Page 1: Steganography

Steganography

Bahaa Aladdin

Page 2: Steganography

Steganography – Definition and Origin

“The art of hiding messages in such a way that no one but the sender and the intended recipient knows about the very existence of the message”.

Greek Word, Steganos – “covered”, Graphie – “writing”

The word steganography is derived from the Greek words steganos which means covered and graphie which means writing. Thus, steganography literally means "covered writing."

The strength of Steganography is “Stealth”

Page 3: Steganography

Steganography comes in different forms:

• Hidden information in Text Files
• Hidden information in Image Files
• Hidden information in Document Files
• Hidden information in Video Files
• Hidden information in Audio Files
• Hidden information in E-Mails

Steganography Forms

Page 4: Steganography

Who’s Using It?

Kinds of users include:

• Trade fraud
• Industrial espionage
• Organized crime
• Narcotics traffickers
• Child pornographers
• Criminal gangs
• Individuals concerned about perceived government “snooping”
• Those who want to circumvent restrictive encryption export rules
• Anyone who wants to communicate covertly and anonymously

A message sent by a German spy during World War II read: “Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects for pretext embargo on by-products, ejecting suets and vegetable oils.” By taking the second letter of every word the hidden message “Pershing sails for NY June 1” can be retrieved.

Page 5: Steganography

Economic espionage - used to exfiltrate information from a major European automaker

Political extremists - increasingly being used for secure communications.

Fraud - used as a “digital dead drop” to hide stolen card numbers on a hacked Web page

Pedophilia - used to store and transmit pornographic images

Terrorism - used to hide terrorist communications over the Internet, e.g., Osama bin Laden’s alleged use of steganography

Some Known Uses of Steganography

Page 6: Steganography

In a New York Times article that was published in October of 2001, French defense ministry officials reported the use of steganography by terrorists that were planning on blowing up the U.S. embassy in Paris. They were reportedly instructed to communicate solely through pictures on the internet, and supposedly had connections to Al Qaeda.

Terrorism

Page 7: Steganography

Alleged use of stego by Osama bin Laden, (Feb ‘01)

Stego’d messages hidden on Web sites to plan attacks against the US

Maps, target photos hidden in sports chat rooms, pornographic bulletin boards, popular Web sites

Terrorism

Page 8: Steganography

Steganography: It is the practice of disguising the existence of a message

Stego-object: The combination of hidden data-plus-cover is known as the stego-object

Cover: Generally, innocent looking carriers, e.g., pictures, audio, video, text, etc. that hold the hidden information

Stegokey: An additional piece of information, such as a password or mathematical variable, required to embed the secret information

Terminology

Page 9: Steganography

cover_medium + hidden_data + stego_key = stego_medium

Formula for steganographic process:

Page 10: Steganography

Formula for steganographic process:

Page 11: Steganography

Steganography today, however, is significantly more sophisticated than the examples above suggest, allowing a user to hide large amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected: first it is encrypted and then hidden, so that an adversary has to first find the information (an often difficult task in and of itself) and then decrypt it.

Steganography Today

Page 12: Steganography

Steganography can be split into two types: fragile and robust.

Fragile steganography involves embedding information into a file which is destroyed if the file is modified. This method is unsuitable for recording the copyright holder of the file since it can be so easily removed, but is useful in situations where it is important to prove that the file has not been tampered with, such as using a file as evidence in a court of law, since any tampering would have removed the watermark. Fragile steganography techniques tend to be easier to implement than robust methods.

Steganography types

Page 13: Steganography

Robust marking aims to embed information into a file which cannot easily be destroyed. Although no mark is truly indestructible, a system can be considered robust if the number of changes required to remove the mark would render the file useless. Therefore the mark should be hidden in a part of the file where its removal would be easily perceived. There are two main types of robust marking. Fingerprinting involves hiding a unique identifier for the customer who originally acquired the file and therefore is allowed to use it. Should the file be found in the possession of somebody else, the copyright owner can use the fingerprint to identify which customer violated the license agreement by distributing a copy of the file. Unlike fingerprints, watermarks identify the copyright owner of the file, not the customer. Whereas fingerprints are used to identify people who violate the license agreement, watermarks help with prosecuting those who have an illegal copy.

Watermarks are typically hidden to prevent their detection and removal.

Steganography types

Page 14: Steganography

One of the most widely used applications is so-called digital watermarking. A watermark, historically, is the replication of an image, logo, or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function; a graphic artist, for example, might post sample images on her Web site complete with an embedded signature so that she can later prove her ownership in case others attempt to portray her work as their own. These days, watermarking is popularly used as a proof of ownership of digital data by embedding copyright statements into the digital media. It is also used for fingerprinting, broadcast monitoring (in case of illegal broadcasting), etc.

Page 15: Steganography

Steganography and Cryptography

Cryptography | Steganography
Known message passing | Unknown message passing
Encryption prevents an unauthorized party from discovering the contents of a communication | Steganography prevents discovery of the very existence of communication
Common technology | Little known technology
Most algorithms known by all | Technology still being developed for certain formats
Strong current algorithms are currently resistant to attack; larger, expensive computing power is required for cracking | Once detected, message is known
Cryptography alters the structure of the secret message | Steganography does not alter the structure of the secret message

Steganography and Cryptography

Page 16: Steganography

Encryption | Steganography (contains embedded encrypted message)

Example

Page 17: Steganography

There are three different techniques you can use to hide information in a cover file:

1. Injection or insertion

2. Substitution

3. Generation

Algorithms and Techniques

Page 18: Steganography

1-INJECTION (or insertion). You store the data you want to hide in sections of a file that are ignored by the processing application. By doing this you avoid modifying those file bits that are relevant to an end-user, leaving the cover file perfectly usable. For example, you can add additional harmless bytes in an executable or binary file. Because those bytes don't affect the process, the end-user may not even realize that the file contains additional hidden information. However, using an insertion technique changes the file size according to the amount of data hidden; therefore, if the file looks unusually large, it may arouse suspicion.

Algorithms and Techniques

Page 19: Steganography

2-SUBSTITUTION. Using this approach, you replace the least significant bits of information that determine the meaningful content of the original file with new data in a way that causes the least amount of distortion. The main advantage of this technique is that the cover file size does not change after the execution of the algorithm. On the other hand, the approach has at least two drawbacks. First, the resulting stego file may be adversely affected by quality degradation, and that may arouse suspicion. Second, substitution limits the amount of data that you can hide to the number of insignificant bits in the file.

Algorithms and Techniques

Page 20: Steganography

3-GENERATION. Unlike injection and substitution, this technique doesn't require an existing cover file; it generates a cover file for the sole purpose of hiding the message. The main flaw of the insertion and substitution techniques is that people can compare the stego file with any pre-existing copy of the cover file (which is supposed to be the same file) and discover differences between the two. You won't have that problem when using a generation approach, because the result is an original file, and is therefore immune to comparison tests.

Algorithms and Techniques

Page 21: Steganography

Figure (Least Significant Bit):

Cover: 11100101 01001110 10101101 10010111 … 01011010

Hidden message: 10110010…

• The simpler techniques replace the least significant bit (LSB) of each byte in the cover with a single bit for the hidden message

• Frequently, these are encrypted as well

How Is Hiding Typically Done?

example
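The substitution technique and the comparison test described on the preceding slides, as an added example that is not part of the original slides: it replaces the least significant bit of each cover byte, shows the capacity limit and unchanged size, and then compares the result with a pre-existing copy of the cover. All function names and the sample cover bytes are constructed for illustration.

```python
def capacity_bytes(cover: bytes) -> int:
    """One hidden bit per cover byte, so capacity is len(cover) // 8 bytes."""
    return len(cover) // 8

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    if len(message) > capacity_bytes(cover):
        raise ValueError("message exceeds the cover's LSB capacity")
    stego = bytearray(cover)
    for i, byte in enumerate(message):
        for bit in range(8):
            pos = i * 8 + bit
            msg_bit = (byte >> (7 - bit)) & 1            # most significant bit first
            stego[pos] = (stego[pos] & 0xFE) | msg_bit   # overwrite only bit 0
    return bytes(stego)

def extract_lsb(stego: bytes, length: int) -> bytes:
    out = bytearray()
    for i in range(length):
        value = 0
        for bit in range(8):
            value = (value << 1) | (stego[i * 8 + bit] & 1)
        out.append(value)
    return bytes(out)

def compare_with_cover(cover: bytes, suspect: bytes) -> dict:
    """Comparison test: count differing bytes and check they differ only in bit 0."""
    diffs = [i for i, (a, b) in enumerate(zip(cover, suspect)) if a != b]
    lsb_only = bool(diffs) and all((cover[i] ^ suspect[i]) == 1 for i in diffs)
    return {"same_size": len(cover) == len(suspect),
            "changed_bytes": len(diffs),
            "lsb_only": lsb_only}

# Constructed cover: 64 bytes standing in for pixel or audio sample values.
COVER = bytes((i * 37 + 11) % 256 for i in range(64))
STEGO = embed_lsb(COVER, b"hi")

if __name__ == "__main__":
    print("capacity (bytes):", capacity_bytes(COVER))
    print("recovered:", extract_lsb(STEGO, 2))
    print("comparison:", compare_with_cover(COVER, STEGO))
```

A file that has the same size as the known original but differs from it only in the lowest bit of some bytes is the pattern the comparison test looks for.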

Page 22: Steganography

Detection and Analysis

Page 23: Steganography

Growing awareness of data hiding techniques and uses

Availability and sophistication of shareware and freeware data hiding software

Concerns over use to hide serious crimes, e.g., drug trafficking, pedophilia, terrorism

Frees resources currently spent on investigating cases with questionable/unknown payoff

Legislative calls

Need for Improved Detection

Page 24: Steganography

• Evidence of steganography software on computer
• Forensics examination
• Hashes of well-known files don’t match originals
• Transmission logs
• Excessive/unusual e-mails involving pictures, sound files, etc.
• Discernable (visual) changes
• Statistical analysis

Some Indicators of Data Hiding Activity

Page 25: Steganography

Detection

Can steganography be detected?

Sometimes… many of the simpler steganographic techniques produce some discernable change in the file size, statistics, or both. For image files, these include:

• Color variations
• Loss of resolution or exaggerated noise
• Images larger in size than that to be expected
• Characteristic signatures, e.g., distortions or patterns

However, detection often requires a priori knowledge of what the image or file should look like

Page 26: Steganography

Stego software developers understand their products’ weaknesses and have made significant improvements:

• minimal carrier degradation makes embedded data harder to perceive visually
• better modification immunity, e.g., affine invariance, immunity to channel noise, compression, conversion
• use of error correction coding ensures integrity of hidden data

These improvements have led to even greater difficulty in detection

Detection Challenges (1/2)

Page 27: Steganography

• Lack of tools and techniques to recover the hidden data
• No commercial (effective) products exist for detection
• Custom tools are analyst-intensive
• Few methods beyond visual analysis of graphics files have been explored
• Usually, no a priori knowledge of existence
• No access to stegokey
• Use of unknown applications

Detection Challenges (2/2)

Page 28: Steganography

Several on-going research activities for improving steganographic analysis methods

Some research is focusing on processing techniques to reveal features in files that will:

• Blindly, with no a priori knowledge, indicate the presence of hidden data
• Uniquely identify known stego packages

Some explanation follows...

Steganalysis

Page 29: Steganography

Blind detection: attempts to determine if a message may be hidden in a file without any prior knowledge of the specific steganography application used to hide the information. Several techniques may be employed to inspect suspect files including various visual, structural, and statistical methods.

"Blind" Steganography Detection

Page 30: Steganography

• The suspect file may or may not have any information hidden in it in the first place
• The hidden message may have been encrypted before being hidden in the carrier file
• Some suspect files may have had noise or irrelevant data encoded in them, which reduces the stealth aspect (i.e., makes it easier to detect use of steganography) but makes analysis very time-consuming
• Unless the hidden information can be found, completely recovered, and decrypted (if encrypted), it is often not possible to be sure whether the suspect carrier file contained a hidden message in the first place; all the user ends up with is a probability that the suspect carrier file may have something hidden within it

Complications blind detection

Four Complications are possible when implementing blind detection techniques for steganalysis:

Page 31: Steganography

The analytical approach to steganalysis has been developed by the Steganography Analysis and Research Center as a byproduct of extensive research of Steganography applications and the techniques they employ to embed hidden information within files. The premise of this approach is to first determine if any residual file and/or Microsoft Windows Registry artifacts from a particular Steganography application exist on the suspect media.

• IF residual artifacts exist, then the application was probably installed
• IF the application was installed, then it was probably used
• IF the application was used, then something was probably hidden using it

The analytical approach attempts to determine if there is any evidence that a steganography application ever existed on the suspect media. Searching for files and registry entries that have been identified by the SARC as belonging to a steganography application will identify these residual artifacts. The goal is to determine what application was used, what type(s) of carrier files it may have been used on, and to find what was hidden by that particular application.

Analytical Steganography Detection

Page 32: Steganography

Software tools – Freeware, Commercial.

• S-Tools: Excellent tool for hiding files in GIF, BMP and WAV files
• MP3Stego: MP3. Offers quality sound at 128 kbps
• Hide4PGP: BMP, WAV, VOC
• JP Hide and Seek: jpg
• Text Hide (commercial): text
• Stego Video: Hides files in a video sequence
• Spam mimic: encrypts short messages into email that looks like spam, http://spammimic.com
• Steganos Security Suite (commercial)

and many, many more…

Steganography – Software Tools

Page 33: Steganography

Stegdetect: Automated tool for detecting steganographic content in images

Currently-claimed detection schemes: Jsteg, JPHide, Invisible Secrets, Outguess 0.1.3b

Windermere’s analysis shows this program is extremely unreliable and provides excessive (i.e., near 100%) false-positives

Page 34: Steganography

S-tools

Hides info in BMP, GIF, and WAV files. Just drag them over open sound/picture windows. You can hide multiple files in one sound/picture, and your data is compressed before being encrypted and then hidden. Encryption services come courtesy of "cryptlib" by Peter Gutmann (and others).

Page 35: Steganography

Hide your Video or Audio File Behind Image

OmhiHide PRO is a powerful data-hiding utility that allows you to hide files within other files. The output files can be used or shared like a normal file would be without anyone ever knowing of the file hidden within it. That way, your data totally stays safe from prying eyes you want to hide it from.

OmhiHide

Page 36: Steganography

Xiad steganography

Page 37: Steganography

Summary

• Steganography is primarily used to maintain anonymity and is easily available to most anyone
• Sophisticated tools are readily available on the Internet, and are easy-to-use
• Lack of both awareness and developed tools and analysis techniques
• Only recently has the security community started to concern itself with this subject
• Little public information on the use of data hiding

Development/use of information hiding products far outpaces the ability to detect/recover them; this situation is not likely to change soon

Page 38: Steganography

A Final Thought

“I think we are perilously close to a lose-lose situation in which citizens have lost their privacy to commercial interests and criminals have easy access to absolute anonymity. That's not a world we want”.

Philip Reitinger
Former Senior Counsel, US Justice Department
Computer Crime and Intellectual Property Division

Page 39: Steganography

Bahaa Aladdin