Why steganography should scare you
By Canadian Security
Steganography, which can simply be described as the hiding of data in plain sight, has been around for thousands of years. Not in digital form of course, but the concept has not changed.
The word steganography is of Greek origin and means “concealed writing.” With our ever-increasing focus on security, data breaches and fraud, very few companies have put a strategy in place to deal with steganography. We have firewalls, intrusion detection systems, intrusion prevention systems, virus protection and spam filtering. As an industry we are moving towards the encryption of data on our laptops and desktops and through our computer security policies we block the writing of data to our USB devices, yet as an industry we completely ignore the threats posed by steganography. I am not aware of any company that monitors for this type of traffic going out of their network.
First we need to understand the problem, which can easily be put as follows: any employee can use the corporate network to send out anything they wish through email. Many companies employ a type of email monitoring which scans the email for key phrases to try to detect if someone is sending out intellectual property. Other companies will block the sending of Word or Excel documents and allow only PDF documents to be sent out. What if I were to tell you that it is possible to send out any type of document hidden under a legitimate-looking one? What if you could send out a protected drawing, a formula, or quite frankly, any type of intellectual property that you may have? As company owners and security people, that should scare us. Even scarier is the fact that we have no idea how big the problem is, since we do not look for it.
As of August 2010 there were 742 known steganographic programs available, an increase of 225 since August of 2007. Many, like the program “S-Tools”, are freely available on the Internet and are very easy to use.
Steganography is primarily used for illegal purposes by criminals and by those who wish to steal data from your corporate network without being detected. Back in 440 BC, in ancient Greece, a message would be written on a wooden panel and then covered in wax. A second message would then be written on the top portion of the wax. These tablets were commonly used for writing, so hiding a message in such a common medium drew little suspicion. During times of armed conflict, runners would take these messages from the king or ruler of the day and communicate messages to the troops. The “false” message was the message on top, with the “real” message being hidden underneath the first layer of wax. During World War II it would be common to communicate secret messages using a newspaper publication. If one were to take the second letter of every word in every paragraph of an article, the letters would have meaning to the reader. To someone simply reading the article, they would be none the wiser that there was a hidden message contained in the article. These types of schemes are fairly easy to detect if one knows how to look for them.
These and other methods of hiding communications are nothing compared to what we can do today with the advent of computer technology. It is now so much easier to hide information and so much harder to detect it. We know that steganography has been used by both terrorist and organized crime groups for communication in today’s times. Child pornography is now starting to be distributed inside of other pictures, and covert communications between criminals are becoming more prevalent.
Here is how it works. If you want to communicate a message to a group of people, you can tell them that on Saturday, between 12 and 12:30 p.m. they should download the picture of the bicycle that you will have posted on eBay or on a website that you control. Inside that picture will be the hidden message that they will extract. Now, prior to 12 noon the picture will not contain any hidden messages. At exactly noon, the communicator will upload a “special” picture that looks absolutely identical to the previous one, yet has a hidden message inside. At 12:30 p.m. the “special” picture will be replaced with the original. In this scenario, there is very little risk of detection.
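A defender-side check for the swapped-picture scenario above, as an added example that is not part of the original article: given two captures of the same image URL (for instance from a proxy cache), it reports whether they differ only in ways the eye cannot see. It assumes the pixels are already decoded to 8-bit samples and that the hidden data sits in the lowest bit of each sample, which the article does not specify; `compare_captures`, `constructed_samples` and the sample buffers are constructed for illustration.

```python
import hashlib
import random


def compare_captures(first: bytes, second: bytes) -> dict:
    """Compare decoded 8-bit pixel samples from two captures of one image URL."""
    report = {
        "same_sha256": hashlib.sha256(first).digest() == hashlib.sha256(second).digest(),
        "changed": 0,    # samples whose value differs
        "lsb_only": 0,   # of those, samples where only the lowest bit differs
        "max_delta": 0,  # largest per-sample difference
    }
    if len(first) != len(second):
        report["verdict"] = "different_dimensions"
        return report
    for a, b in zip(first, second):
        if a != b:
            report["changed"] += 1
            report["max_delta"] = max(report["max_delta"], abs(a - b))
            if a ^ b == 1:
                report["lsb_only"] += 1
    if report["changed"] == 0:
        report["verdict"] = "identical"
    elif report["lsb_only"] == report["changed"]:
        # The file changed but no pixel moved by more than one level:
        # nothing a viewer would notice, so it deserves an analyst's look.
        report["verdict"] = "invisible_change"
    else:
        report["verdict"] = "visible_change"
    return report


def constructed_samples():
    """Constructed test data: a baseline, a low-bit-altered copy, an ordinary edit."""
    rng = random.Random(2010)
    baseline = bytes(rng.randrange(256) for _ in range(4096))
    altered = bytearray(baseline)
    for i in range(800):  # overwrite the lowest bit of the first 800 samples
        altered[i] = (altered[i] & 0xFE) | rng.getrandbits(1)
    brightened = bytes(min(255, v + 12) for v in baseline)  # visible edit
    return baseline, bytes(altered), brightened


if __name__ == "__main__":
    base, special, edited = constructed_samples()
    for name, capture in (("noon", special), ("edited", edited), ("12:30", base)):
        print(name, compare_captures(base, capture))
```

The check only works when both captures are available, so it depends on retaining earlier copies of fetched images; a single capture needs statistical analysis instead.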
The key advantage of steganography over encryption schemes is that the messages do not attract attention to themselves. An encrypted message, no matter how secure, will arouse suspicion and may in and of itself be incriminating. Encryption is even illegal in some countries. Steganography, on the other hand, is a technique that does not draw attention to itself and can easily stay under the radar.
But what does this all mean for the corporate security world today? We have been entirely focused on what causes us the most pain. We have been so focused on the protection of our environment that we have given little thought to information leaving our premises. Think of the risks that steganography poses to your organization. Your employee can easily take a document, hide it inside a picture using freely available steganographic tools and send out company confidential information to your competitors. Now think of the possibility that your new employee or contractor is just a plant for the competition and is working covertly for them, sending out the latest strategy documents, business plans or new product offerings.
Marty Musters is the Director of Forensics for CFI (Computer Forensics Inc) and can be reached at email@example.com