See No Evil
Historically, military and law enforcement officials have been concerned with stego for its use in espionage and hiding illegal information. For example, child pornographers hide illicit images within legal porn so they can distribute it without detection. Businesses, however, need to be concerned with other abuses that endanger data.
Stealing files: Using stego, an employee or contractor can walk a sensitive file out the door on a laptop, USB drive or CD, or can email it outside the company.
Communicating with competitors: In many organizations, employees have no expectation of privacy when using company email, so they can use stego to hide the real content of, say, an email to a competitor's VP. But wait, wouldn't communicating with that VP arouse suspicion, regardless of the content? People are resourceful: we've seen them evade detection by setting up Web email drop boxes where the competitor picks up the messages and extracts the data.
Bypassing controls: Perhaps your organization has Web and email filters set to monitor employees' Internet communications and activity. With stego, malicious insiders can hide their true intentions and slip through these content control filters. One possible counter is stego-marking, a method developed to flag sensitive files. Stego-marked files can be detected by firewalls, IDSes and content filters. Similar to stego-marking, but visible, is digital watermarking, which modifies bits in such a way that the image is still visible through the watermark, but there is no way to remove the watermark without destroying the image.
The digital dead drop is a variation on the Web email drop technique. In this case, someone inside your organization posts a file with hidden information to a particular location, for example a newsgroup, Web site or eBay auction. To pass research information to a competitor, the employee puts his boat up for auction on the Internet and posts a picture of it. Hundreds, perhaps thousands, of people view it, but the contact downloads the image through his browser and extracts the hidden research information.
Sit back for a moment and think of how you would be able to detect or stop that. Your options are pretty limited, but let's consider them.
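One of the few options a content filter or IDS has against an image carrying hidden data is statistical steganalysis. The block below is an added example (not code from the article or from any product it mentions) of the classic pair-of-values chi-square test: hiding bits in the least significant bit of each pixel pushes the histogram counts of every value pair (2k, 2k+1) towards equality, and that flattening can be measured on the wire without knowing the stego tool. The pixel array, the seed values, the 2.0 threshold and the function names are all assumptions constructed for this example; a real filter would pull the pixels out of the decoded image before scanning.

```python
"""Pair-of-values chi-square steganalysis over an 8-bit grayscale pixel array.

Added example for this article (not the article's own code). The sample cover
image and the embedding model below are constructed fixtures used to show how a
defender-side scanner scores a file; the threshold is an assumed value.
"""
import math
import random
from typing import List, Sequence, Tuple


def pair_chi_square(pixels: Sequence[int]) -> Tuple[float, int]:
    """Return (chi-square statistic, degrees of freedom) for the PoV test.

    For each pair (2k, 2k+1) the expected count of the even value, if the LSBs
    were random, is half the pair total; natural images deviate strongly from
    that, LSB-embedded images do not.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # an empty pair carries no information
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    return chi2, max(pairs - 1, 1)


def _regularized_lower_gamma(a: float, x: float) -> float:
    """P(a, x): series for x < a+1, Lentz continued fraction otherwise."""
    if x <= 0:
        return 0.0
    log_prefactor = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1:
        term = total = 1.0 / a
        n = a
        for _ in range(500):
            n += 1
            term *= x / n
            total += term
            if abs(term) < abs(total) * 1e-14:
                break
        return total * math.exp(log_prefactor)
    tiny = 1e-300
    b = x + 1 - a
    c, d = 1 / tiny, 1 / b
    h = d
    for i in range(1, 500):
        an = -i * (i - a)
        b += 2
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1 / d
        delta = d * c
        h *= delta
        if abs(delta - 1) < 1e-14:
            break
    return 1.0 - math.exp(log_prefactor) * h  # 1 - Q(a, x)


def reduced_chi_square(pixels: Sequence[int]) -> float:
    """chi2 / dof: about 1 when LSBs look random, much larger for natural data."""
    chi2, dof = pair_chi_square(pixels)
    return chi2 / dof


def embedding_p_value(pixels: Sequence[int]) -> float:
    """Westfeld-style 'probability of embedding': 1 - CDF_chi2(chi2; dof)."""
    chi2, dof = pair_chi_square(pixels)
    return 1.0 - _regularized_lower_gamma(dof / 2.0, chi2 / 2.0)


def looks_lsb_embedded(pixels: Sequence[int], threshold: float = 2.0) -> bool:
    """Flag the carrier when its pair counts are as flat as random LSBs (assumed threshold)."""
    return reduced_chi_square(pixels) < threshold


def make_cover(n: int = 20000, seed: int = 1) -> List[int]:
    """Constructed 'natural' cover: a bell-shaped histogram with an even-value bias,
    mimicking the jagged pair counts real sensor data and quantization produce."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        v = max(0, min(255, int(round(rng.gauss(128, 30)))))
        if rng.random() < 0.7:
            v &= ~1
        pixels.append(v)
    return pixels


def randomize_lsbs(pixels: Sequence[int], seed: int = 2) -> List[int]:
    """Test fixture modelling the histogram effect of a full-capacity LSB payload."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in pixels]


if __name__ == "__main__":
    cover = make_cover()
    stego = randomize_lsbs(cover)
    for label, px in (("cover", cover), ("stego", stego)):
        print(label, round(reduced_chi_square(px), 2),
              round(embedding_p_value(px), 4), looks_lsb_embedded(px))
```

The reduced chi-square is the robust signal here: it sits near 1 for a carrier whose LSBs have been overwritten and far above it for untouched data, which is why the scanner's decision uses it rather than the p-value alone. The test only catches naive LSB replacement; tools that embed sparsely or in transform coefficients need other statistics, which is one reason the article calls the defender's options limited.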
This was first published in November 2006