According to a rumor in computer security circles, earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.
Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.
Steganography uses innocuous documents, usually an image file, as carriers for secret messages. Unlike encryption, steganography encodes the message while at the same time concealing the fact that a message is being sent at all. The Greek-derived name means ”covered writing.” The earliest steganographers were said to be Greek generals who tattooed sensitive information onto the shaved heads of messengers. Once the hair grew back, the messenger could travel without suspicion to the intended recipient, who ”decrypted” the secret message by shaving the messenger’s head again. In its current incarnation, steganography often makes use of e-mail, an ideal carrier for any corporate spy, disgruntled employee, or terrorist.
Steganography algorithms vary widely—digital forensics firm WetStone Technologies Inc., of Ithaca, N.Y., lists 622 applications—but they work on basically the same principle. To embed a message in an innocuous image of a cat, for example, a commonly used steganography algorithm called LSB takes advantage of the way computers digitally encode color. The algorithm hides the fugitive file inside the so-called noncritical bits of color pixels. Noncritical bits are just what they sound like—the least important information in a pixel. A gray pixel in the cat’s uniformly gray fur, for example, is coded as a number that looks something like 00 10 01 00. By changing the least significant bits—the last two—you introduce one-millionth of a color change, an absurdly subtle alteration that no human eye could detect.
The steganography application folds the secret message’s bits into the image’s least significant bits, but it typically leaves the image file unaltered in size or any other variable that would provide clues to infiltration. Compression does not affect the integrity of the stowaway data—the algorithms work just as well for lossy compression (for example, in a JPEG format) as they do for lossless compression methods. When the message reaches its intended recipient, an unlocking algorithm locates the stowaway bits in the cat image pixels and uses them to reconstruct the secret message.
Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls ”double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. ”As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. ”Our results are simple,” Bertolino says. ”An extremely high percentage of the hidden files were destroyed.” Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department’s annual digital forensics conference, the Cyber Crime Conference.
According to Bertolino, the steganography-jamming application would be made available to organizations as part of a software package and would work at the e-mail server level to scour all outgoing communication of nefarious content. Filtering e-mail automatically through an algorithm could give an organization peace of mind without chewing up a lot of billable hours. (Steganography can be detected by trained examiners if the images are passed through a variety of filters to reveal visual indicators, but that requires hours of manpower.)
One major disadvantage, Bertolino concedes, is that his method does nothing to alert authorities to the presence of the mole. However, despite well-funded research, the bottom line remains that it is easier to jam steganography than it is to detect its presence. ”Is it better to know who is doing the attacking or to stop the attack from happening?” Bertolino asks. ”Sometimes catching an intruder is less important than preventing the potential damage caused by releasing that information.”
WetStone CEO Chet Hosmer says Bertolino’s research is founded on legitimate principles. In fact, what Bertolino calls double-stegging is similar to a server-level technology called stego stomping that WetStone sells to companies to filter outgoing e-mail.
The main advantage of such an approach, says Northeastern University computer science professor Ravi Sundaram, under whose guidance Bertolino pursued his research, is that it mitigates a major problem of the espionage ”arms race.” As soon as security personnel figure out how to circumvent one algorithm, 10 more are invented to take its place. Double-stegging could provide a stopgap. No matter how sophisticated steganography methods become, those technology advances could be used against the malefactors. By attacking the applications using the applications themselves, the algorithms become their own worst enemy.
Bertolino thinks his method would be most useful when used alongside detection methods like those being developed at WetStone and Backbone Security, another cybercrime-detection firm, headquartered in Fairmont, W.Va. These firms specialize in detection. Letting Bertolino’s double-stegging application run quietly on an e-mail server means that an examiner could take his time sussing out the intruder while remaining confident that no outgoing e-mails are exporting hidden files.
Thwarting steganography that makes use of static carriers like JPEG or MP3 files is important, says Hosmer. However, steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem.
This story was corrected on 25 August 2008.