ESU's code breakers
http://www.poconorecord.com/apps/pbcs.dll/article?AID=/20071125/NEWS/711250340/-1/NEWS01

By Dan Berrett
Pocono Record Writer
November 25, 2007

EAST STROUDSBURG - During rush hour on a Tuesday night in July 2006, terrorists set off seven bombs in a coordinated attack on commuter trains outside Mumbai, India, that killed more than 200 people and wounded some 700 others.

Thousands of miles away, at East Stroudsburg University, computer science graduate students are trying to foil future terrorists and criminals from using a tool that may have masked the plotters' communications with each other.

Authorities have suspected that the Mumbai bombers engaged in a technique called steganography, according to news reports from India. It would have disguised their plans, maps, photographs and bomb-making instructions within common and seemingly innocent digital images that they exchanged over the Web.

Steganography is most often deployed legitimately to watermark digital images so that they will not be duplicated illegally. But some say the technique's tracks have been glimpsed in shadier terrain: in the trafficking of child pornography, in identity theft, stealing intellectual property and trading insider information.

"This is brand new stuff," said Paul Schembari, director of the computer security program at ESU, which is one of 85 in the nation to be certified by the National Security Agency and the U.S. Department of Homeland Security. "It's out there and being used by bad guys."

Steganography, which translates roughly as "covered writing," has existed as a concept since antiquity. Ancient Greeks tattooed messages on the shaved scalps of their slaves, who then traveled long distances to deliver them while their hair grew back and obscured the message. The intended recipient then re-shaved the head of the messenger to read the note.
In later centuries, as technology advanced, the practice was typified by less arduous methods: invisible ink or microdots, which are shrunken images or text.

In today's digital world, steganography has taken a form that is both simpler and more inscrutable. Illicit data can be saved within JPEG images attached to an e-mail message, or even on popular Web sites that are rich with visual files, such as eBay or Flickr.

In a computer lab at ESU, Schembari demonstrated how steganography works. He projected two images next to each other on a screen. Each depicted seemingly identical lake landscapes. But they differed imperceptibly. The digital code underpinning the shading of each pixel in one of the images varied by one number, a subtle sign that people may have been using it to disguise information.

Academics have yet to establish much of a research trail on the subject. Only about 10 scholarly papers on it exist, Schembari said.

"We knew this problem was new and unsolved," he said. "And that's what you want."

His graduate students, Adam Engle and Michael Moynihan III, are hoping to add something substantial to the body of knowledge on the subject as they carry out their master's theses.

The subject's obscurity and the challenges it poses appealed to Moynihan, 24, of East Stroudsburg. "They're hard problems," he said.

He is looking to develop a method that reveals the use of steganography in still images. Once he has refined his method, he will test it on a sea of images, some that contain hidden data, and others that do not. When his method finds the disguised data 95 percent of the time without falsely turning them up where they don't exist (called false-positives), he will have something he can use.

"This is cutting-edge research," Moynihan said. "The whole problem-solving gets me going."

Engle, 23, who is from West Virginia, is exploring more uncharted territory.
He is devising code to reveal the use of steganography in video, which projects images at a rate of 30 frames per second.

"There aren't a lot of methods out there for video steganography," he acknowledged. To improve his odds, Engle's tool will analyze sets of five frames at a time to compare any changes in code between them.

Engle hopes to parlay his experience at ESU into the types of jobs other alumni of the program have found; he wants to work for the FBI or Lockheed Martin, the defense contractor.

"I just want to do something that's cutting edge," he said.

To some cyber security experts, steganography is so cutting edge (some say impractical) that it is unclear how much of a threat it truly poses.

"There are lots and lots of tools," said Bruce Schneier, a security technologist, founder of the communications firm BT Counterpane, and author of "Beyond Fear: Thinking Sensibly about Security in an Uncertain World."

Calling steganography a "minor tactic," Schneier said terrorists can more easily use other tools: the phone, radio, cryptography or, as has already been demonstrated, simply saving drafts of messages on free Web-based e-mail services, but not sending them across the Internet, thus making them unlikely to be spotted.

"Steganography seems like a dumb tool of choice," Schneier said. "It doesn't make any sense."

Those on either side of the issue agree that little hard evidence of steganography has yet been found in crimes, except for the sordid case of the Shadowz Brotherhood, a ring of child pornographers who used the technique to exchange images of babies and young children being abused. Police broke the ring in 2002, arresting 50 people in ten countries across Europe and in the United States and Canada.

Those who fear that steganography is widespread worry that its lack of demonstrated use is giving people a false sense of security.

"I fervently believe there is much more evidence of criminal activity being concealed through the use of digital steganography than anyone knows. And no one really knows because no one is looking for it. It's a classic paradox," said Jim Wingate, director of the Steganography Analysis and Research Center and a vice president at Backbone Security in West Virginia. The company has roots at ESU; it grew out of the school's small business accelerator.

The U.S. Department of Justice has taken the threat seriously enough that it has given $1 million to ESU and its partners at Rider and Drexel universities to better anticipate how steganography might be used and to fight other cyber crimes.

Still, Wingate finds himself countering charges from critics in security and law enforcement that steganography is too sophisticated for most criminals to master.

"It couldn't be further from the truth. You can do a Google search and the applications are out there: easy to share, easy to download, easy to use," he said. "It's a serious threat, but the threat perception is extraordinarily low, and that's a dangerous situation in terms of national security and homeland security."