In a statement released by the United States, Steganography may be a tool terrorists
are using to foil attempts to monitor them (1). A quote from February 2001,
Wired News (2):
USA Today reported on Tuesday that bin Laden and others "are
hiding maps and photographs of terrorist targets and posting instructions for
terrorist activities on sports chat rooms, pornographic bulletin boards and
other websites, U.S. and foreign officials say."
Another article, on the news website Guardian Unlimited, written in October 2001
about the September 11, 2001 attacks on America, is titled
"Hidden web codes could be linked to Bin Laden" (3). In it, the authors explain
that the authorities have discovered, hidden in ordinary internet files and music
files, "hundreds of such files, many containing Arabic
dates and names, which could be linked to the attacks." In
addition, they claim that "Many of the coded
messages are hidden in pornographic images or MP3 music files and would remain
Bin Laden isn't the first to use this technique. Steganography has a deep history
that goes as far back as Herodotus in ancient Greece; however, this is not
a history paper. This paper focuses on the forms of the actual technique and
a practical usage example. Before we can understand how to use it, we should take
a look at what it means. A literal translation of the word Steganography is
Stegano - Steganos is Greek for hidden or covered
graphy - meaning writing or drawing
Steganography is the technique used to hide a secret message inside other messages
or images. Steganography, also referred to as Stego (and not to be confused with
stenography, which is shorthand writing), can be used to hide information in the following:
- Microsoft Word Documents
- Text Documents
As well as many other formats.
Cryptography vs. Stego
Cryptography provides confidentiality but does not conceal the existence of the message.
In other words, an observer can see the encrypted message but cannot understand it.
Cryptography is also referred to as crypto. With Stego, however, since the message
is hidden, an observer cannot tell that a secret message exists at all. The two are
complementary: a message is usually encrypted first and then hidden, so that even if
the hiding is detected the content is still protected.
How Does it Work
First, you need a host file (the cover) that will carry your secret message.
You will also need a secret message, of course. The host file can be generated
on the spot or can be an existing file, perhaps a graphic on a web site. The
secret message can either be used to generate a new file or be hidden
in some part of an existing file.
Stego works by embedding a secret message within an open, or overt, message.
Everyone can and will see the overt message and never know that it is a cover
for the real message hidden inside.
Types of Stego
There are three classifications of stego today. The first hides a message within
a file by injecting or appending it to data the file already holds. This
can and will increase the size of the file, thus making it noticeable to a trained
eye. The second replaces certain bits of data already in the file. This method
does not increase the size and is much harder to detect; it is
often referred to as substitution. The third and newest method creates a new
text file or image from the secret information you want to hide, so no host
file is needed. Let's examine each of these options.
Using the injection method, your secret message is placed in the host file
in such a way that when the file is actually read by a given program, the program
ignores the data. Almost all programs today, such as web browsers or Microsoft Office
applications, have ways of placing data in a file that is ignored or not
displayed when the program presents it to a user. A good example is
a method I have seen on many script kiddie (amateur) sites. I have illustrated
it in Figure 1.
Figure 1: Stego
In Figure 1, I have created a simple web page. When I view it, it displays
"This is a sample of Stego!" However, if I do a View Source on it,
I see much more, as Figure 2 shows.
Figure 2: Stego2
If we look closely, we can see that a hidden message is in the source
code and is not displayed when the browser renders the page normally: the
hidden message "This is the hidden message". Markup that the browser parses but
does not render, such as a comment, is what makes this work; the file grows by
the size of the hidden text, which is the weakness of injection.
With substitution, data already in the host file is replaced with bits of the
hidden text. Depending on the type of file and the amount of data, this can
degrade the file. To keep the change imperceptible to a human observer, the
technique replaces only the parts of the host data that contribute least to
what the observer sees or hears. Unlike generation (covered below), substitution
still needs a host file, but because nothing is added, the file size does not change.
A sample that SANS (4) uses, and that I will also highlight, is the best I have seen.
It replaces the least significant bits of the pixels in an image. For example,
in a 24-bit image each pixel has three 8-bit samples (red, green and blue), and
each sample is an 8-bit value:
· The most significant bits (MSB) are on the left and the least significant
bits (LSB) are on the right.
· Changing the MSB has a big impact on the color; changing the LSB has
minimal effect.
Taking this a step further, if we change only 1 or 2 LSBs per sample, the
effect is minimal because the human eye cannot reliably distinguish color steps
that small (roughly, only the top 6 bits of each channel matter to it). In other
words, the eye could not tell the difference if the last 2 bits were changed.
For example, if we take 10001100 and change it to 10001111 or 10001110, they
will all look like the same color to the human eye. So we embed data only in
those bits. Note that this reasoning holds for color samples: in an 8-bit
paletted image the byte is an index into a palette, and changing its low bits
selects a different palette entry that may be a completely different color.
That is why a tool like S-Tools offers to convert the image to 24 bit or to
apply a color reduction scheme before embedding, as we will see below.
If our message converted to binary is 1101 0010, we write two bits into each
sample, so the first 4 samples are modified as follows:
- 1100 0101 becomes 1100 0111 (message bits 11)
- 1111 0010 becomes 1111 0001 (message bits 01)
- 1010 1111 becomes 1010 1100 (message bits 00)
- 0010 0010 becomes 0010 0010 (message bits 10, already present)
No sample moves by more than 3 out of 255, so to the human eye there is no change.
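The substitution step above, carried through in code as an added example (this is not code from the article or from S-Tools, and it makes no attempt to read or write a real image file): it works on a bytes object of 8-bit color samples, such as the R, G, B bytes of a 24-bit image in order, writes two message bits per sample exactly as the four-sample walk-through does, and adds a 32-bit length header so the message can be read back. The constructed cover from sample_cover() is random bytes standing in for an image, not a real picture.

```python
"""LSB substitution: write message bits into the low bits of 8-bit samples and read them back.
Added example, not from the article or S-Tools. Image I/O is assumed to be handled elsewhere;
the functions operate on a bytes object of 8-bit color samples."""
from typing import List
import random

BITS_PER_SAMPLE = 2                       # the article overwrites the two least significant bits
MASK = (1 << BITS_PER_SAMPLE) - 1         # 0b11
HEADER_BITS = 32                          # payload length prefix so the extractor knows where to stop


def write_bits(cover: bytes, bits: List[int]) -> bytes:
    """Core substitution step: replace the low BITS_PER_SAMPLE bits of cover[0], cover[1], ...
    with successive groups of message bits. Nothing is added, so the output has the cover's length."""
    if len(bits) % BITS_PER_SAMPLE:
        raise ValueError("bit count must be a multiple of BITS_PER_SAMPLE")
    if len(bits) // BITS_PER_SAMPLE > len(cover):
        raise ValueError(f"cover holds {len(cover) * BITS_PER_SAMPLE} bits, message needs {len(bits)}")
    out = bytearray(cover)
    for sample, start in enumerate(range(0, len(bits), BITS_PER_SAMPLE)):
        value = 0
        for bit in bits[start:start + BITS_PER_SAMPLE]:
            value = (value << 1) | bit
        out[sample] = (out[sample] & ~MASK & 0xFF) | value   # clear the low bits, then drop the message bits in
    return bytes(out)


def read_bits(stego: bytes, count: int) -> List[int]:
    """Collect the low BITS_PER_SAMPLE bits of successive samples until `count` bits are read."""
    bits: List[int] = []
    for sample in stego:
        for shift in range(BITS_PER_SAMPLE - 1, -1, -1):
            bits.append((sample >> shift) & 1)
            if len(bits) == count:
                return bits
    raise ValueError("stego data too short for the requested bit count")


def _to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _to_bytes(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide `payload` in `cover`: a 32-bit big-endian length header followed by the payload bytes."""
    framed = len(payload).to_bytes(HEADER_BITS // 8, "big") + payload
    return write_bits(cover, _to_bits(framed))


def extract(stego: bytes) -> bytes:
    """Recover a payload hidden by embed(); raises ValueError if the header is implausible."""
    length = int.from_bytes(_to_bytes(read_bits(stego, HEADER_BITS)), "big")
    total = HEADER_BITS + 8 * length
    if total > len(stego) * BITS_PER_SAMPLE:
        raise ValueError("length header exceeds cover capacity; probably no message here")
    return _to_bytes(read_bits(stego, total)[HEADER_BITS:])


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change; with 2-bit substitution it can never exceed 3 (out of 255)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def article_example() -> List[str]:
    """The article's worked case: message bits 1101 0010 written into four samples."""
    cover = bytes([0b11000101, 0b11110010, 0b10101111, 0b00100010])
    return [format(b, "08b") for b in write_bits(cover, [1, 1, 0, 1, 0, 0, 1, 0])]


def sample_cover(n_samples: int = 3000, seed: int = 7) -> bytes:
    """Constructed stand-in for an image's color samples (random bytes, not a real picture)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


if __name__ == "__main__":
    print(article_example())                      # ['11000111', '11110001', '10101100', '00100010']
    cover = sample_cover()
    stego = embed(cover, b"This is the hidden message")
    print(extract(stego), len(stego) == len(cover), max_sample_delta(cover, stego))
```

The length header is the usual way an extractor knows where the message ends; it also gives a cheap sanity check, since a cover with no message in it will almost always yield a header that claims more bytes than the cover can hold. Without the file ever growing, the only trace left is in the low bits themselves.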
Generate a New File
The third method, which eliminates the need for a host file, uses the secret
message to generate a new file. There are a few tools out there that do this
by generating random designs or art and hiding your secret message in them.
Unless two messages are exactly the same, every output file will be different.
There are many freeware tools to help you achieve this. My favorite, or the
one I was taught to use, is a program called S-Tools. It's available on many
FTP sites. S-Tools takes Stego a step further: it will take your secret
message, encrypt it, and then embed it into a file for you. You can choose the
encryption algorithm and the secret key. Let's take a look at the tool in action.
Figure 3: STools Image
In Figure 3, we use the Security Writers Guild (5) logo to embed a secret
message. We launch S-Tools and drag the picture onto its workspace. Then we
take our secret text document and drag it on top of the SWG logo.
Figure 4: STools Encryption
In Figure 4, you see the window that pops up after we have dragged our text
document over the image. It prompts us for a pass-phrase and the encryption
algorithm to use on the secret message. The types of encryption
we can use with version 4 of S-Tools include:
- Triple DES
After we enter our passphrase and choose the encryption, we click
the 'OK' button and are faced with one final menu. This is where we
choose the settings used to embed our secret text document.
Figure 5: STools Hiding Options
In Figure 5, we see that we can either convert our image to a 24-bit image
or attempt a color reduction scheme. If we choose the latter, we can go into
yet another menu and get very specific. For this demonstration, I will accept
the defaults and just hit 'OK'.
Figure 6: STools Completed
In Figure 6, we see our new image. As you can see, the two images look
identical. So let's examine their sizes and see what the difference is there.
Figure 7: STools Size
In Figure 7, we see there is a small increase in size. This is the downside
of the embed method: as Figure 7 shows, our original GIF image grew
after the embed process. Substitution itself adds no bytes; the growth comes
from the image being re-encoded on output (GIF is compressed, and altered low
bits compress less well), so a size comparison is only a clue, not proof.
There are other Stego tools out there to handle very specific tasks. Some examples:
- Jsteg - hides data in jpeg images using the DCT coefficients
- MPGStego - hides data in MPEG files
- S-MAIL - hides data in exe and dll files
- Invisible Secrets - hides data in banner ads that appear on web sites
- Stash - hides data in a variety of image formats
There are a few hang-ups to S-Tools. We have already seen the size issue.
But did you know that a normal 8-bit (palette) BMP file has very few
near-duplicate colors in its palette, whereas a BMP file that has had a file
embedded into it with color reduction will have many near-duplicate colors?
Each original color has to be split into several almost identical shades so that
a change to the low bits of a pixel's palette index still picks a look-alike
color, and that pattern is visible to anyone who inspects the palette. Another
method, if you have the original file, is simply to compare the size of the
original with that of the suspect file.
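The near-duplicate palette check described above, as an added example that is not code from the article or from S-Tools. Real use would read the 256 RGB entries out of the BMP or GIF palette; here both palettes are constructed. The clean palette draws colors from a grid 32 steps apart. The suspect palette is built the way I assume a color-reducing 8-bit embedder lays its palette out (32 base colors, each expanded into 8 variants that differ only in the two low bits of each channel); that layout and the 0.25 decision threshold are assumptions, not documented S-Tools behaviour.

```python
"""Palette steganalysis heuristic for 8-bit (palette) images: count near-duplicate colors.
Added example, not from the article or S-Tools. Both palettes below are constructed."""
from itertools import combinations
from typing import List, Tuple
import random

RGB = Tuple[int, int, int]
LOW_BITS = 2                  # an embedder rewriting two low bits moves a channel by at most 3
DELTA = (1 << LOW_BITS) - 1   # so two colors within 3 on every channel are "near duplicates"


def near_duplicate_pairs(palette: List[RGB], delta: int = DELTA) -> int:
    """Number of palette entry pairs whose red, green and blue each differ by at most `delta`
    (exact duplicates count too)."""
    return sum(1 for a, b in combinations(palette, 2)
               if all(abs(x - y) <= delta for x, y in zip(a, b)))


def suspicious_fraction(palette: List[RGB], delta: int = DELTA) -> float:
    """Fraction of palette entries that have at least one near-duplicate elsewhere in the palette."""
    flagged = set()
    for i, j in combinations(range(len(palette)), 2):
        if all(abs(x - y) <= delta for x, y in zip(palette[i], palette[j])):
            flagged.update((i, j))
    return len(flagged) / len(palette)


def looks_embedded(palette: List[RGB], threshold: float = 0.25) -> bool:
    """Decision rule (assumed threshold): a quarter or more of the palette having a look-alike is suspicious."""
    return suspicious_fraction(palette) >= threshold


def natural_palette(size: int = 256, seed: int = 1) -> List[RGB]:
    """Constructed 'clean' palette: colors drawn from a grid 32 apart, so no two are within DELTA."""
    rng = random.Random(seed)
    grid = [(r, g, b) for r in range(0, 256, 32) for g in range(0, 256, 32) for b in range(0, 256, 32)]
    return rng.sample(grid, size)


def stego_palette(base_colors: int = 32, copies: int = 8, seed: int = 1) -> List[RGB]:
    """Constructed palette shaped like one an 8-bit LSB embedder with color reduction produces
    (assumption: each base color is expanded into `copies` variants differing only in the low
    bits, so that flipping the low bits of a pixel's palette index still selects a look-alike)."""
    rng = random.Random(seed)
    palette: List[RGB] = []
    for base in natural_palette(base_colors, seed):
        for _ in range(copies):
            r, g, b = ((c & ~DELTA & 0xFF) | rng.randrange(1 << LOW_BITS) for c in base)
            palette.append((r, g, b))
    return palette


if __name__ == "__main__":
    for name, pal in (("natural", natural_palette()), ("stego", stego_palette())):
        print(name, len(pal), near_duplicate_pairs(pal), round(suspicious_fraction(pal), 2),
              looks_embedded(pal))
```

A palette of 256 distinct, well-spread colors produces no near-duplicate pairs at all, while one that has been reshaped for embedding flags every entry. The check says nothing about 24-bit images, where there is no palette, and a converter that merely reduced colors without embedding anything can trip it too, so treat a hit as a reason to look closer rather than as proof.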
Resources and In the News
(1) An article on the ABC News site that clearly talks about the use of
Stego by terrorists can be found at:
(4) www.sans.org SANS is the world leader
in certification for the computer security industry. SANS covers Cryptography
and Steganography in the Advanced Incident Handling and Hacker Exploit class.
(5) www.securitywriters.org -
A website containing text documents and materials relating to computer security.
This site contains papers in many different languages.
A site for more history and usage can be found at:
A book that I recommend to anyone interested in cryptography and touches on
the topic of Steganography is 'Applied Cryptography' written by Bruce Schneier.