Saturday, August 23, 2008

Double-Stegging - Jamming Steganography

Via IEEE.org -

Earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.


Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.


[...]

Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls “double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. “As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. “Our results are simple,” Bertolino says. “An extremely high percentage of the hidden files were destroyed.” Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department’s annual digital forensics conference, the Cyber Crime Conference. 


According to Bertolino, the steganography-jamming application would be made available to organizations as part of a software package and would work at the e-mail server level to scour all outgoing communication of nefarious content. Filtering e-mail automatically through an algorithm could give an organization peace of mind without chewing up a lot of billable hours. (Steganography can be detected by trained examiners if the images are passed through a variety of filters to reveal visual indicators, but that requires hours of manpower.) 


One major disadvantage, Bertolino concedes, is that his method does nothing to alert authorities to the presence of the mole. However, despite well-funded research, the bottom line remains that it is easier to jam steganography than it is to detect its presence. “Is it better to know who is doing the attacking or to stop the attack from happening?” Bertolino asks. “Sometimes catching an intruder is less important than preventing the potential damage caused by releasing that information.”


WetStone CEO Chet Hosmer says Bertolino’s research is founded on legitimate principles. In fact, what Bertolino calls double-stegging is similar to a server-level technology called stego stomping that WetStone sells to companies to filter outgoing e-mail. 


The main advantage of such an approach, says Northeastern University computer science professor Ravi Sundaram, under whose guidance Bertolino pursued his research, is that it mitigates a major problem of the espionage “arms race.” As soon as security personnel figure out how to circumvent one algorithm, 10 more are invented to take its place. Double-stegging could provide a stopgap. No matter how sophisticated steganography methods become, those technology advances could be used against the malefactors. By attacking the applications using the applications themselves, the algorithms become their own worst enemy. 


Bertolino thinks his method would be most useful when used alongside detection methods like those being developed at WetStone and Backbone Security, another cybercrime-detection firm, headquartered in Fairmont, W.Va. These firms specialize in detection. Letting Bertolino’s double-stegging application run quietly on an e-mail server means that an examiner could take his time sussing out the intruder while remaining confident that no outgoing e-mails are exporting hidden files.


Thwarting steganography that makes use of static carriers like JPEG or MP3 files is important, says Hosmer. However, steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem.

------------------------------

Very interesting work.
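The LSB mechanism the excerpt describes, worked through as an added example (not Bertolino's, WetStone's, or the article's own code): an 8-bit grayscale carrier is modelled as a byte string, a payload is hidden one bit per pixel, and the jamming step rewrites a random subset of least-significant bits so the hidden file no longer extracts cleanly. The carrier pixels, payload, jam fraction and RNG seed are all constructed assumptions for this demonstration.

```python
import random

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of consecutive pixels, one bit per pixel (MSB first)."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes, nbytes: int) -> bytes:
    """Reassemble nbytes of hidden data from the pixel LSBs."""
    out = bytearray()
    for k in range(nbytes):
        v = 0
        for i in range(8):
            v = (v << 1) | (pixels[k * 8 + i] & 1)
        out.append(v)
    return bytes(out)

def double_steg(pixels: bytes, rng: random.Random, fraction: float) -> bytes:
    """Jam: overwrite the LSB of roughly `fraction` of the pixels with a random bit.
    Each pixel changes by at most 1/255, so an innocent picture is visually unharmed."""
    out = bytearray(pixels)
    for i in range(len(out)):
        if rng.random() < fraction:
            out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)

def max_pixel_delta(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))

def bit_error_rate(a: bytes, b: bytes) -> float:
    flipped = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return flipped / (8 * len(a))

def demo(seed: int = 7, fraction: float = 0.5) -> dict:
    # Constructed carrier (4096 grayscale pixels) and constructed payload.
    carrier = bytes((i * 7) % 256 for i in range(4096))
    payload = b"constructed secret payload"
    stego = embed_lsb(carrier, payload)
    jammed = double_steg(stego, random.Random(seed), fraction)
    return {
        "clean_extract": extract_lsb(stego, len(payload)),
        "jammed_extract": extract_lsb(jammed, len(payload)),
        "ber": bit_error_rate(payload, extract_lsb(jammed, len(payload))),
        "max_delta": max_pixel_delta(stego, jammed),
    }
```

With half the pixels touched and each overwrite flipping the bit with probability one half, about a quarter of the payload bits are destroyed, which is enough to garble the extracted file; the visible pixel values never move by more than one level.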
