
Northern Ohio Information Technology Roundtable

Independence, Ohio
6 June 2002

Steganography - An Introduction to Data Hiding Techniques
Michael Panczenko, Director, E-Crime
The Windermere Group, LLC
2000 Windermere Court
Annapolis, MD 21401
Who We Are

■ The Windermere Group, LLC: an Annapolis, MD-based information technology company
■ Provide specialized techniques and tools for high-technology crime investigation and security consulting, critical infrastructure assurance, and surveillance
■ Offerings include:
» Computer and network forensics
» Data recovery, including decryption
» Signal and data reconstruction, e.g., audio and video enhancement
» Intelligence collection and analysis and unconventional threat assessments
» Specialized security appliqués
A Motivating Example

Here’s a highly sensitive document

This is a classic example of steganography


Agenda

■ Introduce the concept of steganography


■ Discuss common steganographic techniques and
their uses
■ Explain the challenges to security professionals
and the need for improved detection techniques
■ Present some readily-available techniques for
improving steganographic detection
Terminology

■ Steganography
» Steganography comes from the Greek words for “covered writing”
» It is the practice of disguising the existence of a message
■ Cover
» Generally, innocent looking carriers, e.g., pictures, audio, video, text,
etc. that hold the hidden information
» The combination of hidden data-plus-cover is known as the stego-object
■ Stegokey
» An additional piece of information, such as a password or mathematical
variable, required to embed the secret information
Classification of Hiding Techniques

■ Information Hiding
» Covert Channels
» Steganography
• Linguistic
• Technical
» Anonymity
» Copyright Marking
• Robust: Fingerprinting; Watermarking (Imperceptible, Visible)
• Fragile

Ref: F.A.P. Petitcolas, R.J. Anderson, and M.G. Kuhn, “Information Hiding - A Survey,” in Proc. of the IEEE, vol. 87, No. 7, July 1999, pg. 1063
Typical Scenario

■ Sender
■ Sender Hides Secret Message In a Cover Using a Stegokey
■ Transmitted Carrier Appears Innocuous
■ Receiver Decodes Secret Message by Removing the Cover Using the Stegokey
■ Receiver Reads Secret Message
Steganography vs. Encryption

■ Steganography should not be confused with encryption
» Encryption disguises the content of a message. The
existence of the message is usually obvious
» Steganography disguises the existence of the message
■ However, additional security can be obtained if
steganography is combined with encryption
Example

[Figure: two panels, "Encryption" and "Steganography" (contains embedded encrypted message)]
Steganography Through History

■ Ancient Greece, 5th-Century B.C.: tattooing secret message on slave’s head
■ Trithemius, Steganographia, 1606
■ Gaspari Schotti, Schola Steganographica, 1665
■ Invisible Inks
■ Null ciphers: camouflaging secret messages in innocent sounding message
» “Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on byproducts, ejecting suets and vegetable oils.”
» Hidden message: Pershing sails from NY June 1
An Innocent Web Page?

Ref: http://www.witsusa.com
Why Steganography Works
■ Human Visual System (HVS) - characteristics
include:
» Insensitivity to gradual changes in shade
» Insensitive to high frequencies and blue region of
visible spectrum

■ Human Audio System (HAS) - characteristics include:
» Sensitive to additive random noise
» Inability to perceive absolute phase

But poor human perceptibility ≠ undetectability


Uses of Steganography

■ Steganography is primarily of use in maintaining anonymity and it can be applied to virtually any digitized audio, graphics, or text file
■ Uses include:
» Creating covert channels for private communications
» Data infiltration/exfiltration
» Digital signatures for file authentication (digital watermarking or
copyrighting)
» Web surfer tracking/direct marketing
Digital Watermarking
■ Protection of intellectual property rights/thwart software piracy
■ Watermarking has been proposed as the “last line of defense”
» Implements copy protection, e.g., “never copy,” “copy once”
» Copyright ownership and original, authorized recipient can be determined
» Allows trace-back of illegally produced copies for prosecution
[Figure: watermark embedding, with two callouts]
1) Watermark is embedded in noise of original image
2) Embedded watermark can only be retrieved by recovery software
SDMI

■ Secure Digital Music Initiative (SDMI) - forum of more than 180 companies (IT, consumer electronics, recording industry)
■ Attempting to prevent digital piracy through watermarking technology
■ Some consumer electronics manufacturers already introducing SDMI compatible products

Ref: http://equip.zdnet.com/gear/mp3/news/16d7a/
Digital Piracy

■ Annual global piracy losses are $11B


» 9 of 10 business software applications in China, Vietnam, Indonesia, and Russia are
pirated
» Asia leads the world in developing and selling pirated software
■ Piracy will continue to increase due to Internet distribution methods
» Global market for media and entertainment expected to be $1T by 2004 (PWC Report)
» Recorded music sales: $42B
» “Legitimate sales” of digital on-line music: $1.5B USD
■ Significant hacking activity by bootleggers to render watermarking
techniques useless
How Is Hiding Typically Done?

■ The simpler techniques replace the least significant bit (LSB) of each byte in the cover with a single bit for the hidden message
■ Frequently, these are encrypted as well
■ More sophisticated methods include:
» select robbed bytes using a random number generator
» resampling the bytes-to-pixel mapping to preserve the color scheme
» hiding information in the coefficients of the discrete cosine, fractal, or wavelet transform of the image
» spread spectrum
» mimic functions that adapt bit patterns to a given statistical distribution

Hidden message: 10110010…
Cover: 11100101 01001110 10101101 10010111 … 01011010
(Figure label: Least Significant Bit)
LSB Substitution Example

As can be seen from these figures, 3-5 LSBs can be removed and still provide acceptable image quality
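An added example (not from the original slides) of the LSB substitution described on the two slides above: it overwrites the k low bits of each cover byte and measures the resulting distortion for k = 1 to 5. The grey-ramp cover, the random payload and the function names are constructed for illustration; only SLIDE_BYTES comes from the slide.

```python
import math
import random

# The five cover bytes visible on the slide (the "…" between them is not filled in).
SLIDE_BYTES = [0b11100101, 0b01001110, 0b10101101, 0b10010111, 0b01011010]

def embed(cover, bits, k=1):
    """Overwrite the k least significant bits of each cover byte with k payload bits."""
    mask = (1 << k) - 1
    stego = list(cover)
    for i in range(len(bits) // k):
        value = int("".join(str(b) for b in bits[i * k:(i + 1) * k]), 2)
        stego[i] = (cover[i] & ~mask & 0xFF) | value
    return stego

def extract(stego, n_bits, k=1):
    """Read n_bits back out of the k low bits of successive bytes."""
    mask = (1 << k) - 1
    bits = []
    for byte in stego[:n_bits // k]:
        bits.extend(int(c) for c in format(byte & mask, f"0{k}b"))
    return bits

def psnr(cover, stego):
    """Peak signal-to-noise ratio in dB for 8-bit samples (higher = less visible change)."""
    mse = sum((c - s) ** 2 for c, s in zip(cover, stego)) / len(cover)
    return float("inf") if mse == 0 else 10 * math.log10(255 ** 2 / mse)

def distortion_table(cover, seed=2002):
    """For k = 1..5 replaced bits: (k, worst per-byte error, PSNR in dB)."""
    rng = random.Random(seed)
    rows = []
    for k in range(1, 6):
        bits = [rng.getrandbits(1) for _ in range(k * len(cover))]
        stego = embed(cover, bits, k)
        worst = max(abs(c - s) for c, s in zip(cover, stego))
        rows.append((k, worst, round(psnr(cover, stego), 1)))
    return rows

# Constructed cover: a smooth 0..255 grey ramp, standing in for image pixel data.
RAMP = [(i * 255) // 4095 for i in range(4096)]

if __name__ == "__main__":
    print("LSBs of the slide's bytes:", extract(SLIDE_BYTES[:4], 4))
    for k, worst, db in distortion_table(RAMP):
        print(f"k={k}: worst error {worst}, PSNR {db} dB")
```

The first four slide bytes already carry 1011 in their LSBs, the leading bits of the slide's hidden message, and each replaced bit plane can move a byte by at most 2^k - 1.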
Who’s Using It?

■ Good question… nobody knows for sure.
■ The whole point to steganography is to disguise its use.
■ However, anybody can use it to hide data or to protect anonymity
■ Likely users include:
» Trade fraud
» Industrial espionage
» Organized crime
» Narcotics traffickers
» Child pornographers
» Criminal gangs
» Individuals concerned about perceived government “snooping”
» Those who want to circumvent restrictive encryption export rules
» Anyone who wants to communicate covertly and anonymously
Some Known Uses of Steganography

■ Economic espionage - used to exfiltrate information from a major European automaker
■ Political extremists - increasingly being used for secure communications, e.g., Germany
■ Fraud - used as a “digital dead drop” to hide stolen card numbers on a hacked Web page
■ Pedophilia - used to store and transmit pornographic images
■ Terrorism - used to hide terrorist communications over the Internet, e.g., Osama bin Laden’s alleged use of steganography
Terrorism

■ Alleged use of stego by Osama bin Laden, Muslim extremists (Feb ‘01)
■ Stego’d messages hidden on
Web sites to plan attacks
against the US
■ Maps, target photos hidden
in sports chat rooms,
pornographic bulletin boards,
popular Web sites
Scale of the Problem

■ Unknown...there is little public information on the use of data hiding techniques by cybercriminals
■ Only recently has the security community started to concern itself with
this subject
» Lack of awareness
» Lack of developed analysis tools and techniques
■ It is believed that hiding techniques are predominantly used by more
advanced criminals (organized crime) and some emerging threats, e.g.,
terrorists, nation-states
■ Availability, new easy-to-use interfaces may increase attractiveness of
stego techniques for the average user
Where Is It Coming From?
■ Over 140 data hiding packages and services currently available from numerous Web sites
■ Platforms include:
» Windows
» DOS
» Java
» Macintosh
» OS/2
» Amiga
» Unix/Linux

Ref: http://members.tripod.com/steganography/stego.html
Increasing Awareness

■ Likely factors increasing awareness:
» Privacy/freedom of expression
» E-Commerce
» Encryption export concerns
» Protection of intellectual capital
» Perceived government snooping

[Chart: # of AltaVista Keyword Hits on “Steganography” (One hit/Website); y-axis: # of Hits, 1000 to 7000; x-axis: Time, Jan-93 to Jan-01]
Example Steganography Programs
BMP Secrets

■ Parallel Worlds, Kiev, Ukraine
■ http://www.pworlds.com/products/index.html
■ Replaces up to 65% of a true-
color BMP carrier with
hidden data
■ Inputs can be several
different formats, e.g., JPEG,
GIF; outputs true-color BMP
StegComm

■ Features include:
» Multimedia steganography
(images, audio, video)
» Multi-level security and DES
encryption
» Built-in E-mail function
» Unlimited hidden data length
■ www.datamark-tech.com
MP3Stego

■ Compresses, encrypts, then hides data in an MP3 bit stream
■ Developed by F.A.P. Petitcolas, Computer Laboratory, Cambridge
■ URL: http://www.cl.cam.ac.uk/~fapp2/steganography/mp3stego/
S-Mail and S-Split

■ Secure Software Development, Ltd. (http://www.ssd-ltd.net)
■ Bahamian-based developer of
privacy software -- promotes
usage for offshore banking
■ Products include:
» S-Mail: encrypts and stegos data
in .EXE or .DLL files
» S-Split: works with stego software
to split files into multiple parts
Spammimic

■ Encodes message into innocent-looking spam mail
■ www.spammimic.com
■ (From the Web site) “Even if
Spammimic only gets 2 hits a day;
the fact that it's here might force
the snoops to process terabytes of
spam -- making them spend a little
less time on other mails.”
Steganos III

■ Features include:
» Strong encryption (AES)
» Secure, hidden drive
» Internet trace destructor
» File shredder
» E-mail encryptor
■ www.demcom.com
■ “More than one million
users world-wide use
Steganos”
Z-File

■ Features include:
» Strong encryption (up to 1024
bits)
» Multi-layer protection - up to 20
layers of recursive compression,
camouflage, and encryption
» Built-in E-mail function
■ Developed by INFOSEC
Information Security Co., Ltd.,
Taipei, Taiwan, ROC
» http://www.in4sec.com
» Cost: $14.50USD
Secret Fax

■ MediaFair, Inc. (Monterey Park, CA)
■ Secret Fax embeds secret
information into the carrier
image
» “Hacker or unrelated person
only received [sic] the carrier
image and can not recognized
[sic] any secret information
from it without the password”
■ http://www.mediafair.com
Other Commercial Products

www.digimarc.com/

www.zeroknowledge.com/ www.digisafe.com.sg/steganography.htm

www.highwatersignum.com/
www.demcom.com/english/steganos/
Detection and Analysis
Need for Improved Detection

■ Growing awareness of data hiding techniques and uses


■ Availability and sophistication of shareware and freeware data
hiding software
■ Concerns over use to hide serious crimes, e.g., drug trafficking,
pedophilia, terrorism
■ Frees resources currently spent on investigating cases with
questionable/unknown payoff
■ Legislative calls
» US Bill H.R. 850, Security and Freedom through Encryption (SAFE) Act
» UK Revision of Interception of Communications Act 1985
Detection

■ Can steganography be detected?


» Sometimes…many of the simpler steganographic techniques produce
some discernable change in the file size, statistics, or both. For image
files, these include:
• Color variations
• Loss of resolution or exaggerated noise
• Images larger in size than that to be expected
• Characteristic signatures, e.g., distortions or patterns
» However, detection often requires a priori knowledge of what the image
or file should look like
Detection Challenges (1/2)

■ Stego software developers understand their products’ weaknesses and have made significant improvements:
» minimal carrier degradation ⇒ makes embedded data harder to
perceive visually
» better modification immunity ⇒ e.g., affine invariance, immunity
to channel noise, compression, conversion
» use of error correction coding ⇒ ensures integrity of hidden data
■ These improvements have led to even greater difficulty in
detection
Detection Challenges (2/2)

■ Lack of tools and techniques to recover the hidden data


» No commercial products exist for detection
» Custom tools are analyst-intensive
» Few methods beyond visual analysis of graphics files have been
explored
■ Usually, no a priori knowledge of existence
■ No access to stegokey
■ Use of unknown applications
Steganalysis
Select Research Overview

■ Several on-going research activities for improving steganographic analysis methods
■ Some research is focusing on processing techniques to
reveal features in files that will:
» Blindly, i.e., with no a priori knowledge, indicate the presence of
hidden data
» Uniquely identify known stego packages
■ Some examples follow...
Twin Peaks Histogram Attack

■ Some stego packages produce easily detectable double histogram spikes
■ These spikes indicate isolated colors in the image
■ Isolated colors occur when certain bits are suppressed or when the RGB colors of original image are mapped to limited set of smaller colors in stego image

[Figure: two histograms, x-axis 0 to 250. Unstego’d: “Original 24-bit File #7”. Stego’d: “Steganos 24-bit File #7”, annotated “Note double spikes”.]

Ref: http://link.springer.de/link/service/series/0558/tocs/t1525.htm
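An added illustration (not from the original slides, the cited proceedings or any tool) of the double-spike effect described above: samples whose low bits are suppressed form isolated histogram spikes, and 1-bit LSB replacement splits each one into an adjacent pair. The sample data, the thresholds and the isolation rule in twin_peaks are assumptions chosen for this sketch.

```python
import random
from collections import Counter

def suppress_bits(samples, n):
    """Zero the n low bits of every sample, leaving a limited set of isolated values."""
    return [s & (0xFF ^ ((1 << n) - 1)) for s in samples]

def lsb_embed(samples, bits):
    """Plain 1-bit LSB replacement over the first len(bits) samples."""
    return [(s & 0xFE) | b for s, b in zip(samples, bits)] + samples[len(bits):]

def twin_peaks(samples, min_count=20, balance=0.5):
    """Even values v whose bins v and v+1 are both populated, similar in height,
    and isolated (bins v-1 and v+2 are empty)."""
    hist = Counter(samples)
    found = []
    for v in range(0, 256, 2):
        lo, hi = sorted((hist[v], hist[v + 1]))
        if lo < min_count or lo / hi < balance:
            continue
        if hist[v - 1] == 0 and hist[v + 2] == 0:
            found.append(v)
    return found

def demo(seed=2002, n=16384):
    """Run the detector over three constructed sample sets."""
    rng = random.Random(seed)
    natural = [rng.randrange(256) for _ in range(n)]  # constructed: full-range samples
    reduced = suppress_bits(natural, 3)               # constructed: 32 isolated values
    bits = [rng.getrandbits(1) for _ in range(n)]     # constructed payload
    return {
        "reduced cover": twin_peaks(reduced),
        "reduced stego": twin_peaks(lsb_embed(reduced, bits)),
        "natural stego": twin_peaks(lsb_embed(natural, bits)),
    }

if __name__ == "__main__":
    for name, peaks in demo().items():
        print(f"{name}: {len(peaks)} twin peaks")
```

The full-range case reports nothing even though it carries the same payload: this signature only appears when the carrier had isolated colors to begin with.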
Stegdetect
■ Automated tool for detecting
steganographic content in images
■ Currently-claimed detection
schemes:
» Jsteg
» JPHide
» Invisible Secrets
» Outguess 0.1.3b
■ Windermere’s analysis shows
this program is extremely
unreliable and provides
excessive (i.e., near 100%) false-
positives
Summary
Some Indicators of Data Hiding Activity

■ Evidence of steganography software on computer


» Forensics examination
» Hashes of well-known files don’t match originals
■ Transmission logs
» Excessive/unusual e-mails involving pictures, sound files, etc.
■ Discernable (visual) changes
■ Statistical analysis
Detection Countermeasures

Additional Challenges to the Forensics Community
Disk Wiping Programs
■ Several products currently
available on the Internet that are
designed to thwart forensic
examination by wiping critical
files on a hard disk
■ Example:
» Evidence Eliminator
» www.evidence-eliminator.com
» “Buy protection for just
$74.95(US) that will defeat
Forensic Analysis equipment
costing over $7000.00(US).”
Zero Emission Pad
■ Ref: http://www.demcom.com/english/steganos/zep.htm
■ “Since decades international secret services use
the fact that all electronic devices emit
compromising rays. These rays can be used to
recover a picture displayed by a monitor. Even if
these rays passed walls and the receiver is many
meters away. Together with our partner, the
University of Cambridge (Great Britain), we offer
to you the possibility to defuse these
compromising rays via software (patent-pending
"Soft-Tempest"). The text editor Steganos II Zero
Emission Pad is the world's first Windows editor
that supports the emission defusing display.”
Trends

■ Increased convergence of Internet with telephony and other media will likely increase development, impact of
new data hiding techniques
» Personal Digital Assistants
» Voice over IP
» PCS
■ Software piracy likely to increase ⇒ criminals will actively
work to develop new watermark attack techniques
Summary

■ Steganography is primarily used to maintain anonymity and is easily available to most anyone
■ Sophisticated tools are readily available on the Internet, and are easy-to-use
■ Lack of both awareness and developed tools and analysis techniques
» Only recently has the security community started to concern itself with this
subject
» Little public information on the use of data hiding
■ Development/use of information hiding products far outpaces the
ability to detect/recover them; this situation is not likely to change
soon
A Final Thought

“I think we are perilously close to a lose-lose
situation in which citizens have lost their privacy
to commercial interests and criminals have easy
access to absolute anonymity. That's not a world
we want.”
Philip Reitinger
Former Senior Counsel, US Justice Department
Computer Crime and Intellectual Property Division
Questions?
