Spy vs. Spy
By Sally Adee
Orig URL : http://spectrum.ieee.org/print/6593
[Image: What's hidden in me?]

DO YOU WANNA KNOW A SECRET?: Altered with the proper steganography algorithm, this innocuous picture of a cat could be a carrier for corporate espionage.

Earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.


Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.


Steganography uses innocuous documents, usually an image file, as carriers for secret messages. Unlike encryption, steganography encodes the message while at the same time concealing the fact that a message is being sent at all. The Greek-derived name means “covered writing.” The earliest steganographers were said to be Greek generals who tattooed sensitive information onto the shaved heads of messengers. Once the hair grew back, the messenger could travel without suspicion to the intended recipient, who “decrypted” the secret message by shaving the messenger’s head again. In its current incarnation, steganography often makes use of e-mail, an ideal carrier for any corporate spy, disgruntled employee, or terrorist. 


Steganography algorithms vary widely—digital forensics firm WetStone Technologies Inc., of Ithaca, N.Y., lists 612 applications—but they work on basically the same principle. To embed a message in an innocuous image of a cat, for example, a commonly used steganography algorithm called LSB takes advantage of the way computers digitally encode color. The algorithm hides the fugitive file inside the so-called noncritical bits of color pixels. Noncritical bits are just what they sound like—the least important information in a pixel. A gray pixel in the cat’s uniformly gray fur, for example, is coded as a number that looks something like 00 10 01 00. By changing the least significant bits—the last two—you introduce one-millionth of a color change, an absurdly subtle alteration that no human eye could detect. 


The steganography application folds the secret message’s bits into the image’s least significant bits, but it typically leaves the image file unaltered in size or any other variable that would provide clues to infiltration. Compression does not affect the integrity of the stowaway data—the algorithms work just as well for lossy compression (for example, in a JPEG format) as they do for lossless compression methods. When the message reaches its intended recipient, an unlocking algorithm locates the stowaway bits in the cat image pixels and uses them to reconstruct the secret message. 


Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls “double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. “As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. “Our results are simple,” Bertolino says. “An extremely high percentage of the hidden files were destroyed.” Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department’s annual digital forensics conference, the Cyber Crime Conference. 
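The LSB embedding described two paragraphs above and the double-stegging jam described here are shown together in this added example (it is not code from the article, from E.R. Forensics or from WetStone). The 64-pixel gray carrier, the payload and the seeded noise source are constructed for illustration; an 8-bit grayscale pixel stands in for the color channels of a real image.

```python
import random

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """LSB steganography: write each payload bit into the lowest bit of one pixel."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # upper 7 bits (the visible shade) untouched
    return bytes(out)

def extract_lsb(pixels: bytes, length: int) -> bytes:
    """Recipient side: read `length` bytes back out of the pixels' lowest bits."""
    out = bytearray()
    for i in range(length):
        byte = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (pixel & 1)
        out.append(byte)
    return bytes(out)

def jam_lsb(pixels: bytes, seed: int, fraction: float = 0.5) -> bytes:
    """Double-stegging: overwrite a random share of LSBs with noise. A plain image is
    visually unchanged; any LSB-embedded payload is corrupted. The seeded RNG is only
    for reproducibility here; a deployed filter would draw its noise from os.urandom."""
    rng = random.Random(seed)
    out = bytearray(pixels)
    for i in range(len(out)):
        if rng.random() < fraction:
            out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)

def visible_bits(pixels: bytes) -> bytes:
    """The part of each pixel a viewer actually sees (everything but the LSB)."""
    return bytes(p & 0xFE for p in pixels)

def bit_errors(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed sample: a 64-pixel patch of uniform gray fur and a short hidden message.
CARRIER = bytes([0x80] * 64)
SECRET = b"payroll"
if __name__ == "__main__":
    stego = embed_lsb(CARRIER, SECRET)
    jammed = jam_lsb(stego, seed=7)
    print("image unchanged by jam:", visible_bits(jammed) == visible_bits(stego))
    print("payload bit errors after jam:", bit_errors(SECRET, extract_lsb(jammed, len(SECRET))))
```

With the jam applied the carrier still looks identical, while roughly a quarter of the hidden bits are flipped, which is enough to make the recovered payload unreadable.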


According to Bertolino, the steganography-jamming application would be made available to organizations as part of a software package and would work at the e-mail server level to scour all outgoing communication of nefarious content. Filtering e-mail automatically through an algorithm could give an organization peace of mind without chewing up a lot of billable hours. (Steganography can be detected by trained examiners if the images are passed through a variety of filters to reveal visual indicators, but that requires hours of manpower.) 


One major disadvantage, Bertolino concedes, is that his method does nothing to alert authorities to the presence of the mole. However, despite well-funded research, the bottom line remains that it is easier to jam steganography than it is to detect its presence. “Is it better to know who is doing the attacking or to stop the attack from happening?” Bertolino asks. “Sometimes catching an intruder is less important than preventing the potential damage caused by releasing that information.”


WetStone CEO Chet Hosmer says Bertolino’s research is founded on legitimate principles. In fact, what Bertolino calls double-stegging is similar to a server-level technology called stego stomping that WetStone sells to companies to filter outgoing e-mail. 


The main advantage of such an approach, says Northeastern University computer science professor Ravi Sundaram, under whose guidance Bertolino pursued his research, is that it mitigates a major problem of the espionage “arms race.” As soon as security personnel figure out how to circumvent one algorithm, 10 more are invented to take its place. Double-stegging could provide a stopgap. No matter how sophisticated steganography methods become, those technology advances could be used against the malefactors. By attacking the applications using the applications themselves, the algorithms become their own worst enemy. 


Bertolino thinks his method would be most useful when used alongside detection methods like those being developed at WetStone and Backbone Security, another cybercrime-detection firm, headquartered in Fairmont, W.Va. These firms specialize in detection. Letting Bertolino’s double-stegging application run quietly on an e-mail server means that an examiner could take his time sussing out the intruder while remaining confident that no outgoing e-mails are exporting hidden files.


Thwarting steganography that makes use of static carriers like JPEG or MP3 files is important, says Hosmer. However, steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem. 

