
Evidence of Steganography in Real Criminal Cases

ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"

  • "Security Expert" (Score:3, Insightful)

    by somersault ( 912633 ) on Saturday October 20, 2007 @07:16AM (#21054253) Homepage Journal
    Who calls USB keys "USB"s, like one of my computer-illiterate friends? Or is this some new kind of slang that I am not aware of?
  • get over it (Score:5, Insightful)

    by m2943 ( 1140797 ) on Saturday October 20, 2007 @07:51AM (#21054395)
    First, legislatures pass bullshit laws about cryptography despite warnings that they are going to be ineffective because of steganography. Now, they claim that the sky is falling because people are using it.

    Right now, police can still detect the steganography tools, but those will start to be hidden as well. Encrypted, hidden data can be added to MP3s, MPEG4s, PDFs, scans, executables, random leftover noise on the disk. It can be hidden on microSD cards, printed on paper, and hidden on DVDs.

    There is no way governments or companies can stop covert communications of data. Get over it and stop making laws that are unenforceable but give police and governments ever more tools to abuse their powers.
  • by Gnostic Ronin ( 980129 ) on Saturday October 20, 2007 @08:16AM (#21054487)
    One thing I really don't get about steganography is why hiding a message *in* a picture is preferable to sending the picture as a message.

    For example, if "teh terrist" wanted to send a message like "attack now", why couldn't the message be given via a pre-arranged signal -- say the image shows Osama wearing a silver watch for "It's go time", and a gold watch for "wait out the Americans". No one can detect a "hidden message" because there is none.

    You could do the same for other things even if you don't use USB (which would probably be easiest in a workplace). How about plain old pencil and paper? Just write down the information, put it in a device called an "envelope", write down the physical address of the guy you're sending it to, and drop it off in the post office. It's virtually untraceable, and would work even if the IT guys turn off the USB ports.
  • by SmallFurryCreature ( 593017 ) on Saturday October 20, 2007 @08:38AM (#21054565) Journal

    How big is that picture of your daughter? I've seen a real world example of it. A 4mb image, that somehow only seemed to result in a small photo of about 100x100 pixels. Yeah, that ain't suspicious AT ALL. Doesn't set off any alarm bells. Nope.

    That is the entire problem with the idea: how do you get enough information inside and still not raise suspicion? It is different for coded messages, keep the code small and it can easily fit, but to leak information you need to start including megabytes of documents in image files that are typically less than 100kb. Or do you think nobody will find it odd if you keep a 10megapixel uncompressed image of your daughter on your stick?

    Remember, if it is a small amount of data you can get it out easily, memorize it. But if you are talking industrial espionage you are talking blueprint, documents, databases.

    The researcher claimed that he found traces of the programs in question. TRACES. Meaning they were removed. Now think about this, why does someone remove software? Because they want to hide it OR because they tried it and found it useless?

    Sure, there are uses, but as said, only for situations where the data is small enough to logically fit inside. Child porn image nesting in a harmless image seems about the most logical use, you could easily create a site that serves "harmless" wallpapers but are really childporn. Except one tiny problem, how do you distribute it? Open access, bit risky getting the highly illegal content out there, who knows who might be bored and start snooping. Limited access? Then who are you hiding from?

    The problem with the child porn idea is that it ain't going to fool anybody for long. Contrary to popular belief the police ain't stupid, if they suspect childporn and find nothing but a large collection of regular images that ALL seem to be just a bit too large, then just maybe, they are going to investigate further.

    As for use in distribution, encryption is far easier, if I know you then I can just send the file encrypted and nobody will be the wiser. If I don't know you and post it blindly on a public site, how are you going to know how to get the content out?

    I know that the idea is that one of the elements of hiding is NOT to increase the filesize, but unless I am missing something, if you want to hide 1mb of data, you are going to need at least 1mb of other data to do the hiding in. For a nice database dump, that is a LOT of pictures of your daughter.
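The size mismatch described in the comment above (a 4mb file that renders as a roughly 100x100 photo) can be checked mechanically on PNG files. The following is an added example, not part of the original thread: `inspect_png`, `make_png`, the 2x size threshold and the one-bit-per-sample capacity estimate are assumptions chosen for illustration, and the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel

def inspect_png(data: bytes) -> dict:
    """Compare a PNG's size on disk with what its pixel dimensions can justify."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, ihdr, end = 8, None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        pos += 12 + length                      # length + type + body + CRC
        if ctype == b"IEND":
            end = pos                           # anything past here is not image data
            break
    if ihdr is None or end is None:
        raise ValueError("truncated or malformed PNG")
    width, height, depth, color = ihdr[:4]
    row = (width * CHANNELS[color] * depth + 7) // 8
    raw = height * (row + 1)                    # +1 filter byte per scanline
    return {
        "pixels": (width, height),
        "raw_bytes": raw,
        "trailing_bytes": len(data) - end,
        "lsb_capacity": width * height * CHANNELS[color] // 8,  # 1 bit per sample
        # Heuristic (assumed threshold): a compressed file far larger than its
        # uncompressed pixels deserves a look; large metadata chunks can also cause it.
        "oversized": len(data) > 2 * raw + 1024,
    }

def chunk(ctype: bytes, body: bytes) -> bytes:
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

def make_png(width: int, height: int) -> bytes:
    """Constructed sample: a flat grey 8-bit RGB image."""
    rows = (b"\x00" + b"\x80" * (width * 3)) * height
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

clean = make_png(100, 100)
padded = clean + b"\x00" * (4 * 1024 * 1024)    # constructed: 4 MB appended after IEND
for name, blob in (("clean", clean), ("padded", padded)):
    print(name, len(blob), inspect_png(blob))
```

The `lsb_capacity` figure makes the commenter's capacity point concrete: under the assumed one-bit-per-sample scheme, a 100x100 RGB image holds under 4 KB, so 1mb of hidden data needs roughly 8mb of pixel data.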

  • by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Saturday October 20, 2007 @09:17AM (#21054753) Homepage

    > why couldn't the message be given via a pre-arranged signal
    It's the same problem as OTPs. If you can get the "pre-arranged signal" secretly to and from the participants, then why not just use that same method to get the message out too?
  • by Dunbal ( 464142 ) on Saturday October 20, 2007 @09:49AM (#21054923)
    > If you can get the "pre-arranged signal" secretly to and from the participants, then why not just use that same method to get the message out too?

    Because perhaps the "pre-arranged signal" was given in a face to face meeting, which will only happen once so as not to arouse suspicion.
  • by 75th Trombone ( 581309 ) * on Saturday October 20, 2007 @12:43PM (#21056023) Homepage Journal
    Who calls USB flash drives 'USB memory sticks'?
  • by Country_hacker ( 639557 ) <country.hacker@gmail.com> on Saturday October 20, 2007 @01:04PM (#21056185)
    I'm afraid as solid-state drives become more common this would lead to confusion though.
  • by Anonymous Coward on Saturday October 20, 2007 @03:21PM (#21057259)
    Did ya see what he did there? He hid a message inside his message. And it got a + Informative. See http://it.slashdot.org/comments.pl?sid=334331&threshold=-1&commentsort=0&mode=thread&cid=21057007
  • by photomonkey ( 987563 ) on Saturday October 20, 2007 @04:03PM (#21057547)

    Yes, there are a tremendous number of stupid criminals out there, just like there are a tremendous number of stupid people out there.

    But we chronically underestimate what people are capable of. I know a bit about O-chem, and with a bit of research could probably manufacture meth fairly easily. It's really not much more complicated than setting up a moonshine still. Out of the reach of some? Sure. But the fact remains that tens of thousands of strung-out hoopleheads manage to do it every day.

    We complain about them damn young kids sailing the high seas of Internet and maliciously raiding commerce vessels trading in MP3s, and yet many judges seem baffled by even simple concepts like IP addressing and server logging.

    These steganography tools are fairly easy to use. So why, again, are we surprised that criminals can point and click?

  • Re:Old news though (Score:2, Insightful)

    by Cairnarvon ( 901868 ) on Saturday October 20, 2007 @07:55PM (#21059071) Homepage
    Watermarking in this sense is a type of steganography.
