Overview
Steganography is the art and the science of concealing a message, image, or file within another message, image, or file, and communicating in a way that hides the existence of the message and the communication. For example, a message can be hidden inside a graphic image file, an audio file, or other file format, in a way that it is difficult for steganography experts and impossible for all the others to find it.
The word steganography comes from the Greek words στεγανός (covered or concealed) and γράφω (write). Payload is the data that has been hidden, and carrier is whatever (like a file) hides the payload.
Steganography is different from cryptography. Cryptography is the art of secret writing, it makes a message unreadable by a third party, but it does not hide the existence of the message. Steganography is about concealing the message.
It is relatively easy to identify an encrypted file, but it is usually not so easy to decrypt it. The analysts might be able to identify the encryption method by examining the file header, identifying encryption programs installed on the system, or finding encryption keys (which are often stored on other media).
With steganography, everything is more complex and difficult. The analysts must first find the file that hides another encrypted file (looking for multiple versions of the same image, identifying the presence of grayscale images, searching metadata and registries, using histograms, and using hash sets to search for known steganography software), then the analysts might be able to extract the embedded data, and they still have to find the encryption key (as the hidden file is usually encrypted too).
Steganography can be very useful. Using digital watermarking, an author can embed a hidden message in a file so that ownership of the intellectual property can be proved. Artists can post artwork on a website, and if others claim the ownership of the work, the artists can prove ownership as they can recover the watermark. Steganography has also a number of nefarious applications. Criminals can easier hide records of illegal activity and financial crimes, and terrorists can easier exchange messages.
Steganalysis is the analysis of steganography, and involves the detection of hidden data, the extraction of the hidden message, and sometimes the alteration of the hidden message so that the recipient cannot extract it, or receive a different message.
Many steganalysis tools are signature-based (similar to antivirus and intrusion detection systems). There are also anomaly-based steganalysis systems, more flexible and better for new steganography techniques.
New complex steganography methods continue to emerge. Spread-spectrum steganography methods are similar to spread-spectrum radio transmissions (where the signal is spread across a wide-frequency spectrum rather than focused on a single frequency, in an effort to make detection and jamming more difficult). In spread-spectrum steganography, small distortions to images are less detectable in bright colors, so the hidden message is stored in bright colors only, not each color. You can also check the Biosteganography link at the top of the webpage.
Case study, steganography used in espionage, organized crime, and terrorism.
Consider the following scenario. Every Friday afternoon (for the target's time zone) a member of a foreign state-sponsored group puts an item for sale on eBay, and posts a photograph of the item. The item for sale is real, and it will be sold according to the rules of eBay. Bids are accepted, money is collected, and items are delivered. The photograph of the item hides a message, but this is just one from so many millions of photos that can be found at eBay. Anybody in the world can download the photo, but only members of the same foreign state-sponsored group know how to extract the encrypted message and how to decrypt it.
What can we do?
Corporate security and acceptable use policies, that detail what employees are authorized to do within the corporate environment, can always help and must be in the first line of defense. Awareness training for all employees, that explains the reasons they have to respect policies and includes the modus operandi and risks of steganography attacks is of paramount importance.
User policies explain what is prohibited, and they provide an organization with the legal means to punish or prosecute violators.
We must clearly explain in policies that every line of code or piece of software that is not approved, is strictly prohibited. In this way, we will avoid most of the following:
- anti-forensics tools (used to thwart digital forensic investigations, like drive wiping tools, cache and history erasers, file property and time alternators, VPNs, e-mail and chat log erasers),
- encryption or steganography tools (there are over 1,000 free steganography tools online, most of them very dangerous for everybody that downloads the "free" tool, or even visits these websites. In some websites we read: "This application does not require installation. You can copy the program files to an external data device, so as to run it on any computer you can get your hands on, with just a click of the button. It is not adding new items to the Windows registry or hard drive without your approval, as installers usually do, and it will not leave any traces behind"),
- exploit kits (programs designed to exploit a known vulnerability in a piece of software or online resource. They are often distributed as a package, which will enable attackers with limited knowledge to launch a sophisticated attacks),
- toolkits (that enable unsophisticated users to construct new malware applications, sometimes not detectable by standard signature-based virus scanning engines),
- keyloggers (designed to covertly monitor keystrokes on a device. Once a device has been compromised, all keystrokes, including passwords, can be monitored, and recorded),
- password cracking tools (designed to break password-protected files and accounts),
- sniffers (that capture and analyze network traffic. Many protocols, including FTP and chat, are not encrypted. These programs obtain cleartext information, and also collect packets that can be used to crack network passwords and find protected files, servers, and user accounts),
- spyware tools (for industrial espionage, unauthorized monitoring, and collection of proprietary data),
- piracy tools (that allow users to bypass copyright protection in various forms of media, making illegal copies, and saving to a storage medium).
There are unlimited methods of steganography, only imagination is the limit. We usually learn about encrypted messages hidden in large files (images, sound files, videos etc.), and nothing more. Although steganography is usually considered a technical problem, it is not. It is also a business intelligence (or just intelligence) problem. If we do not know where to look for hidden messages, it is very unlikely to find them. Only the cooperation of the public and the private sector can protect against these security threats.
You may also visit Cyberbiosecurity