Evidence of Steganography in Real Criminal Cases 231

ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"
  • Re:"Security Expert" (Score:2, Informative)

    by Sobieski ( 1032500 ) on Saturday October 20, 2007 @07:29AM (#21054307)
    Well, he might work at a company developing a new top secret Universal Serial Bus interface that someone else is willing to pay for.
  • by petes_PoV ( 912422 ) on Saturday October 20, 2007 @07:38AM (#21054345)
    The whole point of steganography is to embed undetectable data in a file. If some people now claim to have found evidence of it, then the original users can't have a very effective steganographic process.

    Maybe this really means that the software available for this type of use just doesn't work very well?

  • by tkrotchko ( 124118 ) * on Saturday October 20, 2007 @07:46AM (#21054375) Homepage
    Kids,

    To those versed in statistics or the scientific method, find the flaw in this statement (as taken from the article):

    "with the little data we have so far, we are finding that there's a strong correlation between criminal activity and at least the installation of steganography programs on those [confiscated] computers"

    With the little data I have so far, I think the researchers are pulling our leg.
  • by starseeker ( 141897 ) on Saturday October 20, 2007 @07:50AM (#21054391) Homepage

    Installation of steganography tools != using those tools in practice. If someone is looking to conceal data, they may be grabbing anything out there that stands a remote chance of being helpful. Sort of like how in the early days students would have all kinds of music players and point-to-point file exchange programs, looking for ones that would do what they wanted or had what they wanted.

    James Wingate, director of the steganography analysis & research center at Backbone Security, and a vice president there, says the use of steganography is on the rise, and it could be used for things like transporting malware.

    "Some would call me 'Chicken Little,' but I fervently and passionately believe criminal activity is being conducted with steganography... We do know it's being used to conceal child pornography," Wingate says.

    When someone "fervently and passionately" believes something, particularly something related to a day-to-day project where one's institution stands a good chance of increased funding if what you believe is true, that's a good indication that you need to look hard for real, reproducible evidence that will stand up to rigorous peer review. Nor should concealing those types of images be surprising - unfortunately there seem to be a large number of sickos out there with this stuff, and probably every data-concealing program ever written has been used to conceal it (or try to). More to the point, is it in WIDE use?

    I agree that a USB stick is a much more plausible attack vector for a company insider (no "hey what was that huge surge of email traffic with images?" signatures for IT to poke their noses into, just for starters.) If someone wants to hide data on their machine, I would think any of the various harddrive encryption techniques would both be simpler and much more effective.

    I remember looking around at steganography tools some years back for other purposes (watermarking images people were considering contributing to a collectibles website) and my conclusion was that the most practical use of the techniques was to store information one WANTED to be found - another way to put metadata into an image so you could later figure out additional information about it (say, for a baseball card certified by a company you could add the certification information using steganography to ensure later availability of the information even without the website context, unless the image was compressed or otherwise distorted). It didn't and doesn't strike me as anything that can be used for anything uniquely evil or even uniquely practical (real image metadata is most likely a better place for useful info, and hiding information in it is an iffy proposition at best).

    Remember, just because non-government researchers can't cover all 800+ programs doesn't mean someone like the NSA with large funding and budgets couldn't throw resources at it until they had all of them covered. Somebody will probably use it, but someone will use virtually every possible technique to do something at least once in the vastness of the Internet so that's not a very interesting statement. The interesting question is will a lot of people use it, and I just can't see it being worth the trouble.

  • by mu22le ( 766735 ) on Saturday October 20, 2007 @08:00AM (#21054439) Journal
    The article is just saying that they found steganographic software on some criminal's pc.

    FYI you can detect the presence of steganographed information by statistical means (http://en.wikipedia.org/wiki/Steganalysis).
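
Added example, not part of the original thread: a small pairs-of-values chi-square test, one of the statistical checks the comment above alludes to, applied to 8-bit sample values. The function names, the constructed sample data and the Wilson-Hilferty tail approximation are choices made for this example.

```python
import math
import random
from collections import Counter

def chi_square_lsb(samples, min_expected=5):
    """Return (statistic, dof, p) for the pairs-of-values test on 8-bit samples.

    p near 1 means the counts of values 2k and 2k+1 are suspiciously equal,
    which is what LSB replacement with random-looking (e.g. encrypted) bits does.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2
        if expected < min_expected:      # sparse pairs make the test unreliable
            continue
        stat += (hist[even] - expected) ** 2 / expected
        pairs += 1
    dof = pairs - 1
    if dof < 1:
        return stat, dof, 0.0            # too little data: report no evidence
    # Wilson-Hilferty normal approximation to the chi-square upper tail
    # (an approximation, used here to avoid a SciPy dependency).
    c = 2 / (9 * dof)
    z = ((stat / dof) ** (1 / 3) - (1 - c)) / math.sqrt(c)
    return stat, dof, 0.5 * math.erfc(z / math.sqrt(2))

def constructed_cover(n=20000, seed=1):
    """Constructed sample: a noisy grey patch, values clustered around 128."""
    rng = random.Random(seed)
    return [min(255, max(0, int(rng.gauss(128, 6)))) for _ in range(n)]

def with_random_lsbs(samples, seed=2):
    """Constructed 'suspect' sample: every LSB replaced by a random bit."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]

if __name__ == "__main__":
    cover = constructed_cover()
    for name, data in (("cover", cover), ("suspect", with_random_lsbs(cover))):
        stat, dof, p = chi_square_lsb(data)
        print(f"{name}: chi2={stat:.1f} dof={dof} p(equalised)={p:.4f}")
```

The test only reacts when a large share of the low bits has been overwritten; a short payload spread thinly across a large image leaves the histogram pairs mostly unequal and needs other steganalysis methods.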
  • From the article (Score:3, Informative)

    by johndiii ( 229824 ) * on Saturday October 20, 2007 @08:09AM (#21054463) Journal

    But Bruce Schneier, CTO of BT Counterpane, disagrees. He says steganography doesn't make sense as an insider threat. It's much easier to just suck the data off onto a USB thumb drive and walk out of the building.
    That seems to make a little more sense. They still don't quote Schneier directly, but his general conclusion seems valid. The purpose of steganography is to provide a clandestine channel, in part to avoid traffic analysis. If the data embedded through steganography is also encrypted, it would be very hard to detect. That's why this study is significant. I'll wait until it's farther along than its "early phases" before I draw any substantive conclusions, though.
  • Re:Old news though (Score:2, Informative)

    by Anonymous Coward on Saturday October 20, 2007 @09:11AM (#21054709)
    To be clear, neither of the examples you gave are steganography, but are a simple cypher and watermarking, respectively.
  • by Obyron ( 615547 ) on Saturday October 20, 2007 @09:46AM (#21054901)
    Since being inconspicuous is the very definition of steganography, something tells me Mr. Schneier doesn't have a firm handle on the concept

    Considering that Bruce Schneier has been around the block for a loooong time and has written several good books on cryptography and computer security, including the seminal "Applied Cryptography" (which needs a new edition! Hint hint if you're out there, Bruce!), I think it's far more likely that you have no idea who Bruce Schneier is. I'm sure that by "conspicuous" he's referring to the fact that steganography can be detected through statistical analysis, and the fact that most steganography software is crap.

    Being inconspicuous isn't the definition of steganography any more than being secure is the definition of cryptography (Caesar ciphers, ROT-13, DES). They're both just important traits that make their respective -graphies more effective. Bruce's statement is referring to the sad state of pretty much all of the steganographic software out there right now, because it's pretty much all the security equivalent to sticking your super secret files in a hidden directory and hoping the secret police just overlook it.
  • by NormalVisual ( 565491 ) on Saturday October 20, 2007 @12:15PM (#21055825)
    America is dying under the thumb of the police and soon to arrive police state.

    Yes it is, in large part because the citizens allow it to. Why did you let the cop "toss your car"? He had no basis for a legal search, so either he searched without your permission, or asked if he could and you said "yes". If he searched without your permission you should have followed up in court. If you told him it was okay to search, then you have nothing to bitch about and aren't any better than the rest of the sheep that are letting the government get away with murder. Either way, there was action you could have taken as a citizen, and chose not to.
  • by monkaru ( 927718 ) on Saturday October 20, 2007 @12:51PM (#21056075)
    The viewer or receiver doesn't need to have a constantly updated password. They just need to know, say, a half dozen file names and passwords in advance, maybe years in advance, and try them against the image. It is trivially easy to hide a hashed text file in a compressed image file and it doesn't take special software to do it. A simple HEX editor is enough. It's pretty easy to detect but it wouldn't matter if the text data is hashed with strong encryption. There is a misconception that important data must be large to be worthwhile. 20 to 30 KB of text is one heck of a lot of data if it contains, say, user names and passwords and that's pretty easy to hash and then compress to 8 or 12 KB. So, yes, compressed image files are a pretty good carrier and can be used effectively when preparations are made well in advance. There is no such animal as invisible steganography. It's going to be dead obvious something is going on the instant the file is "HEXed" but the hashed data still has to be decrypted. Obfuscation and encryption - no reason for that not to work and work well.
  • by Anonymous Coward on Saturday October 20, 2007 @03:08PM (#21057171)
    The problem is in many cases police use leading questions and a negative response as permission to search your car.

    Cop: You don't have any drugs or weapons in the car do you?
    Person: No
    Cop: You wouldn't mind if I verify that?
    Person: No
    Cop: Thank you, *begins search*

    If the officer had outright asked, "May I search your vehicle?" The answer again would have been "no", and really meant no.

     
  • by Anonymous Coward on Saturday October 20, 2007 @03:29PM (#21057313)
    Congratulations, you just re-invented codes (not to be confused with ciphers). This is essentially the same as assigning word X of the Bible = attack at dawn. The problem, as with any code, is that you already need to know what the code means to transmit information by it. This works both for and against you.

    Ciphers, on the other hand, are mathematical techniques (like AES) that claim to scramble your information using just a single, relatively short key. It solves the problem of needing massive code books to cover every single bit of information under the sun, at the risk of potentially being vulnerable to mathematical analysis or key compromise.

    Also, even an abstract code could theoretically be statistically analyzed. If Osama is wearing a gold watch more than a silver one, you can learn something from that. And huge code books are likely to be discovered.

    What ends up happening is that you use a distributed cell structure. You set up everything in advance, and then you just tell your comrades that "9/11 is zero hour." But that's all you can really do with codes. And that's a particularly bad code, because "zero hour" isn't completely divorced from the semantics of the message. What you really want is a code like, "Call my sister for me," because it's both completely innocuous and completely unrelated to what you're actually saying.
  • by Agripa ( 139780 ) on Saturday October 20, 2007 @04:46PM (#21057845)

    When software like this is distributed, however, anyone who receives it may potentially figure out where/how it hides the files, and once one person figures it out anyone can then find any files hidden that way, rendering that method of steganography useless.

    This is only true for weak forms of steganography in much the same way that it is true for weak forms of cryptography.

    With strong steganography, the correct key is necessary to recover the message or to even prove that the message exists. Hiding the specific algorithm is not required for security.

    Some spread spectrum communication techniques (but not all) have this property as well. If the received signal is significantly below the received noise level, then recovery or even detection is not possible without the correct spreading sequence.
  • Re:get over it (Score:3, Informative)

    by bobdotorg ( 598873 ) on Saturday October 20, 2007 @05:31PM (#21058165)
    mon. I think your favorite non-suspicious option today would be getting a digicam with a raw option, then use the least significant color bit. It's near noise anyway since very few cameras can actually detect 10/12 bits/channel, there's no reference to go by and it's perfectly reasonable to share photos that way.

    And use pics taken indoors with a low iso / long exposure setting. The noise inherent in the CMOS or CCD will probably give 4 out of 10 bits of close to uniformly random noise (or whatever biased, but consistent noise the sensor outputs).

    Use (embed) each pic only once, then destroy the original so there does not exist a pic that can be used to run a diff.

    A 12MP camera can dump a 48MB RAW file. For smaller files, use a crappy mobile phone camera. In any light setting.
