Hide in Plain Sight

Hide messages in images with simple steganography tools.
In the Histories, written by the ancient Greek Herodotus, there’s a wonderful story about Histiaeus: Histiaeus was being held prisoner by King Darius and wanted to give his son-in-law Aristagoras a message to lead a revolt. After much thought, he shaved the head of his most trusted slave and tattooed a message upon the man’s scalp. Once the slave’s hair grew back, he sent the slave to Aristagoras, who shaved the slave’s head and beheld the message. As a result, the revolt began, and Histiaeus was released (see http://classics.mit.edu/Herodotus/history.5.v.html).
Histiaeus’ story is one of the earliest examples of steganography, which literally means “hidden writing.” Histiaeus used the flesh of his slave to hide his message, but nowadays we hide data inside pictures, digital music, or even text documents. You’ll find that steganographic tools are some of the easiest, yet coolest, things you can use with Linux.
There are several software choices for creating steganograph messages, but let’s focus on the command-line program Outguess. At this time, Outguess can hide data inside PPM, PNM, and JPEG files, which means that you could post an innocent-looking JPEG file on your web site that contains a wealth of secret information and no one would be the wiser.
To try Outguess, head over to http://www.outguess.org, grab the source code, and compile it. You can also try finding binaries for your distribution. Debian users, for instance, can just type apt-get install outguess.
Let’s say you want to squirrel away a file named passwords.txt within a picture of your dog, libby.jpg. On the command line, cd into the directory that contains the two files and run:
$ outguess –d passwords.txt libby.jpg libby_secret.jpg
When the program finishes, take a look at the newly created libby_secret.jpg. Can you see a list of passwords hidden in there? Didn’t think so!
FIGURE ONE: A cute little dog, or an enemy of the state?

One thing to keep in mind: the image that contains the secret data will be larger than the original image. For instance, passwords.txt was less than 1 KB and libby.jpg was about 18 KB, while the resulting libby_secret.jpg was around 21 KB. The more data you try to hide, the larger the final image, so don’t try to pass off a 20×20 pixel JPEG of 500 KB or someone might get suspicious.
To extract passwords.txt from the picture, use this command:
$ outguess –r libby_secret.jpg secret_message.txt
The end result is a file named secret_message.txt that you can view and use (but, obviously, rename it first!).
Another interesting stegonography tool is spammimic, a web-based application powered by Linux available at https://www.spammimic.com (ignore the warnings about an invalid security certificate). Enter a short message, and spammimic outputs an email that looks like the most generic spam in the world. Send that to a friend, and then she can use spammimic to decode the message.
For instance, the James Bond-ish “It’s raining in London. Alert the eagle.” turned into this monstrosity…
Dear Friend , Especially for you - this red-hot announcement ! We will comply with all removal requests ! This mail is being sent in compliance with Senate bill 1620 ; Title 3 ; Section 309 ! This is NOT unsolicited bulk mail ! Why work for somebody else when you can become rich within 48 weeks . 
… and so on for 50 more lines. You can also encode your words into fake PGP text, so that the previous message turns into:
Charset: ISO-8859-1 Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

Now that’s pretty cool!
Outguess and spammimic are pretty darn easy to use, and they’re totally fun. (And there are plenty of others. Just do a Google search.) Give them a whirl, and you’ll find them to be useful tools in your arsenal.
However, don’t bet your life on any steganography tools. Unfortunately for Histiaeus, steganography only gave him a temporary respite from bondage. Eventually he was captured and crucified by Artaphernes. His head was embalmed and delivered to Darius. There’s no record about his scalp had tattooing on it, though.

R. Scott Granneman teaches at Washington University, consults for Bryan Consulting, and writes for SecurityFocus and Linux Magazine. His latest book, Don’t Click on the Blue E!:Switching to Firefox, has just been published. You can reach him at class="emailaddress">scott@granneman.com.

Comments are closed.