You may think you're guarding your assets, but malicious insiders are using steganography to slip closely guarded
company secrets out of your organization.
You're confident a trusted employee can't steal research information on your company's new anti-cancer drug or plans for its next acquisition. Physical and logical controls monitor just about everything that leaves the building or the network, even encrypted messages sent to unauthorized recipients. But what about the message hidden in the family vacation photo he emailed to his "cousin"? Steganography has just bypassed all your defenses.
Steganography (from the Greek root "staganos," meaning covered or secret), or stego, is the technique of hiding data in a host file. Historically, it's been within the purview of the military, criminals and researchers. In recent years, however, it's drawn a lot of interest from the business community, and with good reason.
Leaks hidden using stego often go undetected or unreported, making losses hard to quantify; many of the investigated cases are kept secret under NDAs, but it's a safe bet that organizations are losing millions of dollars every year.
While some form of steganography has been in use for thousands of years (see "History Lesson"), computer technology and the ubiquity of the Internet has taken this type of covert communication to a whole new level.
Out of Sight
Simply put, stego is hiding a covert message within another file so that only the sender and receiver can access it. The sender uses one of a number of freely available/commercial programs (see "Steganography Tools," above) to hide en-crypted and password-protected data inside a host file. Using the same program, the receiver uses the password to extract the information.
The host file—a photo, text message or email—appears unchanged, and there is no indication of the hidden message. Since the sender is placing binary data within a host file, the hidden message can be any file type; that family vacation image could be hiding an image of a new fighter jet prototype.
There are three primary stego techniques:
- Insertion adds information to the carrier file in a format that will be ignored by the viewing application, so the hidden data will be invisible when you look at the file in your word processor, graphics program or Web browser. The benefit is that you can hide as much information as you want, but if the file size looks too large it could raise suspicion.
- Substitution replaces insignificant data, such as the least significant bit in an image, with the covert information, such as a .bmp or .jpg file. This technique does not increase the size of the file, but too much hidden data will start to degrade the image. S-Tools is a popular stego program that hides data by substituting pixels and making duplicate entries in the color table.
- Generation does not use a host file; the hidden message generates a fake cover message—English text that looks like spam, a letter or a poem. You can hide as much information as you want because the host file is created on the fly. For example, you could type "The merger is dead," and it generates something like this:
Why work for somebody else when you can become rich in 48 DAYS! Have you ever noticed nobody is getting any younger & people are much more likely to BUY with a credit card than cash! Well, now is your chance to capitalize on this! WE will help YOU sell more. Act now!
Only someone with a password could decode the real message hidden behind the fake one.
Free programs, like SpamMimic—which is run on a Web site (www.spammimic.com) through which you can encode and decode messages—use this method, as do other commercial tools and proprietary programs.
See No Evil
Historically, military and law enforcement officials have been concerned with stego for its use in espionage and hiding illegal information. For example, child pornographers hide illicit images within legal porn so they can distribute it without detection. Businesses, however, need to be concerned with other abuses that endanger data.
Stealing files: Using stego, an employee or contractor can walk a sensitive file out the door on a laptop, USB drive or CD, or can email it outside the company.
Communicating with competitors: In many organizations, employees have no expectation of privacy when using company email, so they can use stego to hide the real content of, say, an email to a competitor's VP. But wait, wouldn't communicating with that VP arouse suspicion, regardless of the content? Always resourceful, we've seen people evade detection by setting up Web email drop boxes where the competitor would pick up the messages and extract the data.
Bypassing controls: Perhaps your organization has Web and email filters set to monitor employees' Internet communications and activity. With stego, malicious insiders can hide their true intentions and slip through these content control filters. One possible counter is stego-marking, a method developed to flag sensitive files. Stego-marked files can be detected by firewalls, IDSes and content filters. Similar to stego-marking, but visible, is digital watermarking, which modifies bits in such a way that the image is still visible through the watermark, but there is no way to remove the watermark without destroying the image.
