According to a rumor in computer security circles, earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.
Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.
Steganography uses innocuous documents, usually an image file, as carriers for secret messages. Unlike encryption, steganography encodes the message while at the same time concealing the fact that a message is being sent at all. The Greek-derived name means ”covered writing.” The earliest steganographers were said to be Greek generals who tattooed sensitive information onto the shaved heads of messengers. Once the hair grew back, the messenger could travel without suspicion to the intended recipient, who ”decrypted” the secret message by shaving the messenger’s head again. In its current incarnation, steganography often makes use of e-mail, an ideal carrier for any corporate spy, disgruntled employee, or terrorist.
Steganography algorithms vary widely—digital forensics firm WetStone Technologies Inc., of Ithaca, N.Y., lists 622 applications—but they work on basically the same principle. To embed a message in an innocuous image of a cat, for example, a commonly used steganography algorithm called LSB takes advantage of the way computers digitally encode color. The algorithm hides the fugitive file inside the so-called noncritical bits of color pixels. Noncritical bits are just what they sound like—the least important information in a pixel. A gray pixel in the cat’s uniformly gray fur, for example, is coded as a number that looks something like 00 10 01 00. By changing the least significant bits—the last two—you introduce one-millionth of a color change, an absurdly subtle alteration that no human eye could detect.
The steganography application folds the secret message’s bits into the image’s least significant bits, but it typically leaves the image file unaltered in size or any other variable that would provide clues to infiltration. Compression does not affect the integrity of the stowaway data—the algorithms work just as well for lossy compression (for example, in a JPEG format) as they do for lossless compression methods. When the message reaches its intended recipient, an unlocking algorithm locates the stowaway bits in the cat image pixels and uses them to reconstruct the secret message.
Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls ”double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. ”As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. ”Our results are simple,” Bertolino says. ”An extremely high percentage of the hidden files were destroyed.” Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department’s annual digital forensics conference, the Cyber Crime Conference.