Hidden in plain sight

Watermarking tools can help you protect vital copyrights.

Business Advisor column, by Matt Lake

In Edgar Allan Poe’s mystery “The Purloined Letter,” the famous detective Dupin figures out where a letter is concealed. It’s not, as the Prefect would suppose, hidden under the floorboards or in the cavity of a chair leg, but out in the open in a subtle, crumpled disguise.

The same trick applies to data you want to keep secret–the best defense against someone intercepting your private e-mail or Accounts file isn’t labeling it Top Secret! That’s an open invitation to hack it open. The real trick is hiding your data in plain sight, where people may see it but likely ignore it.

Spies have been doing this since World War II with the microdot–a tiny mark masquerading as the dot on a letter i but containing a microscopic photograph of secret documents. Anybody trafficking secret data these days has another option–concealing it inside a carrier file such as a graphics file or sound recording.

The technique is called steganography–a Greek term meaning hidden writing–and it works by changing bits in large files. Uncompressed sound files (in WAV format) and high-color graphics (in BMP format) have many unused or insignificant bits in them that can be used to carry extra data without affecting their appearance or sound. In fact, copyright holders often use this trick to watermark or insert copyright notices into digital media that’s distributed online. In steganography, the data can be anything you want to insert–a spreadsheet, Web page, or database–so long as it’s significantly smaller than the carrier file.
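The bit-changing trick the paragraph above describes, as an added example that is not from the article or from any product it mentions: a payload is written into the lowest bit of each byte of a constructed 24-bit pixel buffer (the kind of data an uncompressed BMP carries), recovered again, and checked so that no colour channel has moved by more than one step. The 4-byte length header, the gradient carrier and the sample secret are my own constructions.

```python
# Added example, not from the article or from any product it reviews: the
# least-significant-bit technique the text describes, applied to a constructed
# 24-bit pixel buffer such as the pixel data of an uncompressed BMP. Each byte
# is one colour channel; rewriting its lowest bit moves the value by at most 1.

def capacity(carrier: bytes) -> int:
    """Payload bytes the carrier can hold: one bit per byte, minus a 4-byte length header."""
    return len(carrier) // 8 - 4

def embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose low bits hold a 4-byte big-endian length, then the payload."""
    if len(payload) > capacity(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    message = len(payload).to_bytes(4, "big") + payload
    pos = 0
    for byte in message:
        for shift in range(7, -1, -1):          # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)

def _read_lsbs(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the low bits of stego[start:], 8 carrier bytes per payload byte."""
    out = bytearray()
    for i in range(start, start + count * 8, 8):
        value = 0
        for b in stego[i:i + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed(); reject a header that could not fit the carrier."""
    length = int.from_bytes(_read_lsbs(stego, 0, 4), "big")
    if length > capacity(stego):
        raise ValueError("carrier holds no valid payload header")
    return _read_lsbs(stego, 32, length)   # header occupies the first 32 carrier bytes

def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-channel change between two equal-length buffers (1 is invisible to the eye)."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed carrier: a 64x64 colour gradient standing in for BMP pixel data.
CARRIER = bytes((i * 7) % 256 for i in range(3 * 64 * 64))
SECRET = b"Q3 Accounts: revenue 412000, margin 18%"   # constructed sample payload

if __name__ == "__main__":
    stego = embed(CARRIER, SECRET)
    print(capacity(CARRIER), max_channel_delta(CARRIER, stego), extract(stego))
```

Note that the hidden bytes are stored in the clear; the products reviewed below encrypt the payload first, which is what keeps a recovered payload unreadable.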

Get rich data, quick!

The quickest and easiest demonstration of hidden messages I’ve seen is also the most hilarious. At the Web site Spam Mimic, you enter a short message into a Web form, press a button, and a program at the Web site conceals your message in a fake junk e-mail message. Replete with typical spam clichés, including poor punctuation and grammar, the message (with your own message hidden inside it) is ready to cut and paste into your e-mail software and send in the usual way.

When your friends receive the message, they visit Spam Mimic’s decode page and paste the entire contents of the e-mail into the form there. When they press the Decode button, Spam Mimic extracts the hidden message.

Spam Mimic doesn’t use any serious security techniques–the site has no secure servers, and it doesn’t encrypt the message or provide password protection. But it’s still a good demonstration of how you can conceal messages in plain sight. And if you arrange with your friend to use a code word in the subject heading of messages, it’s also a practical way to exchange messages you don’t want other people to read. The only usability problem I encountered was in heavily formatted messages (with signature text at the end or bits of text from forwarded or replied-to messages). In these cases, it’s easy to cut and paste too much or too little text and get a “could not decode” message at the Spam Mimic site.

Stealth rockets

The real business of steganography, however, involves hiding data inside other files, and it requires a program running on your hard disk. There are dozens of such programs available for download, some free, some at a cost. (To get more of an idea of the programs available, just enter the word steganography at a good search site or shareware site.)

One of the most highly rated programs is the $49 Steganos Suite 3, which can encrypt data with keys of up to 128 bits using the Blowfish algorithm, and hide it in BMP and WAV files. This German shareware is excellent, though some of its screens occasionally suffer in translation from their original language. Unfortunately, it’s pricey and bogged down with a slew of other security features, which, while valuable by themselves, were excessive for my purposes.

I prefer the more pared-down and easy-to-use Invisible Secrets 3 from NeoByte Solutions. This $35 piece of shareware can encrypt and hide files inside carrier files in JPEG, PNG, BMP, HTML, and WAV formats, and is remarkably easy to use. After you’ve downloaded the 30-day trial or full version and installed it, the program is a cinch to operate. You locate a file to hide using Windows Explorer, right-click on it, and under the context menu’s new Invisible Secrets option, select Hide. (From the same Invisible Secrets option you can also encrypt a file, or shred it to delete it utterly.) This process brings up the program, which asks you to pick a carrier file from the supported list, then pick an encryption algorithm (from the huge supported list of Blowfish, Twofish, RC4, Cast128, GOST, Diamond 2, Sapphire II, and Rijndael). You type in a password (twice, for safety’s sake), and the deed is done.

The program makes a copy of the carrier file under a new name, complete with its new cargo of encrypted data. You can send it to your recipient or upload it using FTP to a Web server. At the receiving end, the recipient downloads the carrier file and uses either Invisible Secrets or the free Unhide program to extract the hidden file from the carrier.

Invisible Secrets has a number of ease-of-use options that make it attractive. After it encrypts and hides a file, it can automatically delete the source file (thoroughly shredding it to the U.S. Department of Defense’s 5220.22-M specs, to prevent its being retrieved and read afterwards). One option allows the sender to just hide, not encrypt, files–so that the recipient doesn’t have to mess around with passwords to extract the data file from the carrier file. And the program contains a password list (itself password-protected) so that you can tailor passwords to specific recipients and keep track of them in a safe place.

For the truly paranoid, there’s a neat feature that generates fake encrypted files. Why? If you truly believe your e-mail is being intercepted, it pays to keep would-be spies occupied in decrypting nonexistent messages and hoping that the real messages get lost in the crowd (though you have to let your recipients know about this, or else they’ll be the ones scratching their heads).

Like all attempts to keep secrets, steganography is flawed. Real industrial spies have known about it for a while, and are equipped to extract messages from carriers (which isn’t that tough with the right software). Of course, decrypting messages is a lot harder, but again, there are tools that do it too. But the beauty of hiding files in pictures is that you and your buddies can keep your darkest secrets right on your Windows desktop as wallpaper. And isn’t that a delicious trick to play?

Quick encryption for your e-mail

It is a truth universally acknowledged that e-mail messages are about as secret as the contents of a postcard. That’s why I’ve long been a fan of key-encryption programs such as PGP that can make e-mail unreadable. But the cost and inconvenience of using key-encryption software has made it a tough thing to adopt. Hats off to Steganos GmbH (formerly DEMCom) for a new service that could change all that. The free-to-use and secure Steganos mail Web site encodes and decodes messages on demand. The Steganos mail site consists of two large text forms. The first encrypts anything you type or paste into it using the secure 128-bit Blowfish algorithm and SHA-1. You enter a password or phrase–the longer you make the pass code, the more secure it is. You can click either the Encode button or Encode + Send–giving you the option of sending the document via your e-mail account or through Steganos’s servers.

The messages are typical blocks of incomprehensible characters, clearly labeled at both ends to make cutting and pasting easier. The second form decodes messages for the recipient–provided they can enter the password used. It’s not a perfect secrecy solution–it doesn’t use public and private key combinations, and although the site uses secure servers, you are translating your confidential information on someone else’s servers. But it is a good, quick-and-dirty way to send secure messages via notoriously insecure e-mail servers–and for that, the company deserves kudos and the site deserves a visit.
