Rooting out hidden code in media files
Until recently, steganography -- the covert embedding of messages inside image files -- was more of an intellectual exercise employed in spy novels than a real threat to organizations that don’t handle sensitive information.
In recent months, however, steganography has gotten more sophisticated. The Gatak/Stegoloader malware, which emerged in 2015, for example, upped the ante by hiding not just messages but malicious code within an image file.
And a Polish researcher has just made public a way of extending the principles of steganography to music files. Krzysztof Szczypiorski, a professor at the Warsaw University of Technology, dubbed his algorithm “StegIbiza,” to connote steganography used with Ibiza dance music. StegIbiza encodes data by varying the tempo of the music in ways inaudible to humans.
In August, EndGame, a security company based in Arlington, Va., announced that it had used simple image steganography to hide command-and-control messages in plain sight within images posted to the Instagram social media site.
“The kind of signal that we used in our proof of concept was the most bare-bones simple thing,” said Hyrum Anderson, EndGame’s principal data scientist. “The point was that even the easiest thing works, even on a big platform like Instagram. ‘Stego’ has an adversarial advantage -- it’s a lot easier to generate than it is to detect.”
EndGame’s proof of concept, Anderson said, basically argues that detecting the presence of steganography in files -- much less determining what is encoded -- is “maybe too hard.”
Anderson recommends taking a different approach. “Let’s do something to all the images that would -- if they happen to contain anything bad -- destroy that content without destroying the visual content of the image,” he said.
Fortunately, embedded steganography has an Achilles’ heel. “Stego can be very sensitive to really small changes,” Anderson explained. And compression algorithms, which throw out bits of data not needed for presenting an image or audio file, effectively negate the hidden message. “Every time an image comes in, let’s recompress it using a variation on its original compression,” he said. “If a message were hidden in there, it would get shoveled in the process.”
Likewise, files can be automatically recompressed before leaving an organization’s network, so that any steganographically hidden payload an attacker inserted to exfiltrate sensitive data to third parties is destroyed on the way out.
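The sanitizing approach described above -- recompress every inbound or outbound image so a hidden payload is destroyed while the visible picture is essentially unchanged -- can be illustrated with a small added example (not code from the article or from EndGame). It uses a constructed 8-bit grayscale gradient as the cover image, textbook least-significant-bit (LSB) embedding as the stand-in for "stego", and a hypothetical requantisation step in place of a real JPEG re-encode, then measures how many payload bits survive and how little the image changed (PSNR):

```python
import math

WIDTH, HEIGHT = 64, 64  # constructed 8-bit grayscale cover image

def make_cover():
    """Constructed cover: a smooth diagonal gradient, even values only."""
    return [((x + y) * 2) & 0xFF for y in range(HEIGHT) for x in range(WIDTH)]

def embed_lsb(pixels, payload):
    """Textbook LSB embedding: one payload bit in each pixel's lowest bit."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    assert len(bits) <= len(pixels), "payload too large for cover"
    out = pixels[:]
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def extract_lsb(pixels, nbytes):
    """Read back nbytes from the LSB channel (what a receiver would do)."""
    bits = [p & 1 for p in pixels[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def sanitize(pixels, step=3):
    """Hypothetical stand-in for lossy re-encoding: requantise every sample to
    a step the embedder did not use (a real gateway would re-encode as JPEG)."""
    return [min(255, round(p / step) * step) for p in pixels]

def psnr(a, b):
    """Peak signal-to-noise ratio in dB; higher means a less visible change."""
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return float("inf") if mse == 0 else 10 * math.log10(255 ** 2 / mse)

def bit_error_rate(a, b):
    """Fraction of payload bits that no longer match after sanitising."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def demo(payload=b"hidden test payload"):  # constructed sample payload
    """Returns (payload intact before sanitising, BER after, PSNR in dB)."""
    stego = embed_lsb(make_cover(), payload)
    intact = extract_lsb(stego, len(payload)) == payload
    clean = sanitize(stego)
    after = extract_lsb(clean, len(payload))
    return intact, bit_error_rate(payload, after), psnr(stego, clean)

if __name__ == "__main__":
    ok, ber, db = demo()
    print(f"payload intact before sanitising: {ok}")
    print(f"bit error rate after sanitising: {ber:.2f}, PSNR vs stego: {db:.1f} dB")
```

Every pixel moves by at most one grey level (PSNR above 48 dB, invisible to a viewer), yet a large fraction of the LSB payload is scrambled, which is the asymmetry Anderson relies on: the defender need not detect the message to neutralise it.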
Posted by Patrick Marshall on Aug 30, 2016 at 1:49 PM