Copyright SANS Institute
Author Retains Full Rights
This paper is from the SANS Penetration Testing site. Reposting is not permitted without express written permission.

Steganography

Richard Lewis

What is Steganography?

Steganography, literally meaning covered writing, involves the hiding of data in another object. From the time of Herodotus in ancient Greece to the terrorists of today, the secret writing of steganography has been used to deny one’s adversaries the knowledge of message traffic.

There are many tools freely available on the Web that will allow an individual to hide your data, without your knowledge, in an innocuous-looking file. The only way that you would be able to detect this is if you happen to have a “golden” copy of the file in question. You would have to do a bit-by-bit comparison of the file in question in order to detect the subterfuge. Now, the reasonable individual would concede, the chances of having a pristine copy of a file that you do not control are highly unlikely. So it would not be a great leap of faith to understand that steganography is one of the more serious threats to data integrity and an organization’s security posture today. It all boils down to trust: can you, do you, trust your employees?

Figure 1 Cover Image

As a security professional you are concerned with your organization’s proprietary information being removed from your premises without your knowledge. Steganography provides the tools to do just that. Employee data, pricing data and rates, etc. can be easily smuggled out right under your nose. Utilities that look for “dirty words” or key phrases are not going to be able to detect information that has been concealed.

How Steganography Works

Steganography works, in some cases, by using the least significant bit (LSB) in a byte. By encoding the LSB of every byte in the file we are able to secrete data in an otherwise harmless file. In a bitmap file, as shown in figure 1 and figure 2, we can see some degradation of the image. In a small file this is more apparent because of the higher ratio of modified bytes. (The larger the ratio of modified bytes in a file, the more apparent the distortion.) If the file had been larger, the same hidden file would have been barely noticeable, even when compared side by side with the original.

Figure 2 Stego Image

© SANS Institute 2000 - 2002               As part of GIAC practical repository.                   Author retains full rights.

                                                                                                s.
                  Baring the use of encryption, we can examine the file and tell whether information has

                                                                                             ht
           been inserted into the file. Of course we would need a utility developed for that purpose, but

                                                                                         rig
           given the power of today’s desk top computers and the fact that the information is not encrypted
           we should have no problem in ascertaining the subterfuge.

                                                                                     ull
                   When we are faced with the use of encryption and steganography together then out job is

                                                                                     f
           made much more difficult. The encrypted data should appear as background noise. Our simple

                                                                                  ns
           scanner
               Key now    can’t find
                    fingerprint      patterns
                                 = AF19  FA27 scattered through
                                                2F94 998D   FDB5theDE3D
                                                                    file. In order
                                                                           F8B5    to combat
                                                                                 06E4        a known encrypted
                                                                                       A169 4E46

                                                                               tai
           steganography file we can alter the file in some way to make recovery of the message

                                                                            re
           impossible. That can be accomplished by inserting our own message in the file. The damage
           done to the original message should render it unreadable. In the event the file in question is a

                                                                        or
           stego image file we can crop or otherwise edit the file to render the message unrecoverable.

                                                                     th
           Thus it is a simple matter to destroy a hidden message but detection and recovery are quite a
           different matter.                                     Au
                  In a wave file the hidden data would appear as white, or random, noise. More than likely
                                                              2,

           you would be unable to hear it; your dog might but not you. The casual observer would not find
                                                          00

           any evidence that data was being smuggled in or out of the facility.
                                                       -2
                                                   00
                                                20
                                             te
                                          tu
                                        sti
                                    In
                                   NS
                            SA
                         ©

               Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

           Figure 3 Stego Object

As you can see, the first figure and the second figure appear almost identical; if it were not for some image degradation the files would be identical. However, they are not. This is because the second image, through use of steganography, contains a complete Excel spreadsheet. It is only because of the small size of the image file that we are able to see the degradation of the image. It is good to note that the larger the image file, the more data can be hidden there.
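The LSB embedding, the golden-copy comparison and the scanner-versus-encryption behaviour described in the two sections above, worked through as an added Python example. This is not code from the paper and not S-Tools code. It assumes a constructed 8-bit greyscale pixel buffer in place of a real bitmap (so no image library is needed), a 4-byte length header as the framing, and a toy XOR keystream as a stand-in for the cipher a real tool applies; the payload is constructed sample pricing data. The last function shows the defender’s side the paper mentions: overwriting every LSB destroys the payload while moving no pixel by more than one level.

```python
import random

# Cover "image": a constructed 8-bit greyscale pixel buffer (assumption of this
# example, standing in for the .bmp files the paper uses).
def make_cover(width, height, seed=1):
    rng = random.Random(seed)
    return bytearray(((x + y) // 2 + rng.randint(-2, 2)) % 256
                     for y in range(height) for x in range(width))

# Constructed secret: the kind of pricing data the paper says can be smuggled out.
PAYLOAD = b"CONFIDENTIAL: Q1 price list - widget 4.20, gadget 9.99, gizmo 15.50 each"

def bits_of(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(cover, payload):
    """Hide `payload` by overwriting the least significant bit of successive cover bytes.
    Framing (assumption of this example): a 4-byte big-endian length, then the payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits_of(framed)):
        stego[i] = (stego[i] & 0xFE) | bit   # each cover byte moves by at most 1
    return stego

def lsb_plane(data):
    """Reassemble the LSB of each byte into a byte string (8 cover bytes -> 1 byte)."""
    out = bytearray()
    for i in range(0, len(data) - 7, 8):
        value = 0
        for byte in data[i:i + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)

def lsb_extract(stego):
    """Recover the payload, or None when the length header is not plausible."""
    plane = lsb_plane(stego)
    length = int.from_bytes(plane[:4], "big")
    if length > len(plane) - 4:
        return None
    return plane[4:4 + length]

def modified_ratio(golden, suspect):
    """The paper's golden-copy check: bit-by-bit comparison, as the fraction of bytes changed."""
    changed = sum(1 for a, b in zip(golden, suspect) if a != b)
    return changed / len(golden)

def lsb_plane_looks_like_text(data, window=64, threshold=0.9):
    """The paper's 'simple scanner': does the LSB plane read as printable ASCII?
    Catches an unencrypted payload; encrypted payloads and clean covers look like noise."""
    sample = lsb_plane(data)[:window]
    printable = sum(1 for b in sample if 32 <= b <= 126)
    return printable / len(sample) >= threshold

def toy_encrypt(data, passphrase):
    """XOR with a passphrase-seeded keystream. A stand-in for the real cipher a stego
    tool applies: it makes the payload look random to the scanner, but it is NOT secure."""
    rng = random.Random(passphrase)
    return bytes(b ^ rng.getrandbits(8) for b in data)

def scrub_lsbs(data, seed=0):
    """Defensive sanitisation: replace every LSB with a random bit. Any LSB payload is
    destroyed, while no pixel value moves by more than 1."""
    rng = random.Random(seed)
    return bytearray((b & 0xFE) | rng.getrandbits(1) for b in data)

if __name__ == "__main__":
    small, large = make_cover(64, 64), make_cover(256, 256)
    stego_small = lsb_embed(small, PAYLOAD)
    stego_large = lsb_embed(large, PAYLOAD)
    print("recovered:", lsb_extract(stego_small) == PAYLOAD)
    print("bytes modified, small cover: %.3f" % modified_ratio(small, stego_small))
    print("bytes modified, large cover: %.3f" % modified_ratio(large, stego_large))
    print("scanner flags plaintext payload:", lsb_plane_looks_like_text(stego_small))
    stego_enc = lsb_embed(small, toy_encrypt(PAYLOAD, "correct horse"))
    print("scanner flags encrypted payload:", lsb_plane_looks_like_text(stego_enc))
    print("payload survives scrubbing:", lsb_extract(scrub_lsbs(stego_small)) == PAYLOAD)
```

Running it shows the paper’s points in numbers: the same payload changes a much larger fraction of the 64×64 cover than of the 256×256 one, the printable-ASCII scanner finds the plaintext payload but sees only noise once it is encrypted, and scrubbing the LSB plane (something a gateway can do to every outbound image without a golden copy) leaves the image visually intact and the message unrecoverable.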

                                                                                              ht
                                                                                          rig
Vigilance Is The Key

I think now would be a good time to talk about bandwidth. As I have said, due to the small size of the cover image and the relatively large size of the stego object, the stego image has a noticeable amount of distortion present. It is easier to hide a small message in a large file than a large message in a small file. One more concern is that of traffic flow security. If someone suddenly starts to take image and wave files out of your facility for no apparent reason, then you, as a security professional, should become suspicious. To combat the threat you need to know the normal patterns and then look for changes in the norm. We always come back to “know your system.” I will expand that to, “Know your environment.”
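The traffic-flow baseline the paragraph above calls for, as an added Python example that is not from the paper. It assumes an outbound file-transfer log in a constructed “date user filename bytes” layout (a real proxy, mail gateway or DLP log would need its own parser), builds each user’s baseline of image and wave file transfers over the first few days, and flags a later day whose count is far above that user’s own norm rather than some global limit.

```python
import os.path
from statistics import mean, pstdev

# File types a stego tool such as S-Tools uses as cover objects.
COVER_EXTENSIONS = {".bmp", ".gif", ".jpg", ".jpeg", ".png", ".wav"}

# Constructed outbound-transfer log. The "date user filename bytes" layout is an
# assumption of this example, not any real product's format.
SAMPLE_LOG = """\
2002-03-04 alice logo.bmp 307200
2002-03-04 alice q1.xls 45056
2002-03-04 bob memo.doc 20480
2002-03-05 alice banner.gif 10240
2002-03-05 bob jingle.wav 1048576
2002-03-05 carol notes.txt 2048
2002-03-06 alice photo.jpg 204800
2002-03-06 bob memo2.doc 20480
2002-03-07 alice chart.png 51200
2002-03-07 carol budget.xls 65536
2002-03-08 alice team.jpg 307200
2002-03-08 bob status.doc 20480
2002-03-11 alice chart2.png 51200
2002-03-11 bob img001.bmp 786432
2002-03-11 bob img002.bmp 786432
2002-03-11 bob img003.bmp 786432
2002-03-11 bob img004.bmp 786432
2002-03-11 bob track1.wav 2097152
2002-03-11 bob track2.wav 2097152
2002-03-11 bob img005.bmp 786432
2002-03-11 bob img006.bmp 786432
2002-03-11 carol budget2.xls 65536
"""

def parse_log(text):
    """Return (day, user, filename, size) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, user, name, size = parts
        records.append((day, user, name, int(size)))
    return records

def is_cover_file(name):
    return os.path.splitext(name.lower())[1] in COVER_EXTENSIONS

def daily_cover_counts(records):
    """counts[user][day] = number of image/wave files that user sent out that day
    (days with no such transfer count as 0, so quiet days shape the baseline too)."""
    days = sorted({r[0] for r in records})
    counts = {user: {d: 0 for d in days} for user in {r[1] for r in records}}
    for day, user, name, _ in records:
        if is_cover_file(name):
            counts[user][day] += 1
    return days, counts

def flag_cover_file_anomalies(log_text, baseline_days=5, min_count=3, z=3.0):
    """Flag (user, day) pairs where cover-file egress is far above that user's own norm.
    The baseline is the first `baseline_days` calendar days in the log; later days are
    checked against it. `min_count` stops a single file from tripping a quiet user's alert."""
    days, counts = daily_cover_counts(parse_log(log_text))
    baseline, watch = days[:baseline_days], days[baseline_days:]
    flags = []
    for user, per_day in sorted(counts.items()):
        history = [per_day[d] for d in baseline]
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)   # floor the spread so a near-constant history is not brittle
        for d in watch:
            n = per_day[d]
            if n >= min_count and n > mu + z * sigma:
                flags.append({"user": user, "day": d, "count": n, "baseline_mean": mu})
    return flags

if __name__ == "__main__":
    for f in flag_cover_file_anomalies(SAMPLE_LOG):
        print("%(day)s %(user)s sent %(count)d image/wave files (baseline %(baseline_mean).1f/day)" % f)
```

On the sample log only bob’s eight bitmaps and wave files on 2002-03-11 are flagged; alice, who sends one image a day as part of her normal work, is not, which is the point of a per-user baseline over a fixed threshold. Bytes transferred can be baselined the same way, and that catches the case the paper describes where a few large covers carry a large payload.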

                                                                     th
                                                                 Au
The S-Tools application is easy to use, and the novice user can hide a large amount of data with little effort. The S-Tools application can be found at the following link.

ftp://ftp.funet.fi/pub/crypt/mirrors/idea.sec.dsi.unimi.it/code/s-tools4.zip

Once the application has been downloaded, installed, and started, you would just drag and drop a sound or picture file into the application’s workspace. Now comes the fun part. Find the file that you want to hide. Simply drag the file over the picture and drop it. You will then see the passphrase GUI (see figure 4); enter your passphrase, select your encryption algorithm, and click on OK. That’s all there is to it. Do not forget your passphrase.

Now if you think that you can use S-Tools to identify whether or not a file has hidden data in it, you are out of luck. Without the correct passphrase, you will not be able to tell. The data is encrypted, so it will look like noise to the application if the correct passphrase is not entered.

Decoding or extracting the hidden file is also a simple process. The file that contains the hidden data is placed into the S-Tools work area. The mouse pointer is positioned over the file, and when you right-click on the file you should select the reveal option. You will then see the passphrase GUI (see figure 4); you then enter your passphrase, twice, select your encryption algorithm, and click on OK. If you were successful the program will display the revealed archive window (see figure 6).

Summary

Steganography, literally meaning covered writing, involves the hiding of data in another object. Steganography provides the tools to remove proprietary information from your premises undetected. Employee data, pricing data and rates, etc. can be easily smuggled out right under your nose. Steganography has been with us since the time of the ancient Greeks. Modern terrorist organizations use it to pass plans and information between cells by placing altered pictures in newsgroups and on web sites and passing them in chat groups.

By encoding the LSB of every byte in the file we are able to secrete data in an otherwise harmless file. In a bitmap file, as shown in figure 1 and figure 2, we can see some degradation of the image. If the file had been larger, the same hidden file would have been barely noticeable, even when compared side by side with the original.

Barring the use of encryption, we can examine the file and tell whether information has been inserted into it. The encrypted data should appear as background noise. In order to combat a known encrypted steganography file we can alter the file in some way to make recovery of the message impossible. In the event the file in question is a stego image file we can crop or otherwise edit the file to render the message unrecoverable. In a wave file the hidden data would appear as white, or random, noise.

The ability to remove information undetected is a threat to the integrity of any organization’s data. Protecting your organization’s data requires hard work and diligence. Many tools are freely available on the web to secrete data and enable someone to smuggle data out of your facility. You must know your environment and become aware of changes in its patterns. Knowing that the threat exists is the first step in combating the problem.

Using encryption and steganography together makes the job of detecting a hidden message much more difficult and more than likely would place it outside the ability of the average organization. If it is suspected that a file contains a hidden message, editing or cropping the image file or placing your own hidden message in the stego file can easily destroy the message.

To combat the threat you need to know the normal patterns and then look for changes in the norm. We always come back to “know your system.” I will expand that to, “Know your environment.”
                                         tu
                                      sti
                                   In

