Hiding Secrets With Steganography On FreeBSD

BSD Forums writes "Bad guys in the movies all keep their wall safes hidden behind paintings. Is there a metaphor in there for your sensitive files? OnLamp's Dru Lavigne explores steganography, or hiding secret messages in images or sounds, with the outguess and steghide utilities on FreeBSD."

Steg is fairly useful, but it is crackable

[j0keralpha]

I use steg sometimes to pass messages i dont want out in plaintext or overtly encrypted, but it has to be passed in such a way that it isnt apparent that a message is there (i.e. email to brother 'See these pics of grandma!'). It is not a foolproof method, but its very useful when you realize you cant trust the encryption itself to hide the message.

Re:Steg is fairly useful, but it is crackable

[grub]

You can encrypt a message then hide the encrypted text within a file with steganography. Casual browsing wouldn't reveal the existance of the encrypted info.

Re:Good stuff, but...

[Phigs]

When he attached the files, he also encrypted them didn't he (with the passphrase). In the article he made a point to showing off all of the encryption standards supported by the utility.

Re:Good stuff, but...

[VargrX]

so sayeth Realistic_Dragon:

You can always encrypt first then hide later.

good point. I need more coffee before I reply to these things... :)

Steganographers Need To Hide Their Tools Too

[Anonymous Coward]

I have yet to see a good treatment of the necessity of hiding the fact that one may have knowledge of or tools capable of implementing steganography. While hiding data is a nifty thing, it's not of much practical use unless you can also hide the code - the tools that you use to embed and deembed your steganographically hidden files.

Adding hooks to libraries and hiding executable code in data areas and coming up with slick ways of calling into that code when you actually do some stega processing is an area ripe for exploration. It may be more challenging than data hiding as well, especially when you consider the huge libraries of md5sums for all known executables and libraries that are maintained and distributed by computer forensics people.

Re:No...

[Anonymous Coward]

So your instructions on how to be a cat burglar would be:

1. Find safe
2. ???
3. Take stuff from safe

And how is that different than...

[Anonymous Coward]

Posts/books/whatever that say "My webserver is Linux" (No it is not. It is Apache) "How to use LInux to serve Windows files" (No, you are using SAMBA and LDAP.) "Robot runs on Linux" (No, its some custom code that runs ON the GNU/Linux environment)

Where have YOU posted objecting to abuses like the above?

Well?

Re:The great thing about being disorganized...

[Lumpy]

you got modeed funny but this is a very useable and strong way of hiding. Not only files but attacks and most anything else.

If I upload 500 photos a month to the net Each of them contain something in the photo (results of /dev/random in random lengths) and then I fire off one photo in a group of others that has real information, the chances of it being found or even noticed is lower than having a encrypted file cracked.

I've seen this used many times and is used in nature by birds and fish...

a school of 500 fish makes it impossible for a predator to single out one specific fish.

Re:No...

[Lumpy]

Yes and no. I dare you or anyone else to locate my valuables in my house. hell they're not even in a safe.

I used to use hollowed out books in college for safe storage from the idiot friends my roommate had, same as the trick of the first 4 bottles of beer in the fridge were filled with piss, the pattern of real beer versus piss was changed weekly by the beer owner. It kept the mooch friends out of the beer, although was a bit wierd to have bottles of piss in the fridge as far as I was concerned.

You can blend in if you make that elephant look like it belongs there... release a herd of elephants and your elephant will not be noticed.

It's the same trick as the fake rock holding your house key.

Re:Not so good..

[Lumpy]

and it becomes 100% useless if you make it trigger tons of false positives.

if EVERY picture on a website trigger's it's detection and yet you find nothing in them you begin to suspect the usefulness of the tool.

here lies the true power in stenagraphy.

He's keeping your ass free

[Anonymous Coward]

By raising the background chatter, he is making it difficult to find any true use of stego. Pictures with messages like "Donald Rumsfeld can eat my ass with gravy as a sidedish" or "GEORGE BUSH SHOULD DIEt (He's getting chubby)" waste resources which would normally be spent reading YOUR email.

He's making himself a target so you don't have to. Ass.

Re:No...

[johndiii]

The analogy isn't security through obscurity, it's finding a better place than behind the painting to hide the safe. Or, perhaps more accurately, securing one's valuables in something that is not recognizable as a safe. If the burglar had to look at a thousand books to determine if even one of them had a secret compartment, it would be a much more effective security measure than a safe behind a painting.

If you are using stegged files (they do not have to be images) to communicate with others, then you are hiding the channel. This is a potentially very useful mechanism against automated monitoring tools, particularly if the data is first encrypted. Isolated information in high-volume channels can be very hard to detect. Another use would be to help defeat traffic analysis.

