Steganography for Dummies

The security technique of hiding secrets in plain sight is becoming user friendly. Is that a good thing?

My colleague Sarah Scalet took this photograph in Brooklyn.

It's lovely, isn't it? It's also carrying a secret message. Spread throughout this picture are bits of information that, when decrypted and assembled, create a text document that Sarah wanted me, and only me, to access. You'd never have known if I didn't say anything, and even now that I have said something, you can't find the secret message. In order to get to it you must: 1) know that it's there, 2) have software to extract it and 3) know the password required to extract it.

This is steganography, literally translated as "covered writing." Practically translated, it means concealing a secret message in an otherwise innocuous object.

No security technique is new, and this one dates back to ancient Greece. Steganographic techniques Greeks used included shaving someone's head and tattooing it with a secret message, letting the hair grow back and then sending the coiffed messenger to deliver the tress-concealed message. Invisible ink used on otherwise boring, unimportant memos was a favored technique in World War II. One man developed a way to hide messages in sheet music. In the digital world, it's done exactly as seen above, by hiding important files in unassuming audio and graphical files, like pictures of Brooklyn sunsets.

Steganography works not by beating security, but by avoiding it altogether. In a risk-based security program, this picture appears to pose no risk and thus bypasses further scrutiny. And even if you know it poses a risk (I gave away the fact that it's hiding a message, and you can readily purchase steganography software, two of the three prerequisites to access the secret), you still need a password to get to it, and the password Sarah and I agreed on is strong enough that it "cannot be identified by the secret services," according to the software we used.

But the larger point is you can spend all the money you want on security technology with super-complex algorithms for determining what is suspicious, and it won't flag or inspect this picture. It's just laundry.

Only it's not just laundry. It's a secret message. I'm not telling what the message ensconced in this specific picture says, but I will say that it isn't nearly as interesting or important as what Sarah could have hidden in there. For example, Sarah could have been delivering this week's betting lines for an online gambling ring she masterminds. Or, she could have stashed a map to the spot where I am to pick up a drug shipment. Or, she could have hidden a presentation on a new product Coca-Cola is developing, a cleverer technique for sure than allegedly trading hard copies of product development data at an airport. (Of course, Sarah's secret message is none of these; she is a law-abiding citizen who sent me a perfectly legal document.)

If she wanted even more security from detection, Sarah could have opened an online picture-posting account (e.g., Flickr) and put 1,000 images there, with certain ones containing documents she and I needed to take over our company. All that's required is that the cipherer and decipherer communicate what to look for where. For example, an e-mail with the subject "New Pictures of the Kids" could be code for "Secret Messages Here."

Even in the digital world, steganography isn't particularly new; rumors persist (never validated) that terrorists use it to communicate. What is new is how easy steganography is to use. It's approaching drag-and-drop easy. In fact, the vendor that makes the particular software we used here envisions security-conscious consumers and small businesses using steganography as a matter of course, to add a layer of security over their data or for watermarking documents.

That's the baby, but there's quite a bit of bathwater there, it seems. This reminds me of a column I wrote about Google Maps, in that what we're really talking about here is how ease of use changes the threat landscape. At some point a technology becomes so easy to use that it's opened up to the mass market. That seems to be where we are with steganography.

But the mass market is full of people whose intentions may or may not be honest. For security execs concerned with protecting intellectual property and preventing their networks from being used for illegal activities, easy-to-use steganography creates a considerable conundrum. Think of the options for controlling the use of steganography: One is to ban all audio and graphical files from the network. Good luck with that. Another would be to inspect and, in fact, alter every image and audio file that crosses the network, since altering these files can destroy the secret message inside. But that's not practical and, who knows, it may present legal complications. So what else can security execs do?
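As an added illustration of that second option (not code from the column or from the vendor it mentions), the toy Python below hides a short note in the least-significant bits of a constructed greyscale pixel array, shows that the change is invisible (no pixel moves by more than one level), and then applies a sanitizing transform that re-randomises those bits, after which the note is unrecoverable. The pixel data, the one-byte length header and the function names are all assumptions for the demo.

```python
import random

# Constructed sample cover: 256 greyscale pixels (0-255); stands in for the photo.
_rng = random.Random(7)
COVER = [_rng.randrange(256) for _ in range(256)]

def embed_lsb(pixels, message):
    """Hide message bytes in the least-significant bit of successive pixels.
    Assumed toy framing: one length byte, then the payload (max 255 bytes)."""
    if len(message) > 255:
        raise ValueError("payload too long for one-byte length header")
    payload = bytes([len(message)]) + message
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the LSB
    return out

def extract_lsb(pixels):
    """Reassemble the payload from the LSBs; garbage if none was embedded."""
    bits = [p & 1 for p in pixels]
    def byte_at(n):
        chunk = bits[n * 8:(n + 1) * 8]
        return sum(b << (7 - i) for i, b in enumerate(chunk))
    length = min(byte_at(0), len(bits) // 8 - 1)   # never read past the image
    return bytes(byte_at(1 + i) for i in range(length))

def sanitize(pixels, seed=0):
    """Defensive transform: re-randomise every LSB. A stand-in for the
    re-encoding or resampling the column describes; it changes no pixel by
    more than one level yet destroys any LSB-borne payload."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

def max_pixel_delta(a, b):
    """Largest per-pixel change between two images (0 = identical)."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    note = b"meet at 9"
    stego = embed_lsb(COVER, note)
    print("visible change:", max_pixel_delta(COVER, stego))   # at most 1
    print("recovered:", extract_lsb(stego))                   # b'meet at 9'
    clean = sanitize(stego)
    print("survives sanitizing:", extract_lsb(clean) == note)  # False
```

The same one-level-per-pixel budget that makes the embedding invisible is what makes the sanitizing pass cheap: a gateway that re-quantises or re-encodes images can scrub LSB payloads without anyone noticing a visual difference.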

For law enforcement and national security interests, the questions are equally difficult. The vendor we spoke with did not know of any restrictions on the use or sale of its product and did not have any requirement to share unlocking mechanisms with government agencies. Can law enforcement demand that? Can national security be invoked to severely limit steganography's distribution the way, say, the distribution of currency printing machines is limited?

There are no easy answers here, and no one is suggesting putting the clamps on steganography. As this particular vendor pointed out, you don't stop selling something useful like knives because a few people use them to stab people. And if steganography can help keep private information private, well, that seems like a good thing.

But at the same time, let's not kid ourselves. It changes the threat landscape. Terrorists using steganography shouldn't be considered a shocking conclusion or written off as sensationalist conspiracy theory. We should, in fact, assume they're using it. And the more user-friendly the technology becomes, the more users it will attract, including terrorists, drug syndicates, pornographers, the mafia and anyone else with something to hide.

New steganography software gives them an easy, highly secure way to hide it. Right there in the laundry, or at least in the picture of the laundry.

Would you use steganography to secure documents? Let me know along with other thoughts on steganography at sberinato@cxo.com.

Copyright © 2006 IDG Communications, Inc.
