SlideShare a Scribd company logo

SWF Data hiding

Download as PPT, PDF
A
alexzaharis

This document discusses data hiding techniques using the SWF (Shockwave Flash) format and spreading information through social networks. It presents two data hiding techniques in SWF files: 1) hiding files in unread key frames, and 2) hiding files in MP3 files imported into SWFs. These techniques allow large amounts of data to be hidden relative to the SWF file size. The document also discusses how information could be spread through popular social networks like Facebook and MySpace by uploading SWF files and sharing links. It proposes a detection methodology to analyze suspicious SWF files and detect hidden data. Future work discussed includes developing automated detection and data hiding tools.

TechnologyBusiness
1 of 27
Downloaded 60 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
~WDFIA 2009~ “Data Hiding in the SWF Format and Spreading through Social Network Services” Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr
Index  Contribution  The SWF Adobe® Flash® Format  Social Networks and Illegal Communities  Proposed Data Hiding Techniques  Proposed Detection Methodology  Future Work & Conclusions  Questions
Contribution  Present a fresh Data Hiding Technique by exploiting the popular SWF Flash format.  Spread hidden information through the two most popular Social Networks while unveiling lack of detection.  Present Detection Methodology possibly used in a Forensics Investigation.
The SWF Format (1/2)  The file format SWF (standing for "ShockWave Flash“, later "Small Web Format"), open repository for multimedia and vector graphics, Adobe.  Small enough for publication on the Web, functions as the dominant format for displaying "animated" vector graphics.  Scripting Language ( ActionScript ).  SWF files can be generated from within:  Adobe products: Flash, Flex Builder.  Other : open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.  SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called "projector".  Based on an independent study ( Millward Brown ), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.
The SWF Format (2/2) Files types included inside an SWF file can be: SWF 1. Image Files 2. Video Files 3. Sound Files 4. Fonts 5. Actionscript “An SWF is a container of Files” Supported formats to import inside SWF
SWF and security issues  Redirection by malicious SWF files. -2% of spam sites visited (August 08) -’GetURL’ attack.  Hiding malicious payload inside SWF files and attacking Flash Player.  Data hiding textual info inside actionscript.  Tools: SWF 1. SWFIntruder Multimedia 2. SWFDump Resources 3. Flare Security issues up to date Actionscript
Why Hiding in SWF ?  Easily Spread. SWF is used for: Multimedia  Web pages Our approach Resources  Banners (easy to exchange)  Games (innocent looking, easily spread in Social Networks) Actionscript  Presentations/Galleries  Applications SWF  No previous detection methodology.  Easy to hide and retrieve information.  Huge relative hiding ratio.  SWF files never altered when uploaded.  Game consoles, mobile phones friendly. 1kb 1kb - 10mb of hidden information :SWF file
Social Network Services  “A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.“ (Credit: Compete.com)
Social Network Services facts }  Facebook * No. 1 photo sharing application on the Web “Huge * More than 14 million photos uploaded daily Quantity of * More than 6 million active user groups on the site data and  Myspace users to * 1.5 Billion images Monitor” * 8 Million images being uploaded per day *10 Billion friend relationships  100 million unique users play thousands of flash games across their network each month.
Illegal Communities & Social Networks  Communities have been reported to perform illegal activities such as:  Spreading illegal ideas/ideologies. (ex. pro-mafia groups)  Exchanging documents.  Recruiting new members.  Funding illegal groups.  Why exchanging information through social networks? 1. Anonymity. 2. Large amount of legitimate traffic to use as a cover. 3. Lack of information international laws.
Who would hide information in a Social Network? While terrorism (ex. eBay) is the worst scenario today, both good and bad parties, could use social networks and data hiding to keep their communications secret, including: 1. Intelligence services. 2. Corporations with trade secrets to protect. 3. People concerned about government eavesdropping. 4. Organized crime. 5. Drug traffickers. 6. Money launderers. 7. Child pornographers. 8. Weapons traffickers. 9. Criminal gangs.
Proposed Data Hiding Techniques  Proof of concept SWF game developed. (“TalkmeInto v1.0”) using Adobe Flash CS3  Two Data Hiding Techniques presented & tested.  The total size of the hidden files is 127,2 Kb while the total size of the game is 548 Kb. Files can be found here: •http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar
Data hiding Technique 1  Type: “Hiding inside unread SWF key frames”.  File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.  Description: -Basic knowledge of Flash development needed. -Performed in any version of Adobe Flash. -Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application. -Size of hidden data unlimited. (theoretically) -Secret information hidden in plain site.
