The Steg Chronicles: How to Easily Send Secret Messages Using Steganography
I am absolutely opposed to a national ID card. This is a total contradiction of what a free society is all about. The purpose of government is to protect the secrecy and the privacy of all individuals, not the secrecy of government. We don’t need a national ID card. ~Ron Paul
If only Ron Paul’s statement were, in fact, true, perhaps I wouldn’t feel compelled to write this article. What’s more, I now have a REAL ID, which is exactly the thing he said we don’t need as a country. Go figure! Perhaps if his statement were true then we wouldn’t have to worry about our own government and law enforcement agencies violating our privacy rights by passing legislation such as the latest PATRIOT Act extension that grants LEOs the ability to freely access ANY American’s private Internet browsing history from our Internet Service Provider (ISP) without a signed search warrant from a judge. That’s right, no warrant necessary. Tell me how that isn’t a direct violation of our Fourth Amendment rights? With Senator Lindsey Graham [R-SC] attempting to push his “Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020” or the “EARN IT Act of 2020,” the government will mandate backdoors to all encrypted services under the guise of preventing online child sexual exploitation.
Now, preventing online child exploitation is certainly the right thing to do; however, creating backdoors to encryption for the government will be disastrous to everyone’s privacy. There is simply no other way to say it. These half-witted politicians just don’t understand the technology behind the issue enough to make an informed decision, and the recent squabbles between the FBI, DOJ, and Apple over an iPhone encryption backdoor have inflamed the privacy argument to the point that we now are possibly looking at a government-mandated backdoor to every type of Tech company-produced encryption like Australia has. If this bill should pass, it would be extremely detrimental to the individual privacy of American citizens as well as other third-country nationals who use American Tech products and services.
We must then look to other forms of secret encrypted communication technologies such as mixnets, generative adversarial networks, or steganography that the authorities are not able to easily break or acquire encryption backdoors for. We must look at applications of technologies and services that are designed with privacy in mind and that are based outside of the U.S. that do not have to comply with U.S. anti-privacy laws. Virtual Private Networks (VPNs), encryption programs, email services, you name it. It has come down to the fact that if a technology is based in the U.S., it is either already compromised, already shared with the NSA as AT&T shares their data (not a secret), or will soon be compromised via encryption backdoors if laws such as the EARN IT Act are passed into law. Either way, it won’t bode well for your individual privacy.
Steganography, sometimes referred to as the “dark cousin” of cryptography, is the art of hiding information within plain sight. There are old-school steganography methods that involve null ciphers and several other methods that are beyond the scope of this article but further detail can be found in the additional resources links at the bottom of the article. Digital steganography has provided privacy-minded individuals with an unlimited supply of unique options using various embedding techniques to hide secret data within cover files in plain sight. This is optimal for the evasion of detection and optimal for data privacy.
Think about it this way. Would you rather send an encrypted email that will potentially raise the suspicion of authorities where they will be able to easily see the origin and destination IP address and possibly even decrypt the message depending on which type of crypto was used when it is decrypted and re-encrypted at various hops along the traceroute? Or, would you rather send an ordinary email with a photo of some boats on a beautiful lake, for example, that contains an encrypted, secret, hidden message that raises no suspicions and that is very hard to detect and impossible to decrypt without the password or passphrase? I don’t know about you but I’ll choose the latter.
But, Why Would I Need To Use Something Like This?
Privacy from snooping Internet Service Providers (ISP), governments, and Law Enforcement Organizations (LEOs) has never been more at risk than it is right now. It’s almost as if everything we do is being monitored when you factor in other technologies that the Government and LEOs have access to such as Automated License Plate Readers (ALPR) and Facial Recognition Systems (FRS). With the latest reauthorization of the PATRIOT Act, LEOs are no longer required to get a search warrant signed by a judge to access your Internet browsing data from your ISP. Imagine that — you don’t even have to be a suspect in a criminal investigation for the FBI to snoop on your Web browsing history. Read the article link above for more information.
These are scary times we are living in. We are living in the midst of a pandemic (COVID-19), there is widespread protesting of police brutality against African Americans, and high-ranking officials within the current Administration have made it clear on more than one occasion that the Constitutional rights of all American citizens are no longer guaranteed. If you’re the cautious, privacy-minded type, there are other alternatives to secret communications but you’ll have to get a little more creative than in the past. Image steganography, also known as Least Significant Bit (LSB) steganography, is fairly simple to perform because there are hundreds of different applications that have been developed that perform the steganographic file compression, embedding, and encryption function all-in-one. Let’s say we pick a steganography application from the list of the 35 Best Free Steganography Software For Windows.
Doing the Secrecy Thing
1. Select a steganography application. Choose any steganography application you feel comfortable using, free or paid. Some work with Windows, others only with Linux; just read the ReadMe.txt file or the app info on the website prior to downloading. If the publisher was kind enough to provide a file hash on their website, check the hash of the downloaded file against it before installing the program, to ensure you don’t accidentally install a malicious file that could put malware on your computer. Your anti-virus software may freak out on some of the installation files because some AV software might recognize steg app file types as malicious but that is not usually the case in my experience. If you’re confident the steganography application is legitimate and safe to download, then proceed with the installation. For the purposes of this article, I have chosen the free QuickStego steg application.
2. Generate a secret message. This could be any message or other type of file that you plan to embed within another file. For the purposes of this article, I will demonstrate how to easily embed a secret message within an image file (.bmp file extension). I’ve generated a fake secret message titled “Come With Me.txt” that I will use as the secret message that will be embedded into an image file.
The file properties of this secret message are:
3. Select a cover file. In this instance, I have chosen a simple image file that will serve as the cover medium for my hidden secret message. Notice that the image does not appear to be suspicious in any way. It appears to merely be a harmlessly beautiful picture of a lake with some boats. It looks very inviting and it certainly is not going to raise any eyebrows. Now you’re beginning to understand why malware developers like to use steganography to hide their malware… That is a different story that can be found in the additional resources section at the bottom of the article.
The file properties of the selected image cover file are as such:
The file has a SHA256 checksum (hash) value of: 7A993B00471B1FE3A1EFA637BDB6A83F24158812F24D23B3A52DF93063250F21
4. Embed the secret message into the image file. At this point, we’re ready to insert the secret text message I don’t want anybody else to read except for my target recipient(s) into the QuickStego GUI text box. I’ve opened my image cover file I want to use. Now, I select the “Open Text” button to insert my “ComeWithMe.txt” file I previously generated in Step 2.
The text message appears within the QuickStego GUI window text box.
Next, select the “Hide Text” button whereby the QuickStego application will then embed the secret message text into the image that you provided.
Now you should see confirmation that QuickStego has embedded the secret message into the image cover file.
Now, we just need to select the “Save Image” button. I named the file, “Awesome boats on lake photo.bmp.”
The file properties for the “awesome boats on lake photo.bmp” stego file are:
We see that the new stego image containing the secret text message is not distorted in any way (below image) and that it still looks the same. Very crisp. That is because the embedding algorithm changes only the Least Significant Bit of a byte of image data (there are typically 8 bits in a byte), so that a byte such as 01001000 becomes 01001001. This is very simple and easy to do.
When we compare the original image file against the new stego file, we notice that the only differences are the filename, the file type (now a .bmp file type due to how QuickStego saves the stego files), and the size of the file has now increased from 96.0 KB to 1.36 MB disk size. If someone were to intercept the email and its image file attachment (i.e., the stego file), they would need to also have the original file we used to create the stego file to compare the SHA256 checksum hash values — which are clearly unique. The person intercepting the stego file is not likely to have the original file for which to compare properties.
Note: If you wanted to upgrade to the paid version of QuickStego, called QuickCrypto, you would then have the option of encrypting the text and hiding other types of data within the image cover file, in addition to hiding text-only, as seen in the image (below) of the paid version of the software. The cost is not overly egregious, so it may be a worthwhile investment in your online privacy.
The paid version goes for £34.99 which is approximately $45 US dollars.
5. Mutual trust assurance. Ensure all intended recipients have downloaded, installed, and are familiar with how to decrypt the hidden message using your mutual steganography application which in this case was QuickStego. Perform some test trial runs before using it for real. You and your recipients, for this to work properly, will both need to be able to receive and decrypt the images with a common password. Maybe you agree that January’s agreed-upon password is Dec3mber!cicles and there is a new common password or passphrase for each month. Who knows, totally your call how sophisticated you want to go with this.
This will work with any email service provider (Gmail, Yahoo, Hotmail, Outlook). You simply need to attach the stego file as an email attachment to the email message and ensure that the recipient(s) on the other end have the password or passphrase and the corresponding steganography application to be able to decrypt the message. Of course, this should go without saying but you don’t want to send them the password to decrypt future stego files in an open email or other suspicious communique. Maybe call them up or send a letter (snail-mail) to accomplish that part of the task.
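The bit-level change described in step 4, as an added Python example (not QuickStego's code or file format): the functions below write a message into the least significant bit of each carrier byte and read it back. The 16-bit length header, the function names and the 512-byte sample buffer are assumptions made for the illustration.

```python
# Added illustration of LSB replacement. The 16-bit length header is an
# assumption for this example, not QuickStego's file format.

def to_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 16-bit length and the message into bit 0 of each cover byte."""
    payload = len(message).to_bytes(2, "big") + message
    bits = list(to_bits(payload))
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return bytes(stego)

def extract(stego: bytes) -> bytes:
    """Read the length header, then that many message bytes, from bit 0."""
    def read(n_bytes: int, offset: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    if len(stego) < 16:
        raise ValueError("carrier too short to hold a length header")
    length = int.from_bytes(read(2, 0), "big")
    if 16 + length * 8 > len(stego):
        raise ValueError("length header exceeds carrier size")
    return read(length, 16)

def max_byte_change(a: bytes, b: bytes) -> int:
    """Largest absolute difference between corresponding bytes."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample: 512 bytes standing in for BMP pixel data.
COVER = bytes((i * 7 + 0x48) % 256 for i in range(512))
STEGO = embed(COVER, b"Come with me")

if __name__ == "__main__":
    print(extract(STEGO), max_byte_change(COVER, STEGO))
```

Extraction needs no key, which is why an unencrypted payload is readable by anyone who knows the embedding scheme.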
Potential Interception & Steganalysis
There is always the possibility that someone intercepts your email and gets hold of the stego image file. Perhaps law enforcement or some spy agency somewhere… What happens then? Before that, however, let me interject to tell you that you’re probably overexaggerating your value as a high-value target (HVT) that is being actively monitored in real-time by LEOs and/or some spy agency. I hate to be the one to break it to you, but chances are that these government agencies and police detectives are busy focusing their precious few resources elsewhere to concentrate on actual threats. But hey, you never know, so let’s wargame this out a bit shall we?
Using a tool like the free version of WinHex, made by X-Ways, I ran some analysis on the file properties of the “intercepted” stego file which did not result in any major, Earth-shattering discoveries that would yield any actionable intelligence information or the compromise of the secret message (see below images).
The hexadecimal-to-ASCII conversion yields a bunch of gobbledygook that is unintelligible. But what if we use WinHex to perform spectral noise analysis of both the original and stego file images? Will that reveal any of our secret message text? Hmm, let’s see… Sometimes it is possible to analyze the peak signal-to-noise ratio (PSNR) to measure the computing “noise” that could be used to identify disparities in the fidelity or integrity of a given file.
Notice that the original image file (left image) PSNR analysis results are quite different from the stego file (right image) spectral noise analysis results. If I were a digital forensics investigator who had access to the original file, I would definitely want to investigate this anomaly further to see what I could find. However, the comparison revealed nothing, just as the hexadecimal-to-ANSI ASCII text conversion analysis revealed nothing substantive. Without knowing exactly which steganography application I used to embed the secret file into the image, there is a very slim chance of discovering what the secret text message actually says.
Essentially, the WinHex steganalysis attack did not yield any valuable intelligence this time despite the fact that the free version of QuickStego did not allow us to encrypt the hidden message with a password/passphrase. Anybody who knew that it was QuickStego that was used to embed the secret message could open the file and extract the hidden message. You see why that is not ideal, so you want to find an application that allows you to encrypt the hidden file or get the paid version which allows you to encrypt the payload. There are other, more sophisticated steganalysis tools that LEOs and Intelligence Community (IC) agencies have access to (that I obviously do not) but now we’re really splitting hairs on the probability of those expensive resources being used to detect and decrypt your hidden secret text message.
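Two checks an analyst can run on a suspect carrier, as an added Python example that is not part of the original article or of WinHex: a bit-level comparison when the original file is available, and a pairs-of-values chi-square statistic when it is not. The sample buffers, the function names and the threshold of 2.0 are constructed for the illustration.

```python
# Added steganalysis sketch; the buffers are constructed, not the article's files.
import random
from collections import Counter

def changed_bits(original: bytes, suspect: bytes) -> tuple:
    """With the original: (number of differing bytes, OR-mask of differing bits)."""
    changed, mask = 0, 0
    for a, b in zip(original, suspect):
        if a != b:
            changed += 1
            mask |= a ^ b
    return changed, mask

def pov_ratio(data: bytes) -> float:
    """Without the original: Pearson chi-square over value pairs (2k, 2k+1),
    divided by the number of populated pairs. LSB replacement with
    random-looking bits equalises each pair, pulling the ratio towards 1."""
    hist = Counter(data)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if n0 + n1 < 10:  # skip sparsely populated pairs
            continue
        expected = (n0 + n1) / 2
        stat += ((n0 - expected) ** 2 + (n1 - expected) ** 2) / expected
        pairs += 1
    return stat / pairs if pairs else float("inf")

def looks_lsb_embedded(data: bytes, threshold: float = 2.0) -> bool:
    """The threshold is an illustrative assumption, not a calibrated value."""
    return pov_ratio(data) < threshold

# Constructed cover: 20,000 bytes with an uneven value histogram.
COVER = bytes((i * i) % 251 for i in range(20000))
# Constructed suspect: every LSB replaced by a pseudo-random bit, modelling a
# compressed or encrypted payload that fills the whole carrier.
_rng = random.Random(2020)
SUSPECT = bytes((b & 0xFE) | _rng.getrandbits(1) for b in COVER)

if __name__ == "__main__":
    print(changed_bits(COVER, SUSPECT))
    print(round(pov_ratio(COVER), 1), round(pov_ratio(SUSPECT), 2))
```

A difference mask of 0x01 means every change sits in bit 0, the signature of LSB replacement. A short message that touches only the start of the carrier barely moves a whole-file statistic, so the ratio is normally evaluated over a growing prefix or sliding windows.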
Hopefully, this was somewhat of an eye-opening experience for you and now you have a newfound appreciation for just how powerful a tool digital steganography can be when it is intelligently applied to even something very basic like sending a secret message within an email file attachment. How many emails are sent around the globe every day? Billions. How many of those are intercepted and inspected by some type of deep packet inspection firewall or steganalysis software? Very few, if any. We know that publicly available free email services like Gmail, Yahoo, and Hotmail are not secure. Google allows developers to read private Gmail messages for God’s sake, so why you would keep anything private there is beyond me. That is a given, even with Pretty Good Privacy (PGP) encryption which is also far from perfect. Therefore, to improve the secrecy of information we can use alternative methods such as LSB, or image-based steganography whenever we have something private but important to send to someone we trust.