2. Steganography – Definition and Origin
“The art of hiding messages in such a way that no one
but the sender and the intended recipient knows about
the very existence of the message”.
Greek Word, Steganos – “covered”, Graphie – “writing”
The word steganography is derived from the Greek
words steganos which means covered and graphie which
means writing. Thus, steganography literally means
"covered writing."
The strength of Steganography is “ Stealth”
3. Steganography Forms
Steganography comes in different forms:
Hidden information in Text Files
Hidden information in Image Files
Hidden information in Document Files
Hidden information in Video Files
Hidden information in Audio Files
Hidden information in E-Mails
4. Who’s Using It?
• Kinds of users include:
Trade fraud
Industrial espionage
Organized crime
Narcotics traffickers
Child pornographers
Criminal gangs
Individuals concerned about perceived government “snooping”
Those who want to circumvent restrictive encryption export rules
Anyone who wants to communicate covertly and anonymously
A message sent by a German spy during World War II read:
“Apparently neutral’s protest is thoroughly discounted and ignored. Isman
hard hit. Blockade issue affects for pretext embargo on by-products, ejecting
suets and vegetable oils.”
By taking the second letter of every word the hidden message “Pershing sails
for NY June 1” can be retrieved.
5. Some Known Uses of Steganography
Economic espionage - used to exfiltrate information from a
major European automaker
Political extremists - increasingly being used for secure
communications.
Fraud - used as a “digital dead drop” to hide stolen card
numbers on a hacked Web page
Pedophilia - used to store and transmit pornographic images
Terrorism - used to hide terrorist communications over the
Internet, e.g, Osama bin Laden’s alleged use of steganography
6. Terrorism
In a New York Times article that
was published in October of
2001, French defense ministry
officials reported the use of
steganography by terrorists that
were planning on blowing up
the U.S. embassy in Paris. They
were reportedly instructed to
communicate solely through
pictures on the internet, and
supposedly had connections to
Al Qaeda.
7. Terrorism
Alleged use of stego by
Osama bin Laden, (Feb
‘01)
Stego’d messages hidden
on Web sites to plan
attacks against the US
Maps, target photos
hidden in sports chat
rooms, pornographic
bulletin boards, popular
Web sites
8. Terminology
Steganography
It is the practice of disguising the existence of a message
stego-object
The combination of hidden data-plus-cover is known as
the stego-object
Cover
Generally, innocent looking carriers, e.g., pictures,
audio, video, text, etc. that hold the hidden information
Stegokey
An additional piece of information, such as a password
or mathematical variable, required to embed the secret
information
11. Steganography Today
Steganography Today, however, is significantly
more sophisticated than the examples above
suggest, allowing a user to hide large amounts of
information within image and audio files. These
forms of steganography often are used in
conjunction with cryptography so that the
information is doubly protected; first it is
encrypted and then hidden so that an adversary
has to first find the information (an often
difficult task in and of itself) and then decrypt it.
12. Steganography types
Steganography can be split into two types, these are Fragile and
Robust.
Fragile steganography involves embedding information
into a file which is destroyed if the file is modified. This
method is unsuitable for recording the copyright holder of
the file since it can be so easily removed, but is useful in
situations where it is important to prove that the file has
not been tampered with, such as using a file as evidence
in a court of law, since any tampering would have
removed the watermark. Fragile steganography
techniques tend to be easier to implement than robust
methods.
13. Steganography types
Robust marking aims to embed information into a file which cannot easily be
destroyed. Although no mark is truly indestructible, a system can be considered robust
if the amount of changes required to remove the mark would render the file useless.
Therefore the mark should be hidden in a part of the file where its removal would be
easily perceived.
There are two main types of robust marking. Fingerprinting involves hiding a unique
identifier for the customer who originally acquired the file and therefore is allowed to
use it. Should the file be found in the possession of somebody else, the copyright
owner can use the fingerprint to identify which customer violated the license
agreement by distributing a copy of the file.
Unlike fingerprints, watermarks identify the copyright owner of the file, not the
customer. Whereas fingerprints are used to identify people who violate the license
agreement watermarks help with prosecuting those who have an illegal copy.
