crime being investigated may also make an investigator think more about steganography than other types of crime
• Child pornographers, for example, might use steganography to hide their wares when posting pictures on a web site or sending them through e-mail
• Crimes that involve business-type records are also good steganographycandidates because the perpetrator can hide the files but still get access to them; consider accounting fraud, identity theft (lists of stolen credit cards), drugs, gambling, hacking, smuggling, terrorism, and more
Type of crime
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Detecting Steganography
• Identifies whether the image is modified or not by determining its statistical properties
Statistical tests:
• Stegdetect• Stegbreak
Tools used:
Detecting steganography is a difficult task especially during low payloads
The different ways of detecting steganography:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Detecting Steganography (cont’d)
• It breaks the encoded password with the help of dictionary guessing
Stegbreak:
The different ways of detecting steganography are:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Detecting Text, Image, Audio, and Video Steganography
• For the text files, the alterations are made to the character positions for hiding the data
• The alterations are detected by looking for text patterns or disturbances, language used, and the unusual amount of blank spaces
Text file:
• The hidden data in image can be detected by determining the changes in size, file format, the last modified timestamp, and the color palette pointing to the existence of the hidden data
• Statistical analysis method is used for image scanning
Image file:
Information that is hidden in different file system can be detected in the following ways:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Detecting Text, Image, Audio, and Video Steganography (cont’d)
• Statistical analysis method can also be used for audio files since the LSB modifications are also used on audio
• The inaudible frequencies can be scanned for information • The odd distortions and patterns show the existence of the
secret data
Audio file:
• Detection of the secret data in video files include combination of methods used in image and audio files
• Special code signs and gestures can also be used for detecting secret data
Video file:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Counterfeit Detection
The methods used to protect and validate currency are:
• First Line Inspection method• Second Line Inspection method
First line inspection method involves the first site determining authenticity of the currency that is being exchanged
This type of inspection is detected by both the verifier and counterfeiter
This method of detection can be assessed by varied density of watermark, Ultraviolet Fluorescence, and Microtext
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Counterfeit Detection (cont’d)
Second-Line inspection methods cannot be detected by the naked eye and requires additional devices
The methods of second line inspection:
• Isocheck/Isogram depends on the specific dots or lines that leads to some pattern when printed
• Hidden watermarks can be applied in these patterns to know the genuineness of the note when a filter is placed
Isocheck/Isogram:
• This method uses unique configurations of fibers embedded in the paper
Fiber-Based Certificates of Authenticity
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganalysis
Steganalysis is the art and science of detecting hidden messages using steganography
It is the technology that attempts to defeat steganography—by detecting the hidden information and extracting it or destroying it
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganalysis Methods/Attacks on Steganography
• Only the stego-object is available for analysis
Stego-only attack:
• The stego-object as well as the original medium is available• The stego-object is compared with the original cover object to
detect any hidden information
Known-cover attack:
• The hidden message and the corresponding stego-images are known
Known-message attack:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganalysis Methods/Attacks on Steganography (cont’d)
• The steganography algorithm is known and both the original and stego-object are available
Known stego attack:
• The steganography algorithm and stego-object are known
Chosen-stego attack:
• Active attackers can change the cover during the communication process
Disabling or active attack:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganalysis Methods/Attacks on Steganography (cont’d)
• The steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message
• The goal in this attack is to determine patterns in the stego-object that may point to the use of the specific steganography tools or algorithms
Chosen-message attack:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Disabling or Active Attacks
• It softens the transitions and averages the adjacent pixels with significant color change
Blur:
• Random noise injects Random colored pixels to an image• Uniform noise inserts slightly similar pixels and colors of the original
pixel
Noise:
• It reduces the noise in the image by adjusting the colors and averaging the pixel values
Noise Reduction:
• It increases the contrast between the adjacent pixels
Sharpen:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Disabling or Active Attacks (cont’d)
• It moves the image around a central point
Rotate:
• It is an interpolation process where the raggedness while expanding an image is reduced
Resample:
• Soften is a uniform blur to an image that smoothens the edges and decreases the contrasts
Soften:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Stego-Forensics
Stego-Forensics is a stream of forensic science dealing with steganographytechniques to investigate a source or cause of a crime
Different methods of Steganalysis can be used to unearth secret communications between antisocial elements and criminals
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography in the Future
• Protection of the intellectual property• Individuals or organization using steganographic carriers for
personal or private information
Legitimate uses of steganography in the future:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Hiding Information in DNA
In the near future, biological data such as DNA may be a viable medium for hidden messages
This could be particularly useful for "invisible" watermarking that biotech companies could use to prevent unauthorized use of their genetically engineered material
Three researchers in New York successfully hid a secret message in a DNA sequence and sent it across the country
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Unethical Use of Steganography
Criminal communications
Fraud
Hacking
Electronic payments
Gambling and pornography
Harassment
Intellectual property offenses
Viruses
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
TEMPEST
