In the physical world, Steganography (literally "covered writing") involves invisible inks or messages in hidden places. Herodotus, the ancient Greek historian, relates how a messenger had his head shaved and then had a secret message written on his scalp. With newly grown hair, he traveled to the targeted destination where his head again shaved revealed the message. In the virtual world, the digital process inserts messages into graphic, sound, and even text files. By using apparently harmless GIF, BMP, JPEG, or WAV files, steganography creates a formidable security threat with the hiding of pornography or the disguising of corporate espionage.
How does steganography work? Think of a graphic image as a host (the "container") composed of pixels (picture elements). Each pixel’s color depends upon a numerical value ranging from 0 to 255. An 8-bit base two number represents that value to the computer; for example, the byte 00000000 equals "0." The rightmost bit becomes the least significant bit (LSB), because the seven bits to the LSB’s left contain enough information to establish the correct pixel color. Swapping out the LSB’s value has no effect on the pixel’s appearance to the eye. So, a steganographic program inserts the message’s bits into the LSB for each byte of the graphic image. Just visualize substituting one brown egg for a white egg in a white egg carton. At a distance a group of "substituted" white egg cartons will still have an overall white appearance. The same diluting principle works for sound and text files.
According to Neil F. Johnson’s article, "Steganography," a 640 X 480 image that utilizes 256 colors could hold a nearly 300 KB message or image. With a 24-bit image 1024 X 768 three bytes determine each pixel’s value, so each pixel contains three bits of the message resulting in a 2 MB file. Steganographic images have large capacities in which to hide contraband images or illicit data.
Hiding pornography is a leading use of steganography. In a May 26, 1997 U.S. News and World Report, the U.S. Customs Service indicated that child pornographers were employing steganographic techniques to mask their illegal traffic. Legal adult erotic web sites also encourage access to steganography. The site www.stego.com distributes open source code for steganography and has links to the sponsor’s adult entertainment site and to the Steganos proprietary steganographic site.
Steganos Security Suite offers double protection: steganographic and cryptographic protocols. A user first encodes a message or image with strong crypto and then hides it in a container. Even if the steganographic layer gets compromised, the crypto layer of protection remains.
The technology has legitimate uses; for example, proprietary graphics or images can receive a digital watermark to establish ownership and to deter "image piracy" on the web. Yet, beyond assisting pornography, steganography allows industrial spies to hide information thefts. Neil F. Johnson suggests that a spy working within a company could bring in a favorite art or music selection and "mix" in a highly sensitive file containing proprietary data. The spy would then have the options of e-mailing this "container" or taking it out on a diskette. Or, more cleverly, the spy places the graphic on the company’s web site. Constituting a covert channel, the graphic serves as a "spy drop" that is downloadable at will and difficult to detect on complex web sites. For the spy, however, any of the options pose little risk given conventional security measures.
Security managers have several remedies to combat the abuses of steganography:
1. If a company can ban cameras and video equipment without a permit, the same goes for steganographic programs. No employee should be allowed to use these programs on company property without a specific permit.
2. Graphic, image, or sound files posted to the company’s web site or sent, as e-mail attachments (from sensitive areas), need to be filled with trusted digital watermarks first. The watermarks will overwrite any previous messages.
3. Firewalls need filters to limit the importation of pornography into the company. Employees who generate an unusual amount of non-business related e-mail with frequent graphic attachments need scrutiny. Those that send an inordinate amount of 24-bit images also require close examination.
4. Prohibit the introduction of "outside" graphic, image, or sound files onto PCs that handle highly sensitive data.
Ronald L. Mendell is a Certified Internet Security Specialist. Living in Austin, Texas, he works as a writer and researcher specializing in security and investigative issues. His most recent book, Investigating Computer Crime: A Primer for Security Managers, was published by Charles C. Thomas in 1998.
SecurityPortal is the world’s foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net ™