Watermarks are typically hidden to prevent their detection and removal
14. One of the most widely used applications is for so-
called digital watermarking. A watermark,
historically, is the replication of an image, logo, or
text on paper stock so that the source of the
document can be at least partially authenticated. A
digital watermark can accomplish the same function;
a graphic artist, for example, might post sample
images on her Web site complete with an embedded
signature so that she can later prove her ownership
in case others attempt to portray her work as their
own.
In these days, watermarking is popularly used as a proof of
ownership of digital data by embedding copyright statements
into the digital media. It's also used for fingerprinting and
broadcast monitoring (in case of illegal broadcasting) etc.
15. Steganography and Cryptography
Steganography and Cryptography
Unknown message passing Known message passing
Steganography prevents discovery of Encryption prevents an unauthorized
the very existence of communication party from discovering the contents
of a communication
Little known technology Common technology
Technology still being developed for Most of algorithm known by all
certain formats
Once detected message Strong current algorithms are
is known currently resistant to attack, larger
expensive computing power is
required for cracking
Steganography does not alter the Cryptography alter the structure of the
structure of the secret message secret message
17. Algorithms and Techniques
There are three different techniques you can use to hide
information in a cover file
1. Injection or insertion
2. Substitution
3. Generation
18. Algorithms and Techniques
1-INJECTION (or insertion). you store the data you want to hide
in sections of a file that are ignored by the processing application.
By doing this you avoid modifying those file bits that are relevant
to an end-user—leaving the cover file perfectly usable. For
example, you can add additional harmless bytes in an executable
or binary file. Because those bytes don't affect the process
the end-user may not even realize that the file contains additional
hidden information
However, using an insertion technique changes file size
according to the amount of data hidden and therefore, if the file
looks unusually large, it may arouse suspicion
19. Algorithms and Techniques
2-SUBSTITUTION. Using this approach, you replace the
least significant bits of information that determine the
meaningful content of the original file with new data in a
way that causes the least amount of distortion. The main
advantage of that technique is that the cover file size does
not change after the execution of the algorithm. On the
other hand, the approach has at least Two Drawbacks
First, the resulting stego file may be adversely affected by
quality degradation—and that may arouse suspicion.
Second, substitution limits the amount of data that you
can hide to the to the number of insignificant bits in the file.
20. Algorithms and Techniques
3- GENERATION. Unlike injection and substitution, this
technique doesn't require an existing cover file this
technique generates a cover file for the sole purpose of
hiding the message
The main flaw of the insertion and substitution
techniques is that people can compare the stego file
with any pre-existing copy of the cover file (which is
supposed to be the same file) and discover differences
between the two. You won't have that problem when
using a generation approach, because the result is an
original file, and is therefore immune to comparison
tests
21. How Is Hiding Typically Done?
• The simpler techniques replace example
the least significant bit (LSB) of
each byte in the cover with a
single bit for the hidden message
• Frequently, these are encrypted
as well
Hidden message
10110010
…
11100101 01001110 10101101 10010111 … 01011010
Least Significant Bit
Cover
23. Need for Improved Detection
Growing awareness of data hiding techniques and
uses
Availability and sophistication of shareware and
freeware data hiding software
Concerns over use to hide serious crimes, e.g.,
drug trafficking, pedophilia, terrorism
Frees resources currently spent on investigating
cases with questionable/unknown payoff
Legislative calls
24. Some Indicators of Data Hiding
Activity
Evidence of steganography software on
computer
Forensics examination
Hashes of well-known files don’t match originals
Transmission logs
Excessive/unusual e-mails involving pictures,
sound files, etc.
Discernable (visual) changes
Statistical analysis
25. Detection
Can steganography be detected?
Sometimes…many of the simpler steganographic
techniques produce some discernable change in the
file size, statistics, or both. For image files, these
include:
Color variations
Loss of resolution or exaggerated noise
Images larger in size than that to be expected
Characteristic signatures, e.g., distortions or patterns
However, detection often requires a priori knowledge
of what the image or file should look like
26. Detection Challenges (1/2)
Stego software developers understand their
products’ weaknesses and have made significant
improvements:
minimal carrier degradation makes embedded data
harder to perceive visually
better modification immunity e.g., affine
invariance, immunity to channel noise, compression,
conversion
use of error correction coding ensures integrity of
hidden data
These improvements have led to even greater
difficulty in detection
27. Detection Challenges (2/2)
Lack of tools and techniques to recover the
hidden data
No commercial(effective) products exist for detection
Custom tools are analyst-intensive
Few methods beyond visual analysis of graphics files
have been explored
Usually, no a priori knowledge of existence
No access to stegokey
Use of unknown applications
28. Steganalysis
Several on-going research activities for
improving steganographic analysis methods
Some research is focusing on processing
techniques to reveal features in files that will:
Blindly, with no a priori knowledge, indicate the
presence of hidden data
Uniquely identify known stego packages
Some explaining follow...