Data hiding Technique 1 Simple Action script used to stop movie on Frame1  Secret image (“papergirl.jpg”) is hidden inside: Scene 1 ->Movie Clip Instance ”back” -> “image” Layer -> Frame2
Data Retrieval  Step1: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources.  Step2: Browse the graphic resources, locate and save the previously invisible “papergirl.jpg”.  This steganalysis method can be described as “visual attack”, difficult to automate! Flash Decompiler Trillix demo version
Data hiding Technique 2  Type: “Mp3 steganography imported in SWF files”  File types hidden: All file types.  Description: Step1: Choose a file (all file types supported) in order to be hidden. Step2: Choose an mp3 file as your stego-carrier file. Step3: Use steganography tools to hide information inside the stego-carrier file. Step4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash. Step4B: Automatically import the stego-carrier mp3 file inside an SWF *mp32swfembedder program developed, utilizing Flagstone open source library. file using java code.*
Why Mp3 steganography?  Files when imported inside Flash are compressed or re-encoded.  Importing Steganography inside Flash fails for most of the supported formats.  Mp3 format is the only one not altered when imported.* * Few bytes added at the end of the mp3 Choosing carrier file types. file.
Data hiding Technique 2 Auto - import WEB S r d de T be m fe E 2 sw G p3 m Multi-Hiding process PC
Data Retrieval  Step1: Decompile the SWF file, using a commercial or free SWF decompiler to list all the resources.  Step2: Browse the audio resources, view and save the stego-carrier mp3 file.  Step3: “Tweak” the saved mp3 file in a proper way (optional step).  Step4: Apply inverse steganography (extraction) to obtain the secret file. Delete extra bytes to retrieve proper mp3 files!
Spreading Technique  In order to spread a stego-carrier SWF file <S>: *Step1: Upload <S> on an anonymous web-server or a SWF hosting service without unveiling his IP address. *Step2: Obtain the URL link directing to <S>. Step3: Create an anonymous email account <E> in order to use it to register on social network websites. Step4: Register with fake identity to the social networks which are going to be used to spread hidden information. Step5: Use special applications or html code in order to embed <S> to Illustration of both embedding techniques a profile page or group pages or other user pages. Step6: Invite/inform secretly other users. *optional steps
Examples - Facebook The native Facebook flash player approach:  Using the Flash Player application a user can upload SWF files on a Facebook hosting server.  SWF file is previewed inside the page created, along with other information added by the administrator/creator.  To make transaction more secure and less suspicious attract legitimate users not aware of the underlying hidden information.  Browser automatically downloads swf file on preview. The “TalkmeInto” public page can be accessed through the following URL: http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here
Examples - Facebook Legitimate users as a cover
Examples - MySpace  In order to post links to SWF files anywhere inside a MySpace profile simple html embedding code is used.  The SWF file must first be uploaded on a third party server.  Links to SWF files can be posted as comments to users profile during a conversation making hidden information easy to spread.  A fake Myspace profile containing the “TalkmeInto” SWF game can be accessed through the following URL: http://www.myspace.com/458277409 <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" height="200" width="200"> <param name="allowScriptAccess" value="never" /> <param name="allowNetworking" value="internal" /> <param name="movie" value="http://photos-b.ak.fbcdn.net/photos-ak- snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" /> <param name="wmode" value="transparent" /> <param name="quality" value="high" /> <embed type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal" src="http://photos-b.ak.fbcdn.net/photos-ak- snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" height="200" width="200" wmode="transparent" quality="high" /> </object>
Examples - MySpace Comment post helps spreading in different profiles
Proposed Detection Methodology  Step1: Locate/download suspicious SWF file.  Step2: Decompile the SWF file, using a commercial or free SWF decompiler in order Images to list all the resources embedded. Sounds  Step3: Manually inspect every file resource for suspicious files or evidence. (“visual Video attack”)  Step4: Check actionscript used by the SWF, Action script to locate suspicious text messages or textual evidence (ex. URL, passwords). SWF file  Step5: Collect mp3 files embedded.  Step6: Analyze all mp3 files to identify *SWF must be treated as a container of files. steganography using steganalysis tools.  Step7: Extract hidden data / evidence.
Conclusions & Future Work  As from now, SWF format becomes a popular data hiding medium that must be thoroughly examined during any Forensics Investigation.  Steganography can be uploaded on Social Networks and spread easily. Future work:  A detection tool must be developed in order to automatically detect steganography contained inside SWF files.  A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.  A specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.
Questions?  Thank you. Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr

