An old adage says that a picture is worth a thousand words, and steganography certainly stretches that notion to the extreme. Webster's dictionary defines steganography as the art of writing in cipher; however, most people interpret the term to mean hiding information within other information. For example, you can encode a secret message into the pixels of a digital image, into the bits of an audio file, or into the text of an apparent spam email message. The possible hiding places are plentiful.
Cryptography has been used for countless centuries to hide information, but leaving an encrypted message to appear obviously encrypted exposes a communication for what it truly is: an encrypted message. However, when you hide data within other data, you place a facade over the hidden data to help obscure its existence, which makes detecting it as an encrypted message more difficult.
Organized crime, terrorists, and various other groups that operate covertly use steganography to hide their activities. Federal law enforcement agencies allege that such groups routinely use steganographically obscured data in images on Web sites and in messages on popular public message forums. To detect these encoded messages, various law enforcement agencies either already have, or are currently developing, software that detects data hidden within other data. The officers study the native formats of various file structures (e.g., .gif, .jpg, .wav, .mp3, .au) and the nature of known steganography tools to identify patterns. If something seems out of place, or irregular, the data might contain a steganographic message.
Wired news ran a great story this week about Neil Johnson, a man who focuses on uncovering hidden messages. In the story, Johnson says he's working on technology for an unnamed law enforcement agency that will detect steganography in digital media. Although Johnson said he couldn't name his benefactor, I can't resist the thought that such technology would be a great complement to the FBI's DCS1000 software (formerly named Carnivore). Anyway, the story is a great read because it provides insight into what you can expect using steganography—it's not as safe as you might think. Be sure to read the news story at Wired.
If you're interested in steganography as a means to bolster your information security, be sure to visit the SourceForge StegHide Web site, where you'll find links to lots of related information. And, if you're looking for steganographic software, be sure to stop by Fabien Petitcolas' Web site, where you'll find his MP3 Stego software (which hides data within MP3 files) and links to similar tools that support other file types and formats. Until next time, have a great week!