29. "Blind" Steganography Detection
Blind detection:
attempts to determine if a message may be
hidden in a file without any prior knowledge of
the specific steganography application used to
hide the information. Several techniques may be
employed to inspect suspect files including
various visual, structural, and statistical methods.
30. Complications blind detection
Four Complications are possible when implementing blind detection
techniques for steganalysis:
The suspect file may or may not have any information hidden in it
in the
first place The hidden message may have been encrypted before
being hidden in the carrier file
Some suspect files may have had noise or irrelevant data encoded in
them which reduces the stealth aspect (i.e., makes it easier to detect
use of steganography) but makes analysis very time-consuming
Unless the hidden information can be found, completely recovered,
and decrypted (if encrypted), it is often not possible to be sure
whether the suspect carrier file contained a hidden message in the
first place- all the user end up with is a probability that the suspect
carrier file may have something hidden within it
31. Analytical Steganography Detection
The analytical approach to steganalysis has been developed by the Steganography
Analysis and Research Center as a byproduct of extensive research of
Steganography applications and the techniques they employ to embed hidden
information within files. The premise of this approach is to first determine if any
residual file and/or Microsoft Windows Registry artifacts from a particular
Steganography application exist on the suspect media.
•IF residual artifacts exist, then the application was probably installed
•The application was installed, then it was probably used
•IF the application was used, then something was probably hidden using it
The analytical approach attempts to determine if there is any evidence that a
steganography application ever existed on the suspect media.
Searching for files and registry entries that have been identified by the SARC
as belonging to a steganography application will identify these residual artifacts.
The goal is to determine what application was used, what type(s) of carrier files it
may have been used on, and finding what was hidden by that particular
application.
32. Steganography – Software Tools
Software tools – Freeware, Commercial.
S – Tools
Excellent tool for hiding files in GIF, BMP and WAV files
MP3Stego
Mp3. Offers quality sound at 128 kbps
Hide4PGP
BMP, WAV, VOC
JP Hide and Seek
jpg
Text Hide ( commercial)
text
Stego Video
Hides files in a video sequence
Spam mimic
encrypts short messages into email that looks like spam
http://spammimic.com
Steganos Security Suite (Commercial)
and Many Many More………………………………………………………….
33. Stegdetect
Automated tool for detecting
steganographic content in
images
Currently-claimed detection
schemes:
Jsteg
JPHide
Invisible Secrets
Outguess 0.1.3b
Windermere’s analysis shows
this program is extremely
unreliable and provides
excessive (i.e., near 100%)
false-positives
34. S-tools
Hides info in BMP, GIF, and WAV files.
just drag them over open sound/picture windows
hide multiple files in one sound/picture and your data is compressed before being
encrypted then hidden.
Encryption services come courtesy of "cryptlib" by Peter Gutmann (and others).
35. OmhiHide
Hide your Video or Audio File Behind Image
OmhiHide PRO is a powerful data-hiding utility
that allows you to hide files within other files.
The output files can be used or shared like a
normal file would be without anyone ever
knowing of the file hidden within it. That way,
your data totally stays safe from prying eyes
you want to hide it from.
37. Summary
Steganography is primarily used to maintain anonymity and is
easily available to most anyone
Sophisticated tools are readily available on the Internet, and are
easy-to-use
Lack of both awareness and developed tools and analysis
techniques
Only recently has the security community started to concern itself
with this subject
Little public information on the use of data hiding
Development/use of information hiding products far outpaces
the ability to detect/recover them; this situation is not likely to
change soon
38. A Final Thought
“I think we are perilously close to a lose-lose
situation in which citizens have lost their privacy
to commercial interests and criminals have easy
access to absolute anonymity. That's not a world
we want.”
Philip Reitinger
Former Senior Counsel, US Justice Department
Computer Crime and Intellectual Property Division