Steganography: What Is It and How Does Steganography Work?
Steganography is the practice of hiding an image, message, or file within something that isn't a secret.
Kids even dabble in steganography. If you ever played with magic ink to bring secret notes to life, you've used it. And if you ever wrote your love a coded message inside something like a homework assignment, you've used a stenographic trick too.
But plenty of adults use steganography too. And sometimes, hackers use the technique to shield their attacks from your detection.
How Does Steganography Work?
There are literally dozens of ways to hide messages, and each one works differently. But most steganography experts rely on the same principles to do their work.
Steganography relies on several pieces, including:
- Payloads. What do you want to embed or hide?
- Carriers. What file or asset will hide your payload?
- Channels. What type of carrier will you use?
- Package. How will the carrier look or respond when buried with the payload?
- Key. How will the recipient decode your message and find the payload?
Without all of these elements, you can't execute any kind of steganography. But with them, you're ready to get started.
Steganography Past and Present
Modern technology takes steganography to new heights. But the practice is ancient.
The word steganographia was coined in 1499 in a book deemed so dangerous that it wasn't published until 1606. It offered plenty of ancient methods used to hide messages.
Even without a published manual, people figured out how to hide messages. Ancient methods involved:
- Wax. Notes were buried under multiple layers of material that could be melted away.
- Wordplay. The second or third letter in each word could be strung together to form secret messages.
- Pictography. Tiny animals or leaves represented family crests, and they could outline upcoming alliances.
- Ink. Notes were painted on soldiers’ bodies and could be revealed with juice or fluids.
Modern steganographers add or replace bits in files with secret data. For example, they might alter the file header of a document, attaching a few bits that only the recipient would look for.
Where Is Steganography Used?
Imagine that you have a secret note you must get to a colleague or enemy. What kind of channel can you use?
Steganography is used in almost every type of file you can imagine, including:
- Image files. A few pixels within the image are shifted, and each one represents a letter of the alphabet. An outsider might not see the changes, even when looking hard for them. But with the right key, a recipient can decipher the change. Some artists use this technique to prove ownership of their works.
- Sound files. A song or recorded sound could contain an image that's only seen via spectrogram. A casual listener may not notice the difference, but a few tiny bytes of the audible data have been changed.
- Social media posts. Someone changes the title of a shared video or image. People may also deliberately misspell words and phrases, delivering secret messages to those with the key.
- Videos. A picture embedded within a video is only visible when the file is played at a very slow or fast pace.
- IoT. Messages are placed in an image, which is sent along each time the IoT device shares data. Manufacturers might use this technique to prove that the device hasn't been altered or hijacked.
You could use cryptography to tackle many of the same tasks. Rather than changing a message and sending the code to your recipient, you could just alter the entire message instead.
But it's relatively easy to spot messages that have been encrypted. Steganography doesn't attract the same level of attention, and it's attractive for that reason. Rather than just hiding your message, you're concealing the fact that you have a secret to share.
Stenographic Attacks: Are You at Risk?
Hackers have plenty of secrets to share, and they don't want security professionals to find out about them. Steganography appeals to them as well.
Hackers use one of three techniques as they build their attacks.
- Least significant bit: The hacker evaluates the carrier and determines what's unimportant. Those bits are replaced with the secret code. A hacker might use this approach with images or downloadable files.
- Palette-based: Hackers stretch the palette of an image and hide their bits within. The payload is encrypted, so it's even harder to spot.
- Secure cover selection: Hackers compare the blocks of an image to the blocks of their message. The one with the closest match is the carrier, and it's fitted accordingly.
A hacker's message is typically malware. Interact with the altered files in any way, and the program springs to life and begins to work. You may never know the attack is happening.
Hackers can reach you via one of four methods.
- Digital media files: A hacker might embed malware in a photo on your website or in an email signature.
- Mimicry: The hacker spoofs a legitimate website, and doing anything on it starts the download.
- Ransomware: The hackers send an infected email demand, and clicking on it can start the malware process.
- Exploit kits: Hackers can infect banner ads or other website parts, and clicking them leads to a redirect of an infected landing page.
These attacks may seem sophisticated, but software makes embedding almost anything really easy. Free and available steganography programs include:
It's not easy to spot a steganographic attack. But because these threats exist, it's wise to remind your colleagues to avoid interacting with anything they can't verify. That email from an outsider or flashing ad in a website sidebar could be dangerous. It's not wise to click.
Help From Okta
Hackers get more sophisticated every year. Your protection methods should shift accordingly. Use our tools to surround your data with safety and know that you're monitoring everything closely to catch a problem as soon as it appears.
Learn how Okta can help keep your information, users, and data safe.
References
The Ancient Art of Hidden Writing. (July 2020). BBC.
Crash Course: Digital Steganography. (May 2011). Computerworld.
An Overview of Steganography for the Computer Forensics Examiner. (July 2004). The Federal Bureau of Investigation.
Securing Data in Internet of Things (IoT) Using Cryptography and Steganography Techniques. (January 2020). IEEE.
What Is Steganography and What Are Its Popular Techniques? (May 2020). EC Council.
With Cryptography Easier to Detect, Cybercriminals Now Hide Malware in Pain Sight. Call It Steganography. Here's How It Works. (November 2018). IEEE.
1-2-Steganography 2.1. Tucows Downloads.
Home. OpenStego.
Free Steganography Software. QuickCrypto.