TEMPEST is an official acronym for "Telecommunications Electronics Material Protected From Emanating Spurious Transmissions" and includes technical security countermeasures; standards, and instrumentation, which prevent (or minimize) the exploitation of the security vulnerabilities by technical means
TEMPEST and its associated disciplines involve designing circuits to minimize the amount of "compromising emanations" and to apply appropriate shielding, grounding, and bonding
These disciplines also include methods of radiation screening, alarms, isolation circuits/devices, and similar areas of equipment engineering
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
TEMPEST (cont’d)
When modern electrical devices operate, they generate electromagnetic fields
Digital computers, radio equipment, typewriters, generate massive amounts of electromagnetic signals which if properly intercepted and processed, will allow certain amounts of information to be reconstructed based on these "compromising emanations"
Anything with a microchip, diode, or transistor, gives off these fields
These compromising emanation signals can then escape out of a controlled area by power line conduction, other fortuitous conduction paths such as the air conditioning duct work, or by simply radiating a signal into the air (like a radio station)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
TEMPEST (cont’d)
An excellent example of these compromising emanations may be found in modems and fax machines which utilize the Rockwell DataPump modem chip sets and several modems made by U.S. Robotics
When these modems operate, they generate a strong electromagnetic field which may be intercepted, demodulated, and monitored with most VHF radios
This is a serious problem with many speaker phone systems used in executive conference rooms
This is also a serious problem with many fax machines, computer monitors, external disc drives, CD-R drives, scanners, printers, and other high bandwidth or high speed peripherals
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
TEMPEST (cont’d)
To deal with this "signal leakage" issue, the government developed a series of standards which lay out how equipment should be designed to avoid such leakage
The TEMPEST standards are measurements which were adjusted by the NSA
A TEMPEST approved computer will be in a special heavy metal case, special shielding, a modified power supply, and few other modifications
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Emission Security or Emanations Security (EMSEC)
Electronic based information systems produce unwanted emanations
These emanations are the electromagnetic radiation emitted from the information handling devices
Emanations may also pose a security risk
Emanation Security involves measures designed to deny information of value to be given to the unauthorized persons that may be derived from the interception and analysis of the compromising emanations
Emanation security deals with protection against spurious signals emitted by the electrical equipments in the system, such as electromagnetic emission (from displays), visible emission, and audio emission (sounds from printers, etc)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Keyboard Sniffers to Steal Data
Figure: The attacks were shown to work at a distance of 20 meters
Source: http://news.bbc.co.uk/2/hi/technology/7681534.stm
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Van Eck Phreaking
Van Eck phreaking is the process of eavesdropping on the contents of a CRT or LCD display by detecting its electromagnetic emissions
Information that drives the video display takes the form of high frequency electrical signals
These oscillating electric currents create electromagnetic radiation in the RF range
These radio emissions are correlated to the video image being displayed, so in theory they can be used to recover the displayed image
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Legal Use of Steganography
• Steganographically watermark the intermediation materials after the authorization and under the public prosecutor control with predefined marks
• Trace the trade materials• Provide network nodes where the trade material is monitored• Build an international data bank to collect data on the trading
controlled by the investigative bodies
Law enforcement agencies use steganography to:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools
S- Tools
Steghide
Mp3Stego
Invisible Secrets 4
Stegdetect
Stego Suite – Steg Detection Tool
Stego Watch
Snow
Fort Knox
ImageHide
Blindside
Camera/Shy
Gifshuffle
Data Stash
JPHIDE and JPSEEK
wbStego
OutGuess
Masker
Cloak
StegaNote
Stegomagic
Hermetic Stego
StegSpy
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Stealth tool
WNSTORM
Xidie
CryptArkan
Info Stego
Scramdisk
Jpegx
CryptoBola JPEG
ByteShelter I
Camouflage
Stego Analyst
Steganos
Pretty Good Envelop
Hydan
EzStego
Steganosaurus
appendX
Stego Break
Stego Hunter
StegParty
InPlainView
Z-File
MandelSteg and GIFExtract
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tool: S- Tools
S- Tools can hide multiple applications in a single object
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tool: Steghide
• Compression of the embedded data• Encryption of the embedded information • Automatic integrity checking using a checksum • Support for JPEG, BMP, WAV, and AU files
Features :
Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steghide: Screenshot
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Mp3Stego
MP3Stego will hide information in MP3 files during the compression process
The data is first compressed, encrypted, and then hidden in the MP3 bit stream
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Invisible Secrets 4
Invisible Secrets 4 encrypts the data and files for secure transfer across the net
It hides the encrypted data or files in places that appear totally innocent, such as picture or sound files, or web pages
With this tool, the user may encrypt and hide files directly from Windows Explorer, and then automatically transfer them by e-mail or via the Internet
It also allows to hide information in five files types: JPEG, PNG, BMP, HTML, and WAV
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Invisible Secrets 4 (cont’d)
• Strong file encryption algorithms• Passwords can be stored in the encrypted
password lists• Ability to create self-decrypting packages• It is a shell integrated (available from Windows
Explorer), so the file encryption operations are easier than ever
• Real-random passwords can also be generated
Features:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Invisible Secrets 4
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Stegdetect
Stegdetect is an automated tool for detecting steganographic content in images
It is capable of detecting different steganographic methods to embed hidden information in JPEG images
Stegbreak is used to launch dictionary attacks against Jsteg-Shell, JPHide, and OutGuess 0.13b
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Stego Suite – Steg Detection Tool
Stego Watch allows users to detect digital steganography, or the presence of communications hidden in digital image or audio files
It can extract information that has been embedded with some of the most popular steganography tools using a dictionary attack
Stego Break is an application designed to obtain the passphrase that has been used on a file found to contain steganography
Currently, Stego Break can crack passphrases for JP Hide ‘n Seek, F5, Jsteg, and Camouflage steganography embedding applications
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Stego Watch
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Tool: Snow
Snow is a whitespace steganography program and is used to conceal messages in ASCII text by appending whitespace to the end of lines
Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from the casual observers. If the built-in encryption is used, the message cannot be read even if it is detected
• http://www.darkside.com.au/snow/
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Fort Knox uses MD5, Blowfish, and CryptAPI algorithms
ImageHide is a steganographyprogram which hides loads of text in images and it does simple encryption and decryption of data
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Blindside can hide files of any file type within a windows bitmap image
Camera/Shy works with Windows and Internet Explorer, and allows sharing of censored or sensitive information buried within an ordinary GIF image
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Data Stash is a security tool that allows hiding of the sensitive data files within other files
Gifshuffle is used to conceal messages in GIF images by shuffling the colormap, which leaves the image visibly unchanged
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
JPHIDE and JPSEEK are programs which allow hiding of a file in a jpeg visual image
wbStego is a tool that hides any type of file in bitmap images, text files, HTML files, or Adobe PDF files
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Masker is a program that encrypts files, that requires a password to open and then it hides files and folders inside carrier files, such as image files, video, program, and sound files
OutGuess is a universal steganographic tool that allows the insertion of hidden information into the redundant bits of data sources
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
StegaNote is the tool used to protect the sensitive information in a secure way
Cloak is a powerful security tool designed to protect and secure the personal information and documents from the third party
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Stegomagic hides any kind of file or message in TEXT, WAV , BMP 24 bit, and BMP 256 color files
Hermetic Stego is a program for hiding a message file in a single BMP image or in a set of BMP images
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
StegSpy is a tool that will detect steganography and the program used to hide the message
Stealth tool takes a PGP 2.x encrypted message, and strips any standard headers off to ensure that the result looks like random noise
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Xidie enables hiding and encryption of files and allows the encryption of sensitive information, while at the same time hiding it in a file that will not look suspicious
WNSTORM is used to encrypt files to keep prying eyes from invading privacy
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
CryptArkan encrypts and hides data files and directories inside one or more container files
Info Stego allows the protection of the private information, communication secret, and legal copyright using information watermark, and data encryption technology
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Scramdisk is a program that allows the creation and use of the virtual encrypted drives
Jpegx encrypts and hides messages in jpeg files to provide an ample medium for sending secure information
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
CryptoBola JPEG stores only the cypher text without any additional information such as file name, type, length, etc.
ByteShelter I hides data in .doc files and MS Outlook e-mail messages
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Camouflage allows the hiding of files by scrambling them and then attaching them to the host file
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Stego Analyst is a full featured imaging and analysis tool allowing investigators to search for visual clues
Steganos combines Cryptography and Steganography for securing information
Pretty Good Envelop is a program suite for hiding a (binary) message in a larger binary file, and retrieving such a hidden message
Hydan steganographically conceals a message into an application
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
EzStego is an easy to use tool for private communication by hiding an encrypted message in a GIF format image file
Steganosaurus is a plain text steganography utility which encodes a (usually encrypted) binary file as gibberish text
appendX is a steganography tool which simply appends data to other files (like JPEGs or PNGs) to hide it
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
Stego Break is a built-in utility designed to obtain the pass phrase that has been used on a file found to contain steganography
Stego Hunter is designed to quickly, accurately detect steganographyprograms
StegParty is a system for hiding information inside plain-text files
InPlainView allows hiding of any type of information within a BMP file, as well as recover it
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography Tools (cont’d)
• Z-File Camouflage&Encryption System, integrates compression, encryption, and camouflage technology to protect personal privacy and business core data
• The file will be effectively compressed, strongly encrypted, and implanted into an ordinary image
Z-File
• It gives an increased level of security compared to sending PGP-encrypted email over the Internet
• MandelSteg will create a Mandelbrot image storing the data in the specified bit of the image pixels
• GIFExtract can be used by the recipient to extract the bit-plane of the image
MandelSteg and GIFExtract
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Summary
Steganography is the method of hiding information by embedding messages within other, seemingly harmless messages
Cryptography is the technique of encoding the contents of the message in such a way that its contents are hidden from outsiders.
The main goal of watermarking is to hide a message ‘m’ in some audio or video (cover) data ‘d’, to obtain new data ‘D', practically indistinguishable from ‘d’, by people, in such a way that an eavesdropper cannot remove or replace ‘m’ in ‘d'
Watermarking techniques is used to provide a proof of ownership of digital data, and data augmentation
Steganalysis is the technology that attempts to defeat steganography—by detecting the hidden information and extracting it or destroying it
Steganography is used to secure secret communications
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited