Since the days of the Greeks and the Romans, there has been a hidden writing technique for passing sensitive information called steganography, or steg for short. As kids, many of us played with disappearing ink made from common kitchen items such as lemon juice. In various wars, there have been microdots, or codes hidden in letters by arranging the letters into a chain of words. Today’s steganographers use software to hide instructions and information in digital pictures, sound files, and Web pages. I will explore how this can be done and why you need to be aware of the techniques involved.

A typical steg scenario
Sean comes into the office wearing his typical headset tied back to his MP3 player. But this is not a typical day for Sean. Once everyone in his office leaves for lunch, he gets to work. Over the last few weeks, Sean has collected a variety of the newest designs and production notes for new ad projects at his company. He has been offered a substantial amount of money if he can pass these files off to a competitor.

He plugs his MP3 player into his computer and brings it online to receive files. Sean also takes out his USB memory key ring and inserts it into the USB port of the PC. He then starts up a program from the key ring called Steganography, which is from SecureKit and works with images or sound files. His goal is to embed the production files into a series of MP3 songs. He knows that MP3s do not use the entire audio range, so there is some space on the high side of the frequency to stash data of his own. Once the files have been embedded, Sean copies them up to the MP3 player into a custom play list. He then removes the USB memory and sticks it back onto his key ring. The headset goes back on and when his coworkers return, they find Sean listening away to his tunes. That night when everyone leaves the office, they go by the security desk and Sean, wearing his headset with music playing, is waved on through. The company’s most recent plans and designs for a new advertising job have just walked out the door.

How it works
In Figure A, we see the Steganography program in operation, hiding a terminal server configuration text file in the music MP3 file “You’re No Good.”

Figure A
It could just as easily be an Excel spreadsheet or a Word document.

Other steg tools

Other MP3 tools Sean could have used are MP3Stego and, for image files, Invisible Secrets.

In the scenario above, the use of the MP3 player avoids the trap of network log files showing an FTP session to somewhere on the Internet. The use of the key chain USB memory stick avoids having the Steganography executable program show up in a daily application scan of the company desktops.

Sean’s steg tool took advantage of the fact that MP3s do not use the entire audio range that humans can hear. This is one of the reasons that MP3s can be so much smaller then a WAV file. MP3s remove quite a bit of data when compressing sound, so the steg tool works in reverse by putting data back into the MP3 file in areas the human ear cannot hear.

Detecting steganography
Public steganography detection tools are few and far between. Nonetheless, the tools that are out there can help the consultant analyze content for hidden information. For JPEGs, there is a program for both Linux and Windows called Stegdetect, which works from the command line. You can use Stegdetect to look for certain steg programs such as jsteg, outguess, and others.

A different method of detecting embedded files is to run a histogram on the file and examine the pattern. For example, when you run a histogram on a picture, there should be random spikes here and there. If the histogram is very flat or has one large spike, then it’s likely something has been hidden inside it.

A second idea is to run a hash against the source file. DigestIT 2004 is a Windows application that generates an MD5 hash from within Explorer. When an unaltered file and the file with the hidden information no longer match, then the hash numbers will be different. However, you have to be careful with this technique since saving the picture can result in a new hash. Thus, anytime the picture is loaded and resaved, there is a high chance you will also lose the encrypted file.

For example, insert a data file into an image file and then resave it in a picture editor. When an editor resaves the image file, the application will be applying a different level of compression to the picture than when it was first created. Unfortunately, it takes only one resave to change the compression and blow away the hidden secret in the image.

Helping out the client
Many users are becoming more aware of personal security and are embedding personal records by using steganography. As a result, companies need to write better policies about the use of unauthorized encryption in the workplace. Consultants need to be aware of the levels of impact steganography has on their clients in order to help them develop these policies.