Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within VoIP traffic. (A brief history of steganography) Techniques that fall under the category of VoIP steganography have been discussed in academic circles for a few years, but now more chatter is coming from the hacker community about creating easy-to-use tools, says Chet Hosmer, co-founder and Chief Scientist at WetStone Technologies, which researches cybercrime technology and trains security professionals investigating cybercrimes. "There are no mass-market programs yet, but it's on our radar, and we are concerned about it given the ubiquitous nature of VoIP," he says. Steganography in general is hiding messages so no one even suspects they are there, and when done digitally, it calls for hiding messages within apparently legitimate traffic. VoIP steganography conceals secret messages within VoIP streams without severely degrading the quality of calls. For example, secret data can be transferred within .jpg files by using the least significant bits to carry it.
There are more than 1,000 steganographic programs available for download online that can place secret data within image, sound and text files, Hosmer says, and then extract it. Because only the least significant bits are used, the hidden messages have little impact on the appearance of the images the files contain. There are none for VoIP steganography yet, but in the labs, researchers have come up with three basic ways to carry it out. The second is hiding data inside each voice payload packet but not so much that it degrades the quality of the sound. The first calls for using unused bits within UDP or RTP protocols – both used for VoIP - for carrying the secret message. The third method calls for inserting extra and deliberately malformed packets within the VoIP flow.
A variation calls for dropping in packets that are so out of sequence that the receiving device drops them. They will be dropped by the receiving phone, but can be picked up by other devices on the network that have access to the entire VoIP stream. These techniques require compromised devices or conspirators on both ends of calls or a man-in-the-middle to inject extra packets. "It's much more difficult to do and much more difficult to detect," than hiding data within other files, Hosmer says. For example, x86 executables can carry secret messages, according to Christian Collberg, an associate professor of computer science at the University of Arizona and co-author of the book Surreptitious Software. The medium used to carry secret messages is called the carrier, and just about anything can be a carrier. By manipulating the compiler, it can be made to choose one addition operation over another, and that choice can represent a bit in the secret message, Collberg says. "There are lots of choices a compiler makes, and whenever you have a choice, that could represent a bit of information," he says.
One of the newest methods takes advantage of TCP retransmission – known as retransmission steganograpny (RSTEG) - in which sending machines resend packets for which they fail to receive acknowledgements. Even something as broadly used as TCP/IP can be host to steganographic messages. The sending and receiving machines must both be in on the steganography, according to a paper written by a group of Polish researchers headed up by Wojciech Mazurczynk at the Warsaw University of Technology. The resent packet is actually different from the initial packet and contains a steganographic message as the payload. At some point during the transmission of a file, the receiving machine fails to send an acknowledgement for a packet and it is resent.
The receiving machine can distinguish such resent packets and opens up the message, the researchers say. In general, defending against steganography is tough to do because traditional security devices such as firewalls and application firewalls don't detect this type of illicit transfer; a file containing a secret message looks just like a legitimate file. In his blog Crypto-Gram Newsletter, security expert Bruce Schneier dismisses the threat from RSTEG. "I don't think these sorts of things have any large-scale applications," he says, "but they are clever." Mazurczynk and his colleagues have spent a lot of time figuring out new carriers for secret messages, publishing research on embedding them in VoIP and wireless LAN traffic. The best way to combat suspected use of steganography to leak corporate data is to look for the telltale signs - known steganography programs on company computers, says Hosmer. When the steganography program is known, it can be applied to the carrier to reveal the secret message.
On systems where it is found, forensic analysis may reveal files that contained messages and an indication of what data might have been leaked. That message may be in code and have to be decrypted, he says. They can confront the person and take steps to prevent further leaks, Collberg says. In many cases, just knowing that steganography is going on and who is responsible is enough for a business. But businesses can take more active steps such as destroying the secret messages by altering the carrier file. Free programs such as Stirmark for scrambling files enough to destroy steganographic messages are available online.
For instance, if the carrier is an image file, setting all the least significant bits to zero would destroy any messages contained there without significantly changing the appearance of the image, he says. Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., has developed double stegging – inserting stenographic messages within files with the intent of disrupting other stenographic messages that might also be in the files. According to Hosmer, a look at evidence in closed cases of electronic crime found that in 3% of those cases, criminals had steganographic programs installed on their computers. "The fact that these criminals were even aware [of steganography] was a startling surprise to law enforcement agencies," he says. He is waiting to find out if he gets a Small Business Innovation and research (SBIR) grant from the government to pursue turning his steganography jamming technology into a commercial product. Interest in steganography is growing, according to Wetstone Technology's monitoring of six popular steganography applications. That's not a dramatic increase given that the use of Internet-connected computes has gone up in the meantime, but it is still noteworthy, he says.
In 2008, the six combined logged 30,000 downloads per month, up from 8,000 to 10,000 per month about three years ago, Hosmer says. Steganography is not always bad. The watermark is a secret message embedded, for instance, in an image file so if the image is use online, a Web crawler can find it. Technically, steganography is just the same as digital watermarking, but with different intent, Collberg says. Then the creator of the image can check whether the site displaying the image has paid for it or is violating copyright, he says.
