
To Steg or not to Steg

  • 02-06-2014 4:15pm
    #1
    Closed Accounts Posts: 1,004 ✭✭✭


    Just been checking out a website called 'spam mimic' which as the name suggests can take a short message and encode it as text.

    To anyone reading it, it appears to be a harmless junk message full of disparate claims about how to enlarge your organ and marry that Russian girl of your dreams.

    I'm sure you're all also aware of tools like steghide, which allow you to hide one image inside another, for instance, in order to send it safely across the internet.

    Security experts seem to be divided on the usefulness of these methods.

    I suppose the main worry would be to do with context - if you can trace the sender of an e-mail and find that a notorious drugs baron was sending e-mails claiming to be Ekaterina from St. Petersburg, something wouldn't add up.

    The same applies if you tried to employ these methods and then encrypt the underlying data such as encrypting a supposed "spam" message in gpg, as there'd be no need usually to keep such sensitive data around.

    Also the presence of stego tools on a suspect's computer would probably be enough to put law enforcement on your track.

    This leads me to think that it would be best not to try your data in this way but make sure to have DVDs lying around with lots of steg tools so when the Plods come and bust down your door they have to trawl through every "Grow it Big" e-mail you've ever received?

    Would welcome all thoughts on this.


Comments

  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I think many infosec professionals would consider steganography to be security through obscurity. As you pointed out, to encrypt or decrypt stego-hidden data you need steg tools, and their presence indicates steganography is in use.

    If you want to hide something from prying eyes encrypt it in a strong cipher. Both PGP and AES are considered strong. I prefer AES.

    The question of NSA backdoors remains with both, but they are strong enough to keep your data secure from almost everyone else.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    I think many infosec professionals would consider steganography to be security through obscurity. As you pointed out, to encrypt or decrypt stego-hidden data you need steg tools, and their presence indicates steganography is in use.

    If you want to hide something from prying eyes encrypt it in a strong cipher. Both PGP and AES are considered strong. I prefer AES.

    The question of NSA backdoors remains with both, but they are strong enough to keep your data secure from almost everyone else.

    Hi syklops,

    Thanks for your thoughts. I think you're right in terms of the fact there's no one standard for steganography and also that you have to conceal the particular tool you used or risk exposing everything.

    Balancing that out, you can choose to encrypt the hidden data (the tool I use gives you a choice between Twofish and AES). Also, you could run a live OS like TAILS and install the steg tools each time you needed them.

    I am still not sure they're a good idea though because it comes down to the same dilemma you have when trying to use a One Time Pad to encrypt your data in that you need to meet with someone in secret and first agree to use a particular steganography tool and keep that information safe.

    If you're going to the trouble of doing this anyway, you might as well set up and use a One Time Pad to encrypt your data, which would provide much stronger security (although still not perfect if anyone discovers your 'pad' or the numbers aren't truly random). This would also eliminate the problem of having to rely on any one program or encryption algorithm.
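
The one-time pad described in the post above, as an added example that is not part of the thread or any poster's code. All class and function names are hypothetical, and `secrets` (the OS CSPRNG) is an assumed stand-in for a truly random source; the seeded generator is included only to show why a pad that is not truly random offers no protection once its seed is known.

```python
import random
import secrets


class OneTimePad:
    """Pad bytes that are handed out once and never reused."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # everything before this offset is spent

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining:
            raise ValueError("pad exhausted: message is longer than unused pad")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk

    def apply(self, data: bytes) -> bytes:
        """XOR data with fresh pad bytes; the same call encrypts and decrypts."""
        return bytes(d ^ k for d, k in zip(data, self._take(len(data))))


def new_pad(n: int) -> bytes:
    # OS CSPRNG: the closest the standard library gets to "truly random".
    return secrets.token_bytes(n)


def seeded_pad(seed: int, n: int) -> bytes:
    # Weak on purpose: a general-purpose PRNG is fully determined by its seed,
    # so anyone who learns or guesses the seed can regenerate the whole pad.
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


def demo():
    pad = new_pad(32)                      # exchanged in person beforehand
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    message = b"meet at noon"              # constructed sample message
    ciphertext = sender.apply(message)
    return ciphertext, receiver.apply(ciphertext), sender.remaining


if __name__ == "__main__":
    print(demo())
```

No cipher algorithm is involved, only XOR against the pad, so the security rests entirely on the pad staying secret, being random, and never being reused.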

