Protect yourself from the risks of steganography

Embedding sensitive data files within other files such as an MP3 or JPEG is a form of steganography. The technique has been around for a while, but the programs that create these files are more prevalent than ever. Take a look at what you should know. 

Since the days of the Greeks and the Romans, there has been a hidden writing technique for passing sensitive information called steganography, or steg for short. As kids, many of us played with disappearing ink made from common kitchen items such as lemon juice. In various wars, there have been microdots, or codes hidden in letters by arranging the letters into a chain of words. Today's steganographers use software to hide instructions and information in digital pictures, sound files, and Web pages. I will explore how this can be done and why you need to be aware of the techniques involved.

A typical steg scenario
Sean comes into the office wearing his typical headset tied back to his MP3 player. But this is not a typical day for Sean. Once everyone in his office leaves for lunch, he gets to work. Over the last few weeks, Sean has collected a variety of the newest designs and production notes for new ad projects at his company. He has been offered a substantial amount of money if he can pass these files off to a competitor.

He plugs his MP3 player into his computer and brings it online to receive files. Sean also takes out his USB memory key ring and inserts it into the USB port of the PC. He then starts up a program from the key ring called Steganography, which is from SecureKit and works with images or sound files. His goal is to embed the production files into a series of MP3 songs. He knows that MP3s do not use the entire audio range, so there is some space on the high side of the frequency to stash data of his own. Once the files have been embedded, Sean copies them up to the MP3 player into a custom play list. He then removes the USB memory and sticks it back onto his key ring. The headset goes back on and when his coworkers return, they find Sean listening away to his tunes. That night when everyone leaves the office, they go by the security desk and Sean, wearing his headset with music playing, is waved on through. The company's most recent plans and designs for a new advertising job have just walked out the door.

How it works
In Figure A, we see the Steganography program in operation, hiding a terminal server configuration text file in the music MP3 file "You're No Good."

Figure A

It could just as easily be an Excel spreadsheet or a Word document.

In the scenario above, the use of the MP3 player avoids the trap of network log files showing an FTP session to somewhere on the Internet. The use of the key chain USB memory stick avoids having the Steganography executable program show up in a daily application scan of the company desktops. Other MP3 tools Sean could have used are MP3Stego and, for image files, Invisible Secrets.

Sean's steg tool took advantage of the fact that MP3s do not use the entire audio range that humans can hear. This is one of the reasons that MP3s can be so much smaller then a WAV file. MP3s remove quite a bit of data when compressing sound, so the steg tool works in reverse by putting data back into the MP3 file in areas the human ear cannot hear.

So, how can steganography be detected?