Steganography - The Art Of Deception & Concealment

The Message Must Get Through
-----------------------------
The year is 300A.D., and you're part of a war machine unlike anything the world has ever seen. You are a field General for the Roman Empire and charged with assimilating yet another non-Roman culture. Your current mission; get tactical information you've collected in the field to an outpost one hundred miles away. The land between you and the outpost is treacherous and filled with enemy. The information you've collected is critical to the success of the current campaign and must reach the remote outpost intact. This will call for ingenious deception.

You send for a messenger, who is in reality a Roman slave. The messenger's head is shaved clean, and the message for the outpost is tattooed on his head. Several weeks later, the messengers hair has grown in and completely concealed the secret information. The messenger departs and one week later reaches the outpost. A quick head shave and the outpost has the information needed to ensure yet another victory for Rome.

This is one of the earliest forms of Steganography on record. The art of hiding messages within another medium and avoiding detection.

The Ancient Technology Of Deception
A Modern Day Threat
-----------------------------------
Take a look at the following two images at http://www.defendingthenet.com/stgpic.htm. The first picture is quite normal. The second picture looks exactly like the first. However, the second picture is not a normal picture at all. It contains a portion of the article you are currently reading in the form of a Microsoft Word document. It has been embedded in the image using a Steganography program and is nearly undetectable. Not only can you not see a visual difference in the picture, the file size of the original and the Stego Medium (image with the hidden text) is exactly the same.

There are several programs on the Internet that may be able to detect a small anomaly in the picture, like "stegdetect", but the method used to embed the secret document is protected by a key, or password, as well.

The technology behind effective Steganography is quite complex and involves serious mathematical computations. Computers and technology make this a trivial task and make this art of deception a serious threat to the security of information. Company's that regard their information proprietary, and rely on the security and integrity of their intellectual property, could be at significant risk.

A Real World Example Of Steganography
-------------------------------------
Many organizations protect their internal network resources and information by using sophisticated security measures, such as firewalls. Many firewalls can block e-mail attachments such as executables, spreadsheets, and documents, and do so by looking for file extensions. Some security measures, or content filters, can actually determine if the particular file or attachment is actually the type to be blocked, a spreadsheet for instance, by analyzing the contents of the file. This helps prevent the transmission of file attachments that have had their extensions altered or removed.

But how many organizations block the sending of image files like, .jpg or .bmp images.

Imagine having someone on the inside of a company who secures a proprietary document. This person then embeds the document into a picture and sends it to an e-mail address on the Internet. The company's defense systems block many types of file attachments, but image files are not considered a risk, so they are allowed through. The sender and receiver previously agreed on the method and type of deception. Using a Steganography package freely available on the Internet the task was easily and securely executed. The company was completely unaware of the fact that important information was leaked.

Conclusion
----------
There are so many components to this form of deception, I could write ten pages on the subject alone. The purpose for this article is to make people aware of this form of deception and the threat it poses to digital security.

Steganography also has an impact on non-digital information as well. And, pictures are not the only medium that can be used. Sound files are another favorite host for embedding secret information. If you would like to see Steganography in action you can download "The Third Eye" from the following link http://www.defendingthenet.com/downloads/steg.zip. It is a freely distributable Steganography program and was used to create the two image examples referenced above. This download contains the two images above and you will be able to open the image with the hidden text and extract it. The zip file contains a README.TXT file that will give you full instructions on how to extract the hidden text in the image.

But first, you will need the password! Can you guess it? I'll give you a clue: What form of deception did the Roman General use to send his message?**

*The story "The message must get through" although based on documented information about a Roman General performing such an act of deception, is fictional and was written as illustration of such an event strictly for use in this article.

**You should be able to easily guess the password however I must point out that the password should be entered all "lower-case".