More Related Content

PDF
Introduction to Internet Browsers
Prof Ansari
 
PPTX
WWW and web browser
Yansi Keim
 
PPT
Danger on Your Desktop
Andy Smith
 
PPTX
browsers MEZH
Paula Mogollón García
 
PPTX
Web browser
titigarcia
 
PDF
Hacking 09 2010
Felipe Prado
 
PDF
Research on Web Browsers
Sagar Agarwal
 
PPT
Internet Security
Nicholas Davis
 
Introduction to Internet Browsers
Prof Ansari
 
WWW and web browser
Yansi Keim
 
Danger on Your Desktop
Andy Smith
 
browsers MEZH
Paula Mogollón García
 
Web browser
titigarcia
 
Hacking 09 2010
Felipe Prado
 
Research on Web Browsers
Sagar Agarwal
 
Internet Security
Nicholas Davis
 

What's hot (12)

PDF
Modern cyber threats_and_how_to_combat_them_panel
Ramsés Gallego
 
PPTX
Operating Systems: Computer Security
Damian T. Gordon
 
PPTX
Basic Internet Concepts
Kiran Budhrani
 
PDF
The process of computer security
WritingHubUK
 
PDF
TH3 Professional Developper google hacking
th3prodevelopper
 
PPT
Ratzan2
MAFANTIRI SELLO
 
PPT
Ratzan2
haneefvf1
 
PPTX
Methods Hackers Use
brittanyjespersen
 
PPTX
Internet tools for students
Benjamin Garcia
 
PPTX
Empowerment Technology Lesson 2
alicelagajino
 
PPTX
Browsers
RamonMendoza20
 
PPT
Web browser
Abhijeet Shah
 
Modern cyber threats_and_how_to_combat_them_panel
Ramsés Gallego
 
Operating Systems: Computer Security
Damian T. Gordon
 
Basic Internet Concepts
Kiran Budhrani
 
The process of computer security
WritingHubUK
 
TH3 Professional Developper google hacking
th3prodevelopper
 
Ratzan2
MAFANTIRI SELLO
 
Ratzan2
haneefvf1
 
Methods Hackers Use
brittanyjespersen
 
Internet tools for students
Benjamin Garcia
 
Empowerment Technology Lesson 2
alicelagajino
 
Browsers
RamonMendoza20
 
Web browser
Abhijeet Shah
 
Ad

Similar to SWF Data hiding (20)

PPTX
Flash it baby!
Soroush Dalili
 
PPTX
Lecture 1 introduction to flash
poleyseugenio
 
PPTX
Adobe Flash - Past, Present and Future
Iain Lobb
 
PPT
Multimedia Presentation
Rajesh R. Nair
 
PPT
Hacking The World With Flash
joepangus
 
PDF
Synopsis
guest41d2f5
 
PPT
Flash is your Friend
Wayne State University
 
PDF
Social Networking Security Workshop
Prathan Phongthiproek
 
KEY
Introduction to Games and Simulations
University of West Florida
 
PDF
Progressive Enhancement with Flash
spjwebster
 
PDF
Flash Web Development
Sanjida Afrin
 
PDF
What Technical Communicators Need to Know about Flash
Scott Abel
 
PDF
Bh32379384
IJERA Editor
 
PPT
Internet 2
Ayebazibwe Kenneth
 
PPS
CS101- Introduction to Computing- Lecture 33
Bilal Ahmed
 
PPT
Flash Security, OWASP Chennai
lavakumark
 
PDF
Flashack
n|u - The Open Security Community
 
PDF
Adobe Flash- Understanding flash
Fatima AlSaadi
 
PPTX
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 
DOCX
Task 1
teewally
 
Flash it baby!
Soroush Dalili
 
Lecture 1 introduction to flash
poleyseugenio
 
Adobe Flash - Past, Present and Future
Iain Lobb
 
Multimedia Presentation
Rajesh R. Nair
 
Hacking The World With Flash
joepangus
 
Synopsis
guest41d2f5
 
Flash is your Friend
Wayne State University
 
Social Networking Security Workshop
Prathan Phongthiproek
 
Introduction to Games and Simulations
University of West Florida
 
Progressive Enhancement with Flash
spjwebster
 
Flash Web Development
Sanjida Afrin
 
What Technical Communicators Need to Know about Flash
Scott Abel
 
Bh32379384
IJERA Editor
 
Internet 2
Ayebazibwe Kenneth
 
CS101- Introduction to Computing- Lecture 33
Bilal Ahmed
 
Flash Security, OWASP Chennai
lavakumark
 
Flashack
n|u - The Open Security Community
 
Adobe Flash- Understanding flash
Fatima AlSaadi
 
Cross Domain Hijacking - File Upload Vulnerability
Ronan Dunne, CEH, SSCP
 
Task 1
teewally
 
Ad

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Approach and Philosophy of On baking technology
30anthuong17
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
KodekX | Application Modernization Development
KodekX
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Teaching material agriculture food technology
LiaRayya
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Encapsulation theory and applications.pdf
gurumoop
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 

