Steganography – Definition and Origin
“The art of hiding messages in such a way that no one but the sender and the intended recipient knows about the very existence of the message.”
Greek words: steganos – “covered”, graphie – “writing”.
The word steganography is derived from the Greek words steganos, which means covered, and graphie, which means writing. Thus, steganography literally means "covered writing." The strength of steganography is “stealth”.
Steganography Forms
Steganography comes in different forms:
• Hidden information in text files
• Hidden information in image files
• Hidden information in document files
• Hidden information in video files
• Hidden information in audio files
• Hidden information in e-mails
Who’s Using It?
Kinds of users include:
• Trade fraud
• Industrial espionage
• Organized crime
• Narcotics traffickers
• Child pornographers
• Criminal gangs
• Individuals concerned about perceived government “snooping”
• Those who want to circumvent restrictive encryption export rules
• Anyone who wants to communicate covertly and anonymously
A message sent by a German spy during World War II read: “Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects for pretext embargo on by-products, ejecting suets and vegetable oils.” By taking the second letter of every word the hidden message “Pershing sails for NY June 1” can be retrieved.
Some Known Uses of Steganography
• Economic espionage - used to exfiltrate information from a major European automaker
• Political extremists - increasingly being used for secure communications
• Fraud - used as a “digital dead drop” to hide stolen card numbers on a hacked Web page
• Pedophilia - used to store and transmit pornographic images
• Terrorism - used to hide terrorist communications over the Internet, e.g., Osama bin Laden’s alleged use of steganography
Terrorism
In a New York Times article that was published in October of 2001, French defense ministry officials reported the use of steganography by terrorists that were planning on blowing up the U.S. embassy in Paris. They were reportedly instructed to communicate solely through pictures on the internet, and supposedly had connections to Al Qaeda.
Terrorism
• Alleged use of stego by Osama bin Laden (Feb ‘01)
• Stego’d messages hidden on Web sites to plan attacks against the US
• Maps, target photos hidden in sports chat rooms, pornographic bulletin boards, popular Web sites
Terminology
• Steganography: the practice of disguising the existence of a message
• Stego-object: the combination of hidden data plus cover
• Cover: generally, innocent-looking carriers, e.g., pictures, audio, video, text, etc. that hold the hidden information
• Stegokey: an additional piece of information, such as a password or mathematical variable, required to embed the secret information
Formula for steganographic process: cover_medium + hidden_data + stego_key = stego_medium
Steganography Today
Steganography today, however, is significantly more sophisticated than the examples above suggest, allowing a user to hide large amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected; first it is encrypted and then hidden so that an adversary has to first find the information (an often difficult task in and of itself) and then decrypt it.
Steganography Types
Steganography can be split into two types: fragile and robust.
Fragile steganography involves embedding information into a file which is destroyed if the file is modified. This method is unsuitable for recording the copyright holder of the file since it can be so easily removed, but is useful in situations where it is important to prove that the file has not been tampered with, such as using a file as evidence in a court of law, since any tampering would have removed the watermark. Fragile steganography techniques tend to be easier to implement than robust methods.
Steganography Types
Robust marking aims to embed information into a file which cannot easily be destroyed. Although no mark is truly indestructible, a system can be considered robust if the amount of changes required to remove the mark would render the file useless. Therefore the mark should be hidden in a part of the file where its removal would be easily perceived.
There are two main types of robust marking. Fingerprinting involves hiding a unique identifier for the customer who originally acquired the file and therefore is allowed to use it. Should the file be found in the possession of somebody else, the copyright owner can use the fingerprint to identify which customer violated the license agreement by distributing a copy of the file.
Unlike fingerprints, watermarks identify the copyright owner of the file, not the customer. Whereas fingerprints are used to identify people who violate the license agreement, watermarks help with prosecuting those who have an illegal copy. Watermarks are typically hidden to prevent their detection and removal.
One of the most widely used applications is for so-called digital watermarking. A watermark, historically, is the replication of an image, logo, or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function; a graphic artist, for example, might post sample images on her Web site complete with an embedded signature so that she can later prove her ownership in case others attempt to portray her work as their own.
These days, watermarking is popularly used as a proof of ownership of digital data by embedding copyright statements into the digital media. It is also used for fingerprinting and broadcast monitoring (in case of illegal broadcasting), etc.
Steganography and Cryptography
Steganography | Cryptography
Unknown message passing | Known message passing
Steganography prevents discovery of the very existence of communication | Encryption prevents an unauthorized party from discovering the contents of a communication
Little known technology | Common technology
Technology still being developed for certain formats | Most algorithms known by all
Once detected, message is known | Strong current algorithms are currently resistant to attack; larger, expensive computing power is required for cracking
Steganography does not alter the structure of the secret message | Cryptography alters the structure of the secret message
Algorithms and Techniques
There are three different techniques you can use to hide information in a cover file:
1. Injection or insertion
2. Substitution
3. Generation
Algorithms and Techniques
1 - INJECTION (or insertion). You store the data you want to hide in sections of a file that are ignored by the processing application. By doing this you avoid modifying those file bits that are relevant to an end-user, leaving the cover file perfectly usable. For example, you can add additional harmless bytes in an executable or binary file. Because those bytes don't affect the process, the end-user may not even realize that the file contains additional hidden information.
However, using an insertion technique changes file size according to the amount of data hidden and therefore, if the file looks unusually large, it may arouse suspicion.
Algorithms and Techniques
2 - SUBSTITUTION. Using this approach, you replace the least significant bits of information that determine the meaningful content of the original file with new data in a way that causes the least amount of distortion. The main advantage of that technique is that the cover file size does not change after the execution of the algorithm. On the other hand, the approach has at least two drawbacks. First, the resulting stego file may be adversely affected by quality degradation, and that may arouse suspicion. Second, substitution limits the amount of data that you can hide to the number of insignificant bits in the file.
Algorithms and Techniques
3 - GENERATION. Unlike injection and substitution, this technique doesn't require an existing cover file; this technique generates a cover file for the sole purpose of hiding the message.
The main flaw of the insertion and substitution techniques is that people can compare the stego file with any pre-existing copy of the cover file (which is supposed to be the same file) and discover differences between the two. You won't have that problem when using a generation approach, because the result is an original file, and is therefore immune to comparison tests.
How Is Hiding Typically Done?
• The simpler techniques replace, for example, the least significant bit (LSB) of each byte in the cover with a single bit of the hidden message
• Frequently, these are encrypted as well
[Figure: bits of the hidden message (10110010) replace the least significant bit of each cover byte (… 11100101 01001110 10101101 10010111 … 01011010)]
Detection and Analysis
Need for Improved Detection
• Growing awareness of data hiding techniques and uses
• Availability and sophistication of shareware and freeware data hiding software
• Concerns over use to hide serious crimes, e.g., drug trafficking, pedophilia, terrorism
• Frees resources currently spent on investigating cases with questionable/unknown payoff
• Legislative calls
Some Indicators of Data Hiding Activity
• Evidence of steganography software on computer
  – Forensics examination
  – Hashes of well-known files don’t match originals
• Transmission logs
  – Excessive/unusual e-mails involving pictures, sound files, etc.
• Discernible (visual) changes
• Statistical analysis
Detection
Can steganography be detected?
• Sometimes… many of the simpler steganographic techniques produce some discernible change in the file size, statistics, or both. For image files, these include:
  – Color variations
  – Loss of resolution or exaggerated noise
  – Images larger in size than would be expected
  – Characteristic signatures, e.g., distortions or patterns
• However, detection often requires a priori knowledge of what the image or file should look like
Detection Challenges (1/2)
Stego software developers understand their products’ weaknesses and have made significant improvements:
• Minimal carrier degradation makes embedded data harder to perceive visually
• Better modification immunity, e.g., affine invariance, immunity to channel noise, compression, conversion
• Use of error correction coding ensures integrity of hidden data
These improvements have led to even greater difficulty in detection.
Detection Challenges (2/2)
• Lack of tools and techniques to recover the hidden data
  – No commercial (effective) products exist for detection
  – Custom tools are analyst-intensive
  – Few methods beyond visual analysis of graphics files have been explored
• Usually, no a priori knowledge of existence
• No access to stegokey
• Use of unknown applications
Steganalysis
• Several ongoing research activities aim to improve steganographic analysis methods
• Some research is focusing on processing techniques to reveal features in files that will:
  – Blindly, with no a priori knowledge, indicate the presence of hidden data
  – Uniquely identify known stego packages
Some explanation follows...
"Blind" Steganography Detection
Blind detection attempts to determine if a message may be hidden in a file without any prior knowledge of the specific steganography application used to hide the information. Several techniques may be employed to inspect suspect files, including various visual, structural, and statistical methods.
Complications of Blind Detection
Four complications are possible when implementing blind detection techniques for steganalysis:
• The suspect file may or may not have any information hidden in it in the first place
• The hidden message may have been encrypted before being hidden in the carrier file
• Some suspect files may have had noise or irrelevant data encoded in them, which reduces the stealth aspect (i.e., makes it easier to detect use of steganography) but makes analysis very time-consuming
• Unless the hidden information can be found, completely recovered, and decrypted (if encrypted), it is often not possible to be sure whether the suspect carrier file contained a hidden message in the first place; all the user ends up with is a probability that the suspect carrier file may have something hidden within it
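Added example, not from the original slides: LSB substitution as described under "How Is Hiding Typically Done?", followed by a pairs-of-values chi-square statistic, one common statistical method for blind detection. The cover bytes and the seeded pseudo-random payload (standing in for an encrypted message) are constructed, and all function names are illustrative.

```python
import random
from collections import Counter

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Substitution: overwrite the LSB of each cover byte with one message bit."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message exceeds capacity of one bit per cover byte")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the LSBs, most significant bit first."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for b in stego[8 * i: 8 * i + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)

def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values statistic: distance of each pair (2k, 2k+1) from a 50/50
    split. Embedding random-looking bits in every LSB pushes all pairs toward
    50/50, so a low value on a fully used file is the suspicious result."""
    counts = Counter(data)
    stat = 0.0
    for k in range(128):
        expected = (counts[2 * k] + counts[2 * k + 1]) / 2
        if expected:
            stat += (counts[2 * k] - expected) ** 2 / expected
    return stat

def make_cover(n: int = 4096) -> bytes:
    """Constructed cover: each even value occurs 3x as often as its odd partner."""
    return bytes(((i // 4) % 128) * 2 + (i % 4 == 3) for i in range(n))

def make_payload(n: int = 512) -> bytes:
    """Constructed payload standing in for an encrypted message (seeded PRNG)."""
    rng = random.Random(2024)
    return bytes(rng.getrandbits(8) for _ in range(n))

if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed_lsb(cover, payload)
    print(len(cover) == len(stego), extract_lsb(stego, len(payload)) == payload)
    print(pov_chi_square(cover), pov_chi_square(stego))
```

The constructed cover scores 512.0 and the fully embedded file scores far lower, while the file size is unchanged and no byte moves by more than one. The statistic indicates only that the LSBs look random; it does not recover what was hidden.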
Analytical Steganography Detection
The analytical approach to steganalysis has been developed by the Steganography Analysis and Research Center (SARC) as a byproduct of extensive research of steganography applications and the techniques they employ to embed hidden information within files. The premise of this approach is to first determine if any residual file and/or Microsoft Windows Registry artifacts from a particular steganography application exist on the suspect media.
• IF residual artifacts exist, then the application was probably installed
• IF the application was installed, then it was probably used
• IF the application was used, then something was probably hidden using it
The analytical approach attempts to determine if there is any evidence that a steganography application ever existed on the suspect media. Searching for files and registry entries that have been identified by the SARC as belonging to a steganography application will identify these residual artifacts. The goal is to determine what application was used, what type(s) of carrier files it may have been used on, and to find what was hidden by that particular application.
Steganography – Software Tools
Software tools – freeware, commercial:
• S-Tools: excellent tool for hiding files in GIF, BMP and WAV files
• MP3Stego: MP3. Offers quality sound at 128 kbps
• Hide4PGP: BMP, WAV, VOC
• JP Hide and Seek: JPG
• Text Hide (commercial): text
• Stego Video: hides files in a video sequence
• Spam mimic: encrypts short messages into email that looks like spam, http://spammimic.com
• Steganos Security Suite (commercial)
• and many, many more…
Stegdetect
• Automated tool for detecting steganographic content in images
• Currently-claimed detection schemes:
  – Jsteg
  – JPHide
  – Invisible Secrets
  – Outguess 0.1.3b
• Windermere’s analysis shows this program is extremely unreliable and provides excessive (i.e., near 100%) false positives
S-Tools
• Hides info in BMP, GIF, and WAV files.
• Just drag them over open sound/picture windows.
• Hides multiple files in one sound/picture, and your data is compressed before being encrypted, then hidden.
• Encryption services come courtesy of "cryptlib" by Peter Gutmann (and others).
OmhiHide
Hide your video or audio file behind an image. OmhiHide PRO is a powerful data-hiding utility that allows you to hide files within other files. The output files can be used or shared like a normal file would be without anyone ever knowing of the file hidden within it. That way, your data stays safe from the prying eyes you want to hide it from.
Summary
• Steganography is primarily used to maintain anonymity and is easily available to most anyone
• Sophisticated tools are readily available on the Internet, and are easy to use
• Lack of both awareness and developed tools and analysis techniques
• Only recently has the security community started to concern itself with this subject
• Little public information on the use of data hiding
• Development/use of information hiding products far outpaces the ability to detect/recover them; this situation is not likely to change soon
A Final Thought
“I think we are perilously close to a lose-lose situation in which citizens have lost their privacy to commercial interests and criminals have easy access to absolute anonymity. That's not a world we want.”
Philip Reitinger, Former Senior Counsel, US Justice Department Computer Crime and Intellectual Property Division