Steganography by Charles Hornat on 04/09/02

In a statement released by the United States, Steganography was named as a tool terrorists may be using to foil attempts to monitor them (1). A quote from February 2001, Wired News (2):

USA Today reported on Tuesday that bin Laden and others "are hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other websites, U.S. and foreign officials say."

Another article, on the news website Guardian Unlimited and in regards to the September 11, 2001 attacks on America, is titled "Hidden web codes could be linked to Bin Laden" and was written in October 2001 (3). In this article, they explain that the authorities have discovered, hidden in normal internet files and music files, "hundreds of such files, many containing Arabic dates and names, which could be linked to the attacks." In addition to this, they claim "Many of the coded messages are hidden in pornographic images or MP3 music files and would remain undetected".

Bin Laden isn't the first to use this technique. Steganography has a deep history that goes as far back as Herodotus in ancient Greece; however, this is not a history paper. This paper focuses on the forms of the actual technique and a practical use example. Before we can understand how to use it, we should take a look at what it means. A literal translation of the word Steganography is as follows:
Stegano - Steganos is Greek for hidden or secret
graphy - meaning writing or drawing

Steganography is the technique used to hide a secret message inside other messages or images. Steganography, also referred to as Stego (and not to be confused with stenography), can be used to hide information in the following formats:

  • Images
    - BMP
    - JPG
    - GIF
  • Microsoft Word Documents
  • Text Documents
  • MP3
  • EXE
  • DLL


As well as many other formats.


Cryptography vs. Stego

Cryptography provides confidentiality but does not hide the existence of the message. In other words, you can see the encoded message, but you cannot understand it. Cryptography is also referred to as crypto. With Stego, however, since the message is hidden, you cannot tell that a secret message exists at all.


How Does it Work

First, you need a host file that will act as a cover for your secret message. You will also need a secret message, of course. A host file can be generated on the spot or can be an existing file, perhaps a graphic on a web site. The secret hidden message can be used either to generate a file or can be hidden in some particular part of an existing file.

Stego works by embedding a secret message within an open or overt message. Everyone can and will see the overt message and never know that it is a cover for the real message which is hidden inside.


Types of Stego

There are three classifications of stego today. The first hides a message within a file by either injecting it or embedding it. This can and will increase the size of the file, thus making it noticeable to a trained eye. A second option is to replace certain information in a file. This method does not increase the size and is much harder to detect; it is often referred to as substitution. The final method is the newest technique: it creates a new text file or image based on the secret information you want to hide. Let's examine each of these options.


Injection

Using the method of injection, your secret message is put in a host file in such a way that when the file is actually read by a given program, the program ignores the data. Almost all programs today, like web browsers or Microsoft Office programs, have methods of placing data in a file that will be ignored or not displayed when the program shows the file to a user. A good example of this is a method I have seen on many script kiddie (amateur) sites. I have illustrated it in Figure 1.


Figure 1: Stego

In Figure 1, I have created a simple web page. When I view it, it displays "This is a sample of Stego!" However, if I do a View/source on it, I will see much more as Figure 2 shows us.


Figure 2: Stego2

If we look closely, we can see that a hidden message is actually in the source code, and it is not displayed when my web browser views the page normally. We can see the hidden message "This is the hidden message".

Substitution
Data in a file can be substituted or replaced with hidden text. Depending on the type of file and the amount of data, it could result in a degradation of the file. In order to make this technique undetectable to the human observer, the technique usually replaces only small pieces of data in the host file. Using the substitution method, no separate host file needs to be created. Also, if we wanted to, the hidden text could actually be used to create a new file.

A sample that SANS (4) uses, and which I will also highlight, is the best I have seen. It uses a method that replaces the least significant bits in an image. For example, in an 8 bit file, each pixel is represented by 8 bits:
· 10001100
· The most significant bits (MSB) are to the left and the least significant bits (LSB) are to the right.
· If you change the MSB it will have a big impact on the color; however, if you change the LSB, it will have minimal effect.

Now to take this method a step further: if we change only 1 or 2 LSBs in each pixel of the image, it will have a minimal effect because the human eye can only detect around 6 bits of color. In other words, the human eye cannot tell the difference when the last 2 bits are changed. For example, if we take 10001100 and change it to 10001111 or 10001110, it will all seem like the same color to the human eye. So we would only embed data in those bits.

If our message converted to binary is 1101 0010, and we embed two message bits in the last two bits of each pixel, the first pixels will be modified as follows:
- 1100 0101 becomes 1100 0111
- 1111 0010 becomes 1111 0001
- 1010 1111 becomes 1010 1100
- 0010 0010 becomes 0010 0010

To the human eye, there would be no change.
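The two-bit LSB substitution walked through above, as an added example that is not part of the original article. It embeds a bit string into the low two bits of 8-bit pixel values, recovers it again, and reports the largest change made to any pixel; the cover pixel values are the four from the article's table.

```python
# Added example (not from the original article): two-bit LSB substitution on
# 8-bit pixel values, reproducing the article's worked example.

def text_to_bits(text):
    """Encode a string as a bit string, 8 bits per byte (UTF-8)."""
    return "".join(format(b, "08b") for b in text.encode("utf-8"))

def bits_to_text(bits):
    """Inverse of text_to_bits; trailing partial bytes are dropped."""
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    return data.decode("utf-8", errors="replace")

def embed_lsb(pixels, message_bits, bits_per_pixel=2):
    """Overwrite the lowest `bits_per_pixel` bits of successive pixels with message bits."""
    capacity = len(pixels) * bits_per_pixel
    if len(message_bits) > capacity:
        raise ValueError(f"message needs {len(message_bits)} bits, cover holds {capacity}")
    mask = (1 << bits_per_pixel) - 1
    out = list(pixels)
    for i in range(0, len(message_bits), bits_per_pixel):
        chunk = message_bits[i:i + bits_per_pixel].ljust(bits_per_pixel, "0")
        idx = i // bits_per_pixel
        # Clear the low bits of the cover pixel, then OR in the message bits.
        out[idx] = (pixels[idx] & ~mask & 0xFF) | int(chunk, 2)
    return out

def extract_lsb(pixels, n_bits, bits_per_pixel=2):
    """Read the low bits of each pixel back in order and return the first n_bits."""
    mask = (1 << bits_per_pixel) - 1
    bits = "".join(format(p & mask, f"0{bits_per_pixel}b") for p in pixels)
    return bits[:n_bits]

def max_pixel_change(cover, stego):
    """Largest absolute change to any pixel value; 2-bit LSB embedding never exceeds 3."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: the four pixel values from the article's table.
COVER = [0b11000101, 0b11110010, 0b10101111, 0b00100010]
MESSAGE_BITS = "11010010"
STEGO = embed_lsb(COVER, MESSAGE_BITS)

if __name__ == "__main__":
    for c, s in zip(COVER, STEGO):
        print(f"{c:08b} becomes {s:08b}")
    print("recovered:", extract_lsb(STEGO, len(MESSAGE_BITS)))
    # A longer constructed cover carrying a short text message.
    cover2 = [(i * 37) % 256 for i in range(64)]
    stego2 = embed_lsb(cover2, text_to_bits("Hi!"))
    print("text:", bits_to_text(extract_lsb(stego2, 24)))
```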

Generate a New File
A second way to eliminate the need for a host file is to use the secret message to generate a new file. There are a few tools out there that perform this by generating a random design, or art, and hiding your secret message in it. Also, unless the messages were exactly the same, every new output file would be different.

Tools
There are many freeware tools to help you achieve this. My favorite, or the one I was taught to use, is a program called S-Tools. It's available at many FTP sites. S-Tools takes Stego a step further. It will actually take your secret message, encrypt it, and then embed it into a file for you. You can choose the method of encryption and the secret key. Let's take a look at the tool in action.


Figure 3: STools Image

In Figure 3, we will use the Security Writers Guild (5) logo to embed a secret message. So we launch S-Tools and drag a picture onto its work space. Then we take our secret text document and drag that on top of our SWG logo in Figure 3.


Figure 4: STools Encryption

In Figure 4, you will see the window that pops up after we have dragged our text document over our image. It prompts us for our pass-phrase and the encryption algorithm we wish to use to encrypt our secret message. The types of encryption we can use with version 4 of S-Tools are:
- IDEA
- DES
- Triple DES
- MDC

After we enter our passphrase and choose our encryption algorithm, we click the 'ok' button and are faced with one final menu. This is the menu where we choose the settings used to embed our secret text document.


Figure 5: STools Hiding Options

In Figure 5, we see that we can either convert our image to a 24 bit image or attempt a color reduction scheme. If we choose the latter, we can go into yet another menu and get very specific. For this demonstration, I will accept the defaults and just hit 'ok'.


Figure 6: STools Completed

In Figure 6, we see our new image. As you can see, the two images look identical. So let's examine their sizes and see what the difference is there.


Figure 7: STools Size

In Figure 7, we see there is a small increase in the size. This is the downside to using the embed method: as you see in Figure 7, our original GIF image grew after the embed process.

There are other Stego tools out there to handle very specific tasks. Some examples are:
- Jsteg - hides data in jpeg images using the DCT coefficients
- MPGStego - hides data in MPEG files
- S-MAIL - hides data in exe and dll files
- Invisible Secrets - hides data in banner ads that appear on web sites
- Stash - hides data in a variety of image formats


Detecting S-Tools

There are a few hang-ups to S-Tools. Of course we have already seen the size method. But did you know that a normal BMP file has very few duplicate colors? A BMP file that has a file embedded into it will actually have many duplicate colors. Another method, if you have the original file, is to simply compare the size of the original with the size of the suspect file.
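A simple check for the duplicate-color symptom described above, as an added example that is not part of the original article and not S-Tools' own code. It inspects a palette of RGB entries and reports how many entries are exact duplicates or differ from another entry only in their low bits; the two palettes are constructed here, and the threshold and the "near-duplicate" definition are my assumptions, not documented S-Tools behaviour.

```python
# Added example (not from the original article): a palette heuristic for the
# "many duplicate colors" symptom. Threshold and near-duplicate rule are assumptions.
from collections import Counter

def exact_duplicate_count(palette):
    """Number of palette entries that repeat an earlier entry exactly."""
    return sum(n - 1 for n in Counter(palette).values() if n > 1)

def near_duplicate_ratio(palette, ignore_bits=2):
    """Fraction of entries sharing all but their lowest `ignore_bits` bits
    (per channel) with at least one other entry."""
    mask = 0xFF & ~((1 << ignore_bits) - 1)
    groups = Counter((r & mask, g & mask, b & mask) for r, g, b in palette)
    shared = sum(n for n in groups.values() if n > 1)
    return shared / len(palette) if palette else 0.0

def looks_like_lsb_stego(palette, threshold=0.5):
    """Flag a palette when most of its colors cluster into LSB-only variants."""
    return near_duplicate_ratio(palette) >= threshold

# Constructed "clean" palette: 32 colors that all differ in their high bits.
CLEAN_PALETTE = [(i * 8, 255 - i * 8, (i * 37) % 256) for i in range(32)]

# Constructed "stego-style" palette: 8 base colors, each expanded into four
# variants that differ only in the two low bits of every channel.
STEGO_PALETTE = [
    (base | d, base | d, base | d)
    for base in range(0, 256, 32)
    for d in range(4)
]

if __name__ == "__main__":
    for name, pal in (("clean", CLEAN_PALETTE), ("stego", STEGO_PALETTE)):
        print(f"{name}: exact dups={exact_duplicate_count(pal)} "
              f"near-dup ratio={near_duplicate_ratio(pal):.2f} "
              f"flagged={looks_like_lsb_stego(pal)}")
```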


Resources and In the News

(1) An article on the ABC News site that clearly talks about the use of Stego by terrorists can be found at:
http://abcnews.go.com/sections/scitech/DailyNews/webwatch011011.html

(2) http://www.wired.com/news/politics/0,1283,41658,00.html

(3) http://www.guardian.co.uk/Archive/Article/0,4273,4274369,00.html

(4) www.sans.org SANS is the world leader in certification for the computer security industry. SANS covers Cryptography and Steganography in the Advanced Incident Handling and Hacker Exploit class.

(5) www.securitywriters.org - A website containing text documents and materials relating to computer security. This site contains papers in many different languages.


A site for more history and usage can be found at:
http://www.ise.gmu.edu/~njohnson/Steganography/

A book that I recommend to anyone interested in cryptography and touches on the topic of Steganography is 'Applied Cryptography' written by Bruce Schneier.
