4 - 1
Encryption and Exploits - SANS
©2001
1
Steganography
Security Essentials
The SANS Institute
Now that we have taken a detailed look at cryptography, let's take a look at another related area,
which is steganography or data hiding. Steganography (“stego”) is related to cryptography
(“crypto”) because in both fields you do not want someone to be able to read your message, but
stego takes a slightly different approach. With crypto, the message is garbled in such a way
that someone cannot read the message, but they can tell that the message is encrypted. In certain
environments, this could raise suspicion to an unacceptable level. With stego, the real message is
hidden in an overt message so someone cannot even tell that you are sending a secret message. As
you will see in practice, the two are often used together.
Stego is a new area and hopefully you will find it exciting. We will also show you several of the
tools that exist for hiding information and give you links where you can download the tools and try
them out for yourself.
Steganography (Stego)
• Steganography, abbreviated as stego, not to be confused
with stenography.
• Involves concealing the fact that you are sending
“sensitive” information
• Data hiding
• Relatively new field
• Can hide in a variety of formats
– Images
  • Bmp, Gif, Jpg
– Word Documents
– Text Documents
– Machine Generated Images
  • Fractals
Steganography is a fairly new, but very interesting field. It involves hiding data within another
file, such as an image, so that both the meaning of the message and the fact that a message is being
sent are concealed. Data can be embedded in a wide range of file types using a variety of
methods.
Crypto vs. Stego
• Cryptography (Crypto) provides
confidentiality but not secrecy.
• It is fairly easy to detect that someone
is sending an encrypted message, it is
just very hard for someone to read it.
• With stego, you do not even know
someone is sending a message, you are
hiding the true intent.
Let's quickly compare cryptography to steganography. With crypto, an unauthorized party cannot
read the message but they can tell that the data has been encrypted. With stego, since the message is
hidden, someone cannot even tell that a secret message is being sent.
Detecting Cryptography
• It is very easy for both humans and
computers to detect that a message is
encrypted. For example “test” becomes
• A human can infer that this is
unreadable.
As you can see, a human can quickly detect that a message is encrypted. Based on this fact, it is easy
for someone to infer information about two parties that are communicating. For example, if two
parties periodically send a large number of encrypted messages and the next day a major terrorist
event occurs, then even though I cannot tell what the 2 parties are talking about, I can infer that they
were involved with the questionable activities.
Detecting Cryptography (2)
• Cryptography basically randomizes the
characters in a message.
• A histogram shows the frequency of
characters.
• A normal document has a non-predictable
histogram.
• An encrypted document has a flat histogram,
since with randomization, all characters
should appear the same number of times.
By nature of how encryption works, when a message gets encrypted the distribution of characters
becomes randomized. This provides a unique signature that can be used to detect encrypted text.
Histograms
[Figure: two bar charts, “Encrypted Text” and “Normal Text”, each plotting Frequency against the characters 1 to 26.]
The histogram for encrypted text is very flat and easy for an automated program to detect.
The histogram for “normal” text is very non-uniform and easy for an automated program to distinguish between encrypted and unencrypted information.
As you can see, with an encrypted message the frequency of characters is very uniform, with each
character (1=A, 2=B, …, 26=Z) appearing the same number of times. By nature of how the English
language works, we know that this does not occur with normal text. With a normal document,
certain letters appear more often than others. For example the letters E and S will appear more often
than the letters Q and Z.
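The flat-histogram signature described above can be measured directly. The following is an added example, not part of the original course material: it scores the byte histogram with Shannon entropy, and the function names, the 7.0 threshold, the 512-byte minimum and the XOR keystream standing in for a real cipher are all assumptions made for the demonstration.

```python
import hashlib
import math
from collections import Counter

def entropy_bits(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0 to 8)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.0, min_len: int = 512) -> bool:
    """Flag data whose byte histogram is close to flat.

    Entropy cannot exceed log2(len(data)), so short samples are rejected
    rather than silently reported as "not encrypted".
    """
    if len(data) < min_len:
        raise ValueError(f"need at least {min_len} bytes, got {len(data)}")
    return entropy_bits(data) >= threshold

def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a cipher: XOR with a SHA-256 counter keystream."""
    blocks = range(len(plaintext) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in blocks)
    return bytes(p ^ s for p, s in zip(plaintext, stream))

# Constructed sample input: ordinary English prose, repeated to get enough bytes.
NORMAL = (b"With a normal document, certain letters appear more often than "
          b"others. For example the letters E and S will appear more often "
          b"than the letters Q and Z. ") * 8
ENCRYPTED = toy_encrypt(NORMAL, b"constructed-demo-key")

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("encrypted", ENCRYPTED)):
        byte, count = Counter(data).most_common(1)[0]
        print(f"{name:9} entropy={entropy_bits(data):.2f} bits/byte "
              f"top byte={byte:#04x} x{count} flagged={looks_encrypted(data)}")
```

Compressed files also have near-flat byte histograms, so this check identifies high-entropy data rather than encryption specifically.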
How Steganography Works?
• Stego requires a host file and the
hidden message.
• Host file can be generated on the
fly or use an existing file.
• Hidden message is either used to
generate a file or hidden in certain
parts of an existing file.
Stego works by embedding a secret message within an open or overt message. Everyone will see the
overt message and never know that it is a cover and the real message is hidden inside.
General Types of Stego
• There are many ways to hide
information; lesson in creativity.
• General methods:
– Injection
– Substitution
– Generate new file
To hide data within an image, the secret message can be embedded or injected within another
image. This will increase the size of the file and be easy to detect. Alternatively, certain information
in a file can be replaced, which will not increase the size of the file. A newer technique is
to use the secret message to generate a new text or image file.
Injection
• Most file types have ways of putting
information in a file that will be
“ignored”.
• For example, hidden form elements in
html.
• Word documents also have hidden
information.
– Create a large document and remove data,
notice the file size is very large
With injection, data is put within a host file in such a way that when the file is actually read by a
given program, the program ignores the data. Most programs, like web browsers or Microsoft Word,
have ways of putting “hidden” data within a file, that exists in the file but is ignored when the
program displays it to the user.
Injection Example
<html>
<body lang=EN-US style='tab-interval:.5in'>
<div class=Section1>
<p class=MsoNormal>Hello World</p>
<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>
<p class=MsoNormal><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>
<input type="hidden" name="SearchFunction" value="This is a hidden message">
</div>
</body>
</html>
Browser displays “Hello World” but viewing the source reveals a hidden message.
Here is a simple example of injecting data within an html file. By using the hidden field, a message
can be embedded within the source file, but ignored when displayed by the browser.
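A reviewer can list this kind of injected content without opening the page source by hand. The following is an added example, not part of the original course material: it reports hidden form fields and, going one step beyond the slide, HTML comments, which a browser also ignores. The class and function names are assumptions, and the sample page is constructed from the slide's markup plus one constructed comment.

```python
from html.parser import HTMLParser

class IgnoredContentScanner(HTMLParser):
    """Collect content that is present in the file but never rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, name, text)

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.findings.append(
                ("hidden-input", a.get("name", ""), a.get("value", "")))

    def handle_comment(self, data):
        if data.strip():
            self.findings.append(("comment", "", data.strip()))

def scan(html: str):
    """Return every hidden field and comment found in the markup, in order."""
    scanner = IgnoredContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: the slide's markup plus one constructed comment.
SAMPLE = """<html><body lang=EN-US>
<div class=Section1>
<p class=MsoNormal>Hello World</p>
<input type="hidden" name="SearchFunction" value="This is a hidden message">
<!-- constructed: a comment is ignored by the browser too -->
</div>
</body></html>"""

if __name__ == "__main__":
    for kind, name, text in scan(SAMPLE):
        print(f"{kind:13} {name:15} {text!r}")
```

Hidden fields and comments are common in legitimate pages, so the output is a list for review, not a verdict.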
Substitution
• Data in a file can be replaced or
substituted with hidden text.
• Depending on the type of file and/or
the amount of data, it could
result in degradation of the file.
• Usually replaces insignificant data
in the host file.
Data in a file can be replaced or substituted with hidden text. Depending on the type of file and/or
the amount of data, it could result in degradation of the file. In order to make this technique
undetectable to the human observer, the technique usually replaces insignificant data in the host file.
Generate A New File
• The hidden data can also be used
to generate a new file.
• No host file is needed.
• For example, the input text can be
used to generate fractals or
“human” like text.
Also, to eliminate the need for a host file, the secret message can be used to generate a new file. For
example, a file consisting of complex fractals can be generated based on the input file. This means
that each unique input file would generate a unique output file.
Stego Example
• A common way to embed data in an image is
to replace the LSB (least significant bits)
• For an 8 bit file, each pixel is represented by
8 bits:
– 10001100
– The most significant bits (MSB) are to the left and
the least significant bits (LSB) are to the right.
– If you change a MSB it will have a big impact on
the color. If you change the LSB it will have
minimal impact.
This shows an example of how data can be embedded in an image file using a basic technique called
LSB. With this technique, the least significant bits of the image file are replaced with data. For an 8
bit file, each pixel is represented by 8 bits, 10001100. The most significant bits (MSB) are to the left
and the least significant bits (LSB) are to the right. If you change a MSB it will have a big impact on
the color. If you change the LSB it will have minimal impact.
Stego Example (2)
• If we change only 1 or 2 LSB’s in the image,
it will have minimal impact because most
human eyes can only detect around 6 bits of
color.
• Regardless of what the last 2 LSB’s are, a
human eye cannot tell the difference.
• If we take 10001100 and change it to
10001111 or 10001110, it will all seem like
the same color.
• This means we can embed data in those bits.
Since the LSB’s will have a minimal impact, we will change those bits for each pixel. Regardless of
what the last 2 LSB’s are, a human eye cannot tell the difference. If we take 10001100 and change
it to 10001111 or 10001110, it will all seem like the same color. This means we can embed data in
those bits.
Embedding Data in Pixels
• So if our message converted to binary is
1101 0010, the first 8 pixels will be
modified as follows
– 1100 0101 becomes 1100 0111
– 1111 0010 becomes 1111 0001
– 1010 1111 becomes 1010 1100
– 0010 0010 becomes 0010 0010
• To an observer, the image looks
normal.
The following shows how we would embed data in the pixels of an image.
So if our message converted to binary is 1101 0010, the first 8 pixels will be modified as follows
1100 0101 becomes 1100 0111
1111 0010 becomes 1111 0001
1010 1111 becomes 1010 1100
0010 0010 becomes 0010 0010
To an observer, the image looks normal.
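The bit arithmetic behind the values listed above, as an added example that is not part of the original course material. It uses the slide's pixel values and message; the listed results correspond to two message bits per pixel, so the eight message bits occupy the four values shown. The function names are assumptions.

```python
def embed_lsb(pixels, bits, n=2):
    """Return a copy of pixels with the n low bits of each value
    replaced by successive message bits."""
    if len(bits) % n:
        raise ValueError("message length must be a multiple of n")
    if len(bits) // n > len(pixels):
        raise ValueError("cover is too small for the message")
    mask = (1 << n) - 1
    out = list(pixels)
    for i in range(len(bits) // n):
        chunk = int(bits[i * n:(i + 1) * n], 2)
        out[i] = (out[i] & ~mask) | chunk  # clear the low bits, then set them
    return out

def extract_lsb(pixels, nbits, n=2):
    """Read nbits message bits back out of the n low bits of each pixel."""
    mask = (1 << n) - 1
    return "".join(format(p & mask, f"0{n}b") for p in pixels[:nbits // n])

def changed_pixels(original, suspect):
    """Indexes where two pixel arrays differ (requires the original image)."""
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]

# Values taken from the slide.
COVER = [0b11000101, 0b11110010, 0b10101111, 0b00100010]
MESSAGE = "11010010"
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    for before, after in zip(COVER, STEGO):
        print(f"{before:08b} becomes {after:08b} (change of {abs(after - before)})")
    print("recovered message:", extract_lsb(STEGO, len(MESSAGE)))
    print("pixels that differ from the original:", changed_pixels(COVER, STEGO))
```

The largest change to any value is 3 out of 255, and the last pixel does not change at all because its low bits already matched the message.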
S-Tools
• Embeds data in the LSB of the
color table for bmp files.
• Even if you have the original file,
the two images look identical.
• S-Tools is available from:
– />crypt/code/s-tools4.zip
Now let's look at an example of a popular tool called S-Tools that is used to embed data in images.
S-Tools Example
The image to the left is the
original image and the
image below has a 10 page
document embedded in it.
Through visual observation,
they look identical. Or if
you only saw the one with
data hidden, it would not
look suspicious.
Here you can see that even though the two images are not the same, they look identical and the file
size is the same.

Detecting S-Tools
• Since S-Tools changes the colors
in the color table, it increases the
number of near duplicate colors.
• A normal bitmap (bmp) has very
few duplicate colors.
• A bmp with data embedded has a
large number of duplicate colors.
If you know what to look for, detecting S-Tools is fairly straightforward. When you embed data in a
bmp file, you are actually changing the colors in the color table. This is what the program uses to
look up colors for each pixel. Since S-Tools changes the colors in the color table, it increases the
number of near duplicate colors. A normal bitmap has very few duplicate colors. A bitmap with
data embedded has a large number of duplicate colors.
Detecting S-Tools (2)
• A small program was written to print out the
number of duplicate colors.
• For a normal file, the following is the output:
– D:\DH\Data\BMP>bmpmap forest.bmp
– File Name: forest.bmp
– actual size: 66146 Reported: 66146
– Duplicate colors: 2
• For one with embedded data:
– D:\DH\Data\BMP\STools>bmpmap forest_h.bmp
– File Name: forest_h.bmp
– actual size: 66614 Reported: 66614
– Duplicate colors: 1046
I wrote a small program that will go through the color table and determine the number of near
duplicate colors. If the number of near duplicate colors is greater than 50, you know that data has
been embedded in the image. Notice that even though the file size is the same for the two images,
one has a larger number of duplicate colors.
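A check of this kind can be sketched as follows. This is an added example, not the bmpmap program described above: it assumes that two color-table entries are near duplicates when every channel differs by at most 1, counts each entry that is near an earlier one, and applies the threshold of 50 given in the text. The function names and both sample palettes are constructed for the demonstration.

```python
import struct

def read_palette(bmp: bytes):
    """Return (size reported in the header, color table) of an 8-bit BMP."""
    magic, reported = struct.unpack_from("<2sI", bmp, 0)
    info_size, = struct.unpack_from("<I", bmp, 14)
    bpp, = struct.unpack_from("<H", bmp, 28)
    if magic != b"BM" or bpp != 8:
        raise ValueError("not an 8-bit palettized BMP")
    used = struct.unpack_from("<I", bmp, 46)[0] or 256  # 0 means all 256
    start = 14 + info_size
    # Each entry is 4 bytes (blue, green, red, reserved); keep the 3 channels.
    return reported, [tuple(bmp[start + 4 * i:start + 4 * i + 3])
                      for i in range(used)]

def count_near_duplicates(palette, tolerance=1):
    """Count entries within `tolerance` per channel of an earlier entry."""
    return sum(
        any(all(abs(a - b) <= tolerance for a, b in zip(color, prev))
            for prev in palette[:i])
        for i, color in enumerate(palette))

def bmpmap(bmp: bytes, threshold=50):
    """Report sizes and near-duplicate count, flagging counts above threshold."""
    reported, palette = read_palette(bmp)
    dups = count_near_duplicates(palette)
    return {"actual": len(bmp), "reported": reported,
            "duplicates": dups, "suspicious": dups > threshold}

def build_bmp(palette):
    """Constructed sample file: a 4x1 8-bit BMP around the given palette."""
    table = b"".join(bytes(c) + b"\0" for c in palette)
    pixels = bytes(4)
    offset = 14 + 40 + len(table)
    head = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info = struct.pack("<IiiHHIIiiII", 40, 4, 1, 1, 8, 0, len(pixels),
                       0, 0, len(palette), 0)
    return head + info + table + pixels

# Constructed palettes: 256 well-separated colors, and 32 base colors that
# each appear in all 8 low-bit variations.
CLEAN = [(i, i * 7 % 256, i * 13 % 256) for i in range(256)]
MODIFIED = [(8 * k + (v & 1), 8 * k + (v >> 1 & 1), 8 * k + (v >> 2 & 1))
            for k in range(32) for v in range(8)]

if __name__ == "__main__":
    for name, pal in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, bmpmap(build_bmp(pal)))
```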
Stego Tools
• There are a wide range of stego
tools available from:
– />/stego/software.html
• There are over 200 stego tools
ranging from different platforms to
different techniques.
There are a wide range of tools available. Since this is a new field, most are fairly basic, but some
are fairly sophisticated. The bottom line is, if you do not know that they are being used, you will not
be able to detect even the simplest of tools.
Stego Tools Examples
• The following are some example programs:
– Jsteg – hides in jpeg images using the DCT coefficients
– MP3Stego – hides in mpeg files
– S-Mail – hides data in exe and dll files
– Invisible Secrets – hides data in banner ads that appear on
web sites
– Stash – hides data in a variety of image formats
• As you can see, there are a wide range of tools.
• />contains tools for various operating systems.
The following are some example programs:
– Jsteg – hides in jpeg images using the DCT coefficients
– MP3Stego – hides in mpeg files
– S-Mail – hides data in exe and dll files
– Invisible Secrets – hides data in banner ads that appear on web sites
– Stash – hides data in a variety of image formats
As you can see, there are a wide range of tools.
Defending Against Stego
• If you have the original source
image, it is easy.
– Perform a diff or file comparison and
see if they are different.
– Stego might not change the size or
make any observable changes, but it
does change the data.
If you have the original source image, then you can compare the two files and see if they are
different. In most cases, you will not be able to do this.
Defending Against Stego (2)
• If you do not have the original source
image, a variety of checks can be run.
– Determine “normal” properties of an image
and look for changes.
– Remember S-Tools, it changes the number
of duplicate colors.
– Not easy to do.
– Usually requires determining statistics or
large number of clean files to come up with
unique properties.
Since stego embeds data in an image, it does change the properties of the image. So if you can
determine normal properties for images, you can see what falls outside of the normal, but this is not
easy to do. Unfortunately, there is no generic test that can be performed to see whether data has been
embedded.
Defending Against Stego (3)
• Stego is just starting to become
popular.
• As more and more people become
concerned with privacy and more
and more regulations are being
passed, it will increase in
popularity.
Stego is just increasing in use and more and more people will start using it. Right now, very few
people can detect these simple techniques. What happens when they become more sophisticated?

As more and more people become concerned with privacy, and more and more regulations are being
passed, stego will increase in popularity.
Stego Summary
• Reported uses for illicit activity and by
terrorist groups.
• Example:
– I embed data in a picture of a computer
– I post an ad to eBay selling the computer
– You browse and select used computers
– You happen to get my ad and my image gets
downloaded.
– You extract the secret message.
– How would you detect that?
• Is scanning all images on the Internet really practical?
If you do not think stego could cause big problems, think of the following scenario:
– I embed data in a picture of a computer.
– I post an ad to eBay selling the computer.
– You browse and select used computers.
– You happen to get my ad and my image gets downloaded.
– You extract the secret message.
– How would you detect that?
Is scanning all images on the Internet really practical?
