Communicate Covertly and Hide Secret Messages in Plain Sight with Steganography

by April 18, 2011 04/18/11

Secret MessageThe advent of the Internet, including web-based banking, shopping, and all things financial, have created a popular culture that is at least trivially informed about cryptography. Most of us know to look for https:// or a lock icon in our browser before engaging in a sensitive transaction.

One major disadvantage of cryptography is that an encrypted channel sticks out like a sore thumb to an experienced digital sleuth. Enter the world of steganography, the art of hiding messages in plain sight and the advances in covert communication channels.

Using Photographs

The most rudimentary and widely known definition of steganography is hiding textual messages inside of photographs. If you think about today’s digital cameras, it isn’t uncommon for the average photographer to have inexpensive access to a 10, 12, or even 14 megapixel camera. An iPhone 4 uses a 5.0 megapixel camera that yields a .jpg measuring 2592 x 1936.

What if every 31,363 pixels were replaced with the byte equivalent of a character? That would yield a message about the same length of an SMS message, 160 characters. How many people would be able to visually detect the degradation of the photograph if 160 pixels out of 5 million were changed?

1s and 0s

Consider this: a bit is either a 0 or a 1 in the digital realm. A collection of just 6 bits provides 64 different combinations–enough space to include the upper-case English alphabet, numerals 0 through 10, and 28 open spots for punctuation; including a comma, period, colon, space, and carriage return.

Now consider an innocuous twitter account, where the posting includes an extra space after the last period to represent a 1, and no space to represent a 0. Every six tweets can effectively be mapped to a character. Sure, message delivery is slow in this arbitrary example, but the point remains. Even tweets and Facebook posts can carry secret messages!

Steganography Applications

Both the iPhone and Android offer users low cost steganography applications. For example, Spy Pix and Hide It In are two applications that each allows the user to hide one photograph inside of another. Personally, I’m skeptical that a $0.99 app implements a sophisticated enough algorithm to remain undetected from a nation state, but it is probably good enough to fool a run-of-the-mill PI if used judiciously.

If you’re interested in something along the lines of free, that doesn’t require an app, check out Mozaiq to encrypt any image on your hard drive and even assign it a password. To decrypt an image, simply visit this link.

The reality is that modern steganography techniques are far more superior to replacing every n bytes with a character, or ending a sentence with or without an extra space. Each pixel is comprised of RGB values, or red-green-blue. In graphics circles, we describe them as bit planes. In effect, every picture can be reduced to its red plane, green plane, and blue plane–and there are other ways distill a photograph beyond this rudimentary example.

Imagine bouncing around, seemingly randomly, across the bit planes, changing a bit here and a bit there when encoding a secret message into a photograph. Detecting bit plane manipulation in an automated fashion is more difficult than detecting outlying pixel values–but steganalysis is possible.

Steganalysis

Steganalysis is the practice of inspecting a medium to determine if it carries secret content. The Steganography Analysis and Research Center (SARC) focuses exclusively on steganography research and the development of advanced steganalysis products and services. According to their website, their clients range from the US Department of Defense, the CIA and metropolitan police departments. Suffice to say, as steganography advances, so do steganalytic techniques for detecting the use of steganography.

Consider this ultra-simplified example of steganalysis. Histograms are two-dimensional graphs that show how many pixels in an image contain a certain value. Knowing that the range of a byte is 0 to 254, inclusive, a histogram iterates over every pixel in the image and looks at pixel brightness.

The resulting bar graph is typically used by photographers to determine the distribution of tones inside of the photograph, from the darkest on the right to the lightest on the left. Randomly changing n pixels to a character value could (theoretically) stand out in a histogram.

Steganography and Terrorism

Right about now, you’re probably wondering if terrorists have considered using steganography to communicate among disparate cells. If you’re itching to read more about how terrorists might be using steganography, Wikipedia provides an interesting review of Alleged use by Terrorists.

