Steganography Over Covert Channels: Implementation and Government Response

by Hal Wigoda  (hal.wigoda@gmail.com)

Security and privacy have been a concern of people for centuries.

Whether it is private citizens, governments, military, or business, it seems everyone has information that needs to be kept private and out of the hands of unintended third parties.  Information wants to be free, but it is necessary to keep information private.

That need has come about because governments have sensitive information, corporations send confidential financial records, and individuals send personal information to others and conduct financial transactions online.  Information can be hidden so it cannot be seen.  The information can also be made indecipherable.

This is accomplished using steganography and cryptography.  These two processes are closely related.  While cryptography is about protecting the content of a message, steganography is about concealing the very existence of the message itself.

They can be combined to provide double protection.  Notwithstanding, both steganography and cryptography can stand on their own independent of the other.  While cryptography encodes a message in plain sight that cannot be read with normal efforts, steganography hides the information so outsiders are not aware of its presence.  It travels under the nose of the common man.

The hidden message is placed within the data boundaries of a digital file such as an email, MP3 music file, MP4 movie file, spreadsheet, Microsoft Word document, text file, PDF file, etc.  Any third party could look at or listen to the digital file that the message is hiding in and not be aware that the hidden message is present.  When the digital file reaches the intended party, the recipient should have the knowledge necessary to extract the hidden message from the digital file.

Steganography simply works this way: Start with a secret message and, using a previously agreed-upon algorithm, insert it into a cover object, thus creating the stego object.  Then the stego object is sent to the receiver.  The receiver accepts the stego object and extracts the hidden message using the agreed-upon algorithm.

Present Day Steganography

Steganography preceded cryptography.

Before mankind was able to encode messages with cryptography, messages would be hidden by steganographic means.  They would be hidden on wax tablets, under soldiers' hair, or with invisible ink.

Today, hiding of data with steganography can be performed within the static medium of the new digital technologies.  Almost any digital file on a hard drive can have information embedded into it without any apparent presence.  This is static steganography and it occurs on the bit/byte level.

Taking this a step further, in a way not apparent to the layman, data can also be hidden in the medium of the Internet, the layer that the data flows over, in the packets that travel from computer to computer, over twisted pair, Ethernet, and optical connections, through firewalls and routers, from network to network, untouched by the fingers of any telegrapher or data technician, in the electrical current that flows over the power transmission lines.  This is dynamic steganography.  This is the covert channel of the Internet.

Steganography can be covertly implemented further in the timing channels of information varied by the fourth dimension of time, or the side channels, such as the power bursts that our appliances and televisions subsist upon or the concurrent magnetic waves that emanate from various household and commercial devices.  These are some of the covert channels of physical hardware.

Steganography and the Internet

Dynamic steganography can be accomplished over the Internet using the medium referred to as covert channels.

Network steganography is a method of hiding data in normal data transmissions on the modern network of the Internet.  These methods of hiding can be used for good or nefarious purposes, legal or illegal activities, unapproved or sanctioned processes.

Any interception by a rival of the owner of this hidden data, also known as stego-data, could compromise the sending entity, cause a loss of information and resources, and lead to its downfall.  There must be a good reason to go to such trouble and effort to hide data using these surreptitious techniques.

Today, sending messages electronically is a common mode of conveyance.  Email, web documents, video, audio, file-transfer protocol, attachments such as legal documents are all used over the Internet to exchange information.  With increasingly fast processors, intercepting, detecting, and deciphering messages has become easier, which means more secure means of hiding information are necessary to overcome any detection.  There are many unique and creative methods of securing communications with steganography and its close relative, cryptography.

Covert Channels

In these modern and technologically sophisticated times, using covert channels has become a means of transmitting information securely.

How widespread its use is remains unknown.  A covert channel is a communication channel that allows two cooperating processes to transfer information in a manner that violates the system's security policy.

For instance, Internet appliances such as two routers could use these covert channels to pass information between themselves.  This information could be instructions to the other appliance to use an alternate path, redo the last transaction, or increase the speed of transmission.  There are many methods available to enhance and guide the ongoing and orderly operational exchange of packets.

Butler Lampson introduced the concept of covert channels in 1973.

It is a means of communication that is not part of the original design of the system.  It could even be said that a covert channel is a security flaw.  It is a part of a program or system that can cause the system to violate its security requirements.  It can be an electronic means of sending and hiding messages.  Covert channels can be a means of taking any normal electronic communications and adding some secret element that does not cause noticeable interference to the original item.

Covert channels occur in two states: static or dynamic.

There is the static hiding of data in electronic files sitting on a hard drive.  When hiding data in a timing channel, the difference is that the data is dynamic, moving and always changing its location on the network.  It's here, now it's there.  If small amounts of insignificant bits or bytes are replaced, the effect on the moving vessel file should be fairly unnoticeable to the casual viewer or listener.

If the byte count of the file changes, detection becomes easier.  Performing a checksum on the file will raise a flag and possibly give up the embedding.  Detecting the hidden data as it streams over the wires, in the midst of the billions of bits that now pass, is next to impossible.  All Internet traffic would have to be monitored for hidden data, perhaps an insurmountable task.
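As an added illustration (example code, not from the original article) of the embed-and-extract procedure described at the start of this piece and of the byte-count versus checksum point just made: a message is written into the least significant bit of successive bytes of a constructed cover buffer, the stego object keeps exactly the original size, and only a hash comparison against the original reveals that anything changed.

```python
import hashlib

# Constructed cover: 1024 bytes standing in for raw pixel samples of an image.
COVER = bytes(range(256)) * 4
# Constructed message to hide; not a real exchange.
MESSAGE = b"meet at noon"


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Agreed-upon algorithm: write a 4-byte length prefix plus the message,
    one bit per cover byte, into the least significant bit of each byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover object too small for this message")
    stego = bytearray(cover)
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit  # replace only the LSB
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Receiver side of the same algorithm: read the length prefix, then the message."""
    def read(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def compare_files(original: bytes, suspect: bytes) -> dict:
    """Defender's check: a byte count misses LSB embedding, a hash does not."""
    return {
        "same_size": len(original) == len(suspect),
        "same_sha256": hashlib.sha256(original).digest()
        == hashlib.sha256(suspect).digest(),
        "bytes_changed": sum(1 for a, b in zip(original, suspect) if a != b),
    }


if __name__ == "__main__":
    stego_object = embed_lsb(COVER, MESSAGE)
    print(extract_lsb(stego_object))
    print(compare_files(COVER, stego_object))
```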

A covert channel can be very hard to detect.  That's the idea.

The packets used for carrying the message can appear innocuous and beyond suspicion.  The idea of a covert channel seems very simple and unique, but it must be carefully implemented so as to not disturb normal user operations.

Just as covert channels can be implemented using superior computing power, so can detection be implemented to intercept and prevent such surreptitious activity.  Stealth technology is one of the methods used by attackers to hide their malicious actions after a successful break-in.

Taking surreptitious control of a computer or system, installing backdoors, planting a rootkit, and altering the system's operating system are examples of chained exploits that work together.  Rootkits can modify the operating system to insert a kernel module that can perform further exploits such as steganography or a Distributed Denial-of-Service (DDoS) attack.

The worldwide network of the Internet is the perfect medium for steganography to occur.

Data can be hidden in web pages and the embedded images that pass over the Internet, a relatively easy task to perform and perhaps just as easy to examine.  An even more surreptitious and unique way to hide messages would be in the unused fields of the TCP/IP packet headers.  The operation of the Internet runs on the Transmission Control Protocol and Internet Protocol (TCP/IP).  The fields in the TCP/IP packet header help guide the movement as they hop across the Internet and coordinate the reassembly of these packets when they reach their destination.

These packets hold all the overt data that travels over the Internet: web pages, FTP data, video and audio, email, images and pictures.  These Internet packets are directed to their destination by the information contained in the fields of the header at the beginning of each packet.

Because packets are so small, only 1024 bytes, it takes many, many separate packets to convey all of the information in a web page or in any digital file.  Unless specifically monitored with software or hardware, most users are not aware of the packets, nor do they ever see them.

Inside the packet are data frames where slices of the data reside.  These data slices make up over 80 percent of each TCP/IP packet.  Until they reach their destination, the packets are incomplete and fragmented.

Sometimes packets get lost and must be re-transmitted.  A handshake and acknowledgment initiates a session, then a sending and receiving of packets occurs like a dance, each participant performing their next step.

When they reach their ultimate destination, the packets are finally reordered and reassembled.  The sheer volume of the Internet and the great number of the simple network packets guarantees that covert messages can be hidden in the unused header fields of the packets containing all transmitted information.  It's not as granular as a molecular layer.
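The unused and reserved header fields just described are exactly what a passive monitor can audit.  As an added example (not from the original article, and not any product's rule set), the following parses a raw IPv4/TCP packet with Python's standard library, verifies the IP header checksum, and flags fields that should be zero or meaningless in ordinary traffic; the sample packets are constructed inside the block and the checks are illustrative heuristics of my own.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(ip_flags=0x4000, tcp_reserved=0, tcp_flags=0x002,
                   urgptr=0, ack=0, payload=b"") -> bytes:
    """Construct a minimal IPv4/TCP packet (no options) with a valid IP checksum.
    Used only to make sample input; the TCP checksum is left zero and not checked."""
    off_res_flags = (5 << 12) | ((tcp_reserved & 0x7) << 9) | (tcp_flags & 0x1FF)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, ack, off_res_flags,
                      65535, 0, urgptr) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, ip_flags,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + tcp


def inspect_packet(packet: bytes) -> list:
    """Return a list of header-field anomalies worth a second look.
    Illustrative heuristics only, not a complete steganalysis rule set."""
    findings = []
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, csum,
     _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return ["not an IPv4 packet"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return ["bad IPv4 header length"]
    ip_header = packet[:ihl]
    # Recompute with the checksum field zeroed; a mismatch means the header was
    # altered after it was built (or corrupted in transit).
    if ipv4_checksum(ip_header[:10] + b"\x00\x00" + ip_header[12:]) != csum:
        findings.append("bad IPv4 header checksum")
    if flags_frag & 0x8000:
        findings.append("IPv4 reserved flag bit set")  # must be zero (RFC 791)
    if total_len != len(packet):
        findings.append("IPv4 total length does not match packet size")
    if proto != 6:
        return findings
    tcp = packet[ihl:]
    if len(tcp) < 20:
        findings.append("truncated TCP header")
        return findings
    (_sport, _dport, _seq, ack, off_res_flags, _window, _tcsum,
     urgptr) = struct.unpack("!HHIIHHHH", tcp[:20])
    reserved = (off_res_flags >> 9) & 0x7
    flags = off_res_flags & 0x1FF
    if reserved:
        findings.append("TCP reserved bits nonzero")
    if urgptr and not flags & 0x020:
        findings.append("TCP urgent pointer set without URG flag")
    if ack and not flags & 0x010:
        findings.append("TCP acknowledgment number set without ACK flag")
    return findings


# Constructed samples: a normal SYN and one whose unused fields carry bytes.
CLEAN_SYN = build_ipv4_tcp()
ODD_SYN = build_ipv4_tcp(tcp_reserved=0x5, urgptr=0x4141, ack=0x42424242)

if __name__ == "__main__":
    print(inspect_packet(CLEAN_SYN))
    print(inspect_packet(ODD_SYN))
```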

Ross Anderson said: "For covertness reasons, you'd probably want to hide your traffic in traffic that's very common."  Nothing is more common than the ubiquitous Internet TCP/IP packet.

Uses of Steganography

Steganography, in the form of media watermarking and fingerprinting, has been found to be useful for legitimate commercial applications.

It can enable the tracing of the original source of pirated, stolen, and illegal copies of protected books, audio, or video files.  Watermarking provides the ability to identify these copied files.

In a typical application of image watermarking, some message, such as a copyright notice identifying the intellectual property owner or rightful user, is imperceptibly embedded into the host file.

One example of utilizing watermarking is to embed a digital signature in a printed document for verifying authenticity.  This signature is made up of information such as the serial number, the model and manufacturer of the printer used, date of document printing, and author of the document.  This information is inserted into the initial characters of each page of a document.  This steganographic function, unknown to many, is a common feature of many printers used today on a daily basis.

Music files sold over iTunes are also encoded with watermarks that identify the purchaser and host computer where the audio files were purchased.  This allows them to be used by the rightful purchaser, while preventing the illegal transfer of these files to others.  Apple's iTunes software examines the sound files on iPods and uses the hidden authorization codes to authenticate and allow legitimate use of purchased music files.  Similarly, DVDs issued to members of the Academy of Motion Picture Arts and Sciences are tracked with watermarks to combat piracy through media source identification.

It has also been suggested that sending information requested by users in mobile banking systems can be made safer and more secure through the practice of steganography.  The indirect sending of information increases the security for users in a mobile banking system.

The uses and methods of hiding data are many and will continue to grow and expand.  Only imagination and the many technical methods and rules of science will put limits on how data will be dealt with while traveling under our noses.  The need to hide that data will always be present as the exploits and attacks increase to uncover and decipher information.

The user of any tool, a corporation or terrorist, will determine whether the steganographic purpose is good or evil.  Enslaved peoples can also use these tools to get their story out to the free world.

Using cryptography and steganography, people who have freedom of information and speech are now able to receive the stories and tales of others who do not, those who should be able to enjoy the inalienable rights that belong to all humans.  The recent Arab Spring in Algeria, Tunisia, and Egypt has been attributed to the use of the Internet to overcome corrupt political regimes and silence political dictators and despots.  Steganography can keep people free.

Terrorism on the Internet

There are often reports in the news of the use of the Internet by terrorist groups operating within the U.S.

Many of these encrypted digital messages might be passed by way of covert channels, embedded within other innocent-looking files, or in the covert channels that hide next to the overt pathway of the Internet.

A covert channel is typically used when the participants know that they are being monitored on the usual mainstream and mundane communications channels of snail mail, financial records, telephone calls, and even electronic mail.  The huge bandwidth of the Internet, the world's largest network, offers in its covert channels an alternative to snail mail, email, and messaging for the transport of hidden data.

The process of using the Internet for terrorist activities has been in the news more and more as Homeland Security "cries wolf" louder and louder.

Steganographic and encryption software is so powerful that its usage and export is regulated by law.  Its usage can allow criminals, malcontents, and terrorists - in addition to lawful actors - to operate and communicate through public channels practically unfettered.

Such software and encryption algorithms are categorized as weapons and cannot be exported outside the nation's borders.  There are many free and open-source software packages available to anyone who wishes to hide data.

Recent terrorist activity has been tentatively linked to the likely occurrence of steganography and is seen by the usual governmental agencies as a likely method of sending covert information.  With the wide use and abundance of the many powerful and free open-source steganographic and cryptographic tools on the Internet, law enforcement authorities should and do have serious concerns about detection of questionable material and information through web page source files.  No doubt there is more effective in-house software developed by corporations and governmental agencies to accomplish undetectable steganography.

Steganalysis and Detection

Steganalysis is described as the process of detection and identification of hidden stegodata.

There are many issues to be considered when studying steganographic systems.  While steganography deals with the various techniques used for hiding information, the goal of steganalysis is to detect and/or estimate the presence of any potentially hidden information.  This has to be done with little or no knowledge about the unknown steganographic algorithm used to hide the message in the original cover object, if it does exist.

One way to track Internet steganography would be to develop Internet appliances that have the capability of detecting embedded documents in cover data in the data packet field and anomalies in any other packet header field.  Packet analysis is also performed using packet sniffer programs such as tcpdump, OmniPeek, and Wireshark.  They capture raw network data over the wire.

Specialized hardware devices are, in fact, available, but are not openly marketed to the general public and only available to approved users such as law enforcement and Homeland Security agencies.  These devices go beyond the capability and functionality of normal routers, firewalls, and intrusion detection systems.

These appliances are only available to law enforcement agencies and operate under the radar.  They are called wardens and add to the cybersecurity defenses already available.

There are three types of wardens:

  1. A passive warden can only spy on the channel but cannot alter any messages.
  2. An active warden is able to slightly modify the messages, but without altering the semantic context.
  3. A malicious warden may alter the messages with impunity.

CALEA

In October 1994, Congress took action to protect public safety and ensure national security by enacting the Communications Assistance for Law Enforcement Act of 1994 or CALEA.

The objective of the implementation of CALEA was to assure law enforcement's ability to conduct lawfully authorized electronic surveillance while preserving public safety and the public's right to privacy.

Technology can provide the necessary tools that law enforcement agencies must have to detect questionable activities.  Such agencies as the FBI, the NSA, and the CIA must be able to detect questionable activities by both domestic and international malcontents.  There do not exist rooms where real individuals listen to calls manually, as there were during the early years of wiretapping telephone calls for J. Edgar Hoover.

There do exist certain specialized computers in server rooms that do the automated interception, monitoring, and collection of data.  There is occasional eavesdropping and wiretapping of lawful citizens, participants in the political process, and others who may be in violation of the serious legal guidelines society refers to as laws.  The mandate of the federal law of Homeland Security and specific court orders authorize wiretapping of phone calls or monitoring of Internet traffic.

Such activities require and authorize specialized equipment be placed on the main network pipeline of broadband Internet Service Providers (ISPs) and Voice over Internet Protocol (VoIP) providers to do that legal privacy override of examining electronic transmissions of all types.

Internet service providers and telecommunications carriers must assist law enforcement in executing electronic surveillance pursuant to court order or other lawful authorization.

Comprehensive National Cybersecurity Initiative

Further government action has been mandated recently.

In May 2009, President Obama accepted the recommendations of the Cyberspace Policy Review.  The Comprehensive National Cybersecurity Initiative (CNCI) was launched by President George W. Bush.

President Obama determined that the CNCI and its associated activities should evolve to become key elements of a broader, updated national U.S. cybersecurity strategy.  These CNCI initiatives will play a key role in supporting the achievement of many of the key recommendations of President Obama's Cyberspace Policy Review.  The CNCI initiatives are designed to help secure the United States in cyberspace.

The existing EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. government networks for malicious activity using signature-based Intrusion Detection System (IDS) technology.

A planned EINSTEIN 3 initiative will expand these capabilities to foster safety and security on the wires, heading off any covert activities that may intrude on the nation's communication channels.

The goal of EINSTEIN 3 is to identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response.  The government created the Internet as part of a DARPA project over 40 years ago.  Its usage was expanded for commercial use and to include the general public in the 1990s.

The appropriate agencies need to guarantee a mature Internet with the ability to deter and turn away any malicious attacks, exploits, or intrusions.  EINSTEIN 3 is part of this effort.

Network Appliances and Steganalysis Detection

Network appliances, such as routers and firewalls, play a large role in handling and parsing network traffic.

Directing data between portions of a network is the primary purpose of a router.  Therefore, the security of routers and their configuration settings is vital to network operation.  In addition to directing and forwarding packets, a router may be responsible for filtering traffic, allowing some data packets to pass, and rejecting malformed or suspect packets.

This filtering function is a very important responsibility for routers; it allows them to protect computers and other network components from illegitimate or hostile traffic.

Intelligent Support Systems for Lawful Interception, Criminal Investigation, and Intelligence Gathering (ISS) holds wiretapping conferences and seminars for the law enforcement community, military, governmental agencies, and Homeland Security agencies.

One featured company, Packet Forensics, was marketing Internet spying boxes to the feds at a recent ISS conference.  The website of Packet Forensics lists the products available from the company, though some pages are restricted to authorized law enforcement and intelligence organizations only.

These protected pages must describe defense and intelligence applications and hardware platforms too sensitive for public release.

Generally, these Internet appliances automate the processes that allow observation and collection of data on Internet traffic and/or phone calls when given the legal authority by either court order or mandate provided by legal statute to do so.  They can forward captured packets for storage and further analysis later by a system designed for extreme DPI.

These Internet appliances perform lawful interception, investigative analysis, and intelligence gathering, stealthily, while protecting the privacy rights and civil liberties of the law-abiding users of the Internet.  These appliances can handle a large number of surveillance requests while heading off any and all possible terrorist exploits before they occur.  These appliances can record and collect the evidence needed to convict the guilty.  These devices perform deep packet inspection, searching for thousands of different strings deep inside each packet.
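Searching thousands of strings deep inside every packet at line rate is normally done with a single multi-pattern automaton rather than one search per signature.  As an added example (not from the original article or any vendor's product), this builds an Aho-Corasick matcher and scans a constructed HTTP request against a few constructed demo signatures in one pass; header-only filtering would never see what it finds.

```python
from collections import deque


class MultiStringMatcher:
    """Aho-Corasick automaton: one pass over the payload finds every
    occurrence of every pattern, however many patterns are loaded."""

    def __init__(self, patterns):
        self.goto = [{}]      # per-state transitions: byte value -> next state
        self.fail = [0]       # per-state fallback when a byte does not match
        self.output = [[]]    # patterns that end in each state
        for pattern in patterns:
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.output.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.output[state].append(pattern)
        # Breadth-first pass fills in failure links; depth-1 states fall to root.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                queue.append(nxt)
                fallback = self.fail[state]
                while fallback and byte not in self.goto[fallback]:
                    fallback = self.fail[fallback]
                self.fail[nxt] = self.goto[fallback].get(byte, 0)
                self.output[nxt] += self.output[self.fail[nxt]]

    def scan(self, data: bytes):
        """Return (offset, pattern) for every match found in data."""
        state, hits = 0, []
        for position, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for pattern in self.output[state]:
                hits.append((position - len(pattern) + 1, pattern))
        return hits


# Constructed demo signatures; a real DPI appliance carries thousands.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"../"]
MATCHER = MultiStringMatcher(SIGNATURES)

# Constructed packet payload, not captured traffic.
SAMPLE_PAYLOAD = (b"GET /index.html?q=../../etc/passwd HTTP/1.1\r\n"
                  b"Host: example.com\r\n\r\n")


def inspect_payload(payload: bytes) -> list:
    """Scan one packet's payload; the IP/TCP headers alone reveal nothing here."""
    return MATCHER.scan(payload)


if __name__ == "__main__":
    for offset, signature in inspect_payload(SAMPLE_PAYLOAD):
        print(f"offset {offset}: {signature!r}")
```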

These products are highly recommended to officials so digital communication traffic can be scanned and examined.

SSL encryption is built into web browser software and protects our web traffic.  Such traffic cannot normally be decrypted and read by any packet-sniffing tool.  SSL encryption is designed to protect users' data from regular eavesdropping.

Such SSL encryption is not safe from the products of Packet Forensics and other powerful tools.  They most likely will be able to overcome and decrypt most SSL algorithms.  These devices provide for regulatory compliance, such as required by CALEA, and comply with lawful intercept requirements and meet the essential needs of law enforcement.

Such devices can be part of a packet processing and network compliance platform.  These particular appliances can be linked together in closed networks called darknets to collect and share real-time network intelligence.  Packet Forensics products are subject to the export control laws administered by the United States and may not be exported outside the U.S. without prior federal government approval.

Deep Packet Inspection

Of the billions of messages that roam the Internet, there must exist some messages that are malicious, containing worms or viruses, malware or spyware, which organized criminals and terrorists utilize to commit cybercrimes.

Here, Deep Packet Inspection (DPI) comes to the rescue, since it allows monitoring and filtering of packets wherever they happen to pass.  DPI can also meet other objectives in security and legal compliance.  This technology enables instant, ubiquitous monitoring of everything that travels the Internet.

DPI is the next surveillance application that enters society unnoticed and available for use by authorities to combat crime, even before it happens.  Security and traffic cameras, miniature cameras, directional microphones, automated face and number-plate recognition, data mining, and profiling add to all of the technologies used by Big Brother to watch over its citizenry.

Ours is a database society with a great increase of data generation, processing, and storage needs.  DPI captures data for later examination and diverts it for messaging and analysis.  This capability adds to the tools in the government surveillance toolkit.

Once broadband providers and other companies embrace DPI, they can monitor and select passing traffic in a much more sophisticated way than by merely scanning header information.  This capacity can prove of great benefit to law enforcement agencies and intelligence services, which can use their existing investigative powers to enlist the assistance of broadband providers.

Particularly relevant is that DPI allows for real-time monitoring, and hence facilitates a preventative approach, as opposed to the retroactive approach that law enforcement traditionally used.

DPI adds to the trend that broader groups of unsuspected citizens are under surveillance: rather than investigating relatively few individuals on the basis of reasonable indications that they have committed a crime, more people, including groups, are nowadays being watched for slight indications of being involved in potential crimes.

This is profiling of the masses.  The movie Minority Report illustrated the use of data to predict the likelihood of a crime occurring in the near future to justify the preemptive arrest of non-guilty parties.  The explosion of data generation, inspection, and storage enables the government to collect and use significantly more data about citizens.  This increase is not only quantitative but also qualitative.

More checks and balances are required to safeguard citizen rights and privacy.

The increased government powers need to be balanced by additional checks and safeguards.  Citizens must know which data is being collected and processed - and why.  This does not mean that the government can go on a fishing trip and examine all traffic.  Only specific individuals or corporations can have their traffic examined.

The courts have deemed profiling illegal on numerous occasions.  Independent authorities should regularly review and check whether the government uses its powers correctly and legitimately.

Data protection is a key element.

The legal framework for data protection has become outdated.  The assumption of preventing data processing as much as possible is no longer valid in the current networked database society.  Large-scale data collection and correlation is inevitable nowadays, and the emergence of DPI serves to emphasize this.

Instead of focusing data protection on prevention in the data collection stage, it should rather be focused on better utilization of the data.  Data protection is valuable not so much to enhance privacy, but to ensure transparency of government and nondiscrimination.

While data protection can serve to regulate the use of data, it remains to be discussed whether DPI should be allowed for government use in the first place.

Here, other elements of privacy come to the fore: protection of the home, family relations, and personal communications.  These elements are likely to be infringed by DPI.  Since privacy is a core, though not specifically stated, constitutional value to safeguard citizens' liberty and autonomy in a democratic constitutional state, DPI should be critically assessed.

The common man is king of his castle and its borders should not be violated.  DPI could be accepted as a necessary addition to the investigative tools used by law enforcement already if used properly.  The power of DPI to run roughshod over the rights of the suspected requires a fundamental rethinking of what legal protection is afforded here.

Society needs substantial new checks and balances to counterbalance the increase in government power over its citizens.

The company Phorm uses DPI to peek into the web surfing habits of end users in order to serve targeted advertising.  It is suspected that the National Security Agency (NSA) has inserted sophisticated DPI equipment into the network backbone of the Internet so that it can sweep up huge volumes of domestic emails and Internet searches.

While privacy activists and computer geeks are up in arms, the vast majority of Internet users either don't seem to care or don't fully understand what is happening.

Without encryption, e-commerce wouldn't be possible.

The cryptographic technology of SSL is built into every web browser.  The security of Amazon, eBay, PayPal, and every online bank depends upon the consumer being able to make purchases and conduct transactions over the Internet confidently and securely.

Most web surfers do not realize how much of their information flows nakedly over the network, nor how easy it is for others to snoop on their web surfing.

The predecessor of the Internet, the ARPANET, was once a happy and safe place in the 1960s and 1970s, when the first packets were sent between government contractors and research institutions.  Those early hundreds of participants knew each other well and trusted each other.

That is no longer the case.  It is the wild west, unbridled, and without a sheriff to keep us safe.

There are evil forces out there, be they hackers, spies, underage script kiddies, or unscrupulous broadband providers.  The good guys must deploy cryptographic technologies to protect the general public.

But DPI can also be perceived as a bad thing and a possible threat to the privacy of individuals.  It is clear that DPI is a potentially dangerous tool.  The solution to the problem of Internet privacy is not just legislation making snooping illegal, but the industry-wide adoption of cryptography by default.  Nothing will protect our privacy or security from deep packet inspection more than encryption.

Broadband providers increasingly use deep packet inspection technologies that examine consumers' online activities and communications in order to tailor advertisements to their unique tastes.

Users of Google's free Gmail email service find that the advertisements on the right side reflect the contents of their email.  Friends find the same is true with Facebook.  It's no wonder that privacy concerns remain, despite the assurances that this data is not collected and sold.

Nothing prevents providers from simply altering their policies.  DPI operates invisibly.  Broadband providers can collect our online communications and sell them and their contents - including medical data and private correspondence - to employers, insurance companies, credit bureaus, and landlords.  They could become powerful data brokers of our online communications.

Another concern is the government's ability to subpoena the digital surveillance of a person's online life from broadband providers.  Consumers deserve to be heard before the disclosure of such information to the governmental agencies or commercial entities.

The courts have held that DPI can violate individuals' important property or liberty interests.  It's a taking of privacy, as if their house was being searched.  Consumers may choose to curtail their online communications rather than give up their personal data.  This would chill the development of our ideas and free speech.

Broadband providers hide notice of their deep packet inspection practices in the densely worded legalese of the privacy policy boilerplate.  If some providers switch to an opt-in approach or reject DPI entirely, consumers still cannot totally control the use of DPI technologies by those with whom they communicate.

Governments should ban the use of DPI for commercial benefit and create a "Do Not Track" list to protect consumers.  Broadband providers should be required to disclose their data collection practices.  DPI can be used for constructive purposes, such as to combat spam, without compromising consumer rights and privacy.

Data is always in one of two states: at rest or in motion.

Data is at rest on a hard drive of a single computer.  Data is safe when the host computer and its network connections are secure from intruders.  Data can be secured further by encrypting it.  Data that is in motion is traveling over a network.

This traveling data makes many hops and travels through numerous subnets, network appliances, routers, and IDS.  This gives numerous opportunities for interception or capture of the TCP/IP packets at possible weak security points.

The process of packet capture is turning data in motion into data at rest by grabbing data that is moving across a network link and storing it for parsing and examination.  It can be compared to the use of cameras by toll roads to verify the vehicle is assigned to the transponder in that car by capturing the license plate as the vehicle passes through the toll booth.

There is software - legitimate and illegal, open-source, shareware and freeware, for free and for sale - available for the performance of packet capture.  Such freeware or shareware includes Wireshark (Ethereal), Metasploit, and Nmap.

Conclusion

There exists a hidden level of communications where data can be sent and received under the noses of the common man.

These covert channels exist unknown to the layman and can be used to protect electronic communications.  This Internet exploit exists to be used for good or bad.

Until this channel is blocked, it will exist to be used by anyone willing to utilize this capability.