SWF Data hiding

  • 1. ~WDFIA 2009~ “Data Hiding in the SWF Format and Spreading through Social Network Services” Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr
  • 2. Index  Contribution  The SWF Adobe® Flash® Format  Social Networks and Illegal Communities  Proposed Data Hiding Techniques  Proposed Detection Methodology  Future Work & Conclusions  Questions
  • 3. Contribution  Present a fresh Data Hiding Technique by exploiting the popular SWF Flash format.  Spread hidden information through the two most popular Social Networks while unveiling lack of detection.  Present Detection Methodology possibly used in a Forensics Investigation.
  • 4. The SWF Format (1/2)  The file format SWF (standing for "ShockWave Flash“, later "Small Web Format"), open repository for multimedia and vector graphics, Adobe.  Small enough for publication on the Web, functions as the dominant format for displaying "animated" vector graphics.  Scripting Language ( ActionScript ).  SWF files can be generated from within:  Adobe products: Flash, Flex Builder.  Other : open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.  SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called "projector".  Based on an independent study ( Millward Brown ), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.
  • 5. The SWF Format (2/2) Files types included inside an SWF file can be: SWF 1. Image Files 2. Video Files 3. Sound Files 4. Fonts 5. Actionscript “An SWF is a container of Files” Supported formats to import inside SWF
  • 6. SWF and security issues  Redirection by malicious SWF files. -2% of spam sites visited (August 08) -’GetURL’ attack.  Hiding malicious payload inside SWF files and attacking Flash Player.  Data hiding textual info inside actionscript.  Tools: SWF 1. SWFIntruder Multimedia 2. SWFDump Resources 3. Flare Security issues up to date Actionscript
  • 7. Why Hiding in SWF ?  Easily Spread. SWF is used for: Multimedia  Web pages Our approach Resources  Banners (easy to exchange)  Games (innocent looking, easily spread in Social Networks) Actionscript  Presentations/Galleries  Applications SWF  No previous detection methodology.  Easy to hide and retrieve information.  Huge relative hiding ratio.  SWF files never altered when uploaded.  Game consoles, mobile phones friendly. 1kb 1kb - 10mb of hidden information :SWF file
  • 8. Social Network Services  “A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.“ (Credit: Compete.com)
  • 9. Social Network Services facts }  Facebook * No. 1 photo sharing application on the Web “Huge * More than 14 million photos uploaded daily Quantity of * More than 6 million active user groups on the site data and  Myspace users to * 1.5 Billion images Monitor” * 8 Million images being uploaded per day *10 Billion friend relationships  100 million unique users play thousands of flash games across their network each month.
  • 10. Illegal Communities & Social Networks  Communities have been reported to perform illegal activities such as:  Spreading illegal ideas/ideologies. (ex. pro-mafia groups)  Exchanging documents.  Recruiting new members.  Funding illegal groups.  Why exchanging information through social networks? 1. Anonymity. 2. Large amount of legitimate traffic to use as a cover. 3. Lack of information international laws.
  • 11. Who would hide information in a Social Network? While terrorism (ex. eBay) is the worst scenario today, both good and bad parties, could use social networks and data hiding to keep their communications secret, including: 1. Intelligence services. 2. Corporations with trade secrets to protect. 3. People concerned about government eavesdropping. 4. Organized crime. 5. Drug traffickers. 6. Money launderers. 7. Child pornographers. 8. Weapons traffickers. 9. Criminal gangs.
  • 12. Proposed Data Hiding Techniques  Proof of concept SWF game developed. (“TalkmeInto v1.0”) using Adobe Flash CS3  Two Data Hiding Techniques presented & tested.  The total size of the hidden files is 127,2 Kb while the total size of the game is 548 Kb. Files can be found here: •http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar
  • 13. Data hiding Technique 1  Type: “Hiding inside unread SWF key frames”.  File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.  Description: -Basic knowledge of Flash development needed. -Performed in any version of Adobe Flash. -Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application. -Size of hidden data unlimited. (theoretically) -Secret information hidden in plain site.
  • 14. Data hiding Technique 1 Simple Action script used to stop movie on Frame1  Secret image (“papergirl.jpg”) is hidden inside: Scene 1 ->Movie Clip Instance ”back” -> “image” Layer -> Frame2
  • 15. Data Retrieval  Step1: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources.  Step2: Browse the graphic resources, locate and save the previously invisible “papergirl.jpg”.  This steganalysis method can be described as “visual attack”, difficult to automate! Flash Decompiler Trillix demo version
