Covert Channels The Silence Must be Heard The Hidden Must be Seen


Armstrong Atlantic State University – Cyber & Homeland Security Institute
Covert Channels
The Silence Must be Heard
The Hidden Must be Seen
The Secrets Must be Revealed
By: Randy Grubb
Cyber Capabilities
• By the turn of the century all known terrorist and
criminal groups had a presence on the Internet.
– Psychological Warfare
– Propaganda
– Data Mining
– Fundraising/financing
– Recruiting
– Networking
– Information sharing
– Planning & coordination
– Actual perpetration of their crimes
Why the Internet?
• Anonymous (real or perceived)
– Encryption
– Covert Channels/Steganography
– Public libraries/Internet cafes/wireless access points
– Anonymizers/Proxies (Tor)
• Geographically Unbounded
– People can communicate with one another from
virtually anywhere in the world
– More than 10,000 Internet Service Providers (ISP)
worldwide
– Some are sympathetic to the radical cause
Why the Internet?
• Largely unregulated
– Developed as an open interoperable network
– No central government authority
– Most ISPs do not have the resources or
desire to monitor web-site content
• Inexpensive
– Free web hosting
– Free e-mail accounts
Why the Internet?
• US and coalition military actions since 9/11 have
deprived terrorist organizations of their bases of
operations and training camps.
• These actions have dispersed terrorist
organizations more widely.
• With the Internet, terrorist organizations can
control a worldwide movement without ever
meeting.
Source: Harvard Gazette: Terror Online and how to counteract it, Ruth Walker, 2004
Netwar
• Term given to an emerging mode of conflict at the
societal level, involving actors such as terrorist
and criminal organizations.
– Involves measures short of traditional warfare
– Network forms of organization, doctrine,
strategy and communication
• Dispersed and decentralized manner
Netwar
• Small groups from points around the world
utilizing network and Internet technology
to:
– Communicate
– Coordinate
– Act
Is This a Secure Site?
What are Covert Channels?
• Covert Channels
– Any communication channel that can be exploited by
a process to transfer information in a manner that
violates the system's security policy.
– In short, covert channels transfer information using
non-standard methods
– Against the system design
– Communication is obscured; unnoticed
– Easily bypass current security tools & products
What are Covert Channels?
• Covert Channels allow multiple parties to
communicate ‘unseen’
– They hide the fact that a communication is even
occurring
– Provides privacy and anonymity
• Unlike encryption, where communication is
obvious but obscured
– Encryption is easily identified
– Clear and visible indications of encryption
Covert Channels
• Covert Channels work because of human
deficiencies
– Eye sight
– Hearing
– Analysis skills
• Lack of Interest
– It’s not really a problem, doesn’t happen
– Prove it to me
• System Design Discrepancies
– Components utilized in unintended manner
Covert Channels
• Many covert channels will elude detection
simply because most individuals have
never considered the possibility
• Perception overrides reality
Covert Channels
• Covert Channels hide the fact that communication
between two or more individuals is occurring.
Potential Damage
• Corporate Espionage
– Loss of competitive advantage
• Government or Military Activities
– Increased threat to National Security
– Terrorist Organizations
• Criminal Activities
– Transfer of pornography or commercial software
• Financial Impact
– Transfer of confidential financial data
Known Covert Methods
• Steganography
– Images
– Audio
• Text Manipulation
• TCP Covert Channels
• Alternate Data Streams (ADS)
• Deep or invisible web
Tool Summary
• Over 300 known tool variations and releases
• Tools for every Operating System including
DOS, Windows, UNIX/Linux, OS2, Mac
• Wide variety of methodologies and features
• Most software is freeware or shareware
Origins of Steganography
• What does Steganography Mean?
– Pronounced “STEHG-uh-NAH-gru-fee”
– From the Greek Roots
• “Steganos” or Covered
• “Graphie” or Writing
• “Covered Writing”
– First Known Usage
• The early Greeks and Persians used several forms of
covered writing to conceal the communication of secret or
covert messages
• Origins date back as far as 2,500 years ago
Carrier + Payload = Covert Message
• Carrier – The file that provides cover for and
conceals the payload.
• Payload – The secret message or information that
you wish to conceal or communicate.
• Covert Message – The combination of the
payload and the carrier. The covert message file
should appear identical to the carrier.
• Most current stego tools also encrypt the
payload to increase security.
Digital Images
• Digital Images are created by software
– Digital camera
– Scanner
– Graphics program
• Digital Images are made up of pixels [1]
– Represented on a grid
– The pixel is the smallest visual component
– Resolution & representation
• 640 x 480 – rows x columns
• 75 dpi – number of dots per inch
Source: WetStone Technologies
[1] http://www.library.cornell.edu/preservation/tutorial/intro/intro-01.html
Digital Images
• Color is represented in digital images by
three different methods.
– Paletted images
– True color images
– Compressed images
Palette Images
• Map to a pre-defined color on a table
– Pixel represented by table lookup value [2]
Source: WetStone Technologies
[2] http://www.webstyleguide.com/graphics/displays.html
True Color Images
• True Color images
– Typically 24 bits
– Most common format is
RGB or Red – Green - Blue
– 8 bits for each color byte
(red, green, blue)
– 16.7M possible colors [4]
Source: WetStone Technologies
[4] http://www.webstyleguide.com/graphics/displays.html
Least Significant Bit Steganography
“The hiding of data within a digital
carrier by slightly altering an
insignificant characteristic of the
carrier that does not appear to alter
the normal rendering of the data”
Hosmer, 1999
Source: WetStone Technologies
Altering a True Color Image [2]
Image source: www.wikipedia.com
[2] http://www.webstyleguide.com/graphics/displays.html
LSB Substitution – bit 0
LSB Substitution
Individual Colors (bits shown most significant first; the substituted bit is shown as before→after)
RED   1 0 1 1 0 1 0 [0→1]
GREEN 1 1 0 0 0 1 1 [1→0]
BLUE  1 1 1 0 0 0 0 [0→1]
Source: WetStone Technologies
Combined Color: Before / After (image)
LSB Substitution – bits 0 and 1
LSB Substitution
Individual Colors (bits shown most significant first; each substituted bit is shown as before→after)
RED   1 0 1 1 0 1 [1→0] [0→1]
GREEN 1 1 0 0 0 1 0 [1→0]
BLUE  1 1 1 0 0 0 1 [0→1]
Source: WetStone Technologies
Combined Color: Before / After (image)
LSB Substitution – bits 0-3
LSB Substitution
Individual Colors (bits shown most significant first; each substituted bit is shown as before→after)
RED   1 0 1 1 1 0 [1→0] [0→1]
GREEN 1 1 0 0 1 0 0 [1→0]
BLUE  1 1 1 0 1 1 1 [0→1]
Source: WetStone Technologies
Combined Color: Before / After (image)
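The carrier/payload model and the bit-0 through bits-0-3 substitutions above, as an added worked example (not code from the slides or from WetStone's tools): it overwrites the k least significant bits of each R, G, B sample of a constructed pixel list, recovers the payload, and reports the largest per-sample change, which is how an analyst bounds the visual distortion at 2**k - 1 per channel. The cover pixels and payload are constructed for the example.

```python
# Added example: k-bit LSB substitution on RGB samples and the per-channel
# change bound a defender uses to reason about how visible it is.

def bytes_to_bits(data: bytes) -> list:
    """Big-endian bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; drops any trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

def embed(pixels, payload: bytes, k: int = 1):
    """Return a stego copy with the k LSBs of every sample replaced by payload bits."""
    bits = bytes_to_bits(payload)
    capacity = len(pixels) * 3 * k          # three samples per pixel
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, carrier holds {capacity}")
    bits += [0] * (capacity - len(bits))    # pad unused slots with zeros
    keep_mask = ~((1 << k) - 1) & 0xFF      # clears the k low bits of a sample
    stego, pos = [], 0
    for px in pixels:
        new = []
        for sample in px:
            chunk = int("".join(map(str, bits[pos:pos + k])), 2)
            new.append((sample & keep_mask) | chunk)
            pos += k
        stego.append(tuple(new))
    return stego

def extract(pixels, nbytes: int, k: int = 1) -> bytes:
    """Read the k LSBs of each sample back out as nbytes of payload."""
    bits = []
    for px in pixels:
        for sample in px:
            for i in range(k - 1, -1, -1):  # most significant of the k bits first
                bits.append((sample >> i) & 1)
    return bits_to_bytes(bits[:nbytes * 8])

def max_channel_change(cover, stego) -> int:
    """Largest absolute per-sample difference; never exceeds 2**k - 1."""
    return max(abs(a - b) for pc, ps in zip(cover, stego) for a, b in zip(pc, ps))

# Constructed cover: the slide's RED/GREEN/BLUE bytes (10110100, 11000111,
# 11100000) followed by a dark block, 16 pixels in all.
COVER = [(180, 199, 224)] * 8 + [(10, 20, 30)] * 8

if __name__ == "__main__":
    for k in (1, 2, 4):
        stego = embed(COVER, b"Hi", k)
        print(k, extract(stego, 2, k), "max change", max_channel_change(COVER, stego))
```

With k=1 the largest change is a single level out of 256, which is why the bit-0 slide looks unchanged; with k=4 the change reaches 14 levels on this cover, which is what the bits-0-3 slide makes visible.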
Color Differences
Source: WetStone Technologies
Color Differences
Source: WetStone Technologies
Color Differences
Can you spot the modified pixel?
Source: WetStone Technologies