The digital dead drop is a variation on the Web email drop technique. In this case, someone inside your organization posts a file with hidden information to a particular location—for example, a newsgroup, Web site or eBay auction: To pass research information to a competitor, the employee puts his boat up for auction on the Internet and posts a picture of it. Hundreds, perhaps, thousands of people view it, but the contact would download the image through his browser and extract the hidden research information.
Sit back for a moment and think of how you would be able to detect or stop that. Your options are pretty limited, but let's consider them.
Seeing the Unseen
Stego is hard to detect. As is frequently the case with criminal activity, malicious insiders are often caught not because of great detective work or superior technology, but because of mistakes they make—they become too greedy or brag. The real problem is that there's no good way to screen for stego globally. However, if you suspect stego is being used, there are forensic techniques to help you investigate.
The easiest—but least effective—methods involve looking for general indications of stego use on a computer. One way is to look for apparently identical files with different binary compositions; stego programs keep the original and make a copy with the hidden data, and the stego user may forget or choose not to delete the duplicate file. Open-source programs like diff or commercial products like Tripwire can be used to determine if the files are really identical. diff is primarily an investigative tool: It yields information on which parts of the file are different, but can be run only on a single system. Tripwire, on the other hand, can be run across an enterprise, but will only tell you the files are different with no additional details.
Of course, finding a copy of S-Tools or Invisible Secrets on a computer is also a pretty good clue. The more advanced investigative technique is to look for indications of stego use within a file. These methods are time-consuming, require specific expertise to create and use detection programs.
One approach is to look for characteristics of the stego technology used. Each tool manipulates a file in a certain way to hide the data. By carefully examining how a given technique works, you can find characteristics that determine whether data has been hidden. For example, S-Tools manipulates the color table in an image. A normal .bmp file has a low number of duplicate colors in its table, so look for a high number of duplicate colors.
Or, you can look for characteristics that are not typical of a particular file type. For example, the actual data in .jpg files is compressed, so any attempts to hide data in this area it would be lost by the compression; therefore, to hide data, you would have to manipulate the compression algorithm itself. So, check for changes to the algorithm.
In an ideal world, there would be a universal way to detect stego, regardless of file format or method used; a single algorithm could be developed and used to scan a system. While this is yet to be done, researchers have achieved about 70 percent accuracy using statistical processing techniques such as wavelets and Fourier transforms.
If your aim is simply to stop, rather than detect, stego, the easiest thing to do is to convert file formats. For example, a proxy gateway could run a program that converts image formats (e.g., .jpg to .bmp back to .jpg), which would remove any hidden information. For text, you could convert the message from English to Spanish, then back to English. However, translation programs aren't completely accurate, which could result in some mangled messages.
While most of attention on stego is focused on nefarious behavior, there are some legitimate applications. They aren't being widely applied, but their use is growing.
The most obvious use is to protect intellectual property and trade secrets, for example, when executives are traveling abroad. It's good practice to assume that all communications—emails, phone and instant messaging— are being watched and analyzed at all times. If this sounds paranoid, consider the limited infrastructure in many countries that makes it feasible to monitor the relatively few ingress and egress points.
Even crypto isn't foolproof. For example, if an executive conducting negotiations sends a short message, this could indicate that his company received what they wanted—or maybe the deal is simply dead. However, if there are 50 encrypted messages back and forth, it probably means they are working on an alternative plan, or that negotiations have hit a snag.
In this kind of situation, stego is the perfect alternative, hiding sensitive information within innocuous communications. For example, our traveling executive could use stego to hide business messages in his daily video conference with his family.
What You Don't See Can Hurt You
In the past, stego has primarily been used by criminals to evade law enforcement, but it's increasingly used by malicious insiders to steal information that could cost your company millions of dollars.
On the other hand, stego can also be used to protect an organization's critical trade secrets and increase the security of existing security devices.
You are already investing time, money and personnel to secure your company's critical data. If you ignore the risks of stego, your best efforts may be undermined.