I’ve long held an interest in developing systems for sending messages without anyone knowing the contents of that message, which is often found in the world of codes and ciphers. For those who don’t know, ciphers use a complex set of rules to turn letters into other letters, whereas codes use a complex set of rules to turn words into other words — both are meant as a means of turning a message written in understandable language into a message that only those in-the-know can read. Thus starts the beginning of my “Cryptography” category, one of my many interests.

Oddly enough, the first post in my “Cryptography” section will likely be one of the most technical. In this post, I want to write something that is related to codes and ciphers, but is not a cipher. This is the notion of steganography, or hiding a message in plain sight.

What is Steganography?

The most common example of steganography is the story from Herodotus from the 5th century BCE. In fact this example is so common, I think there might be some sort of mandated rule that any discussion of steganography discuss it. Anyways, in this story, a message (allegedly warning Greece about Persian invasion plans) was tattooed on a slave’s shaved head and hidden by the growth of his hair. The slave then went to the desired recipient, shaved his head, and exposed the message.

This plan has some pros, because unlike a regular encrypted message, no one seeing the slave thought anything about it — they did not suspect foul play at all. Whereas if you’re caught with an actual cipher, they might not know what the message means, but it won’t matter because they’ve stopped the message from reaching it’s target, and likely have someone to imprison.

However, modern technology gives us a lot more than just tattooing messages on heads. Rather than the restrictions on message size that a head provides, and the time delay because we have to wait for the slave’s hair to grow, we have computers. This means that we have millions of ways to hide a message, and steganographers get to have a field day. There is so much information travelling around the internet that it’s impossible to thoroughly analyze everything, especially if the data is well-hidden and doesn’t look suspicious in the first place.

Modern Image Steganography

While there is many thousands of ways of hiding a message I don’t have space here to mention, the most common in this digital age is hiding information in digital images. In order to do this, you first need an image. We will use the following image, a funny comic from the internet:

Now this image looks perfectly innocent… and it should, because I haven’t hid any information in it. But now consider this image:

This image secretly contains the entire second paragraph of the Declaration of Independence… but you won’t find that text anywhere. In fact, the two images look darn identical, and even a fairly thorough analysis of that second image won’t turn up any hint of the Declaration of Independence, though you might be able to detect something if you had the original image (which you do).

Chances are however, that if I did not explicitly tell you that this image had steganography in it, you never would have known, and never bother to look. This is the power of digital steganography. In fact, I could tell you that one other image somewhere on this site also has steganography, and I bet you could never figure out which image it is, let alone what text is hidden in that image. Trying to find steganography is called steganalysis.

How is It Done?

But what’s the secret behind this image lies in two facts. The first is that all colors are coded as a string of bits, for instance a perfectly red bit is “#FF0000″ in hexadecimal. The second is that if you take the last digit and slightly change it to… say… “#FF0001″, the human eye won’t be able to detect the difference. If you do this over every pixel of the image, you can hide a message. This is the least significant bit method of steganography.

To make things even better, you don’t have to go pixel by pixel to hide your message… instead, you can use a password to decide which pixels to hide which part of the message in, scattered all around the image, making the message even harder to detect.

Stego Software

However, you don’t have to worry about altering the pixels yourself. Instead, multiple computer programs downloadable for free can be used to do this for you, to different degrees of success and security. I, myself, like to use iSteg because of it’s good password security and deflection of steganalysis, but unfortunately it is for Macs only. I don’t know what Windows program to recommend, but I’m sure a good one is out there.

The next part of this essay will assume you have access to iSteg, but after that, the rest of the essay is applicable to steganography using pretty much any program.

Using iSteg to Hide a Message

Once you have iSteg downloaded, you simply open the application. You should be treated to the following screen:

The first line is for a password. This password needs to be shared to get the message out of the resulting image, and an image decoded with the wrong password outputs the same as an image decoded that has no hidden text at all. For my password, I used “ronaldreagan”, but you could use something more secure if you wanted.

Second, you need an image to encrypt or decrypt. For your trial decryption run, you can decrypt my sample output image using the above password, getting the second paragraph of the Declaration of Independence as your result. Click the “+” next to “Source Picture File” and then navigate to where you downloaded the sample image. Then click to uncheck the box next to “Encode”. Then click “Process”.

