Posted on 18-Dec-2015


Covert Channels
The Silence Must be Heard
The Hidden Must be Seen
The Secrets Must be Revealed

By: Randy Grubb

Armstrong Atlantic State University – Cyber & Homeland Security Institute

Cyber Capabilities

• By the turn of the century all known terrorist and criminal groups had a presence on the Internet.
  – Psychological Warfare
  – Propaganda
  – Data Mining
  – Fundraising/financing
  – Recruiting
  – Networking
  – Information sharing
  – Planning & coordination
  – Actual perpetration of their crimes

Why the Internet?

• Anonymous (real or perceived)
  – Encryption
  – Covert Channels/Steganography
  – Public libraries/Internet cafes/wireless access points
  – Anonymizers/Proxies (Tor)

• Geographically Unbounded
  – People can communicate with one another from virtually anywhere in the world
  – More than 10,000 Internet Service Providers (ISP) worldwide
  – Some are sympathetic to the radical cause

Why the Internet?

• Largely unregulated
  – Developed as an open interoperable network
  – No central government authority
  – Most ISPs do not have the resources or desire to monitor web-site content

• Inexpensive
  – Free web hosting
  – Free e-mail accounts

Why the Internet?

• US and coalition military actions since 9/11 have deprived terrorist organizations of their base of operations and training camps.

• These actions have dispersed terrorist organizations more widely.

• With the Internet, terrorist organizations can control a worldwide movement without ever meeting.

Source: Harvard Gazette: Terror Online and how to counteract it, Ruth Walker, 2004

Netwar

• Term given to an emerging mode of conflict at the societal level, fought by network-organized actors, notably terrorist and criminal organizations.
  – Involves measures short of traditional warfare
  – Network forms of organization, doctrine, strategy and communication

• Operates in a dispersed and decentralized manner

Netwar

• Small groups from points around the world utilizing network and Internet technology to:
  – Communicate
  – Coordinate
  – Act

Is This a Secure Site?

What are Covert Channels?

• Covert Channels
  – Any communication channel that can be exploited by a process to transfer information in a manner that violates the system's security policy.
  – In short, covert channels transfer information using non-standard methods
  – Against the system design
  – Communication is obscured; unnoticed
  – Easily bypass current security tools & products

What are Covert Channels?

• Covert Channels allow multiple parties to communicate ‘unseen’
  – They hide the fact that a communication is even occurring
  – Provide privacy and anonymity

• Unlike encryption, where communication is obvious but obscured
  – Encryption is easily identified
  – Clear and visible indications of encryption

Covert Channels

• Covert Channels work because of human deficiencies
  – Eyesight
  – Hearing
  – Analysis skills

• Lack of Interest
  – It’s not really a problem, doesn’t happen
  – Prove it to me

• System Design Discrepancies
  – Components utilized in unintended manner

Covert Channels

• Many covert channels will elude detection simply because most individuals have never considered the possibility

• Perception overrides reality

Covert Channels

• Covert Channels hide the fact that communication between two or more individuals is occurring.

Potential Damage

• Corporate Espionage
  – Loss of competitive advantage

• Government or Military Activities
  – Increased threat to National Security
  – Terrorist Organizations

• Criminal Activities
  – Transfer of pornography or commercial software

• Financial Impact
  – Transfer of confidential financial data

Known Covert Methods

• Steganography
  – Images
  – Audio

• Text Manipulation
• TCP Covert Channels
• Alternate Data Streams (ADS)
• Deep or invisible web

Tool Summary

• Over 300 known tool variations and releases
• Tools for every Operating System including DOS, Windows, UNIX/Linux, OS2, Mac
• Wide variety of methodologies and features
• Most software is freeware or shareware

Origins of Steganography

• What does Steganography Mean?
  – Pronounced “STEHG-uh-NAH-gru-fee”
  – From the Greek Roots
    • “Steganos” or Covered
    • “Graphie” or Writing
    • “Covered Writing”
  – First Known Usage
    • The early Greeks and Persians used several forms of covered writing to conceal the communication of secret or covert messages
    • Origins date back as far as 2500 years ago

Carrier + Payload = Covert Message

• Carrier – The file that provides cover for and conceals the payload.

• Payload – The secret message or information that you wish to conceal or communicate.

• Covert Message – The combination of the payload and the carrier. The covert message file should appear identical to the carrier.

• Most current stego tools also encrypt the payload to increase security.

Digital Images

• Digital Images are created by software
  – Digital camera
  – Scanner
  – Graphics program

• Digital Images are made up of pixels
  – Represented on a grid
  – The pixel is the smallest visual component
  – Resolution & representation
    • 640 x 480 – rows x columns
    • 75 dpi – number of dots per inch

1. http://www.library.cornell.edu/preservation/tutorial/intro/intro-01.html
Source: WetStone Technologies

Digital Images

• Color is represented in digital images by three different methods.
  – Paletted images
  – True color images
  – Compressed images

Palette Images

• Map to a pre-defined color on a table
  – Pixel represented by table lookup value

2. http://www.webstyleguide.com/graphics/displays.html
Source: WetStone Technologies

True Color Images

• True Color images
  – Typically 24 bits
  – Most common format is RGB or Red – Green – Blue
  – 8 bits for each color byte (red, green, blue)
  – 16.7M possible colors

4. http://www.webstyleguide.com/graphics/displays.html
Source: WetStone Technologies

Least Significant Bit Steganography

“The hiding of data within a digital carrier by slightly altering an insignificant characteristic of the carrier that does not appear to alter the normal rendering of the data”

Hosmer, 1999

Source: WetStone Technologies

Altering a True Color Image

2. http://www.webstyleguide.com/graphics/displays.html
Image source: www.wikipedia.com

LSB Substitution – bit 0

[Figure: LSB Substitution, bit 0. The RED, GREEN and BLUE channel bytes of one pixel are shown before and after the least significant bit (bit 0) of each channel is replaced with a payload bit (bit 0 before: R=0, G=0, B=1; after: R=0, G=1, B=0). The combined color and the individual colors are displayed for the before and after cases.]

Source: WetStone Technologies

LSB Substitution – bits 0 and 1

[Figure: LSB Substitution, bits 0 and 1. The RED, GREEN and BLUE channel bytes of one pixel are shown before and after the two least significant bits of each channel are replaced with payload bits. The combined color and the individual colors are displayed for the before and after cases.]

Source: WetStone Technologies

LSB Substitution – bits 0-3

[Figure: LSB Substitution, bits 0 to 3. The RED, GREEN and BLUE channel bytes of one pixel are shown before and after the four least significant bits of each channel are replaced with payload bits. The combined color and the individual colors are displayed for the before and after cases.]

Source: WetStone Technologies
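The substitution the three LSB figures describe, using the carrier / payload / covert message terms from the earlier slide, as an added Python example (this code is not from the slides or from WetStone Technologies; the pixel values and the payload are constructed for the demo). It covers all three depths shown (bit 0, bits 0-1, bits 0-3) and reports the largest per-channel change, which is what an analyst compares against the 0-255 range when judging how visible the modification is:

```python
# Added example, not from the slides: LSB substitution on 24-bit RGB pixels at
# the depths the figures show (bit 0; bits 0-1; bits 0-3), with the extraction
# that recovers the payload and the per-channel change bound that explains why
# the covert message "should appear identical to the carrier".

def bits_from_bytes(data):
    """Payload bits, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def embed(pixels, payload, nbits):
    """Write payload bits into the low `nbits` bits of consecutive channel bytes
    of the carrier `pixels` (a list of (r, g, b) tuples). Returns the covert
    message as a new pixel list; raises ValueError if the carrier is too small."""
    if not 1 <= nbits <= 8:
        raise ValueError("nbits must be 1..8")
    bits = bits_from_bytes(payload)
    if len(bits) % nbits:                        # zero-pad to whole chunks
        bits += [0] * (nbits - len(bits) % nbits)
    channels = [c for px in pixels for c in px]
    chunks = len(bits) // nbits
    if chunks > len(channels):
        raise ValueError("carrier too small for payload")
    keep = 0xFF ^ ((1 << nbits) - 1)             # clears the low nbits of a byte
    for i in range(chunks):
        chunk = int("".join(map(str, bits[i * nbits:(i + 1) * nbits])), 2)
        channels[i] = (channels[i] & keep) | chunk
    return [tuple(channels[j:j + 3]) for j in range(0, len(channels), 3)]

def extract(pixels, nbytes, nbits):
    """Read `nbytes` back from the low `nbits` bits of consecutive channels."""
    bits = []
    for c in [c for px in pixels for c in px]:
        bits += [(c >> s) & 1 for s in range(nbits - 1, -1, -1)]
        if len(bits) >= nbytes * 8:
            break
    bits = bits[:nbytes * 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def max_channel_delta(carrier, covert):
    """Largest change to any channel byte; never exceeds 2**nbits - 1."""
    return max(abs(a - b) for pa, pb in zip(carrier, covert)
               for a, b in zip(pa, pb))

# Constructed 8-pixel carrier (24 channel bytes), not an image from the slides.
CARRIER = [(218, 198, 225), (12, 200, 77), (255, 0, 128), (64, 64, 64),
           (100, 150, 200), (7, 8, 9), (240, 16, 32), (90, 180, 10)]
```

With this carrier and the payload b"hi", bit-0 substitution moves no channel by more than 1, while bits 0-3 moves one channel by 5; the bound 2**nbits - 1 is why the slides' bit-0 example is imperceptible and the four-bit one starts to show color differences.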

Color Differences

Source: WetStone Technologies

Color Differences

Source: WetStone Technologies

Color Differences

Can you spot the modified pixel?

Source: WetStone Technologies