No, really. And a pint to the first reader who spots it, too. I'm no steganography expert, but I do find the field fascinating, although the art of concealing data within other information is far from new.
Pete Simpson from Clearswift relates a story about a Greek messenger who had his head shaved and information written on his scalp, allowing the message to pass undetected (once his hair had grown back!) in public until at the far side his head was re-shaved and the message read. We've come a long way since then, but the basic idea is still the same; hide data somewhere other people, whether casual observers or serious opponents, won't spot it. Steganography's always been of interest to me, and a recent interview with Simpson highlighted just how complex a subject it has become.
It's a fascinating field. Steganography is not encryption, but it suffers from the same shortfall as many encryption schemes, in that the sender has to communicate the method of concealment to the recipient, which risks interception. Assuming you can achieve that initial exchange relatively safely, it's easy to achieve very strong results. That's a good thing and a bad thing; you can use it to communicate messages secretly, but it can also be used to spirit trade secrets out of your company.
There are lots of ways to achieve this. Obvious techniques are flipping bits in images. You can conceal an awful lot of data in image files (especially compressed ones like JPEGs) without it being obvious that anything beyond the original picture is there at all. An obvious place like a corporate homepage would be the perfect vehicle for such a tactic, and a lot harder to detect than an employee emailing suspect Word documents out of the building.
That same example can also work for you. Putting a concealed message on your home page means it's readily accessible to everyone who needs to see it. More to the point, no one knows it's there. Encrypted mail is rare enough that it sticks out in transit, and because the headers are not encrypted, this alone tells snoopers a fair bit; that Alice has something secret she needs to tell Bob, and that either may be a better target to attack than Cathy. Narrowing the field of attack is a standard part of any hack, and you've just done that for them.
Would this matter if all mail were encrypted? No, because nothing would stand out. But it isn't, nor will it be any time soon. A poignant message to a mailing list I read (the discussion focused on digitally signed and encrypted mail at the time) said: "This message is signed. Do you care?" And of course, if all mail were encrypted, how would you ever spot that secret message anyway? But then you couldn't spot the breach either. There are more double-edged swords in this game than a medieval museum.
There are interesting legal angles, too. Under order, I must yield my encryption keys to a law-enforcement agency. But the agency has to find the encrypted file in order to demand the key, and if it's hidden in plain sight, I have the advantage of deniability. I have a VCD collection of my kids playing in the park. So what? That's several gigabytes of perfectly legal, innocent data, officer.
What do you do about it? That depends on who you are - a CSO has different motivators than a government agent. Obviously the same absolutes apply to steganography as they do to any other security field - complete integrity is unattainable. If someone really wants to move information into and out of your company, there's no certain way to prevent it.
For every clever detection-and-prevention scheme dreamed up, there's a cleverer concealment plan on the drawing board. And realistically, there are so many places to hide something that it's just impossible to cover them all. Fortunately, not every steganographer is a mathematics professor with a side interest in intellectual property violation. As with your usual hacking, by far the bulk is basic, mass-market stuff. And that is not hard to spot: there are techniques to identify the common forms, and because there are freely available tools on the Net, these are the ones that crop up most often.
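As an added illustration (not part of the original column), here is one well-known way to identify the basic bit-flipping form: a pairs-of-values chi-square check on least-significant bits. It assumes raw 8-bit sample values, as in an uncompressed bitmap, rather than JPEG coefficients; the function names, the threshold and the sample data are constructed for this example.

```python
import random
from collections import Counter

def pov_score(samples, min_pair_count=5):
    """Reduced chi-square over value pairs (2k, 2k+1).

    Overwriting LSBs with random-looking data pushes the two counts in
    each pair toward equality, so a score near 1.0 suggests embedding;
    an untouched histogram normally scores far higher.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        total = n_even + n_odd
        if total < min_pair_count:   # too few samples to judge this pair
            continue
        chi2 += (n_even - n_odd) ** 2 / total
        pairs += 1
    return chi2 / pairs if pairs else float("inf")

def looks_lsb_embedded(samples, threshold=2.0):
    # Assumption: the threshold is picked for this demo, not calibrated.
    return pov_score(samples) < threshold

def constructed_cover(n=20000, seed=1):
    """Constructed stand-in for an unmodified image: even values are more
    common than odd ones, like unequal neighbouring histogram bins."""
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + int(rng.random() < 0.2) for _ in range(n)]

def simulate_full_lsb_overwrite(samples, seed=2):
    """Test fixture: replace every LSB with a pseudo-random bit, which is
    what the histogram looks like once a payload fills the image."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]

if __name__ == "__main__":
    cover = constructed_cover()
    altered = simulate_full_lsb_overwrite(cover)
    for name, data in (("cover", cover), ("altered", altered)):
        print(f"{name}: score={pov_score(data):.2f} "
              f"flagged={looks_lsb_embedded(data)}")
```

A check like this only catches payloads that fill a large share of the available bits; short or carefully spread messages leave the histogram close to its original shape.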
For most companies, putting safeguards in place to identify and guard against steganography is simply too resource-intensive to pay dividends. It's just not enough of a threat - yet. For now, it's an interesting theoretical field that has limited (but useful) application in the field. But so was mail encryption once; I have a feeling this is a curiosity that will pick up momentum and carve a niche for itself in the future.
Jon Tullett is U.K. editor and online editor for SC Magazine (www.scmagazine.com).