Although encrypted data is difficult to decipher, it is relatively easy to detect. Encryption only obscures a message's meaning, not its existence. Therefore, steganography, a technique that hides the existence of a message, is often used to supplement encryption. It's easy to use and works by replacing bits of unused data in computer files or communication channels, such as telephone lines or radio broadcasts.
Steganography use: Advantages and Disadvantages
Steganography is beneficial for securely storing sensitive data, such as hiding system passwords or keys within other files. However, it can also pose serious problems because it's difficult to detect. Network surveillance and monitoring systems will not flag messages or files that contain steganographic data. Therefore, if someone attempted to steal confidential data, they could conceal it within another file and send it in an innocent looking email.
There's more than one way to receive Threat Monitor
- Listen to this steganography tip on your computer or MP3 player.
So what can an organization do to ensure this practice isn't used maliciously? Let's review some tools and tactics to help detect hidden messages.
Detecting steganography misuse
There are two methods for detecting steganographically-encoded data: visual steganalysis and statistical steganalysis. The visual method compares a copy of the source file with the suspect file by running a hash against the source file and checking that it matches the hash on the suspect copy. Statistical steganalysis compares theoretically expected frequency distributions of message content with the frequency distribution of the suspected file. Because the covertext has to be modified to store the hidden data, there are usually detectable signs within the covertext's normal characteristics that can be used to reveal the hidden message. For example, when running a histogram on an image, there should be random spikes, but if the histogram is flat or has one large spike, it's likely the image contains hidden information.
There are tools available, such as Stegdetect, that analyze content for hidden information. Stegdetect is capable of detecting several different steganographic methods used to embed hidden information in JPEG images.
Steganography-detection: Enterprise best practices
To detect hidden messages, an organization must actively monitor network traffic, which is time- and processor-intensive. However, those who are familiar with the network's normal traffic patterns can simply look for changes, such as increased movement of large images across the network, which may warrant further, detailed investigation. It's also wise to have -- and actively enforce -- a security policy that clearly outlines acceptable usage, what data types can and can't be sent across the network and how it should be protected. Also, restrict unauthorized programs, ban the use of unauthorized encryption and steganography in the workplace and consider limiting the size of mailboxes.
Finally, consider determining whether employees who deal with confidential information should have access to large media files, particularly image, video or audio files that are to be posted on your Web site. Malicious parties could use steganography to pass information via such files to a third party with access to your site. Why not consider using steganography to your advantage by using digital watermarks, a form of steganography, to copyright your Web-accessible media files? You can even use it to hide system passwords or keys within other files to provide a more secure storage location.
More on steganography
- This article from Information Security magazine examines steganography abuse.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application securityand platform security.