For your trial encryption run, type in your desired password. Then click the “+” next to “Source Picture File” and find an image with the .jpg extension. iSteg only works on .jpg, and will not work on any other image format; not even the closely related .jpeg. Rename or convert accordingly. Then create a file with a .txt extension, and type up your desired secret message. Then go back to iSteg and click the “+” next to “Source Text File”, and navigate to your saved secret message. Then hit “Process”. You should now have an image with the secret text encoded, with everyone else hopefully none-the-wiser.

Where to Stash the Image?

Now that you have your secret image, you need some place to put it. You can upload it to your own site or to a message board, but as you can tell from the title of this essay “Steganography in Social Media”, I suggest stashing it on a social media site. Why? Because lots of pictures go up there everyday, so you have cover that makes your image look completely innocent. Additionally, your profile can be set up so that only your friends can see your image, making it so that access to steganalysis is limited.

However, there is something to watch out for — you can’t use this steganography technique on Facebook. Why? Facebook compresses all the images they receive, and the compression wipes out your secret text, making your secret communication worthless. However, there is a new social media site on the horizon these days… Google+. Google+ does not (yet) use the same compression techniques, and there you can upload your secret picture.

Here, my unsuspecting Google+ Friends think they just got a funny picture, but in reality, they got steganography. If I had secretly informed an intended recipient, they could go to that image, download it, change the extension from .jpeg to .jpg (Google seems to change the extension, but do no other kinds of compression), and then insert it in iSteg, enter the password “ronaldreagan”, and then read the message. BOOM.

Some Thoughts on Defeating Steganalysis

Chances are your Google+ photo albums will never be the target of intense steganalysis, but you never know. I suppose it’s now a good possibility my albums will be targeted, specifically because I wrote about steganography here on my personal blog, and told everyone about what I was up to. So there are some additional techniques to guard yourself.

The first is to share the photo only with your friends, and make sure not to friend any FBI agents. Actually, from a hiding messages point of view, the less friends you have who know what steganography is, the better. (And yes, I need to learn to take my own advice.) If only your friends and the Google team can get at your image, this places a lot less scrutiny on your picture.

Secondly, most steganalysis is preformed by comparing modified pictures to original copies. You can defeat this by only putting steganography in photos that have no publicly available original, like photography you took yourself. Luckily, social networks are perfect for photography you took yourself!

Thirdly, you can encrypt your message with a code or cipher before hiding it in your image. This means that even if your image is successfully detected and the message extracted, you still will have the protection of no one knowing what you said. Your message will still be potentially secure.

However, steganography honestly relies on there being no suspicion at all. The moment people think you are hiding text in your images, the cover is blown, and you might as well just communicate your text encrypted-in-the-open because all the advantages of steganography is gone the moment your suspected. So above all, just don’t be suspicious. Definitely don’t write about steganography on your personal blog.

Some Thoughts on Defeating This Approach

Now I have some ideas for the other side, so listen up steganalysists. The easiest way to block this approach is to stop it at the source — convince Google+ to do what Facebook does, and compress the images to destroy steganography. Unfortunately, this will just force would-be message hiders to flee somewhere else, like a message board. Still, doing this would make them lose all the advantages social media offers for cover.

Secondly, would be to look for suspicious signs, such as lots of periodic picture uploading, or people uploading photos that seem out of place. If you find any, make sure to flag them for future analysis. Then you can apply Steganography Detection techniques, such as available in steg-detect (from the same guys who made iSteg).

Thirdly, once you identify someone you think might be hiding messages, you could potentially spy on their computer by installing malware. If you do so, you could record them typing future messages into iSteg, or decrypting messages in iSteg, and get all their correspondence without needing to find out how it is hidden. Needless to say this approach is probably illegal, but it is an option for sufficiently rogue governments.

Other than that, I don’t have much advice. I think the steganography side is winning this war.

Final Conclusion

One might ask why I would bother sharing a method of hiding information, especially if it could be used by terrorists to help plan nefarious deeds. However, chances are good that the nefarious terrorists already knew about this technique, so it would make sense to bring it out to the open to raise more awareness. Regardless, the art of hiding messages is cool to write about just for academic purposes, and there’s no indication I know of that not talking about things reduces crime related to those things.

Still, I think that this essay lays out a technique for concealing a message with multiple layers of security — first encrypt the message so that no one knows what you’re saying, then hide it thoroughly in an image so that no one knows the message exists. Then hide that image in one of the most unsuspicious places possible, a social network where millions of pictures are shared. Then restrict access to that picture to your friends, so that FBI agents can’t even see the picture exists.

Be Sociable, Share!

•