While irrefutable proof of modern terrorists using steganography is hard to come by, the reality is steganography isn’t new. In his excellent book The Codebreakers, David Kahn describes how German spies in World War II used steganography on a wide basis.

So, the next time you see a photo on Flickr–maybe, just maybe, the photograph isn’t really a photograph!

Editor-in-Chief’s Note: Be sure to check out our article main images from here on out on itstactical.com. We won’t be using passwords, but you’ll definitely want to give decrypting them a shot with Mozaiq. I’ve already said too much!


Are you getting more than 14¢ of value per day from ITS Tactical?

Please consider joining our Crew Leader Membership and our growing community of supporters.

At ITS Tactical we’re working hard every day to provide different methods, ideas and knowledge that could one day save your life. Instead of simply asking for your support with donations, we’ve developed a membership to allow our readers to support what we do and allow us to give you back something in return.

For less than 14¢ a day you can help contribute directly to our content, and join our growing community of supporters who have directly influenced what we’ve been able to accomplish and where we’re headed.

Click here to learn about all the benefits and Join!


JD Stankosky
JD Stankosky

If you are on a PC, you can easily hide zipped files inside of jpg's.

The process is:

- Place your zip file and any jpg image you want to hide it in, in the same place.

- Open a Command prompt and navigate to that directory/folder.

- Type the following:

copy /b pictureName.jpg + zipFile.zip newPictureName.jpg

- Check the folder to see if your new picture was made.

By all purposes, it will act as a regular image. You can post it online, email it, whatever. If you open up your zip program and tell it to open the image, you'll see the hidden files.

The only thing to watch for is the image's file size will increase when you add the zip archives to it.

Here's an example I made of an image that contains a zipped text file. Go ahead and see if your zip program will see the file hidden inside. It should be called "secret.txt".

http://jd.stankosky.com/misc/hidden.jpg

JD Stankosky
JD Stankosky

If you are on a PC, you can easily hide zipped files inside of jpg's. The process is: - Place your zip file and any jpg image you want to hide it in, in the same place. - Open a Command prompt and navigate to that directory/folder. - Type the following: copy /b pictureName.jpg + zipFile.zip newPictureName.jpg - Check the folder to see if your new picture was made. By all purposes, it will act as a regular image. You can post it online, email it, whatever. If you open up your zip program and tell it to open the image, you'll see the hidden files. The only thing to watch for is the image's file size will increase when you add the zip archives to it. Here's an example I made of an image that contains a zipped text file. Go ahead and see if your zip program will see the file hidden inside. It should be called "secret.txt". http://jd.stankosky.com/misc/hidden.jpg

Eric S.
Eric S.

Great article, I dig the Spy vs Spy stuff!

Pig Monkey
Pig Monkey

If you don't mind getting your hands dirty with some code, you might be interested in Real Steganography with TrueCrypt.

Les Wes
Les Wes

Interesting Article!

"steganography techniques are far more superior than" is grammatically incorrect, FYI. WC=sophisticated would work, or "far superior to"

Les Wes
Les Wes

Interesting Article! "steganography techniques are far more superior than" is grammatically incorrect, FYI. WC=sophisticated would work, or "far superior to"

johnyD
johnyD

Jason,

Really good article- I guess coming from a Comms background I'm personally intrigued by this kind of stuff, but as a primer for someone interested in the military or law enforcement, this is good information to keep them interested and in the right direction to pursue some time. Thanks!

johnyD
johnyD

Jason, Really good article- I guess coming from a Comms background I'm personally intrigued by this kind of stuff, but as a primer for someone interested in the military or law enforcement, this is good information to keep them interested and in the right direction to pursue some time. Thanks!

The Latest
Squawk Box

We just received our Silver Play Button plaque from YouTube for surpassing 100,000 subscribers on our YouTube channel! A huge shout out to all of you that made this possible! It’s a major award and we’re extremely proud to hang this on our wall. Here’s to the next 100,000!

2 days ago
Leave a Comment