A very common theme in action movies is walking away with the stolen goods in plain sight. Although popular in movies, the subject of hiding information is often overlooked in information security. Here is an analysis of how easy it is to hide valuable information in harmless files.
The art and science of writing hidden messages in such a way that no-one apart from the sender and intended recipient even realizes there is a hidden message is known as Steganography
Generally, a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This apparent message is the covertext.
There are many ways to use steganography in electronic communications: A hidden text can be transported in an image, a music file, another text file, executable file or even in the TCP/IP stream.
Here is an example
The following text file is hidden within the image.
Below is the original image used for hiding the file - a standard test image also known as Lenna (a cropped image from a Playboy magazine centerfold picture of Lena Söderberg)
Below is the image of Lenna with the hidden file inside it. The only user-detectable difference is the file size. But to most users, this difference means nothing and you'll need to find the untampered image to make a comparison.
The above hiding process is completed with StegoShare. The tool is simple, straightforward and very efficient. Ofcourse, it is limited to hiding data in lossless compression images and cannot hide data in other types of files (audio, documents).
Although steganography is not widely discussed on security forums, it can be used to efficiently bypass security measures, and here is why
- There is no straightforward detection method for finding hidden information in files unless you know exactly what you are looking for.
- There are multitude of open source tools for steganography that run in user space - no need for installation on the computer
- There are numerous channels by which a hidden file is able to transit (web, e-mail, usb, printout...)
Talkback and comments are most welcome