[ISN] ESU's code breakers

From: InfoSec News (alerts@private)
Date: Sun Nov 25 2007 - 23:07:18 PST


http://www.poconorecord.com/apps/pbcs.dll/article?AID=/20071125/NEWS/711250340/-1/NEWS01

By Dan Berrett
Pocono Record Writer
November 25, 2007

EAST STROUDSBURG - During rush hour on a Tuesday night in July 2006, 
terrorists set off seven bombs in a coordinated attack on commuter 
trains outside Mumbai, India, that killed more than 200 people and 
wounded some 700 others.

Thousands of miles away, at East Stroudsburg University, computer 
science graduate students are trying to foil future terrorists and 
criminals from using a tool that may have masked the plotters' 
communications with each other.

Authorities have suspected that the Mumbai bombers engaged in a 
technique called steganography, according to news reports from India. It 
would have disguised their plans, maps, photographs and bomb-making 
instructions within common and seemingly innocent digital images that 
they exchanged over the Web.

Steganography is most often deployed legitimately to watermark digital 
images so that they will not be duplicated illegally. But some say the 
technique's tracks have been glimpsed in shadier terrain: in the 
trafficking of child pornography, in identity theft, stealing 
intellectual property and trading insider information.

"This is brand new stuff," said Paul Schembari, director of the computer 
security program at ESU, which is one of 85 in the nation to be 
certified by the National Security Agency and the U.S. Department of 
Homeland Security. "It's out there and being used by bad guys."

Steganography, which translates roughly as "covered writing," has 
existed as a concept since antiquity. Ancient Greeks tattooed messages 
on the shaved scalps of their slaves, who traveled long distances to 
deliver them while their hair grew and obscured the message. The 
intended recipient then re-shaved the head of the messenger to read the 
note.

In later centuries, as technology advanced, the practice was typified by 
less arduous methods: invisible ink or microdots, which are shrunken 
images or text.

In today's digital world, steganography has taken a form that is both 
simpler and more inscrutable. Illicit data can be saved within JPEG 
images attached to an e-mail message, or even on popular Web sites that 
are rich with visual files, such as eBay or Flickr.

In a computer lab at ESU, Schembari demonstrated how steganography 
works. He projected two images next to each other on a screen. Each 
depicted seemingly identical lake landscapes.

But they differed imperceptibly. The digital code underpinning the 
shading of each pixel in one of the images varied by one number, a subtle 
sign that people may have been using it to disguise information.
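
The side-by-side comparison described above can be sketched in code. This is an added example, not taken from the article or from ESU's research; it assumes the hidden data sits in each pixel's least significant bit, and the images, payload and function names are constructed for illustration.

```python
# Compare a known-clean image with a suspect copy, pixel by pixel.
# Images are grayscale, modelled as lists of rows of 0-255 ints (constructed data).

def make_cover(width=16, height=8):
    """Constructed 'landscape': a smooth gradient standing in for a real photo."""
    return [[(x * 9 + y * 5) % 256 for x in range(width)] for y in range(height)]

def make_suspect(cover, payload):
    """Build the constructed suspect copy: payload bits overwrite pixel LSBs."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    flat = [p for row in cover for p in row]
    if len(bits) > len(flat):
        raise ValueError("payload does not fit in the image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    width = len(cover[0])
    return [flat[i:i + width] for i in range(0, len(flat), width)]

def diff_profile(cover, suspect):
    """Summarise how the suspect differs from the reference image."""
    if len(cover) != len(suspect) or any(len(a) != len(b) for a, b in zip(cover, suspect)):
        raise ValueError("images must have identical dimensions")
    pairs = [(a, b) for ra, rb in zip(cover, suspect) for a, b in zip(ra, rb)]
    changed = [(a, b) for a, b in pairs if a != b]
    return {
        "pixels": len(pairs),
        "changed": len(changed),
        "max_delta": max((abs(a - b) for a, b in changed), default=0),
        # True when every changed pixel differs only in its lowest bit
        "lsb_only": bool(changed) and all(a ^ b == 1 for a, b in changed),
    }

def lsb_bytes(image, count):
    """Read the first `count` bytes from the LSB plane, most significant bit first."""
    bits = [p & 1 for row in image for p in row][:count * 8]
    return bytes(sum(bit << (7 - i) for i, bit in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))

COVER = make_cover()
SUSPECT = make_suspect(COVER, b"constructed")  # constructed sample payload

if __name__ == "__main__":
    print(diff_profile(COVER, SUSPECT))
    print(lsb_bytes(SUSPECT, 11))
```

A profile with a maximum per-pixel difference of one and changes confined to the lowest bit is the "varied by one number" pattern; it only works when a trusted original is available for comparison.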

Academics have yet to establish much of a research trail on the subject. 
Only about 10 scholarly papers on it exist, Schembari said.

"We knew this problem was new and unsolved," he said. "And that's what 
you want."

His graduate students, Adam Engle and Michael Moynihan III, are hoping 
to add something substantial to the body of knowledge on the subject as 
they carry out their master's theses.

The subject's obscurity and the challenges it poses appealed to 
Moynihan, 24, of East Stroudsburg. "They're hard problems," he said.

He is looking to develop a method that reveals the use of steganography 
in still images. Once he has refined his method, he will test it on a 
sea of images, some that contain hidden data, and others that do not. 
When his method finds the disguised data 95 percent of the time without 
falsely turning them up where they don't exist (called false-positives), 
he will have something he can use.

"This is cutting-edge research," Moynihan said. "The whole 
problem-solving gets me going."

Engle, 23, who is from West Virginia, is exploring more uncharted 
territory. He is devising code to reveal the use of steganography in 
video, which projects images at a rate of 30 frames per second.

"There aren't a lot of methods out there for video steganography," he 
acknowledged.

To improve his odds, Engle's tool will analyze sets of five frames at a 
time to compare any changes in code between them.

Engle hopes to parlay his experience at ESU to the types of jobs other 
alumni of the program have found; he wants to work for the FBI or 
Lockheed Martin, the defense contractor. "I just want to do something 
that's cutting edge," he said.

To some cyber security experts, steganography is so cutting edge (some 
say impractical) that it is unclear how much of a threat it truly poses.

"There are lots and lots of tools," said Bruce Schneier, a security 
technologist, founder of the communications firm BT Counterpane, and 
author of "Beyond Fear: Thinking Sensibly about Security in an Uncertain 
World."

Calling steganography a "minor tactic," Schneier said terrorists can 
more easily use other tools: the phone, radio, cryptography or, as has 
already been demonstrated, simply saving drafts of messages on free 
Web-based e-mail services, but not sending them across the Internet, 
thus making them unlikely to be spotted.

"Steganography seems like a dumb tool of choice," Schneier said. "It 
doesn't make any sense."

Those on either side of the issue agree that little hard evidence of 
steganography has yet been found in crimes, except for the sordid case 
of the Shadowz Brotherhood, a ring of child pornographers who used the 
technique to exchange images of babies and young children being abused. 
Police broke the ring in 2002, arresting 50 people in ten countries 
across Europe and in the United States and Canada.

Those who fear that steganography is widespread worry that its lack of 
demonstrated use is giving people a false sense of security.

"I fervently believe there is much more evidence of criminal activity 
being concealed through the use of digital steganography than anyone 
knows. And no one really knows because no one is looking for it. It's a 
classic paradox," said Jim Wingate, director of the Steganography 
Analysis and Research Center and a vice president at Backbone Security 
in West Virginia. The company has roots at ESU; it grew out of the 
school's small business accelerator.

The U.S. Department of Justice has taken the threat seriously enough 
that it has given $1 million to ESU and its partners at Rider and Drexel 
universities to better anticipate how steganography might be used and to 
fight other cyber crimes.

Still, Wingate finds himself countering charges from critics in security 
and law enforcement that steganography is too sophisticated for most 
criminals to master.

"It couldn't be further from the truth. You can do a Google search and 
the applications are out there: easy to share, easy to download, easy to 
use," he said. "It's a serious threat, but the threat perception is 
extraordinarily low, and that's a dangerous situation in terms of 
national security and homeland security."

