Tip

Using steganography for securing data, not concealing it

    Requires Free Membership to View

There's more than one way to receive Threat Monitor

Listen to this steganography tip on your computer or MP3 player.
Although encrypted data is difficult to decipher, it is relatively easy to detect. Encryption only obscures a message's meaning, not its existence. Therefore, steganography, a technique that hides the existence of a message, is often used to supplement encryption. It's easy to use and works by replacing bits of unused data in computer files or communication channels, such as telephone lines or radio broadcasts.

Steganography use: Advantages and Disadvantages
Steganography is beneficial for securely storing sensitive data, such as hiding system passwords or keys within other files. However, it can also pose serious problems because it's difficult to detect. Network surveillance and monitoring systems will not flag messages or files that contain steganographic data. Therefore, if someone attempted to steal confidential data, they could conceal it within another file and send it in an innocent looking email.

So what can an organization do to ensure this practice isn't used maliciously? Let's review some tools and tactics to help detect hidden messages.

Detecting steganography misuse
There are two methods for detecting steganographically-encoded data: visual steganalysis and statistical steganalysis. The visual method compares a copy of the source file with the suspect file by running a hash against the source file and checking that it matches the hash on the suspect copy. Statistical steganalysis compares theoretically expected frequency distributions of message content with the frequency distribution of the suspected file. Because the covertext has to be modified to store the hidden data, there are usually detectable signs within the covertext's normal characteristics that can be used to reveal the hidden message. For example, when running a histogram on an image, there should be random spikes, but if the histogram is flat or has one large spike, it's likely the image contains hidden information.

More on steganography

This article from Information Security magazine examines  steganography abuse.
There are tools available, such as Stegdetect, that analyze content for hidden information. Stegdetect is capable of detecting several different steganographic methods used to embed hidden information in JPEG images.

Steganography-detection: Enterprise best practices
To detect hidden messages, an organization must actively monitor network traffic, which is time- and processor-intensive. However, those who are familiar with the network's normal traffic patterns can simply look for changes, such as increased movement of large images across the network, which may warrant further, detailed investigation. It's also wise to have -- and actively enforce -- a security policy that clearly outlines acceptable usage, what data types can and can't be sent across the network and how it should be protected. Also, restrict unauthorized programs, ban the use of unauthorized encryption and steganography in the workplace and consider limiting the size of mailboxes.

Finally, consider determining whether employees who deal with confidential information should have access to large media files, particularly image, video or audio files that are to be posted on your Web site. Malicious parties could use steganography to pass information via such files to a third party with access to your site. Why not consider using steganography to your advantage by using digital watermarks, a form of steganography, to copyright your Web-accessible media files? You can even use it to hide system passwords or keys within other files to provide a more secure storage location.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application securityand platform security.

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.