Slashdot Mirror


Evidence of Steganography in Real Criminal Cases

ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"

11 of 231 comments

  1. Old news though by eneville · · Score: 3, Interesting

    This was advertised in the film "The Core" when the 'hacker kid' sends a message to a pilot within some other data... Great. It's also in use CONSTANTLY by conspiracy theorists, how many people have received that stupid email about the number 911 and the wingdings font... *yawn*.

    Steganography is also in use by some media producers, I've heard cases where demo tracks have included some randomness that is later detectable to find the source of whoever leaked the track (each person on the initial review got a different copy of the randomness).

    1. Re:Old news though by sqrt(2) · · Score: 2, Interesting

      That's a well known tactic for discovering the source of leaks of sensitive information; been in use long before computers. Hell it probably predates movable type! It didn't have a specific name until Clancy wrote Patriot Games. Google, "canary trap".

      --
      If you build it, nerds will come. Soylentnews.org
  2. Debunking steganography by DrYak · · Score: 4, Interesting

    In fact people like Guillermito have regularly shown that a lot of point'n'click stegano softs are just completely useless. They either don't work at all (fail to transport data) or store the data in a nearly not hidden at all way (payload stored as-is past the end of the file, or zero-padded and used for the least significant bit of the file without any encryption).

    Especially if the marketing blurb mentions "military grade" (translation: triple AES is used to store the password. The reader software inputs a password from the user and if it matches the hash... the soft proceeds extracting the otherwise clear, non crypted and un-obfuscated payload).

    So while it *is* possible to design actually working steganography, if a would-be pedo-terrorist-criminal tries to google for steganographic software, he'll most likely land on useless software.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  3. Re:These must be freshman researchers by Anonymous Coward · · Score: 1, Interesting

    From TFA:

    "with the little data we have so far, we are finding that there's a strong correlation between criminal activity and at least the installation of steganography programs on those [confiscated] computers"


    Agreed on your comment on the above statement. My problem is that the article author's statement will be used as justification for search warrants. Some bullet-head cop who's barely mastered the idea of opposable thumbs will quote it like gospel and use it as justification to grab IP numbers of downloaders, etc. As someone that makes a living off of security I'm tired of seeing my tools being judged "guilty until proven otherwise". A few years ago a highway cop tossed my car hard because he found a copy of Schneier's "Applied Cryptography", saw the cover and didn't like the statement "The book the NSA wanted never to be published". He threatened to take it and make me come down to his station to get it back. BTW, this cop was clearly "not the sharpest tool in the shed" even among his own peers.


    I really see in ten years owning any non-backdoor crypto tools et al being illegal. America is dying under the thumb of the police and soon to arrive police state.

  4. Steganography probably not used for bulk data xfer by ahodgkinson · · Score: 2, Interesting

    It is unsurprising that there is positive correlation between presence of steganography software and criminals convicted of child pornography and financial fraud. Given the penalties and the police/media preoccupation with these activities, it is hardly surprising that some criminals are using steganography to cover their tracks.

    A point to note is that the criminals using steganography are probably not using it to transfer large quantities of information, but merely communicating small very private messages. This might include links to web servers, credit card numbers or meeting/payment instructions. It is unlikely to require more than a few hundred bytes of data.

    While Schneier is correct that corporate theft is best accomplished with USB drives or even your corporate laptop, the criminals using steganographic software are probably not using it for their bulk transfers of information, but rather pointers or encryption keys to information transferred by other means.

    Comparing the number of web pages against the number of child pornographers who might be hiding steganographic data in online images makes Purdue's attempt to crawl the web in search for steganographic data seem futile.

    Data transfers by steganography have to be pre-arranged in advance by some other communication method, otherwise how would sender and receiver know how to encrypt/decrypt their messages? If your interest is in stopping crime, then this is the weakest link and should be the focus of your detective work.

    --
    ---- It won't be as bad as you fear or as good as you hope, but it will take twice as long as you plan.
  5. Re:Just because you think it doesn't make sense... by Anonymous Coward · · Score: 1, Interesting

    Open the file in a hex editor and it's blatantly obvious there's data in the photo.

    Please look at these images and tell me exactly what in the hex dump makes it "blatantly obvious" that one is stegged.

  6. Re:get over it by Kjella · · Score: 4, Interesting

    Encrypted, hidden data can be added to MP3s, MPEG4s,

    Actually, the more compressed the less likely you can embed anything useful. Trying to embed information would either lead to inefficient compression, which can be detected or to unnatural noise which can also be detected. Also you can't have an unembedded and an embedded version around, so adding steganography to that episode of Heroes you send would be really stupid and trivially found with a diff. Most good formats like bmp, wav etc. would raise eyebrows since they're so uncommon. I think your favorite non-suspicious option today would be getting a digicam with a raw option, then use the least significant color bit. It's near noise anyway since very few cameras can actually detect 10/12 bits/channel, there's no reference to go by and it's perfectly reasonable to share photos that way. Do an AES pass on the data so you're writing pseudo-random data, and I imagine it'd be rather hard to detect.
    --
    Live today, because you never know what tomorrow brings
  7. Re:get over it by DavidTC · · Score: 2, Interesting

    Encrypted, hidden data can be added to MP3s, MPEG4s, PDFs, scans, executables, random leftover noise on the disk. It can be hidden on microSD cards, printed on paper, and hidden on DVDs.

    See, right there I'm with Bruce. Why would you put steganography tools on microSD cards?

    Why not put the data encrypted on the card, and then hide the card? Doesn't that seem to make a lot more sense?

    I mean, those things can hold a lot now, a good deal more than you could reasonably hide via steganography.

    If you're smart, you'll just up and install the encryption tools like Truecrypt, but have a porn partition or even a tiny file with credit card and personal information, a 'legitimate' use for the program.

    And, yes, I know people are talking about hidden communication channels, for, for example, spies, not storage, but, frankly, that's idiotic.

    Any large data is going to be transferred in person via encrypted flash drives. A flash drive is a lot easier to dead-drop than a DVD-R. They have ones thin enough that they can fit inside library books or pass as change, and ones sturdy enough that they can stay outside for a week in mud. Anyone who thinks the 'secret plans' are traveling via the internet is confused. (Well, not at the start of the trip. Once they end up at the embassy or whatever the data obviously can be openly strong-encrypted and openly transferred however the hell they want.)

    And any tiny data can be communicated via public signals. Which, incidentally, is a kind of steganography. Spies already have all that worked out. For example, if you ever wear the red tie with the brown suit it means your cover is blown and you need immediate pickup, stuff like that.

    I don't doubt technology plays a role in this, but I doubt 'encryption' or 'steganography' does, as tools like that are, as you pointed out, dangerous. I suspect it's more stuff like 'If anyone ever anonymously replies to a slashdot post of yours using this specific subject, check dead-drop #3 that evening'. Call it 'manual steganography', where you go around looking for clues that everyone else can see but no one else knows what to look for.

    --
    If corporations are people, aren't stockholders guilty of slavery?
  8. imageboards by niteice · · Score: 2, Interesting

    On some imageboards (which shall remain anonymous), a common trick is to password-protect a RAR file and append it to an image (cat foo.jpg bar.rar > baz.jpg). Most RAR utilities skip right over the image data and only extract the RAR file.

    --
    ROMANES EUNT DOMUS
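
Comments 2 and 8 both describe payloads stored as-is past the end of an image file. The check below is an added example, not code from the thread or from any tool named in it: it walks the JPEG marker segments to find the real end-of-image marker, then reports what follows. The function names and the sample bytes are constructed for illustration.

```python
RAR_MAGIC = b"Rar!\x1a\x07"                 # prefix shared by RAR 4.x and 5.x signatures
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}      # TEM and RST0-7 carry no length field
IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}  # FF followed by these stays inside scan data


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                  # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
        elif marker in NO_LENGTH:
            pos += 2
        else:
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seglen < 2:
                raise ValueError(f"bad segment length at offset {pos}")
            pos += 2 + seglen               # skips the payload, including any FF D9 inside it
            if marker == 0xDA:              # SOS: entropy-coded data runs to the next marker
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                    pos += 1
    raise ValueError("truncated JPEG: no EOI marker")


def inspect_jpeg(data: bytes) -> dict:
    """Report bytes stored after the image and whether a RAR signature is among them."""
    end = jpeg_end_offset(data)
    hit = data.find(RAR_MAGIC, end)
    return {"image_bytes": end, "trailing_bytes": len(data) - end,
            "rar_offset": hit if hit >= 0 else None}


def sample_jpeg() -> bytes:
    """Constructed marker skeleton (not a decodable picture) for the demo."""
    app1 = b"\xff\xe1" + (8).to_bytes(2, "big") + b"th\xff\xd9mb"   # payload holds FF D9
    scan = b"\xff\xda" + (3).to_bytes(2, "big") + b"\x00" + b"\x12\xff\x00\x34"
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = sample_jpeg()
    print(inspect_jpeg(clean))
    print(inspect_jpeg(clean + RAR_MAGIC + b"\x00" + b"constructed archive body"))
```

Walking the segments matters because the bytes FF D9 can also occur inside a metadata segment, where a plain search for the first FF D9 would stop too early. Trailing bytes are a triage signal rather than proof, since some devices append their own data after the image.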
  9. Distributing Steganography Software Doesn't Work by Anonymous Coward · · Score: 1, Interesting

    It would seem that distributing steganography software would immediately make it useless. Steganography is based on hiding information in such a way that other people can't find it unless they know EXACTLY where it is (e.g. if every other prime-numbered byte in a raw image produces a text file when appended in a certain order, it is unlikely anyone will find it). When software like this is distributed, however, anyone who receives it may potentially figure out where/how it hides the files, and once one person figures it out anyone can then find any files hidden that way, rendering that method of steganography useless. This means that only individuals/groups that can develop their own form of steganography will be able to use it with any effectiveness.

  10. What you call a thumb drive/flash drive/pen drive by Beryllium+Sphere(tm) · · Score: 2, Interesting

    The ResearchBuzz blog has proposed "nerdstick". I've standardized on that for my own use.