About The Author
----------------
Darren Miller is an Information Security Consultant with over sixteen years experience. He has written many technology & security articles, some of which have been published in nationally circulated magazines & periodicals. Darren is a staff writer for http://www.defendingthenet.com and several other e-zines. If you would like to contact Darren you can e-mail him at darren.miller@paralogic.net or defendthenet@paralogic.net. If you would like to know more about computer security please visit our website. If someone you know has sent you this article, please take a moment to visit our site and register for the free newsletter at http://www.defendingthenet.com/subscribe.htm

Original URL
------------
http://www.defendingthenet.com/Newsletters/Steganography.htm

Daily Nation

Kenyan security forces kill militia commander: police AFP - 10 hours ago NAIROBI (AFP) — Kenyan security forces killed a militia commander,one of the most wanted rebel figures in the country, and four other fighters in a gun ... Charge top security men over torture, demands rights team Daily Nation Kenya: Claims of Torture By Army And Militia, As Food Shortages ... AllAfrica.com Rights commission requests torture probe United Press International Voice of America - Daily Nation all 53 news articles

KVEO-TV

Texas officials sue US over border fence The Associated Press - 3 hours ago WASHINGTON (AP) — Texas mayors and business leaders filed a class-action lawsuit Friday alleging Homeland Security Secretary Michael Chertoff hoodwinked ... Texas mayors, business leaderss sue federal government over border ... International Herald Tribune Texas cities sue to stop border fence Arizona Republic Some worry about border fence's ecological impact Houston Chronicle San Diego Union Tribune - guardian.co.uk all 306 news articles

US. to triple grants for Md. port security Baltimore Sun, United States - 4 hours ago By Matthew Hay Brown and Laura McCandlish | Sun reporters The federal government will more than triple its grant funding this year for port security in ... St. Louis City to manage $2.6M for port security Bizjournals.com DHS announces IPA grants Middle East Times all 11 news articles

DigitalJournal.com

Iowa: Lawsuit Filed Over Raid New York Times, United States - 1 hour ago The charges include accusations of aggravated identity theft, falsely using a Social Security number, illegally re-entering the United States after being ... Video: ICE Agents Raid Meat Packing Plant AssociatedPress Paying the Price of the Immigration Crackdown IRC's Americas Program Lawsuit: Immigration raid violated workers' rights The Associated Press The NarcoSphere - WHO-TV all 927 news articles

MSN India

Major Powers Finish Nuclear Incentives Offer for Iran Voice of America - 7 hours ago Officials here say the permanent UN Security Council member countries and Germany, the P-5+1, have finished the details of a revised incentive package and ... Tehran hands proposals to Russia, China on nuclear security - 2 RIA Novosti Iran calls UN Security Council sanctions illegal, proposes new talks International Herald Tribune Iran Calls UN Sanctions Illegal Fars News Agency ISNA - United Press International all 193 news articles

Gulf Times

Missing guards in Cabuyao bank heist under custody ABS CBN News, Philippines - 12 hours ago The two missing security guards employed at the bank where a deadly robbery incident occurred Friday are now under custody. Police said one of the security ... Thieves loot Philippine bank after killing 7 bank employees and a ... RTT News 8 killed in Philippine bank robbery, mostly bank employees International Herald Tribune 9 executed in bank robbery Sun.Star Scotsman - guardian.co.uk all 264 news articles

Security Council wants UN peacekeepers in Somalia The Associated Press - May 15, 2008 UNITED NATIONS (AP) — The Security Council unanimously approved a resolution on Thursday calling for a UN political presence in conflict-wracked Somalia for ... UN Security Council Supports Possible Peacekeepers for Somalia Voice of America Security Council express strong support for Secretary-General's ... ReliefWeb (press release) Resolution urges UN Somalia force Aljazeera.net AFP - PR-Inside.com (Pressemitteilung) all 91 news articles

eFluxMedia

Verizon wins Homeland Security contract ZDNet - May 15, 2008 Verizon picked up a huge contract from the Department of Homeland Security: a $670 million deal to provide IP and security services over 10 years, ... Verizon and AT&T Win Homeland Security Contract RedOrbit Verizon land 10-year deal to unify DHS networks Register Verizon to supply Homeland Security TeleGeography FOXBusiness - Reuters all 187 news articles

'Foolproof' security for Jaipur match Hindustan Times, India - 1 hour ago There will now be close to 3000 policemen in the stadium, alongside 500 security guards from a private agency. On the eve of the match, the only thing that ...

Hi-tech security system for crowded places soon Times of India, India - 6 hours ago The network would consist of a central command that would control the various subsystems assigned to a particular security parameter. ... Kapil Sibal unveils new technology to sanitize public places from ... Press Information Bureau (press release) all 5 news articles