  • 16. Data hiding Technique 2  Type: “Mp3 steganography imported in SWF files”  File types hidden: All file types.  Description: Step1: Choose a file (all file types supported) in order to be hidden. Step2: Choose an mp3 file as your stego-carrier file. Step3: Use steganography tools to hide information inside the stego-carrier file. Step4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash. Step4B: Automatically import the stego-carrier mp3 file inside an SWF *mp32swfembedder program developed, utilizing Flagstone open source library. file using java code.*
  • 17. Why Mp3 steganography?  Files when imported inside Flash are compressed or re-encoded.  Importing Steganography inside Flash fails for most of the supported formats.  Mp3 format is the only one not altered when imported.* * Few bytes added at the end of the mp3 Choosing carrier file types. file.
  • 18. Data hiding Technique 2 Auto - import WEB S r d de T be m fe E 2 sw G p3 m Multi-Hiding process PC
  • 19. Data Retrieval  Step1: Decompile the SWF file, using a commercial or free SWF decompiler to list all the resources.  Step2: Browse the audio resources, view and save the stego-carrier mp3 file.  Step3: “Tweak” the saved mp3 file in a proper way (optional step).  Step4: Apply inverse steganography (extraction) to obtain the secret file. Delete extra bytes to retrieve proper mp3 files!
  • 20. Spreading Technique  In order to spread a stego-carrier SWF file <S>: *Step1: Upload <S> on an anonymous web-server or a SWF hosting service without unveiling his IP address. *Step2: Obtain the URL link directing to <S>. Step3: Create an anonymous email account <E> in order to use it to register on social network websites. Step4: Register with fake identity to the social networks which are going to be used to spread hidden information. Step5: Use special applications or html code in order to embed <S> to Illustration of both embedding techniques a profile page or group pages or other user pages. Step6: Invite/inform secretly other users. *optional steps
  • 21. Examples - Facebook The native Facebook flash player approach:  Using the Flash Player application a user can upload SWF files on a Facebook hosting server.  SWF file is previewed inside the page created, along with other information added by the administrator/creator.  To make transaction more secure and less suspicious attract legitimate users not aware of the underlying hidden information.  Browser automatically downloads swf file on preview. The “TalkmeInto” public page can be accessed through the following URL: http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here
  • 22. Examples - Facebook Legitimate users as a cover
  • 23. Examples - MySpace  In order to post links to SWF files anywhere inside a MySpace profile simple html embedding code is used.  The SWF file must first be uploaded on a third party server.  Links to SWF files can be posted as comments to users profile during a conversation making hidden information easy to spread.  A fake Myspace profile containing the “TalkmeInto” SWF game can be accessed through the following URL: http://www.myspace.com/458277409 <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" height="200" width="200"> <param name="allowScriptAccess" value="never" /> <param name="allowNetworking" value="internal" /> <param name="movie" value="http://photos-b.ak.fbcdn.net/photos-ak- snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" /> <param name="wmode" value="transparent" /> <param name="quality" value="high" /> <embed type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal" src="http://photos-b.ak.fbcdn.net/photos-ak- snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" height="200" width="200" wmode="transparent" quality="high" /> </object>
  • 24. Examples - MySpace Comment post helps spreading in different profiles
  • 25. Proposed Detection Methodology  Step1: Locate/download suspicious SWF file.  Step2: Decompile the SWF file, using a commercial or free SWF decompiler in order Images to list all the resources embedded. Sounds  Step3: Manually inspect every file resource for suspicious files or evidence. (“visual Video attack”)  Step4: Check actionscript used by the SWF, Action script to locate suspicious text messages or textual evidence (ex. URL, passwords). SWF file  Step5: Collect mp3 files embedded.  Step6: Analyze all mp3 files to identify *SWF must be treated as a container of files. steganography using steganalysis tools.  Step7: Extract hidden data / evidence.
  • 26. Conclusions & Future Work  As from now, SWF format becomes a popular data hiding medium that must be thoroughly examined during any Forensics Investigation.  Steganography can be uploaded on Social Networks and spread easily. Future work:  A detection tool must be developed in order to automatically detect steganography contained inside SWF files.  A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.  A specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.
  • 27. Questions?  Thank you. Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr