Evidence of Steganography in Real Criminal Cases 231
ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"
Re:"Security Expert" (Score:2, Informative)
looks like something doesn't work properly (Score:5, Informative)
Maybe this really means that the software available for this type of use just doesn't work very well?
These must be freshman researchers (Score:5, Informative)
To those versed in statistics or the scientific method, find the flaw in this statement (as taken from the article):
"with the little data we have so far, we are finding that there's a strong correlation between criminal activity and at least the installation of steganography programs on those [confiscated] computers"
With the little data I have so far, I think the researchers are pulling our leg.
I doubt it happens on a large scale (Score:5, Informative)
Installation of steganography tools != using those tools in practice. If someone is looking to conceal data, they may be grabbing anything out there that stands a remote chance of being helpful. Sort of like how in the early days students would have all kinds of music players and point-to-point file exchange programs, looking for ones that would do what they wanted or had what they wanted.
James Wingate, director of the steganography analysis & research center at Backbone Security, and a vice president there, says the use of steganography is on the rise, and it could be used for things like transporting malware.
"Some would call me 'Chicken Little,' but I fervently and passionately believe criminal activity is being conducted with steganography... We do know it's being used to conceal child pornography," Wingate says. "
When someone "fervently and passionately" believes something, particularly something related to a day-to-day project where one's institution stands a good chance of increased funding if what you believe is true, that's a good indication that you need to look hard for real, reproducible evidence that will stand up to rigorous peer review. Nor should concealing those types of images be surprising - unfortunately there seem to be a large number of sickos out there with this stuff, and probably every data-concealing program ever written has been used to conceal it (or try to). More to the point, is it in WIDE use?
I agree that a USB stick is a much more plausible attach vector for a company insider (no "hey what was that huge surge of email traffic with images?" signatures for IT to poke their noses into, just for starters.) If someone wants to hide data on their machine, I would think any of the various harddrive encryption techniques would both be simpler and much more effective.
I remember looking around at steganography tools some years back for other purposes (watermarking images people were considering contributing to a collectibles website) and my conclusion was that the most practical use of the techniques was to store information one WANTED to be found - another way to put metadata into an image so you could later figure out additional information about it (say, for a baseball card certified by a company you could add the certification information using steganography to ensure later availability of the information even without the website context, unless the image was compressed or otherwise distorted. It didn't and doesn't strike me as anything that can be used for anything uniquely evil or even uniquely practical (real image metadata is most likely a better place for useful info, and hiding information in it is an iffy proposition at best.
Remember, just because non-government researchers can't cover all 800+ programs doesn't mean someone like the NSA with large funding and budgets couldn't throw resources at it until they had all of them covered. Somebody will probably use it, but someone will use virtually every possible technique to do something at least once in the vastness of the Internet so that's not a very interesting statement. The interesting question is will a lot of people use it, and I just can't see it being worth the trouble.
Re:looks like something doesn't work properly (Score:5, Informative)
FYI you can detect the presence of steganographed information by statistical means (http://en.wikipedia.org/wiki/Steganalysis).
From the article (Score:3, Informative)
Re:Old news though (Score:2, Informative)
Re:These must be freshman researchers (Score:5, Informative)
Considering that Bruce Schneier has been around the block for a loooong time and has written several good books on cryptography and computer security, including the seminal "Applied Cryptography" (which needs a new edition! Hint hint if you're out there, Bruce!), I think it's far more likely that you have no idea who Bruce Schneier is. I'm sure that by "conspicuous" he's referring to the fact that steganography can be detected through statistical analysis, and the fact that most steganography software is crap.
Being inconspicuous isn't the definition of steganography any more than being secure is the definition of cryptography (Ceasar Ciphers, ROT-13, DES). They're both just important traits that make their respective -graphies more effective. Bruce's statement is referring to the sad state of pretty much all of the steganographic software out there right now, because it's pretty much all the security equivalent to sticking your super secret files in a hidden directory and hoping the secret police just overlook it.
Re:These must be freshman researchers (Score:3, Informative)
Yes it is, in large part because the citizens allow it to. Why did you let the cop "toss your car"? He had no basis for a legal search, so either he searched without your permission, or asked if he could and you said "yes". If he searched without your permission you should have followed up in court. If you told him it was okay to search, then you have nothing to bitch about and aren't any better than the rest of the sheep that are letting the government get away with murder. Either way, there was action you could have taken as a citizen, and chose not to.
Re:Stenography probably not used for bulk data xfe (Score:2, Informative)
Re:These must be freshman researchers (Score:1, Informative)
Cop: You don't have any drungs or weapons in the car do you?
Person: No
Cop: You wouldn't mind if I verify that?
Person: No
Cop: Thank you, *begins search*
If the officer had outright asked, "May I search your vehicle?" The answer again would have been "no", and really meant no.
Re:One thing I don't get (Score:1, Informative)
Ciphers, on the other hand, are mathematical techniques (like AES) that claim to scramble your information using just a single, relatively short key. It solves the problem of needing massive code books to cover every single bit of information under the sun, at the risk of potentially being vulnerable to mathematical analysis or key compromise.
Also, even an abstract code could theoretically be statistically analyzed. If Osama is wearing a gold watch more than a silver one, you can learn something from that. And huge code books are likely to be discovered.
What ends up happening is that you use a distributed cell structure. You set up everything in advance, and then you just tell your comrades that "9/11 is zero hour." But that's all you can really do with codes. And that's a particularly bad code, because "zero hour" isn't completely divorced from the semantics of the message. What you really want is a code like, "Call my sister for me," because it's both completely innocuous and completely unrelated to what you're actually saying.
Re:Distributing Steganography Software Doesn't Wor (Score:3, Informative)
This is only true for weak forms of steganography in much the same way that it is true for weak forms of cryptography.
With strong steganography, the correct key is necessary to recover the message or to even prove that the message exists. Hiding the specific algorithm is not a required for security.
Some spread spectrum communication techniques (but not all) have this property as well. If the received signal is significantly below the received noise level, then recovery or even detection is not possible without the correct spreading sequence.
Re:get over it (Score:3, Informative)
And use pics taken indoors with a low iso / long exposure setting. The noise inherent in the CMOS or CCD will probably give 4 out of 10 bits of close to uniformly random noise (or whatever biased, but consistent noise the sensor outputs).
Use (embed) each pic only once, then destroy the original so there does not exist a pic that can be used to run a diff.
A 12MP camera can dump a 48MB RAW file. For smaller files, use a crappy mobile phone camera. In any light setting.