•(Introduce yourself.)
•(Name the presentation)
•Steganography comes from the Greek root words “steganos” and “graphein”, which literally mean “covered writing”.
•Steganography is the act of hiding a secret message within a cover-medium.
•The primary goal of steganography is to hide the fact that communication is taking place.
•Steganography is NOT the same thing as cryptography.
•Steganography is used to hide the presence of a message or communication, whereas cryptography is used to obscure a message or communication so that it cannot be understood.
•It’s common practice to use cryptography to obscure a message prior to using steganography to hide it.
•(List the terms shown in the slide.)
•A simple example of steganography is to use a specially crafted cover-text to hide the message.
•This steganographic system relies on prior knowledge of the system in order to decode the message.
•In this case, we use the first letter of each word in the cover-text.
•Using this method, you have to specially craft your cover-text, which may result in improbable sentences or suspect communication that could potentially give you away.
•(List traditional methods as shown in the slide.)
•Microdots are tiny dots or holes drawn or punched into the paper.
•Our previous example is an example of a traditional method of steganography.
•Traditional methods have generally relied on the secrecy of the encoding method. An excellent example of this is shaving a messenger’s head, tattooing a message on it, then waiting for the hair to grow back before sending the messenger.
•With traditional methods, once the system is known, it is trivial to detect, thus breaking the steganographic system.
•When most people think of modern methods of steganography, they think of ways to digitally embed the message data into cover data; however, those are not the only methods available.
•(List Modern Methods as shown in slide.)
•A goal of modern digital methods is to be detectable only if a shared secret or key is known. This is similar to the common understanding in cryptography that the security of a cryptographic system should lie solely in the key information because the protocol and algorithm should be assumed to be publicly known. Like cryptography, you should assume that the steganographic protocol and algorithm are publicly known.
•Some of the more popular plain text methods in the days of print media were to design a steganographic system by pre-determining which characters or words in a given cover text were to be used to reconstruct the message, much like our previous example of selecting the first letter from each word.
•Now that electronic media is prevalent, other methods have arisen such as introducing white-space characters like extra spaces and tabs.
•Many applications like word processors and web browsers tend to compress sequences of multiple white-space characters so that they are not displayed and are not apparent to the naked eye. The applications can detect these and know they are there, but a human just looking at the display most likely will not.
•Snow uses spaces and tabs as bits, representing ones and zeros, and will append up to 7 white space characters to the end of every line of a text file.
•Snow gets its name from its method, which stands for steganographic nature of white-space. What they’re referring to is that human eyes probably won’t detect it.
•Snow uses the ICE encryption algorithm to encrypt the message prior to embedding it in the cover-medium.
•Because hypertext is usually marked-up plaintext, most plaintext methods can be applied to the hypertext.
•You can also use hypertext tags that will not display in a browser to hide messages, such as the HTML comment tag (<!-- comment -->), hidden form fields, etc.
•Also, the placement or existence of certain content in the presentation of a webpage can be used to convey a message, such as if an image exists or appears in a certain place or if the navigation menu is ordered in a certain way.
•Messages can be hidden in audio files or in the audio itself.
•The human-inaudible audio spectrum can be used to transmit a message that a computer would be able to detect, or
•Musical tones and lengths of notes in the actual audio can be used to convey messages.
•Morse code is a simple example of an audible encoding that could potentially be included in a musical track, such as creating the entire musical score out of quarter and eighth notes, representing dashes and dots.
•And of course, you can digitally embed a message into the bits of the data file itself.
•Digitally embedding a message in a cover-medium generally involves two basic steps:
•Identifying the cover-medium’s redundant bits
•Deciding which of the redundant bits to use for embedding your message, then modifying those.
•In most digital mediums I’ve used steganography with, the redundant bits are generally one or more of the least-significant bits of each data byte or each represented value in the cover-medium.
•Media formats in general tend to be very inaccurate data formats because they don’t need to be accurate. The human ear is not very good at differentiating sounds.
•For example, recording the same orchestra performance with two separate recording devices will produce vastly different recordings when viewed digitally, but they will generally sound similar if recorded in a similar manner.
•Changes in an audio bit-stream can be made so slightly that when played back the human ear won’t be able to distinguish the difference between the cover-audio file and the stego-audio file.
•With audio, you can use the least-significant bits from each byte of the data as the redundant bits with which to embed data.
•(Go over the content of the slide)
•As you can see, only four of the eight bytes of data actually changed values.
•Obviously, using this method, the cover-medium needs to be at least 8 times the size of the message in order to make embedding the entire message possible.
•S-Tools 4 is a Windows application.
•It can operate on both audio and image files, but we’ll be using it for an audio example using a WAV file.
•Using S-Tools is literally a drag-and-drop affair.
•Drag your cover-medium file directly into the window.
•Note in the bottom right-hand corner how much data your host file can hold.
•anomaly1.wav is about 270k. If you’ll notice, the amount of embedded data it can hold is roughly 1/8th of that.
•Drag the message that you are embedding directly onto the cover-medium as displayed in S-Tools, which will bring up the Hiding data dialog.
•Notice that it supports multiple types of encryption with which to obscure your message prior to embedding it.
•After selecting the type of encryption you want to use and entering a pass phrase, it will perform the steganographic process and the hidden data object will appear.
•Right click the hidden data window to save your output file.
•Note that the waveforms are nearly identical. Only very detailed manual analysis or a digital analysis would uncover the difference.
•(Click on the speakers and play the files!!!)
•As you can hear, the audio files are identical to the human ear.
•Extracting a message is basically a reverse of the process.
•Drag the stego-medium file into S-Tools.
•Right-click on it and select reveal.
•Type in your pass-phrase and SELECT THE SAME ENCRYPTION ALGORITHM USED WHEN EMBEDDING!
•Hidden file will be revealed, right-click on it to save it.
•Video is similar to audio in the methods you can use to hide your message.
•You can also use some of the hypertext techniques since video is a visual medium, such as the presence or absence of objects in the recorded environment.
•Other visual clues can be used to convey a message, such as hand or foot positions or eye blinks from the recorded subjects.
•And of course you can digitally embed a message in the bits of the video file itself.
•Some methods for embedding a message in cover-imagery include:
•Using slightly different colors.
•Digital watermarking.
•Digitally embedding a message into the data of an image file.
•A good example of using slightly different colors to hide a message is the logo for the SNOW tool we discussed earlier.
•Notice the ample amount of white-space above the word SNOW in the logo. There is actually an image hidden there.
•This is the image’s color table from Photoshop 7. Most digital image manipulation tools will have something similar to view an image’s color palette.
•By looking at the color palette for the image, we can see there are actually two separate white values with only a single bit difference (FFFFFF & FFFFFE). The difference between the two whites is indistinguishable to the human eye.
•By changing the color value for the second white value to something with more contrast, the image becomes visible.
•Yes, it’s supposed to be a polar bear in a snowstorm.
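The palette check described above, as an added example that is not part of the original presentation: it looks for colour-table entries that differ by a single bit and marks the pixels that use the second one. The palette, pixel grid and function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample of an indexed image: a colour table plus rows of palette indices.
PALETTE = [0xFFFFFF, 0xFFFFFE, 0x000000]   # two whites one bit apart, plus black
PIXELS = [
    [0, 0, 0, 0, 0, 0, 0],
    [0, 0, 1, 1, 1, 0, 0],
    [0, 1, 1, 1, 1, 1, 0],
    [0, 0, 1, 0, 1, 0, 0],
    [2, 2, 2, 2, 2, 2, 2],                  # visible artwork drawn in black
]

def near_duplicate_colors(palette, max_bits=1):
    """Return index pairs (i, j), i < j, whose RGB values differ in 1..max_bits bits."""
    pairs = []
    for (i, a), (j, b) in combinations(enumerate(palette), 2):
        if 0 < bin(a ^ b).count("1") <= max_bits:
            pairs.append((i, j))
    return pairs

def recolor(palette, pairs, contrast=0xFF0000):
    """Copy the palette and give the second colour of each pair a contrasting value."""
    shown = list(palette)
    for _, j in pairs:
        shown[j] = contrast
    return shown

def hidden_mask(pixels, pairs):
    """Render pixels that use a recoloured entry as '#', everything else as '.'."""
    hidden = {j for _, j in pairs}
    return ["".join("#" if p in hidden else "." for p in row) for row in pixels]

if __name__ == "__main__":
    pairs = near_duplicate_colors(PALETTE)
    print(pairs, [f"{c:06X}" for c in recolor(PALETTE, pairs)])
    print("\n".join(hidden_mask(PIXELS, pairs)))
```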
•Before we get into digitally embedding a message into an image’s data, we need to cover some basics.
•Images vary in resolution and in how many colors they can display, and as such some images are better suited to steganography than others.
•An image’s BPP (bits per pixel) value tells us how many colors an image can display.
•Using steganography with 8-bit images has a lot of hurdles to overcome.
•8-bit images use an index of colors rather than using actual color values to represent colors, and store the actual color values in a color table.
•This is also sometimes referred to as its color-map.
•This color-mapping creates an entire set of unique problems to overcome when manipulating bits in the image.
•A single bit change in a pixel value could potentially map to a completely different color, which could drastically change the way the image looks.
•We won’t be discussing methods for using steganography with 8-bit images in this presentation and will instead be focusing on 24-bit images.
•24-bit images are preferable to 8-bit images because each pixel has more bits within which to hide a message.
•In a 24-bit image, each pixel is represented by 3 bytes, one byte each for Red, Green, and Blue, which allows the color values to be stored directly in the image and does not require the use of a color-table.
•Slightly manipulating color values stored this way will result in a color whose value is extremely close to the original.
•A 24-bit 1024x768 image provides over 2 million pixels within which to hide a message, each pixel being three bytes.
•Obviously, a file with the characteristics that we’re talking about will be a fairly large image and is still rather uncommon on the Internet.
•Images this large may stand out or attract attention unless compressed.
•Compression may also be required to make an image this large feasible to transfer on low-speed connections or networks.
•Types of image compression are categorized as lossy and lossless.
•Lossless compression allows the user to reconstruct the entire original image upon decompression, thus it does not interfere with a stego-image’s integrity.
•Lossy compression, however, will lose some of the original image’s data; therefore it will interfere with your communication when uncompressed.
•Some examples of formats using lossless compression are GIF and BMP. An example of a lossy compression format is JPEG.
•If you were to convert your stego-image from a GIF to a JPEG and back, it will more than likely compromise the integrity of your stego-medium.
•Small color palettes don’t allow much opportunity for embedding data because there is not a lot of variation between values in the cover-image.
•Large areas of solid colors are also difficult to embed within because the effects of manipulation are easily spotted.
•Images with a LARGE color palette are desirable for cover-images.
•Lots of subtle color variations allow more opportunity for hiding the embedded data.
•Landscapes and Portraits generally make excellent cover-images.
•Images that distract you make excellent cover-images. Who would be thinking about looking for hidden data when viewing this image?
•Similar to the audio example we discussed earlier, you can use the least-significant bits of each byte to embed a message.
•Because each pixel’s color value is represented by three bytes, you can hide three bits of data in each pixel.
•This allows for a relatively large amount of data to be embedded within an image, however it’s still only 1/8th the size of the cover-image.
•Compressing your message prior to embedding it can allow for an even larger amount of data to be hidden.
•(Go over the contents of the slide)
•Note again that when using the least significant bits of each byte, only about half of the values are actually changed. On average this ratio holds true.
•If needed, even the second least-significant bits could be used without the differences becoming noticeable to the human eye, which would double the amount of data an image could potentially hold.
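An added example, not from the original presentation, of the least-significant-bit method described in both the audio and the image notes above: it embeds a message one bit per cover byte, extracts it again, and counts how many cover bytes changed. The cover bytes and function names are constructed; writing bits most-significant first is an assumption, not the layout of S-Tools or any other tool.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits, MSB first, into the least-significant bit of each cover byte."""
    if len(cover) < 8 * len(message):
        raise ValueError("cover must be at least 8 times the size of the message")
    stego = bytearray(cover)
    for i, byte in enumerate(message):
        for k in range(8):
            bit = (byte >> (7 - k)) & 1
            pos = 8 * i + k
            stego[pos] = (stego[pos] & 0xFE) | bit   # clear the LSB, then set it
    return bytes(stego)

def extract_lsb(stego: bytes, length: int) -> bytes:
    """Rebuild `length` message bytes from the LSBs of the first 8*length bytes."""
    out = bytearray()
    for i in range(length):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[8 * i + k] & 1)
        out.append(value)
    return bytes(out)

def changed_bytes(cover: bytes, stego: bytes) -> int:
    """Count positions where the stego-medium differs from the original cover."""
    return sum(a != b for a, b in zip(cover, stego))

def constructed_cover(n: int, seed: int = 1) -> bytes:
    """Pseudo-random stand-in for audio samples or pixel values (constructed data)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

if __name__ == "__main__":
    cover = bytes.fromhex("27e9c827e9c827e9")        # eight constructed cover bytes
    stego = embed_lsb(cover, b"A")
    print(stego.hex(), changed_bytes(cover, stego), extract_lsb(stego, 1))

    big = constructed_cover(8000)
    big_stego = embed_lsb(big, b"x" * 1000)
    print(changed_bytes(big, big_stego) / 8000)      # close to one half
```

Comparing a suspect file against the original cover with `changed_bytes` shows differences confined to the lowest bit of each byte.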
•There are a wide range of methods used to identify which redundant bits from a cover-medium you want to use.
•These methods usually make up what could be compared to the algorithm component in cryptography and include methods like
•Using all of them
•Using a key or bit mask for selection
•Random distribution or complex formulas, and
•Selection based on cover-image analysis, which is usually done in an attempt to thwart Steganalysis.
•I’m not going to cover the various methods of identifying which redundant bits to use to embed a message because it could most likely fill an entire hour by itself.
•This is Outguess’ description blurb. Basically it says it’s a generic steganographic engine.
•Outguess was designed as more of a steganography framework.
•The core of Outguess does the work of encrypting the message and inserting the message into the cover-medium.
•Separate, independent “data-handlers” for individual cover-medium types handle the identification of redundant bits and selection of which redundant bits to use.
•Outguess employs a number of techniques to help prevent the detection of steganography in potential stego-mediums.
•The primary thing it does for imagery is preserve image data statistics so that statistical analysis of the images will not identify steganographic manipulations.
•Studying the other techniques that Outguess uses in an attempt to reduce the chances of detection is left as an exercise for the curious.
To embed: outguess -k "my password" -d message.txt cover.jpg stego.jpg
To retrieve: outguess -k "my password" -r stego.jpg message.txt
•Messages can be embedded into existing network traffic that a host is generating or a host is forwarding.
•Also, network traffic can be generated specifically for the steganographic communication.
•Some protocol headers have fields that are reserved for future use, only used under certain circumstances, or become irrelevant or un-needed as the packet traverses the network stack.
•Depending on the data type, you may even be able to use the data payload as a cover-medium.
•Some things to avoid when attempting to use steganography with network traffic:
•Using optional header fields or header fields that are likely to change in transit could result in data loss.
•Header fields like IP options, which might be stripped, changed, or modified in transit or upon fragment reassembly, are poor choices of locations to hide your data.
•The variations in types of network traffic provide for many potential uses of steganography.
•Using TCP sessions provides the potential for full-duplex communications due to TCP’s connection-oriented nature.
•Multicast UDP or ICMP, for example, could be used for broadcast of a steganographic message.
•Some examples of usable network header fields include:
•The IPID field in the IP header (RFC 791)
•TCP SYN packet’s initial sequence number (ISN) (RFC 793). Nomad’s Ncovert tool’s method simulates a SYN scan and uses this field.
•Various ICMP types have different amounts of unused space in their headers (RFC 792)
•Routing control messages have various fields that can be used.
•Some examples of usable payloads include:
•ICMP Echo Request/Reply’s payload, which only requires that the payload match to be functional, usually disregarding the actual content of the payload
•Video or Audio traffic can allow for slight changes without damaging the integrity of the data as we’ve demonstrated earlier in our audio example.
•Yesterday intropy had an idea for this tool and I coded it up last night so we’d have another demo and some code to release.
•It will basically take your message, convert it to hex, and send it as part of a GET request to a web server, which should log the request.
•You can then use it to parse the web server logs on the receiving side to extract your message.
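From the receiving or defending side, the log parsing described above could look like the following added example (not the tool's code, which these notes do not show): it scans access-log lines for GET targets that carry long hex runs decoding to readable text. The Combined Log Format lines, addresses and paths are constructed, and the 16-character minimum and 90% printable threshold are assumed values.

```python
import re

# Combined Log Format prefix: client, ident, user, [timestamp], "GET target HTTP/x.y"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')
# A run of at least 8 hex byte pairs that is not part of a longer hex string.
HEX_RUN = re.compile(r'(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){8,})(?![0-9A-Fa-f])')

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] '
    '"GET /static/app.9f86d081884c7d659a2feaa0c55ad015.js HTTP/1.1" '
    '200 88211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:10:01:09 +0000] '
    '"GET /img/6d656574206174206e6f6f6e.gif HTTP/1.1" 404 196 "-" "curl/8.0"',
]

def hex_carriers(log_lines, min_printable=0.9):
    """Return (client, target, decoded_text) for GET targets hiding readable hex."""
    findings = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue                      # not a GET request line we can parse
        client, target = m.groups()
        for run in HEX_RUN.findall(target):
            raw = bytes.fromhex(run)
            printable = sum(32 <= b < 127 for b in raw) / len(raw)
            # Hashed asset names decode to mostly non-printable bytes and are skipped.
            if printable >= min_printable:
                findings.append((client, target, raw.decode("ascii", "replace")))
    return findings

if __name__ == "__main__":
    for client, target, text in hex_carriers(SAMPLE_LOG):
        print(f"{client} {target} -> {text!r}")
```

A payload encrypted before hex encoding will not decode to printable text, so in that case the length and frequency of hex runs per client are the signal to review instead.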
•Encryption not only provides another layer of protection for your message, it also makes the hidden message more difficult to detect.
•It has been discussed previously that uploading a stego-image back to the digital camera that took the original cover-image could help obscure it. Pictures “still in the camera” may be less suspicious than pictures in a directory called “steg” on your computer.
•By destroying the original cover-medium, there is less chance of an attacker being able to find it and compare it to the stego-medium to analyze the differences.
•Steganographic systems inherently leave detectable traces in a cover-medium’s characteristics, potentially allowing an attacker to detect it.
•This detection reveals that covert communication is taking place, thus defeating the main goal of steganography.
•Steganalysis is the set of processes and methods that attempt to defeat steganography by analyzing potential stego-mediums for the traces of steganographic modifications.
•Earlier I briefly touched on attempting to prevent identification of your stego-medium through analysis.
•These two competing aspects, Steganography and Steganalysis, foster an arms race of technology and techniques.
•Steganalysis is a topic that can get as in-depth as steganography itself, if not more, and would make a good topic for a future presentation.
•These papers are excellent introductions to Steganography, and a few of them get a little more technical than this presentation; they are highly recommended if you are interested in further exploring the technology.
•The noted RFCs are a bland read but you all already know them by heart anyway, right? Take a look through these and other network protocol RFCs and you’ll be amazed at the abundance of unused and reserved space in the protocol headers as well as header fields that are used for singular purposes and may be able to be used or modified without impact to their function.
•This is a list of tools that we’ve mentioned or covered in this presentation as well as a few you may want to evaluate on your own.