A picture
is said to be worth a thousand words. Today, businesses wanting to guard
against the potentially serious hazard of vitally important data being
maliciously leaked to unauthorised people outside or even inside the
organisation, need to get to grips with an alarming reality: a picture can also
conceal a thousand words.
More than enough, at any
rate, to betray all your most precious and commercially sensitive data. You
name it: locations of newly-discovered oil fields; formulae for synthesising
newly-discovered molecules of breakthrough drugs costing millions to develop; designs
of revolutionary products you’re planning on being the first to bring to
market; ultra-sensitive lists of hard-won customers; or whatever else.
Data concealed in pictures? If it
sounds like science-fiction or the basis of a plot sequence in the next Mission Impossible movie, maybe it is.
But unfortunately for organisations, that doesn’t make the threat any less
dangerous.
 |
| Wax Tablets Used For Writing In Roman Empire |
The technique is called steganography, from the Ancient Greek
words meaning ‘hidden’ or ‘covered’ writing’, just as that lumbering dinosaur
the stegosaurus is so named because its back was covered in those large bony
plates whose real purpose is a mystery even today.
 |
| Steganographia Published circa 1499 |
But steganography wasn’t a mystery to
the Ancient Greeks; indeed they most likely invented it. The Greek historian
Herodotus records that in 312 BC, Histaeus of Miletus commanded the head of his
most trusted slave to be shaved and tattooed with a vitally important secret
message on it. Once the slave’s hair had grown, hiding the message, Histaeus
used him as an emissary to a friendly power via enemy territory to instigate a
revolt against the Persians.
This example from history shows why
steganographic writing is such a dangerous threat to security. Friends who
betray us are always a more potent threat than people who we recognise as enemies
from the outset, and steganographic messages look friendly and innocent. You
could devise a simple steganographic message by agreeing with your recipient
that your real message will consist
of the first letter of every word of your apparent
message. ‘Bring us your invoice by Monday’, for example, would really mean ‘BUY IBM.’
In steganographic writing the apparent
message is known as the covertext and
the real message is called the plaintext.
The innocuous appearance of the covertext in the example illustrates why
steganographic writing doesn’t tend to set alarm bells ringing. It looks innocent, whereas the message ‘BUY
IBM’ encrypted in a simple code that consisted, say, of substituting each
letter for the next letter in the alphabet - ‘CVZ JCN’ - obviously looks dodgy
and would be certain to awaken the suspicions of even the most credulous member
of an organisation’s industrial espionage prevention team.
The point is that any encrypted
message will tend to raise suspicions
because even though it can’t readily be read you will know it’s been encrypted
and will instantly conclude that something fishy’s going on.
In the highly competitive ocean of
modern business, the threat of steganography has recently become a major issue
in corporate life. It’s been important for several years due to the increased
computing power available on everyone’s desktop, but people have been
distracted by publicity about cryptography and steganography has rather
remained in the background. It’s a particularly worrying threat now because of the
enormous computing power on desktops today, the massive volume of electronic
communications, and the number of freely available tools that allow even a
routine user to employ steganographic techniques.
 |
| The Film Character Gordon Gekko |
By far the biggest threat is the
potential for concealing steganographic writing within computerised images.
With Windows you can literally drag and drop your hidden text onto a picture
and the deed is done. As Gordon Gekko reminded us in the film Wall Street (1985), the most valuable
commodity of all is information. And it’s precisely that which can so easily be
given away today - or sold - using image-based steganographic techniques.
But what is actually happening when
you carry out what looks like a simple drag and drop?
 |
| Closeup Of Pixels On Laptop Screen |
An electronic image is comprised of
thousands of ‘picture elements’ or ‘pixels’. A pixel is a binary number that
provides information on the colour or (in a black and white picture) the shade
of grey that should be displayed in that
particular pixel. The binary number will look something like this: 10011011
etc depending on the pixel in question. The individual numbers (the ‘1’ or the
‘0’) are known as ‘bits’ and the further
along you go to the right the less significant the bits become in defining
the precise colour of the pixel.
The opportunity for steganography
occurs because the less significant bits towards the right can be changed without a significant change to the appearance of
the pixel in the image. Indeed, there will probably not be any discernible
change at all. But every time a bit is changed slightly a piece of data can be
hidden in that changed bit. In a computerised image whose size is 256 by 256
pixels, making a total of 65,536 pixels, there would easily be room to conceal
say, about 5,000 words of data.
Bit twiddling is the most common way to
conceal text within a computerised image. There are many more techniques,
though, particularly when using image formats such as the now ubiquitous ‘jpeg’
which many will have encountered through their digital cameras.
And so an apparently innocuous picture
of - say - an employee’s child’s first day at school taken with a standard
family digital camera could easily be used to conceal a leak that turns out to
be so fatal to the organisation that by the time that school term ends,
thousands of other mums and dads at the business from which the information was
leaked have had to find new jobs - if they can.
What’s the best way to guard against
the hazard of modern image-based steganographic betrayal? The first step is to
recognise that it is a potential
problem and get help to understand what tools are likely to available to a
malicious team member. You also need to know the manner in which these tools
can be used because not only is it hard to find the results of what the tools
do but the tools themselves often leave little trace of their presence – some
are even termed ‘zero footprint’ because they are.
Yet there is some help at hand
because, just as those who have been building the steganography tools have
released them onto the internet, a dedicated team of experts have been making
available tools to help detect hidden messages through the science of
‘steganalysis’. Or perhaps it would be better to call steganalysis an art. The
trouble is that the methods of detecting where and when steganogaphy has been
used tend to rely on statistical techniques, and these by their very nature
deal in probabilities rather than certainty. This means that the detection
tools can, and do, give ‘false positives’. You may accuse a trusted employee of
sending hidden confidential information only to find that it was, after all, only a picture of their child’s first
day at school.
The detection tools need to be used so
that the appropriate steganalysis tool is used in the appropriate situation.
Admittedly, this is not easy, when the range of steganography tools and the
steganalysis counterparts have proliferated and are proliferating just as the
threat from viruses did when they first emerged into the IT environment.
Taking the threat of betrayal by
apparently innocuous pixels seriously will lead you to put into the measures
necessary to defend against it. And you do need to take this threat very
seriously indeed. The stegosaurus may be long extinct, but steganographic
treachery is, unfortunately, here to stay.