Steganography

Michael Desrosiers

As you might have noticed the look, smell and taste of the monthly ITSecure SecurityFacts e-newsletter is the same. What has changed is our name. We are extremely excited about our new name, m3ip and hope that our new format will provide a better understanding of what our firm can do for you regarding risk mitigation and management consulting.

This informational e-newsletter is intended to raise the level of awareness within the user community. If you deem it to be spam or irrelevant in your environment just send us an email at mdesrosiers@m3ipinc.com and in the body of the message type in "no mas". We will not take it personally.

This month's topic is about steganography, the art of hiding information by embedding messages within other seemingly harmless messages. After last weeks latest patch from Microsoft regarding the extremely critical .wmf Metafile error handling vulnerability, we think now would be a good time to explain how these types of exploits could be used in a so called "zero-day" scenario using steganography.

Steganography which basically means covered writing, dates back to ancient Greece where common practice consisted of etching messages in wooden tablets. There are numerous steganographic methods that everyone is familiar with, ranging from invisible ink and Morse Code to a hidden message in the last letter of each word of a large body of text and spread across the full spectrum of a radio transmission. With computers and networks, there are many other ways of hiding information, such as:

Hiding files in "plain sight";
Covert channels between hackers and compromised systems;
Null ciphers;
Hidden text within certain web pages.

Let's take what constitutes a null cipher. If myself and another person had previously agreed that when we correspond by email that just the first letters of our paragraph's words would have meaning, we could decrypt the information that was truly meaningful.

Below is an example that I found on the on-line encyclopedia site, Wikipedia:

From:

News Eight Weather: Tonight increasing snow. Unexpected precipitation
smothers eastern towns. Be extremely cautious and use snowtires especially
heading east. The highway is not knowingly slippery. Highway evacuation
is suspected. Police report emergency situations in downtown ending near
Tuesday.

To:

Newt is upset because he thinks he is President.
 

There are a number of uses for steganography. One of the most widely used applications is for digital watermarking. A watermark historically is the replication of an image, logo or text on paper stock so that the source of the document can be at least partially authenticated. A digital watermark can accomplish the same function. A graphic artist for example, might post sample images on her Web site complete with an embedded signature so that she can later prove her ownership in case others attempt to portray her work as their own. There also is another method or use, which is currently being used by the cracker community. There are several examples that they are using steganography to embed messages for their groups within images that are posted to known web sites.

Steganography is significantly more sophisticated than the examples above suggest, allowing someone to hide significant amounts of information within image and audio files. These forms of steganography often are used in conjunction with cryptography so that the information is doubly protected, first it is encrypted and then hidden so that an individual has to first find the information and then decrypt it.

Below is a great website for more information on this subject:

http://www.petitcolas.net/fabien/steganography/stego_soft.html

There you have it. Steganography is a really interesting subject and outside of the mainstream cryptography and system administration that most of us deal with on a daily basis.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.

Regards,

Michael Desrosiers
Founder
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
(O)508-995-4933
(C)774-644-0599
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com

More Articles by Michael Desrosiers

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.