This is not to say that steganography is a magic means of information hiding. But it is one of the useful tools.

Yes, except

[Moderation abuser]

In some countries you can go to prison for using cryptography, in other more enlightened countries you can go to prison for not handing over the keys when asked by the guys in jack boots or for talking about the fact that you've been raided.

Great Observation

[nurb432]

This concept is lost to most people. And i agree it just proves how effective slow media manipulation of peoples attitudes is.

Just like calling downloaders 'pirates' and 'theft'. .Or 'the SUV killed.. ' in time people begin to belive it with out realizing it...

Re:I wonder . . .

[joto]

To completely decrypt it, you would have to be able to set the R,G, and B values to the correct ones, then de-steg it to get the message, then unencrypt it.

This is usually not completely reversible. You'd better experiment on the file before doing that, or you'll lose data.

Re:Good stuff, but...

[jmv]

Not exactly. As someone suggested, it's possible to encrypt first, but the real advantage is that if done properly, nobody can even prove you sent a message. Even if the interceptor knows the steganography method, unless they have the key, they can't prove the last bits of your wav file is a secret message and not just normal noise from your microphone.

Re:No...

[aallan]

The only problem here is to keep track of what is what. After a couple of files, it's going to be a pain to remember which file has your pr0n site passwords in it, versus Gramma's cookie recipe.

Well obviously you only have to keep track of one file, the one which holds the list of all the other files you've got with encrypted content.

. Al.

Re:Good stuff, but...

[Analogy Man]

This reminds me of the fake rocks folks use to hide an extra house key...

... The bad guys get the same catalogs you do!

Re:No...

[Ayaress]

Keep in mind that the article said that hiding messages in images is NOT a great way to hide important stuff by itself, but that it could be used as a second layer of security. Lets have four people, shall we? They all run servers, and they all have an important file on there they don't want other people to find. Johnny keeps his file unencrypted and unhidden. Billy keeps his encrypted, but unhidden. Mike hides his in an mp3, but unencrypted. Joe hides his in a jpeg after encrypting it. Johnny's most likely to have his stolen, obviously. But Billy's file is more likely to be found than either Mike or Joe's, even though Mike's has no encryption on the file itself. Even though the person who took Billy's file doesn't have the information in it, finding it it one step closer to stealing it. Now, Mike and Joe are both considerably less likely to have this file found, unless the data theif expects them to hide it in a media file like this. On the off chance that the hacker DOES find the file, though, Mike's is as good as stolen, just like Johnny's. However, Joe is the most secure of the bunch. Not only is his file encrypted, but it's also hidden, meaning it's unlikely that the hacker will even get the encrypted version. They can't crack what they can't find. Even after what Johnny did, he can go furthur. Encrypt his password, hide the text in an image, rename the image to a .dll or .o and hide it in a system directory. Sure, it's not 100% secure, but it's better than leaving even the most secure file laying around.

Re:Commercial for BSD!

[sremick]

Terrorists aren't the only ones who want encryption any more than shipping departments are the only ones who want box-cutters. Maybe we should blame the USPS and airlines for also aiding terrorism. Paper-shredder manufacturers too. They helped Enron break the law, didn't they?

Before you knock FreeBSD for supporting a form of encryption (encryption being something that every law-abiding citizen should be entitled to in order to protect his or her privacy), maybe you should tell us what OS YOU use so we can check to make sure it doesn't support encryption tools like the ones you're faulting FreeBSD for.

Re:Steg is fairly useful, but it is crackable

[Sloppy]

MIT proved that stenographic files can be detected nearly 100%

I don't believe that for a second.

If you want to earn that informative mod-up, provide a reference.

School of Fish

[a!b!c!]

I remember seeing an omni movie about sharks that found a school of fish, and ate them all. One at a time.

I thought the strategy behind the school of fish was: if there are 500 fish, and I am one of them, then my odds of me getting eaten during an attack is 0.2% The larger the group, the lower the chance that *I personally* get singled out.

I don't think the predator cares about going after a certain fish. Unless if finds one that has really cute eyes. It just wants a fish.

Re:Really, what do you guys need to hide?

[YankeeInExile]

There are lots of legitimate activities you may engage in that you want to keep to yourself, or a small cadre of conconspirators. Your correspondance with your paramour telling her that what she did last time really turned your crank, and could she bring the golden retriever again this week.

Or, suppose you are a member of a group citizens petitioning the government for redress, to change some statute you find out-dated, or overly opressive. There are enough hot-button issues that are so politically charged, that anyone who even has the temerity to suggest that they be changed, is branded a pervert, a criminal, a traitor, or worse. (e.g. issues around gun control, legalizing marijuana or prostitution, lowering the age of consent)

I posit that in the US at this moment, it is actually very difficult for citizens to engage in cogent public discourse on these topics, for fear of being branded. It would behoove you to do your political organizing in private.

