The DICOM (Digital Imaging and COmmunication in Medicine) standard provides a framework for a diagnostically-accurate representation, processing, transfer, storage and display of medical imaging data. Information hiding in DICOM is currently limited to the application of digital media steganography and watermarking techniques on the media parts of DICOM files, as well as text steganographic techniques for embedding information in metadata of DICOM files. To improve the overall security of the DICOM standard, we investigate its susceptibility to network steganographic techniques. To this aim, we develop several network covert channels that can be created by using a specific transport mechanism – the DICOM Message Service and Upper Layer Service. The bandwidth, undetectability and robustness of the proposed covert channels are evaluated, and potential countermeasures are suggested. Moreover, a detection mechanism leveraging entropy-based metrics is introduced and its performance has been assessed.
Message Queuing Telemetry Transport (MQTT) is a publish-subscribe protocol which is currently popular in Internet of Things (IoT) applications. Recently its 5.0 version has been introduced and ensuring that it is capable of providing services in a secure manner is of great importance. It must be noted that holistic security analysis should also evaluate protocol’s susceptibility to network covert channels. That is why in this paper we present a systematic overview of potential data hiding techniques that can be applied to MQTT 5.0. We are especially focusing on network covert channels that, in order to exchange secrets, exploit characteristic features of this MQTT version. Finally, we develop proof-of-concept implementations of the chosen data hiding techniques and conduct their performance evaluation in order to assess their feasibility in practical setups.
In recent years, malware is increasingly applying means of hidden communication. The emergence of network-capable stegomalware applies such methods to communication networks. In this paper, we introduce and evaluate two covert channels that utilize reconnections to transmit hidden information in WiFi networks. We implement these covert channels in the 802.11 protocol by abusing the authentication mechanism of these networks. Furthermore, we propose detection methods and countermeasures for both covert channels. Our implementation and quick-start guide are available as open source code on GitHub to aid replicability.
Cyber-physical Systems (CPS) have raised serious security concerns and thus have been subjected to intensive security research lately. Recent publications have shown that there is a potential to transfer hidden information through CPS environments. In comparison to these existing studies, we demonstrate that CPS cannot only be used to covertly transfer secret data but also to store secret data. Using an analogy to the biological concept of animal scatter hoarding behavior we exemplify CPS secret data storage using automated buildings.
Full-text: http://www.wendzel.de/dr.org/files/Papers/thesis_with_cover.pdf Network information hiding is the research discipline that deals with the concealment of network transmissions or their characteristics. It serves as an umbrella for multiple research domains, namely network covert channel research, network steganography research, and traffic obfuscation research. The focus of this thesis lies primarily on network steganography and network covert channel research. This thesis was motivated by the fact that network information hiding requires a better scientific foundation. When the author started to work on this thesis, scientific re-inventions of hiding techniques were common (similar or equal techniques were published under different names by different scientific sub-communities). This is, at least partially, rooted in the non-unified terminology of the domain, and in the sheer fact that the ever-increasing number of publications in the domain is hardly knowable. Moreover, experimental results and descriptions for hiding techniques are hardly comparable as there is no unified standard for describing them. This is a contrast to other scientific domains, such as Chemistry, where (de facto) standards for experimental descriptions are common. Another problem is that experimental results are not replicated, while other scientific domains have shown that replication studies are a necessity to ensure the quality of scientific results. Finally, there is an imbalance between known hiding techniques and their countermeasures: not enough countermeasures are known to combat all known hiding techniques. To address these issues, this thesis motivates and proposes methodological adjustments in network information hiding and lays the foundation for an improved fundamental terminology and taxonomy. Moreover, hiding techniques are surveyed and summarized in the form of abstract descriptions, called hiding patterns, which form an extensible taxonomy.
These hiding patterns are then used as a tool to evaluate the novelty of research contributions in a scientific peer-review process. Afterwards, this thesis addresses the problem of inconsistent descriptions of hiding techniques by proposing a unified description method for the same, including hiding patterns as a core component of every description. This thesis also introduces the WoDiCoF testbed as a framework to perform replication studies. Afterwards, the concept of countermeasure variation is introduced to address the problem of not having countermeasures available for certain hiding patterns. Finally, the proposed pattern-based taxonomy is enhanced to demonstrate the extensibility of the taxonomy and to integrate payload-based hiding techniques which were not foreseen in the earlier version of the taxonomy.
“Smart” has gradually been infiltrating all areas of people's daily life and the environments in which we live. The term “Smart Industrial Environment” can be used to refer to every aspect of future-oriented industrial environments: smart vehicles, smart transportation systems, smart devices (wearables and smartphones), smart services (such as just-in-time production pipelines adjusted to the requirements of the supply chain), smart grids, smart factories and smart plant management utilizing information technology. It covers the inter-connection of all these smart technologies across every type of political and technological border, and is a term that encompasses all of these aspects.
Recently, new methods were discovered to secretly store information in network protocol caches by exploiting functionalities of ARP and SNMP. Such a covert storage cache is referred to as a "Dead Drop". In our present research, we demonstrate that hidden information can also be stored on systems with an active NTP service. We present one method based upon ephemeral associations and one method based upon the most recently used (MRU) list, and measure their storage duration and capacity. Our approach improves over the previous approach with ARP as it allows hidden information to be transported across the internet and thus outside of local area networks. The preliminary results for both Dead Drops indicate that more than 100 entries with secret data can persist for several hours. Finally, we discuss the detectability and countermeasures of the proposed methods as well as their limitations.
Today, digital forensics experts must operate in a multidisciplinary environment that requires mastery of many disciplines, including law, computer science, finance, networking, data mining, and criminal justice. Meanwhile, cybercriminal activities often compel law-enforcement agencies to investigate across international borders, which means dealing with different jurisdictions and legal systems. Also, computing and networking infrastructures are increasingly intricate, further complicating investigations and activities related to digital forensics. For instance, clues pointing to illegal digital activities are often buried in large volumes of data, making criminal activity that much more difficult to detect and document with suitable evidence.
The digitalization of companies is affected by, among other things, two particularly topical subject areas: the Internet of Things (IoT) and smart contracts. In this chapter we deal with security aspects of these two subject areas. It is a chapter of a summarizing nature that places the experience gained from our own publications and research projects in the context of companies, in order to give the reader an overview of these topics. In particular, we show possible responses to selected risks associated with these two technologies.
The practice of hiding ill-gotten data in digital objects is rising among cyber thieves. New initiatives serve to educate, train, and thwart these activities. Full-text: http://cacm.acm.org/magazines/2018/1/223894/fulltext
After the new federal IT Security Act came into force, there is now a legal obligation, above all for operators of so-called "critical infrastructures", to implement appropriate IT security measures within two years. Critical infrastructures also include numerous automated buildings, which frequently exhibit IT security vulnerabilities. In this contribution we present our concept of secure aging. It is based on applying machine learning methods for anomaly detection in BACnet network traffic. From the results, decision rules for filtering the data packets are derived. This produces a self-learning system that is able to respond appropriately even to previously unknown attacks. Our focus is on evaluating the effectiveness of various machine learning methods. In particular, we show which methods are best suited for detecting already known anomalies and for discovering new attacks.
A building automation system (BAS) is the IT equipment within a building that monitors and controls the building (e.g., measuring the temperature in a room to configure the heating level within the same room). We discuss the potential and the use of botnets in the context of BAS. Our botnet concept and scenario are novel in the sense that they take advantage of the physical capabilities of a building and have to adapt to a specialized environment that is highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause critical damage to whole regions and economies. Hiding the command and control communication is a highly beneficial step to adapt botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques.