Open source hides secret data

985

Author: Mikael Vingaard

The art of hiding information from anyone except from the intended receiver has been used for many centuries. Hiding information by embedding it in other, seemingly innocuous information is known as steganography, a word that means “covered writing” in Greek. Today, steganography applications can hide one file within another on a computer. Steganography applications are available on many different platforms, including Windows, Linux, and *BSD.

You need two files in order to use steganography. The first one is the innocent-looking file, called the “cover file.” A cover file can be in many graphical or audio file formats, such as.bmp,.jpeg, and.wav.

The second file is the secret file you want to hide in to the cover file. There are no restrictions on the file format of the secret file.

Cover file formats are often associated with large files sizes, which is important in getting steganography to work properly. To hide a secret text of 200KB, the cover file must often be at least 1MB in size. Most stego applications will deliver a warning if the cover file size is too small to effectively hide the secret text.

A successful steganography file must never raise any alarms when a person looks or listens to the file with the embedded secret file. Without such an alarm, detailed inspection is rare; how often does you inspect the attachments your corporate firewall handles?

Steghide

Steghide is an open source steganography program for Windows and Linux that can hide data in image and audio files. The current version 0.5.1 offers compression, encryption, and an integrity check of the embedded data.

To use Steghide to embed the file secret.txt into example.bmp, you’d use the following command:

$ steghide embed -cf example.bmp -ef secret.txt
  Enter passphrase:
  Re-Enter passphrase:
  embedding "secret.txt" in "example.bmp.". done

The -cf argument specifies the cover file and -ef the embedded file.

The default encryption algorithm is AES/Rijndael with a keysize of 128 bits. However, if you want another encryption algorithm, you can run the steghide encinfo command to see all supported encryption algorithms.

If you have received a cover file that contains a file that has been embedded with Steghide, use the extract command to reveal the hidden file with an -sf argument:

$ steghide extract -sf example.bmp
  Enter passphrase:
  wrote extracted data to "secret.txt."

These are just basic examples of how to use Steghide. You can read the project’s documentation to learn about several other useful commands.

mp3stego

MP3Stego is another open source steganography program that uses.MP3 music files as a preferred cover file format. Few administrators will investigate an audio file in order to find a secret file. MP3Stego is currently available only on the Windows platform.

To embed the file secret.txt into stego.mp3 using stego.wav as input, go to the Start menu, choose run, and enter cmd to bring up a command-line window. Then use the command:

encode -E secret.txt -P password stego.wav stego.mp3

To decode the file, run:

decode -X -P password stego.mp3

It is virtual impossible to hear that any different between the normal audio file and the same file with steganography embedded.

It’s difficult for IT security staff to detect steganography in action. Only a few products are available to detect stego, and most products can detect it only when it’s embedded in.jpg files; they can’t scan.bmp or audio files. However, if you want to play amateur spy decoder, Niels Provos’ Stegdetect is one automated tool for detecting images with steganography embedded messages. It can find hidden messages in several different types of JPEG images. Another application is Wetstone Stego Suite. The suite has a audio and image analyzer and a password cracker for automated detection and retrieval of the hidden data. However, Stego Suite is a commercial product that comes with a price tag of $1,995.

Conclusion

As we often see with security tools, steganography can be used for either a good or a bad purpose. A good use might be a system administrator embedding a list of passwords for various Web sites and services in a holiday picture. It can also be used to secure and enforce copyrights for an individual by placing a hidden mark in a file. This technique is often referred to as “digital watermarking.” However, steganography can also be use to smuggle highly confidential data out of your company disguised as innocent pictures.

Now might be a good time to familiarize yourself with steganography tools and techniques before you find them used in unacceptable ways on your network.