And finally, and perhaps most importantly: Just because one wishes to hold something private with their compatriots, does not mean they are planning a terrorist attack or a bank heist. What I choose to keep private is not subject to debate.

Now, the second point you make - at the current state of the art, using strong encryption is sufficiently difficult, that it is, in and of itself, a "red flag" that something might not be kosher. The only solution for that is for more and more people to use it more and more frequently.

This is of course, not without political expense: If suddenly 80% of all person-to-person e-mail is encrypted, and all person-to-group e-mail is at least signed, encryption technology will be front page on the Wall Street Journal, and the political powers for the suppression of thought-crime will demand that it be tightly regulated.

Encryption technology is restricted under export rules as a "munition." Perhaps a case could be made under the second amendment, that our fundamental freedoms are dependant on not only the right to bear arms in the form of an SKS, but also in the form of PGP.

Re:Good stuff, but...

[HermanZA]

Well, all crypto is obscurity, but not all obscurity is cryptpto. Someone described crypto a s 10% math and 90% muddle...

Re:Is this limited to FreeBSD only?

[Rebar]

One facet of data security is deniability. Which would you rather the Department of Homeland Security find on your hard drive:
/documents/plan_for_world_domination.pgp
or
/wallpaper/cute_puppies.png?

A securely encrypted message, hidden in a file with ostensibly another purpose, such that there is no way to prove the existence of the hidden message would keep anyone from telling you: "Reveal the secret key to this obviously encrypted file, or face contempt of court and an automatic prison sentence."

Re:steganography isn't secure at all

[Inuchance]

I've written a stenography utility once (called bmphide, doubt it's still available for download anywhere), and the noise that resulted from using it was hardly detectable, especially on photographs. Plus, to solve the security issue, I threw in a simple XOR encryption method into it... It didn't have any methods to determine if it was decrypted successfully, so the only way to brute force it would be to try the file after every password and see what happens.

Main reason to use steganography:

[jeduthun]

You're missing the point.

The main reason to use steganography is that it hides the fact that you are hiding something. If you use straight encryption, it is obvious that you have something sensitive that you want to encrypt (most people don't go to the trouble of encrypting things otherwise). Steganography helps you fly under the radar and send encrypted data without people knowing that you are sending encrypted data in the first place.

If someone is already suspicious of you, then of course they can analyze your communications and perhaps notice any steganographic attempts. But if not, you may be able to escape notice longer by exchanging seemingly innocuous data than by exchanging industrial-strengh encrypted data.

Re:Commercial for BSD!

[pgr0ss]

Read the article. At the bottom, it says:

The only question you may be asking yourself is "why use such a utility?" Probably the most common use is to safeguard passwords. We all know that we should use different passwords for various tasks. For example, you should use a different password to log into your computer, another to retrieve email, another for online banking, and yet another for when you create an account on a web server. It can be very handy to make a text file of each password and its usage, and to safeguard that file by hiding it in a place no one would suspect to look.

Re:Commercial for BSD!

[sremick]

Ok, so you're a law-abiding citizen. And you have no need. So obviously, no one else who is law-abiding has a need, and the only the Bad Guys do? C'mon.

You say you "fail to see legitimate uses". Very well. Would you have a legitimate use for a safe? I will assume "yes"... we all have valuables. So let me ask you this: does it make more sense to put the safe in the middle of a wide open room, standing out, maybe even with a sign that says "The safe is here!" Or maybe instead, hide it somewhere. At least in the closet. Or behind a fake wall panel. Buried in the basement? Recessed in the wall behind a dresser?

Steganography is the equivalent of hiding the safe somewhere where it wouldn't be located or expected. If I have passwords on my computer... even if I encrypt them, does it makes sense to store them in /home/scott/topsecret/passwords.tgz or instead in /home/scott/junk/pics/mycat.jpg ? If someone somehow accessed my account, they'd know exactly what file to grab and could then make a concentrated effort to crack into it. While if I disguise the file as something it isn't, they'll pass over it. Why isn't this a legitimate use?

Steganography is neither in itself good or bad. It's a tool which can be used for good or bad. Like a steak knife. Don't condemn it just because all you can think of are the bad uses.

What I'd like to see

[phr1]

is for the standard version of mkfs to fill empty disk blocks with random data (from /dev/urandom) BY DEFAULT instead of zeroing them. That way you can run a stego file system in the unused blocks and it will be indistinguishable from ordinary randomized free blocks. If every BSD (and ideally every GNU/Linux) distro shipped with that feature turned on, there would be no way to tell a stego user from a non-user.