Steganography for Dummies
The security technique of hiding secrets in plain sight is becoming user friendly. Is that a good thing?
By Scott Berinato
August 01, 2006 — CSO — My colleague Sarah Scalet took this photograph in Brooklyn.
It's lovely, isn't it? It's also carrying a secret message. Spread throughout this picture are bits of information that, when decrypted and assembled, create a text document that Sarah wanted me, and only me, to access. You'd never have known if I didn't say anything, and even now that I have said something, you can't find the secret message. In order to get to it you must: 1) know that it's there, 2) have software to extract it and 3) know the password required to extract it.
This is steganography: literally translated, "covered writing"; practically translated, concealing a secret message in an otherwise innocuous object.
No security technique is new, and this one dates back to ancient Greece. Steganographic techniques Greeks used included shaving someone's head and tattooing it with a secret message, letting the hair grow back and then sending the coiffed messenger to deliver the tress-concealed message. Invisible ink used on otherwise boring, unimportant memos was a favored technique in World War II. One man developed a way to hide messages in sheet music. In the digital world, it's done exactly as seen above, by hiding important files in unassuming audio and graphical files, like pictures of Brooklyn sunsets.
Steganography works not by beating security, but by avoiding it altogether. In a risk-based security program, this picture appears to pose no risk and thus bypasses further scrutiny. And even if you know it poses a risk
But the larger point is you can spend all the money you want on security technology with super-complex algorithms for determining what is suspicious, and it won't flag or inspect this picture. It's just laundry.
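To make concrete both how bits get "spread throughout" a picture and why nothing in an ordinary inspection pipeline flinches at it, here is an added example (not code from the article, and not the tool Sarah and the author used): a minimal least-significant-bit scheme over a constructed 8-bit grayscale image held as a flat list of pixel values. The password only chooses the order in which pixels are visited; `make_cover`, `make_payload`, the 64x64 size and the even-value bias of the cover are all constructed assumptions. The last two functions are the defender's side: with the original in hand, every change is measurable yet never larger than one gray level; without it, a crude LSB statistic shifts only because this cover was built to be biased, which real photographs often are not.

```python
import hashlib
import random
import struct

WIDTH, HEIGHT = 64, 64  # constructed image size


def make_cover(seed=1):
    # Constructed 8-bit grayscale cover as a flat list of pixel values:
    # a smooth ramp with a mild bias toward even values, standing in for
    # the slightly quantized tones a real decoder produces.
    rng = random.Random(seed)
    return [((x + y) // 2) * 2 + rng.choice((0, 0, 0, 1))
            for y in range(HEIGHT) for x in range(WIDTH)]


def make_payload(n=400, seed=7):
    # Constructed secret: random-looking bytes, as an encrypted document would be.
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def _pixel_order(password, n):
    # Password -> pixel visiting order, so the bits are scattered over the
    # whole picture instead of being written into the first rows.
    seed = int.from_bytes(hashlib.sha256(password.encode()).digest()[:8], "big")
    order = list(range(n))
    random.Random(seed).shuffle(order)
    return order


def embed(cover, payload, password):
    # 4-byte big-endian length header, then the payload, one bit per pixel LSB.
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for bit, idx in zip(bits, _pixel_order(password, len(cover))):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return stego


def extract(stego, password):
    # Reads bits back in the same keyed order. With the wrong password the
    # length header is noise, so the caller gets None (or, rarely, garbage).
    order = _pixel_order(password, len(stego))

    def read(start, count):
        out = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[order[start + k * 8 + i]] & 1)
            out.append(byte)
        return bytes(out)

    length = struct.unpack(">I", read(0, 4))[0]
    if 32 + length * 8 > len(stego):
        return None
    return read(32, length)


def pixel_delta(cover, stego):
    # Defender holding the original: (number of pixels changed, largest change).
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return sum(1 for d in diffs if d), max(diffs)


def lsb_ones_fraction(pixels):
    # Blind indicator: share of pixels whose LSB is 1. Embedding random-looking
    # bits pulls this toward 0.5. It only says something when the cover was
    # biased to begin with, so treat it as a screen, not as proof.
    return sum(p & 1 for p in pixels) / len(pixels)


if __name__ == "__main__":
    cover = make_cover()
    secret = make_payload()
    stego = embed(cover, secret, "correct horse")
    assert extract(stego, "correct horse") == secret
    print("changed pixels, max delta:", pixel_delta(cover, stego))
    print("LSB ones: cover %.3f  stego %.3f"
          % (lsb_ones_fraction(cover), lsb_ones_fraction(stego)))
```

The 404 payload bytes become 3,232 single-bit edits in a 4,096-pixel image; `pixel_delta` reports them all, but no pixel moved by more than one gray level, which is why a content filter sees laundry. A scanner that lacks the original is left with statistics like `lsb_ones_fraction`, and on an unbiased cover that statistic barely moves, which is the honest limit of naive steganalysis.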
Only it's not just laundry. It's a secret message. I'm not telling what the message ensconced in this specific picture says, but I will say that it isn't nearly as interesting or important as what Sarah could have hidden in there. For example, Sarah could have been delivering this week's betting lines for an online gambling ring she masterminds. Or, she could have stashed a map to the spot where I am to pick up a drug shipment. Or, she could have hidden a presentation on a new product Coca-Cola is developing, a cleverer technique for sure than allegedly trading hard copies of product development data at an airport. (Of course, Sarah's secret message is none of these; she is a law-abiding citizen who sent me a perfectly legal document.)