Thursday, 18 April 2013

Picture This - Secrets Lost Before Your Eyes

A picture is said to be worth a thousand words. Today, businesses wanting to guard against the potentially serious hazard of vitally important data being maliciously leaked to unauthorised people outside or even inside the organisation, need to get to grips with an alarming reality: a picture can also conceal a thousand words.

More than enough, at any rate, to betray all your most precious and commercially sensitive data. You name it: locations of newly-discovered oil fields; formulae for synthesising newly-discovered molecules of breakthrough drugs costing millions to develop; designs of revolutionary products you’re planning on being the first to bring to market; ultra-sensitive lists of hard-won customers; or whatever else.

Data concealed in pictures? If it sounds like science-fiction or the basis of a plot sequence in the next Mission Impossible movie, maybe it is. But unfortunately for organisations, that doesn’t make the threat any less dangerous.

[Image: Wax tablets used for writing in the Roman Empire]

The technique is called steganography, from the Ancient Greek words meaning ‘hidden’ or ‘covered’ writing, just as that lumbering dinosaur the stegosaurus is so named because its back was covered in those large bony plates whose real purpose is a mystery even today.

[Image: Steganographia, published circa 1499]

But steganography wasn’t a mystery to the Ancient Greeks; indeed they most likely invented it. The Greek historian Herodotus records that in 312 BC, Histiaeus of Miletus commanded the head of his most trusted slave to be shaved and tattooed with a vitally important secret message on it. Once the slave’s hair had grown, hiding the message, Histiaeus used him as an emissary to a friendly power via enemy territory to instigate a revolt against the Persians.

This example from history shows why steganographic writing is such a dangerous threat to security. Friends who betray us are always a more potent threat than people who we recognise as enemies from the outset, and steganographic messages look friendly and innocent. You could devise a simple steganographic message by agreeing with your recipient that your real message will consist of the first letter of every word of your apparent message. ‘Bring us your invoice by Monday’, for example, would really mean ‘BUY IBM.’

In steganographic writing the apparent message is known as the covertext and the real message is called the plaintext. The innocuous appearance of the covertext in the example illustrates why steganographic writing doesn’t tend to set alarm bells ringing. It looks innocent, whereas the message ‘BUY IBM’ encrypted in a simple code that consisted, say, of replacing each letter with the next letter in the alphabet - ‘CVZ JCN’ - obviously looks dodgy and would be certain to awaken the suspicions of even the most credulous member of an organisation’s industrial espionage prevention team.

The point is that any encrypted message will tend to raise suspicions because even though it can’t readily be read you will know it’s been encrypted and will instantly conclude that something fishy’s going on.

In the highly competitive ocean of modern business, the threat of steganography has recently become a major issue in corporate life. It’s been important for several years due to the increased computing power available on everyone’s desktop, but people have been distracted by publicity about cryptography and steganography has rather remained in the background. It’s a particularly worrying threat now because of the enormous computing power on desktops today, the massive volume of electronic communications, and the number of freely available tools that allow even a routine user to employ steganographic techniques.

[Image: The film character Gordon Gekko]

By far the biggest threat is the potential for concealing steganographic writing within computerised images. With Windows you can literally drag and drop your hidden text onto a picture and the deed is done. As Gordon Gekko reminded us in the film Wall Street (1985), the most valuable commodity of all is information. And it’s precisely that which can so easily be given away today - or sold - using image-based steganographic techniques.

But what is actually happening when you carry out what looks like a simple drag and drop?

[Image: Close-up of pixels on a laptop screen]

An electronic image is comprised of thousands of ‘picture elements’ or ‘pixels’. A pixel is a binary number that provides information on the colour or (in a black and white picture) the shade of grey that should be displayed in that particular pixel. The binary number will look something like this: 10011011 etc depending on the pixel in question. The individual numbers (the ‘1’ or the ‘0’) are known as ‘bits’ and the further along you go to the right the less significant the bits become in defining the precise colour of the pixel.

The opportunity for steganography occurs because the less significant bits towards the right can be changed without a significant change to the appearance of the pixel in the image. Indeed, there will probably not be any discernible change at all. But every time a bit is changed slightly a piece of data can be hidden in that changed bit. In a computerised image whose size is 256 by 256 pixels, making a total of 65,536 pixels, there would easily be room to conceal say, about 5,000 words of data.

Bit twiddling is the most common way to conceal text within a computerised image. There are many more techniques, though, particularly when using image formats such as the now ubiquitous ‘jpeg’ which many will have encountered through their digital cameras.

And so an apparently innocuous picture of - say - an employee’s child’s first day at school taken with a standard family digital camera could easily be used to conceal a leak that turns out to be so fatal to the organisation that by the time that school term ends, thousands of other mums and dads at the business from which the information was leaked have had to find new jobs - if they can.

What’s the best way to guard against the hazard of modern image-based steganographic betrayal? The first step is to recognise that it is a potential problem and get help to understand what tools are likely to be available to a malicious team member. You also need to know the manner in which these tools can be used because not only is it hard to find the results of what the tools do but the tools themselves often leave little trace of their presence – some are even termed ‘zero footprint’ because they are.

Yet there is some help at hand because, just as those who have been building the steganography tools have released them onto the internet, a dedicated team of experts have been making available tools to help detect hidden messages through the science of ‘steganalysis’. Or perhaps it would be better to call steganalysis an art. The trouble is that the methods of detecting where and when steganography has been used tend to rely on statistical techniques, and these by their very nature deal in probabilities rather than certainty. This means that the detection tools can, and do, give ‘false positives’. You may accuse a trusted employee of sending hidden confidential information only to find that it was, after all, only a picture of their child’s first day at school.
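The bit-level hiding described earlier and the statistical detection described here can be seen together in the following added example, which is not part of the original article. It assumes one hidden bit per colour byte of a 256 by 256 RGB image and uses constructed sample data; the chi-square test on pairs of values and its threshold are illustrative assumptions, not the method of any particular tool.

```python
import random

def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of each cover byte with one payload bit."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds one bit per cover byte")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes of payload from the LSBs of the first 8 * n_bytes bytes."""
    return bytes(sum((stego[8 * k + i] & 1) << (7 - i) for i in range(8))
                 for k in range(n_bytes))

def pov_score(samples: bytes) -> float:
    """Chi-square over value pairs (2k, 2k+1), divided by the pairs counted.
    LSB replacement drives each pair towards equal counts, so fully embedded
    data scores close to 1; an untouched uneven histogram scores far higher."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, pairs = 0.0, 0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected >= 5:  # ignore sparsely populated pairs
            chi2 += 2 * (hist[k] - expected) ** 2 / expected
            pairs += 1
    return chi2 / pairs if pairs else float("inf")

def suspicious(samples: bytes, threshold: float = 2.0) -> bool:
    """Flag data whose pairs look equalised. The threshold is an assumption."""
    return pov_score(samples) < threshold

rng = random.Random(2013)  # fixed seed: the constructed samples are repeatable
N = 256 * 256 * 3          # colour bytes in a 256 x 256 RGB image
# Constructed cover with a deliberately uneven histogram (even values favoured).
CLEAN = bytes(2 * rng.randrange(128) + (rng.random() < 0.25) for _ in range(N))
# Constructed payload: random bytes standing in for compressed or encrypted text.
STEGO = embed(CLEAN, bytes(rng.getrandbits(8) for _ in range(N // 8)))
# Constructed innocent image of pure noise with nothing hidden in it.
NOISY = bytes(rng.getrandbits(8) for _ in range(N))

if __name__ == "__main__":
    for name, data in (("clean", CLEAN), ("stego", STEGO), ("noisy", NOISY)):
        print(f"{name}: score={pov_score(data):8.2f} flagged={suspicious(data)}")
```

The noisy sample is flagged even though nothing was embedded in it, which is the false positive the paragraph above warns about: the test measures how equalised the value pairs are, not whether a message is present.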

The detection tools need to be used so that the appropriate steganalysis tool is used in the appropriate situation. Admittedly, this is not easy, when the range of steganography tools and the steganalysis counterparts have proliferated and are proliferating just as the threat from viruses did when they first emerged into the IT environment.

Taking the threat of betrayal by apparently innocuous pixels seriously will lead you to put in place the measures necessary to defend against it. And you do need to take this threat very seriously indeed. The stegosaurus may be long extinct, but steganographic treachery is, unfortunately, here to stay.