Whispering in the Dark

Article Posted: June 26, 2009

A new wave of criminal communication

In The Codebreakers, David Kahn1 tells the early story of Demaratus, son of Ariston, who, while exiled in Persia, carved a message into the wooden backing of a wax tablet bound for Sparta to warn the Spartans of the impending invasion by Xerxes. After carving the message he covered the tablet with a fresh coat of wax so that the guards, who would naturally have examined any writing tablet, would see only a blank surface. Had he been discovered, his fate would have been far worse than death. The message reached Sparta, and once it was recovered the Spartans successfully defended against the Persian attack. This is the beginning of the technology we know today as "steganography"; the only difference is that the modern version can conceal far more than a simple message.

The risk and threat posed by steganography has been argued vigorously for over a decade. Whether or not you believe that this elusive cyber threat poses an imminent danger, or that it has been used effectively to conceal incriminating information, to communicate covertly between operatives, or to exfiltrate vital information, there are a couple of undisputed facts. First, the number of programs available to perform steganography has increased dramatically: in 1999 only a handful existed; today over 250 unique programs have been cataloged, analyzed, and verified, and counting variants of individual versions we are currently tracking more than 1,000, which is concrete evidence of an active base of users. Second, as new viable carrier types are created, new steganography methods that target those types evolve in lock step.

If this is true, what is the lure of steganography? Why would criminals or terrorists use such technology when proven, well-documented encryption algorithms are readily available to keep information private, some of them built directly into our native operating systems?2 The answer is straightforward: the purpose of steganography is not simply to keep information private, but to hide the very existence of that information or communication.

The next obvious question is why methods continue to evolve in lock step with new carrier types. We have witnessed a few drivers. The first is size: as a general rule, new carrier types are created to handle larger content or to move larger content more efficiently. Larger content provides two key advantages. First, it provides a channel for storing or transmitting larger payloads without disturbing the normal visual, auditory, or protocol characteristics of the carrier. Other characteristics of the carrier will be altered, but the primary objective of steganography is to exploit the weakness of our senses and hide information in such a way that we as humans cannot detect any change while viewing, using, or listening to the altered content. The secondary objective is to avoid detection through deeper technical analysis, such as statistical steganalysis of the carrier.

The second driver is that large, heavily used, popular carriers and transmission methods provide cover, or, more accurately, a larger haystack. For example, the Internet today (not counting cell phones, PDAs, or personal computers) contains over a trillion images, and millions are added each day. Identifying the specific images that carry steganographic payloads in a haystack that size is a daunting task at best. New carriers also offer both an intellectual and a nefarious challenge, because they can be exploited in innovative ways. Since security is either the last thought or an afterthought in a new carrier's design, exploiting it offers fresh, fertile ground for experimentation, exploitation, and financial gain.
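The two objectives above, fooling the senses while surviving technical analysis, are easiest to see in the simplest image technique, least-significant-bit (LSB) embedding. The following is an added example written for this page, not code from the original article or from any of the cataloged programs. It assumes a cover that is a raw stream of 8-bit samples (think one color channel of an uncompressed bitmap) rather than a real image file, a constructed cover whose histogram is biased the way natural data is, a constructed random-looking payload (what encrypted or compressed data looks like), and a 4-byte length header that is our own convention. Every sample changes by at most one level of 255, which no eye would notice, yet the pairs-of-values chi-square statistic collapses on the stego object because embedding random bits equalizes the counts of each value pair (2k, 2k+1).

```python
"""Added example: LSB embedding in a raw 8-bit sample stream, plus the
pairs-of-values chi-square test that exposes it. Not code from the
original article; the cover and payload below are synthetic."""
import random

HEADER_BITS = 32  # 4-byte big-endian payload length prefix (our own convention)


def capacity_bytes(cover: bytes) -> int:
    """Payload bytes that fit at one bit per sample after the length header."""
    return (len(cover) - HEADER_BITS) // 8


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with length header + payload."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("payload exceeds cover capacity")
    stream = len(payload).to_bytes(4, "big") + payload
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(stream)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the header, then that many payload bytes."""
    lsbs = [s & 1 for s in stego]

    def take(nbits: int, offset: int) -> int:
        value = 0
        for bit in lsbs[offset:offset + nbits]:
            value = (value << 1) | bit
        return value

    length = take(HEADER_BITS, 0)
    return bytes(take(8, HEADER_BITS + 8 * k) for k in range(length))


def max_sample_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change; LSB embedding never exceeds 1 of 255 levels."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def pov_chi_square(samples: bytes) -> float:
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann, 1999).
    For each pair (2k, 2k+1) the expected count under the embedding
    hypothesis is the pair mean; embedding random bits drives the observed
    even count toward that mean, so the statistic collapses on a stego object."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected
    return chi2


def synthetic_cover(n: int = 20000, seed: int = 1) -> bytes:
    """Constructed cover: natural data is not LSB-balanced, so bias it toward
    even values to mimic the unequal pair counts of a real histogram."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.6:
            v -= 1
        out.append(v)
    return bytes(out)


def synthetic_payload(n: int, seed: int = 2) -> bytes:
    """Constructed payload: encrypted or compressed data looks uniformly random."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = synthetic_cover()
    secret = synthetic_payload(capacity_bytes(cover))  # fill the whole carrier
    stego = lsb_embed(cover, secret)
    assert lsb_extract(stego) == secret
    print("max per-sample change:", max_sample_delta(cover, stego))
    print("chi-square cover: %.0f  stego: %.0f"
          % (pov_chi_square(cover), pov_chi_square(stego)))
```

The test is deliberately run at full capacity; with a payload that fills only part of the carrier the statistic collapses only over the embedded prefix, which is why the original paper evaluates it over growing windows of the object. It also says nothing about the "larger haystack" problem: the check is cheap per object, but it still has to be pointed at the right object.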
