Howard sent round a bit of a plea for help on Friday. He’s writing a report for one of his clients looking at security issues, particularly with Internet e-mail systems. They are especially concerned about important corporate data being leaked via e-mail, whether intentionally or not, and Howard was looking for as many different ideas as possible about ways that information could be sneaked out.
Thinking about it, a lot of the ways that you could hide something would be obvious. For example, if you as an organisation knew that information was leaking, then an e-mail message in code, one with some sort of strange zipped attachment, or one with funny coloured text going through would arouse suspicions. What would be needed is a way to hide information in plain sight: some sort of steganographic solution, for example a phoney message where key words are identified in some way.
Having said that, the technique is not limited to hiding text within other text. Modern technology brings some much more high-tech solutions. One is reported to have been in common usage by terrorists to pass information (indeed, in one episode of Sleeper Cell, terrorists are sent to a particular page on eBay where the plans are encoded into a picture of a rug). Essentially, it takes advantage of the fact that digital files, even with modern compression techniques, still have some spare space. In a bitmap, for example, there are dark areas of an image where a slight change in the level of darkness would not be discernible, so the image can be doctored to hide other digital data. In other file formats there are parts of the file structure that aren’t used at all. These techniques are also used by digital watermarking processes to allow photographers to copyright their work electronically and invisibly.
By this point you’ve probably worked out that the slightly odd choice of picture above is no accident. Using a clever bit of software called iSteg, a front end to a command line tool called OutGuess, I’ve encoded a second picture into the first. Obviously the spare capacity is limited, so the second image is a very small, low quality version of a picture I took of Beth over the summer; however, you get the idea. If you don’t believe me, you’ll need a copy of iSteg or an equivalent, and you’ll need to know the password which I have used to lock the secret image, which in this case is ‘test’. If you decode the image with that password, you should get this little snapshot of Beth come out at the end. As Beth said when I showed her, it seems just like the kind of stuff that occurs in sci-fi movies, all on your home computer!
Incidentally, as to the question of whether people are actually hiding information in this way, the people behind OutGuess have an ongoing project to try to detect the use of steganography on the Internet. According to their site, a search of two million images from eBay auctions and more than a million images on newsgroups did not find a single image containing hidden data. For those interested in the technical aspects, the site also includes an academic paper on the search.
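To make the bitmap idea and the detection question concrete, here is an added example; it is not from the original post, nor is it iSteg or OutGuess code. It assumes plain least-significant-bit replacement on a constructed list of greyscale pixel values and a pairs-of-values chi-square score as the detector, both chosen for illustration, with hypothetical function names throughout.

```python
import random

def embed_lsb(pixels, bits):
    """Overwrite the lowest bit of each pixel with one payload bit."""
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def extract_lsb(pixels, count):
    """Read the payload back from the lowest bit of the first `count` pixels."""
    return [p & 1 for p in pixels[:count]]

def pair_imbalance(pixels):
    """Chi-square distance between the counts of values 2k and 2k+1.

    LSB replacement with random-looking data pushes each pair towards
    equal counts, so a score near zero is the suspicious case.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    score = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 4:            # ignore sparsely populated pairs
            score += (even - expected) ** 2 / expected
    return score

def demo(n_pixels=50_000, seed=1):
    rng = random.Random(seed)
    # Constructed cover: a dark image region, 8-bit greyscale, skewed to black.
    cover = [min(255, int(rng.expovariate(0.25))) for _ in range(n_pixels)]
    # Constructed payload: random bits, standing in for encrypted hidden data.
    payload = [rng.getrandbits(1) for _ in range(n_pixels)]
    stego = embed_lsb(cover, payload)
    return {
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "payload_recovered": extract_lsb(stego, len(payload)) == payload,
        "cover_score": pair_imbalance(cover),
        "stego_score": pair_imbalance(stego),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

No pixel moves by more than one grey level, yet the histogram score collapses once every pixel carries payload. A short message in a large image shifts the histogram far less, so this score on its own is a weak detector in that case.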