Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: Steganography.
Steganography, a term derived from the Greek for “covered writing”, refers to techniques for hiding a covert message in an unsuspected object or communication. Historical examples abound – from the ancient Greeks tattooing messages on the scalps of trusted slaves to Boy Scouts using lemon juice as invisible ink to send hidden messages. In modern parlance, it more often refers to “digital steganography”, the use of computers to embed messages into an innocuous file.
(A couple of vocabulary terms before we continue. “Stego” is a common abbreviation for steganography, both for the sake of brevity and because most spell checkers choke on the full word. The data that is being secretly conveyed is often called the “message” or the “payload”. The file that the message is hidden in is often called the “carrier”.)
It is important to note that there is a subtle difference between encryption and steganography. When two parties are communicating using an encrypted channel, there is still metadata available to an eavesdropper. For example, if you sent me an encrypted email, there would still be definitive proof that your email account was used to send some message to my email account. The purpose of stego, on the other hand, is to hide the fact that any message is being passed at all. If you upload an image with a hidden message embedded in it to your web gallery and then I download it, there is almost no way that anyone would correlate these events.
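To make the carrier and payload vocabulary concrete, here is an added example (not from the original post, and not OpenPuff's method) of least-significant-bit embedding, a textbook technique, applied to a constructed byte string standing in for raw pixel samples. It shows why size checks and casual inspection do not notice the change: the carrier keeps its length and no byte moves by more than 1.

```python
import struct

HEADER_LEN = 4  # assumed layout for this example: 4-byte big-endian payload length


def capacity_bytes(carrier: bytes) -> int:
    """Payload bytes that fit at 1 hidden bit per carrier byte, after the header."""
    return max(len(carrier) // 8 - HEADER_LEN, 0)


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the lowest bit of successive carrier bytes with header + payload bits."""
    if len(payload) > capacity_bytes(carrier):
        raise ValueError("payload too large for carrier")
    data = struct.pack(">I", len(payload)) + payload
    out = bytearray(carrier)
    for i in range(len(data) * 8):
        bit = (data[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_lsbs(carrier: bytes, start: int, nbytes: int) -> bytes:
    """Rebuild nbytes from the lowest bits of carrier[start : start + 8 * nbytes]."""
    val = bytearray(nbytes)
    for i in range(nbytes * 8):
        val[i // 8] = ((val[i // 8] << 1) | (carrier[start + i] & 1)) & 0xFF
    return bytes(val)


def extract(carrier: bytes) -> bytes:
    """Recover the payload; reject carriers whose header is not plausible."""
    (length,) = struct.unpack(">I", _read_lsbs(carrier, 0, HEADER_LEN))
    if length > capacity_bytes(carrier):
        raise ValueError("no plausible payload header")
    return _read_lsbs(carrier, HEADER_LEN * 8, length)


def max_sample_change(original: bytes, modified: bytes) -> int:
    """Largest per-byte difference between the two carriers."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed sample data: 1024 pseudo-pixel bytes and a short message.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(1024))
STEGO = embed(CARRIER, b"meet at noon")

if __name__ == "__main__":
    print(extract(STEGO), len(STEGO) == len(CARRIER), max_sample_change(CARRIER, STEGO))
```
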
There are hundreds of different steganography applications available for all major operating systems – for the sake of example, I will look at OpenPuff. OpenPuff is a currently maintained Windows application designed to hide messages in a variety of different carrier types:
- Images (BMP, JPG, PCX, PNG, TGA)
- Audio (AIFF, MP3, NEXT/SUN, WAV)
- Video (3GP, MP4, MPG, VOB)
- Flash-Adobe (FLV, SWF, PDF)
What this means is that someone can hide up to a quarter-gigabyte of data inside something that appears to be a bitmap or video file, upload it to a common media sharing site like Facebook or Flickr, and have an accomplice download the file and extract the data. And unless your corporate defenses are set up to capture someone uploading data to a social media site – a filter that would no doubt be overwhelmed by false positives in most environments – you would be none the wiser. This is especially true since OpenPuff is available as a Portable App these days, so it doesn’t even require install rights on the client machine.
Surprisingly, there have been very few cases of steganographic carriers spotted in the wild; lots of speculation about it as a threat, but very little proof. Then again, the point of the technology is to evade notice. Maybe it’s just really good at it.