Saturday, August 26, 2006

Steganography and Cyber Terrorism Communications

Following my previous post on Cyber Terrorism Communications and Propaganda, I'm continuing to summarize interesting findings on the topic. The use of encryption to ensure the confidentiality of a communication, whether by criminals or by terrorists taking advantage of the speed and low cost of Internet communications, is often assumed to be the default mode of covert communication. I feel that it is steganographic communication, in all of its variety, that plays the crucial role in terrorist communications. It has never been about a lack of publicly or even commercially obtainable steganographic tools, but about knowing where and what to look for. Here's a brief comment on a rather hard-to-intercept communication tool, SSSS, Shamir's Secret Sharing Scheme:

"No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use of secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shedding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret."
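As an added example (my code, not from the post or from any SSSS implementation it refers to), here is the (k, n) threshold construction behind Shamir's scheme in Python: the secret is the constant term of a random polynomial over a prime field, each share is one point on that polynomial, and Lagrange interpolation at zero recovers the constant from any k points, while k-1 points are consistent with every possible secret. The prime, the sample secret and the function names are my own choices.

```python
# Added example, not part of the original post: Shamir's (k, n) threshold
# scheme over the prime field GF(p). Any k shares reconstruct the secret;
# k-1 shares are consistent with every possible secret and reveal nothing.
import secrets

PRIME = 2**127 - 1  # Mersenne prime; secrets must be integers below it


def split_secret(secret, k, n):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    # Random polynomial f of degree k-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares, k):
    """Lagrange-interpolate f(0) from k distinct shares (extra shares ignored)."""
    if len(shares) < k:
        raise ValueError("%d shares given, threshold is %d" % (len(shares), k))
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("shares must have distinct x coordinates")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME       # factor (0 - xj)
                den = den * (xi - xj) % PRIME   # factor (xi - xj)
        basis = num * pow(den, PRIME - 2, PRIME) % PRIME  # Fermat inverse
        secret = (secret + yi * basis) % PRIME
    return secret


if __name__ == "__main__":
    secret = int.from_bytes(b"sample secret", "big")  # constructed 13-byte sample
    shares = split_secret(secret, k=3, n=5)
    print(recover_secret([shares[0], shares[2], shares[4]], 3).to_bytes(13, "big"))
```

Any three of the five shares print the sample back; two of them interpolate a different polynomial and yield an unrelated value, which is the whole point of the threshold.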

Intelligence officials and analysts are often confronted with a difficult choice: should they actively scan the entire public Internet, or only certain partitions of the known chaos, namely the majority of Islamic/Jihadi related web sites? The trouble is that the latter is a heck of a short-sighted approach, and far too logical a one to actually produce results. Moreover, in all the fuss about terrorists using steganography, or even encryption, to communicate, the majority of experts -- shooting in the dark -- have totally neglected the very concept of disinformation. To be honest, I'm a little surprised at the lack of it: picture the media buzz over a recently found map of a key region and encoded messages embedded in a public image, continue with public institutions raising threat levels and vendors taking advantage of this "marketing window", while in the meantime someone gained access to a third party's E-identity and used it to creatively communicate the real message.

It's a public secret that the majority of the Terrorist Training Manuals already obtained on the Web give instructions on primitive but IT-centered approaches to anonymity, such as encryption, the use of proxies, and yes, steganography as well. Yet another public secret: these very same training manuals are actual copies of unclassified and publicly obtained Intelligence, Military and Security research documents. Here's a chapter on Secret Writing and Ciphers and Codes. Primitive, but still acting as an indicator of the trend.

The most comprehensive scan of USENET for steganography was conducted back in 2001, primarily because of the post-9/11 debate on the use of steganography by terrorists. Surprisingly, the experiment didn't find a single hidden message -- after a dictionary-based attack on the JSteg and JPHide positive images, of course:

"After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis. A detailed description of the detection framework can be found in Detecting Steganographic Content on the Internet. This page provides details about the analysis of one million images from the Internet Archive's USENET archive. Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS."

Concerns about the invaluable sample:
- Used USENET as the primary source of images
- Excluded music and multimedia files, as well as TCP/IP covert channels, which are hard to detect while in transmission -- information can indeed move at the speed of an error message
- Cannot scan the Dark Web, the part closed off behind crawler-blocking techniques or simple authentication
- Cannot scan what's not public, namely malware-infected hosts, entire communication platforms hosted on a defaced web server somewhere, or temporary communication dead boxes -- and while talking about such, free web space providers can provide interesting information, given you know where and what to look for, as always
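As an added example of the kind of statistical signature a scan like the one above looks for (my code, not the stegdetect implementation), here is the pairs-of-values chi-square test for LSB replacement in Python, run over a constructed sequence of 8-bit samples. The skewed cover distribution, the seeds and the function names are my assumptions, and the ratio of the statistic to its degrees of freedom stands in for a proper p-value, which would need a chi-square CDF.

```python
# Added example, not part of the original post: the pairs-of-values chi-square
# test (Westfeld and Pfitzmann) for sequential LSB replacement, the kind of
# statistical signature stegdetect-style scanners rely on. Works on any flat
# sequence of 8-bit samples (pixels, audio), so no image library is needed.
import random


def pairs_of_values_chi_square(samples):
    """(chi_square, degrees_of_freedom) over the 128 value pairs (2i, 2i+1).
    LSB replacement with random bits equalizes h(2i) and h(2i+1), so stego data
    scores near its degrees of freedom; an untouched, uneven cover scores far higher."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi, used = 0.0, 0
    for i in range(128):
        even, odd = hist[2 * i], hist[2 * i + 1]
        if even + odd == 0:
            continue  # pair absent from the data, contributes no term
        expected = (even + odd) / 2.0
        chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        used += 1
    return chi, max(used - 1, 1)


def lsb_ratio(samples):
    """chi_square / df: close to 1.0 suggests LSB replacement, >> 1 an untouched cover."""
    chi, df = pairs_of_values_chi_square(samples)
    return chi / df


def embed_lsb(samples, bits):
    """Overwrite each sample's LSB with a message bit (used here only to build test data)."""
    return [(v & 0xFE) | b for v, b in zip(samples, bits)]


def make_cover(n, seed=1):
    """Constructed cover: even values three times as likely as odd, a skewed histogram."""
    rng = random.Random(seed)
    values = list(range(256))
    return rng.choices(values, weights=[3 if v % 2 == 0 else 1 for v in values], k=n)


def make_stego(cover, seed=2):
    """Constructed stego object: the cover with a random bit string in every LSB."""
    rng = random.Random(seed)
    return embed_lsb(cover, [rng.getrandbits(1) for _ in cover])


if __name__ == "__main__":
    cover = make_cover(10000)
    print("cover ratio: %.2f" % lsb_ratio(cover))              # far above 1
    print("stego ratio: %.2f" % lsb_ratio(make_stego(cover)))  # about 1
```

The test only flags replacement-style embedding in the order of the samples; tools that choose positions pseudo-randomly or use matching instead of replacement need different detectors, which is why the scan's dictionary stage was aimed at specific tools.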

The bottom line is that if someone really wants to embed something into commodity data such as a video, picture or MP3 file, they will. Generating more noise where there's already plenty of it is, on the other hand, a smart approach that I feel is being abused all the time. How to deal with the problem? Ensure your ECHELON approaches are capable of detecting the patterns of the majority of public/commercial steganography tools. And according to public sources, that seems to be the case already:

"R2051 Steganography Decryption by Distributive Network Attack Develop a distributive network analysis application that can detect, identify, and decrypt steganography in multiple types of files, including commonly used audio, video and graphic file formats. The application must quickly and accurately detect and identify files containing steganography and extract the hidden messages and data from the file. Decryption of any messages or data encoded before the use of a steganography program is not required. The system must allow for easy, low-cost, frequent updating to counter new emerging programs. It must detect, extract, and decrypt messages in any file that has used any currently commercially available steganography programs as well as commonly encountered non-commercial programs. These would include, but are not limited to, the following: Covert.tcp; dc-Steganograph; EzStego; FFEncode; Gzsteg; Hide 4 PGP; Hide and Seek 4.1; Hide and Seek 5.0; Hide and Seek for Windows 95; jpeg-jsteg; Paranoid, Paranoid1.1.hqx.gz; PGE - Pretty Good Envelope; PGPn123; S-Tools: S-Tools 1.0 (Italy, Finland); S-Tools 2.0 (Italy, Finland); S-Tools 3.0 (Italy, Finland); S-Tools 4.0 (Italy, Finland); Scytale; Snow; Stealth, Stealth 2.01; Steganos 1.4; Steganos for Windows 95 and upgrade 1.0a; Stego by John Walker; Stego by Romana Machado; Stegodos; Texto; wbStego; WitnesSoft; and WINSTORM"

The rest is making sense out of the noise and applying OSINT approaches to locating the "bad neighborhoods".

Figure courtesy of Bauer 2002 at the FBI's Overview of Steganography for the Computer Forensics Examiner.

Microsoft's OneCare Penetration Pricing Strategy

In a previous post, Microsoft in the Information Security Market, I commented on Microsoft's most recent move into the information security market and the anti-virus market segment. Moreover, several months earlier I pointed out 5 things Microsoft can do to secure the Internet and why it wouldn't, namely:

- Think twice before reinventing the security industry
- Become accountable, first in front of itself, then in front of its stakeholders
- Reach the proactive level and avoid the reactive one with respect to software vulnerabilities
- Introduce an internal security-oriented culture, or better utilize its workforce with respect to security
- Rethink its position in the security vulnerabilities market

Recently, the much-hyped debate on whether Microsoft's anti-virus would take a piece of the anti-virus market seems to have finally materialized, with the help of basic pricing strategies:

"Helped by low pricing, Microsoft's Windows Live OneCare landed the number two spot in sales at US stores in its debut month, according to The NPD Group. The antivirus and PC care package nabbed 15.4 per cent of security suite sales at retailers such as Best Buy and Amazon.com, according to NPD's data. The average price was $29.67, well below Microsoft's list price of $49.95. Online at Amazon.com, OneCare is available for only $19.99."

Ya-hoo? Not so fast, since stats like these exclude the hundreds of licensing deals, co-branding, ISP affiliations and reseller positions, as well as PCs shipped ready with software from the rest of the vendors:

"Symantec noted that NPD covers retail sales only, and does not include consumer sales through internet service providers and PC makers, for example. 'We just had a record June quarter in consumer sales,' said Mike Plante, a marketing director at the company. 'You can't really draw market share conclusions from the NPD data alone, particularly with just a month of data.'"

I wonder what Microsoft's strategy will consist of by the time their offering reaches the growth stage and starts maturing, perhaps bargaining by offering software discounts and one-stop-shop services. I once pointed out another concern with anti-virus market statistics, namely Panda Software's -- a private company, no SEC or stockholders to bother about -- stated earnings placed right next to those of publicly traded companies. My point is that if Gartner wanted to offer a better grasp of this vibrant market segment, they'd have done better to use F-Secure, a publicly traded anti-virus vendor, as that would greatly improve an analyst's confidence in the provided data, wouldn't it?

Penetration pricing is all about gaining market share, and Microsoft's case reminds me of how RealNetworks was ready to lose cents on each and every song sold through its digital music service in order to offer, at least temporarily, a competitive alternative to iTunes.

Security cannot be bought; a false sense of security can, though. Whereas risk exposure and risk mitigation define a scientific approach that goes beyond visionary security management, it's arguable which one dominates, as marketing and branding often do the job -- if (true) advertising does its job, millions of people keep theirs. Case in point: Symantec, which currently has the largest market share -- greatly depending on the geographical area and the number of anti-virus products included -- is indeed the market leader, but that doesn't necessarily mean it offers the "leading" product. Quite the opposite: it offers the most popular and most available one, which usually comes with Norton's powerful and well-known brand.

Why wouldn't Microsoft want to license Kaspersky's, F-Secure's or Symantec's technology, for instance? Because that would have been like the Chinese growth syndrome, so to speak. The Chinese economy is shifting from being a source of raw materials to being an actual manufacturer, a bit of vertical integration given you have something to offer to the market at a particular moment in time, and start counting the new millionaires. The higher the proportion of the business machine you own, the greater the profits at the end of the quarter, and with key regions across the world still getting online, malware is only going to get more attention from both sides of the front.

From a business point of view, you can twist a user's actual wants so successfully that you can make it almost impossible to remember what was needed in the first place -- long live the sales forces! It is often arguable whether anti-virus software has turned into a commodity the way media players did, but for the end user -- the one with plenty of bandwidth available -- price and availability speak for themselves. Contrary to some recent comments that the most popular anti-virus products don't work, mostly because malware authors test their "releases" against these products, they actually test against all anti-virus products, the way pretty much everyone aware of the threat tests suspicious files or evaluates vendors' response times.

Don't be surprised if next time you buy a cheeseburger the dude starts explaining the basics of zero-day protection and offers you a ZIP-based discount, if any, on an anti-virus solution -- with up to three licenses for your wired family. Co-branding, licensing and industry outsiders are on the lookout for fresh revenues, and with malware representing both the most popular threat and the most popular security "solution" bought, stay tuned for a McDonald's Anti Virus "on-the-go". Hopefully one using licensed technology from a vendor with experience and vision.

Related posts:
Look who's gonna cash for evaluating the maliciousness of the Web
Spotting valuable investments in the information security market
Valuing Security and Prioritizing Your Expenditures
Budget Allocation Myopia and Prioritizing Your Expenditures

Futuristic Warfare Technologies

The future of warfare will definitely have to do with technology and convergence, at least the near future. Some logical developments, such as remote-sensing intercontinental UAVs, autonomous warfare, remotely controlled forces, network-centric warfare, and a higher reliance on AI for probability and decision-making scenarios, are just a warm-up for the major innovations we're about to witness -- whether defensive or offensive is an entirely different topic. In the very long term, though, nano warfare, robot wars and cyber wars reaching the level of VR warfare are among the fully realistic scenarios. Very informative slides on Future Strategic Issues/Future Warfare [Circa 2025]; here are some key points that made an impression on me:

Technological Ages of Humankind
- Hunter/Killer groups [Million BC - 10K BC]
- Agriculture [10K BC - 1800 AD]
- Industrial [1800-1950]
- IT [1950-2020]
- Bio/NANO [2020?]
- Virtual

The developments
- Chem/bio Antifunctionals/Anti fauna
- Binary agents distributed via imported products (Vitamins, Clothing, Food)
- Blast Wave Accelerator - global precision strike "On the Cheap"
- Bio/Chem/Molec./Nano Computing
- Ubiquitous Optical Comms
- Micro/Nano/Ubiquitous Sensors
- BioWeaponry
- Volumetric weaponry
- Cyber/Artificial Life (Beyond AI) -?
- Transoceanic UUVs, UAVs -- Boeing's X-45 series
- Spherical submarines to deal with the acoustics issue

To sum up, the best warriors win their battles without waging war -- or at least not against themselves.

Face Recognition At Home

In a previous post, Biased Privacy Violation, I mentioned two web sites, DontDateHimGirl.com and DontDateHerMan.com, and the privacy implications associated with them. I just came across MyHeritage.com, whose face recognition feature works remarkably well -- for relatives and everyone in between, depending on the sample.

"Recognizing faces is done by algorithms that compare the faces in your photo, with all faces previously known to MyHeritage Face Recognition, through photos and meta-data contributed by yourself and other users. So the more photos added to the system, the more powerful it becomes. If people in your photos are not recognized well, it is likely that MyHeritage.com has never encountered them before. By adding these photos to MyHeritage.com and annotating the people in the photo manually, MyHeritage.com will "learn" these faces and will be able to recognize them in future photos, even in different ages of the same person's life. Note: the algorithms used by MyHeritage Face Recognition are likely to find relatives of people in your photo, due to the genetic-based facial similarities that exist between relatives. You can use this to form connections between people whom you never even knew were related."

Face recognition @home just got a boost, and so did the obvious privacy implications of the ever-growing family database and its natural abuse by interested (third) parties.