The Steg Chronicles: Information Hiding 101
*Note: This article was originally published by the author on April 4, 2021.
Chances are you’ve already heard about information hiding at some point or another. On the off chance that you haven’t, I offer here a quick down and dirty as to what it is and how it works. Essentially, digital computing inherently makes it trivial to hide information in plain sight by abusing well-known aspects of digital file systems and commonly used internet protocols. Enter the shadowy world of digital steganography, a subject I have researched and written about extensively for several years (i.e., see Additional Resources below). There is a lot to unpack but I’ll do my best to keep it simple.
Real-Life Historical Instances of Information Hiding
History contains numerous examples of information hiding, from the ancient Greeks and Romans to modern-day PC and mobile phone use, but most recently we’ve seen the malware developers of several cybercriminal groups use digital steganography to conceal the existence of malware or some component of the malware’s communication with command and control (C2) servers. I wrote a Master’s thesis in which I detailed several notable examples of malware authors using digital steganography to conceal the presence of their malware and evade anti-malware detection. Malware such as Duqu, Regin, Hammertoss (Wojciech & Wendzel, 2018), and even the recent Sunburst malware used a form of information hiding by re-encoding ASCII text. Encoding is not the same as steganography, but it is a closely related information hiding technique.
We’ve seen instances of Russian spies using digital steganography to communicate secretly with the Kremlin. In 2010, the FBI arrested 11 covert Russian spies posing as Americans who were found to have been hiding secret information within image files sent back to Russia (Jackson-Higgins, 2010). The information hiding method the Russian spies used is commonly referred to as Least Significant Bit (LSB) steganography, in which information is embedded into an image file by replacing the least significant bit of bytes throughout the file with the bits of the secret information. A byte contains 8 bits, such as 01011101. If we substitute the last bit, known as the least significant bit, with a bit from another file, then we can embed secret information within an image without noticeable distortion or “noise”, even when this is done hundreds or thousands of times throughout the image file. Think of this as being like the “salami embezzlement” penny-fraction shaving attack perpetrated by Richard Pryor’s character in the Superman movie, or the same scheme in the movie Office Space, which shaved off fractions of pennies and deposited those fractions into a bank account.
The end result is that there is no visible degradation to the image file and the secret information, called the ‘stego file’, is embedded into the image. Quite frequently, I’ve found in the course of my research that the stego file must be opened by the same steganography application that was used to create it. It can also be encrypted with a password or passphrase using very strong encryption which makes decryption extremely difficult and unlikely in the wild. I’d be remiss if I didn’t mention the case in which Al Qaeda used digital steganography to conceal terrorist operations manual text files within a porn video but didn’t password-protect the hidden messages (Gallagher, 2012).
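To make the bit substitution concrete, here is a worked illustration added to this version of the article (it is my own code, not code from the original piece or from any steganography tool it mentions). It builds a small synthetic grayscale image as a bytearray, one byte per pixel, so the script runs offline without an imaging library; a real tool does the same thing to the pixel bytes of a PNG or BMP. The payload is prefixed with a 4-byte length so the extractor knows where to stop, and the final function shows that no pixel value moves by more than 1.

```python
"""
Added example (not from the original article): minimal LSB embed/extract
over a constructed grayscale "image" held as a bytearray, one byte per pixel.
The image is synthetic so the script runs offline with no imaging library.
"""
import random


def make_cover(width=64, height=64, seed=1):
    """Construct a smooth synthetic grayscale image: a diagonal gradient plus mild noise."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            value = (x * 255 // (width - 1) + y * 255 // (height - 1)) // 2
            value = max(0, min(255, value + rng.randint(-2, 2)))
            pixels.append(value)
    return pixels


def _bits(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, secret):
    """Return a copy of cover whose least significant bits carry a 4-byte
    big-endian length header followed by the secret bytes."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("secret too large for this cover")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the secret bit
    return stego


def extract(stego):
    """Read the LSB plane back: the 4-byte header first, then exactly that many bytes."""
    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)  # the header occupies the first 32 LSBs


def max_pixel_change(cover, stego):
    """Largest per-pixel difference introduced by embedding; LSB changes a byte by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at the usual place"  # constructed sample message
    stego = embed(cover, secret)
    print("recovered:", extract(stego))
    print("max change per pixel:", max_pixel_change(cover, stego))
```

Note the capacity limit: a 64x64 grayscale image has 4096 LSBs, so it holds 512 bytes of payload at most, which is why real users of LSB tools reach for large photos and why a tool that does not enforce a limit silently corrupts the message.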
Recently, Magecart criminal hackers used the Magento framework to capture payment card information stolen from retailer websites, including credit card numbers, names, home addresses, phone numbers, and email addresses, and embedded the exfiltrated data into JPEG images (Ilascu, 2021). The stolen payment card data can then be used by the perpetrators to make fraudulent credit card purchases or sold to other criminals for their use. This recent example highlights how prevalent information hiding has become in modern cybercrime. If you work within information security, you should be looking for this stuff. It’s not easy to detect, but there are methods of detection.
Many people still aren’t aware that printer manufacturers include tiny microdots, not visible to the naked eye, printed into the corners of documents. This was a technique used in newspapers and other communiqués by the Nazis during World War II. One microdot could contain several pages of textual information. The microdots printed by modern printers still contain a binary code, laid out as a grid, that helps law enforcement authorities identify characteristics of the type of printer used and the exact date and time the document was printed; authorities can then narrow the scope of an investigation further by checking that printer’s logs to determine which user actually printed the document. This technology is believed to have been used to track down NSA leaker Reality Winner (Turton, 2017).
Another application of information hiding that is seldom discussed, due to its obscene nature, is that pedophiles have used it to traffic illicit images on the internet. One insidious pedophile ring steganography case that made international headlines was the case of the Shadowz Brotherhood, an online child porn ring run by a group of UK men that was discovered to be using encryption and steganography in combination with constantly switching Internet Service Providers (ISPs) to evade law enforcement authorities (Dodd, 2002). They were still caught, though, as I detail in another piece I published here.
Last but not least, there are instances in which digital steganography has been used by privacy-conscious citizens to communicate in secret in parts of the world where governments or regimes monitor electronic communications for anyone who is critical of the government and apprehend them for saying bad things about it, North Korea for example. As you can see, there are lots of different applications of information hiding, and not all of them are for evil purposes. That’s an important distinction to make with all of this information hiding stuff. Steganography, like many forms of technology, can be used for both good and bad purposes. It all depends on the individual user.
Great, But How Do I Actually Hide Information?
Now, ordinary people like you and me probably don’t have much of a need to hide information in our day-to-day lives, but I can’t speak for everyone. We all have different personal security threat models, and who knows? Maybe you do need to use information hiding techniques for some reason, hopefully for good purposes only. Maybe you’re on the run from an abusive spouse who has access to your personal email account, or there is some other reason. Personally, digital steganography isn’t something I use on a regular basis, but it is something I have studied extensively and have experimented with on numerous occasions.
I am also educated enough on the subject of information security to know that commercial email is not a secure communication medium, even with add-ons like Pretty Good Privacy (PGP) encryption. In fact, in order for encrypted email to work properly, there are a number of factors both the sender and the recipient(s) need to configure properly before any email is truly encrypted. Then there is the question of whether or not intelligence and law enforcement agencies have the means to decrypt something like PGP encryption. If they do, and they’re not going to tell us, then your encrypted emails are completely readable. So, there’s that to think about.
I explain here why ProtonMail email is the best option for privacy but again, if both the sender and the recipient aren’t using ProtonMail encrypted emails then it’s all for naught. Now you can easily hide information using the LSB steganography technique that I mentioned above by following the instructions I detail in this short guide.
It’s rather simple once you try it a few times, and just Googling steganography applications will turn you on to many, many different applications, some of which are better than others. Some of those freely available steganography apps don’t work and are no longer supported by whoever wrote them. When you use their tools, you’re trusting that they coded the steganography, encryption, and compression algorithms correctly. You can then just attach the picture containing the hidden information to a regular, unencrypted email and send it to your recipient, who will need to know how to extract the embedded file from the image you sent them. I like to call this the poor man’s encrypted messaging system, but it’s so much better, because even when you encrypt your communications it is still possible for authorities to see the origination and destination IP addresses and the packet size. With a hidden LSB stego file, it just looks like billions of other emails with image attachments. There are no telltale clues that anything is hidden within.
Hopefully, now that you are a little bit more educated on the topic of information hiding, you’ll also realize that there very well could be more going on behind the scenes than you realize on the internet. Suddenly, a whole new world opens up. Is that YouTube video really just a video about adorable bunny rabbits frolicking in the snow or does it contain secret messages about the Trump pee tape? Who posted it? What is the file size? Unless you have an original file to compare it against, how are you to know if any other files have been embedded within it?
You begin to see just how difficult it is not only to spot the use of digital steganography in the wild, but also, in the small percentage of cases where it is discovered, to successfully extract the hidden information from it. Now that you are armed with this knowledge, it is your responsibility to use it wisely and for good purposes only. You should realize that some Internet Service Providers (ISPs) also rename files and/or flatten them, or restrict which types of image, audio, and video files users can upload to the platform, to prevent their platform from being abused in this way. In the Master’s thesis I wrote, however, I detail how many major sites still allow for it. To learn about just how complex information hiding is, please check out some of the additional resource links below.
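Two of the points above deserve a worked illustration from the defender’s side: that there are methods of detection even though LSB embedding leaves no visible trace, and that a site which flattens or rescales uploads destroys the hidden bits. The script below is added to this version of the article (my own code, not from the original piece or from any tool it mentions). The detection part is the classic “pairs of values” chi-square test from the steganalysis literature: replacing least significant bits with random-looking (for instance encrypted) data drives the counts of each value pair (2k, 2k+1) toward equality, so a natural image scores high and a fully embedded one scores low. The cover image is constructed, with an exaggerated excess of even pixel values standing in for the uneven histogram a real photo has, so treat the absolute numbers as illustrative only.

```python
"""
Added example (not from the original article): a pairs-of-values chi-square
check against LSB embedding, plus a measurement of what a crude "flatten"
(2x2 average, written back to all four pixels) does to the LSB plane.
Runs on a constructed grayscale image; no imaging library needed.
"""
import random

WIDTH = HEIGHT = 64


def make_cover(seed=7):
    """Constructed grayscale gradient in which three quarters of the pixels
    land on even values, an exaggerated form of a natural image's uneven histogram."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = (x * 255 // (WIDTH - 1) + y * 255 // (HEIGHT - 1)) // 2
            pixels.append((base & 0xFE) if rng.random() < 0.75 else (base | 1))
    return pixels


def embed_random_bits(cover, seed=3):
    """Overwrite every LSB with a random bit: what a full-capacity LSB embedding
    of encrypted (hence random-looking) data looks like."""
    rng = random.Random(seed)
    return bytearray((p & 0xFE) | rng.getrandbits(1) for p in cover)


def pov_chi_square(pixels):
    """Pairs-of-values statistic: for each value pair (2k, 2k+1) compare both
    counts with their mean. Small result = counts equalized = looks embedded."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd == 0:
            continue
        expected = (even + odd) / 2
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat


def flatten(pixels):
    """Crude flatten: average each 2x2 block and write the average back to all
    four pixels, as a downscale-then-upscale pipeline does to fine detail."""
    out = bytearray(pixels)
    for y in range(0, HEIGHT, 2):
        for x in range(0, WIDTH, 2):
            idx = [y * WIDTH + x, y * WIDTH + x + 1,
                   (y + 1) * WIDTH + x, (y + 1) * WIDTH + x + 1]
            avg = sum(pixels[i] for i in idx) // 4
            for i in idx:
                out[i] = avg
    return out


def lsb_agreement(a, b):
    """Fraction of pixels whose LSB is the same in a and b."""
    return sum((p & 1) == (q & 1) for p, q in zip(a, b)) / len(a)


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_random_bits(cover)
    print("PoV chi-square, cover:", round(pov_chi_square(cover), 1))
    print("PoV chi-square, stego:", round(pov_chi_square(stego), 1))
    print("LSBs unchanged after flatten:", round(lsb_agreement(stego, flatten(stego)), 3))
```

The chi-square gap is the detection signal; a steganalysis tool turns the statistic into a p-value and slides a window over the image to estimate how much of it was used. The last line is the flattening point: after the 2x2 averaging the LSB of each pixel is a function of its neighbourhood, not of the embedded bit, so only a fraction of the bits still agree and a length-prefixed payload like the one in the earlier example extracts as garbage.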
The Steg Chronicles: Stegware — The Dangerous Combination of Malware & Steganography
*Note: This article was originally published by the author on September 24, 2020.
The Steg Chronicles: How to Easily Send Secret Messages Using Steganography
*Note: This article was originally published by the author on
The Steg Chronicles — In the Beginning
*Note: This article was originally published by the author on November 10, 2019.
Digital Steganography as an Advanced Malware Detection Evasion Technique
A Master’s Thesis | © Copyright 2018 | All rights reserved.
The Threat of Digital Steganography-cloaked Malware to U.S. Critical Infrastructure Systems
*Note: This article was originally published by the author on August 31, 2018.
ScarCruft APT Malware Uses Image Steganography
*Note: This article was originally published by the author on May 16, 2019.
PLATINUM APT Found Using Text-based Steganography to Hide Backdoor
*Note: This article was originally published by the author on June 6, 2019.
Using Digital Steganography to Protect National Security Information
*Note: This article was originally published by the author on November 26, 2018.
Gallagher, S. (2012, May 2). Steganography: how al-Qaeda hid secret documents in a porn video. Retrieved from https://arstechnica.com/information-technology/2012/05/steganography-how-al-qaeda-hid-secret-documents-in-a-porn-video/
Ilascu, I. (2021, March 16). Hackers hide credit card data from compromised stores in JPG file. Retrieved from https://www.bleepingcomputer.com/news/security/hackers-hide-credit-card-data-from-compromised-stores-in-jpg-file/
Jackson-Higgins, K. (2010, June 29). Busted Alleged Russian Spies Used Steganography To Conceal Communications. Retrieved from https://www.darkreading.com/risk/busted-alleged-russian-spies-used-steganography-to-conceal-communications/d/d-id/1133884
Turton, W. (2017, June 13). The history of the secret code that printers put on all your documents. Retrieved from https://theoutline.com/post/1713/the-history-of-the-secret-printer-code-that-may-have-caught-the-nsa-leaker
Wojciech, M., Wendzel, S. (2018, January). Information Hiding: Challenges For Forensic Experts. Communications of the ACM, Vol. 61, No. 1, pp. 86–94. Retrieved from https://cacm.acm.org/magazines/2018/1/223894-information-hiding/fulltext