[extropy-chat] Re: codes in scam letters
mail at harveynewstrom.com
Tue Sep 27 14:23:49 UTC 2005

If done correctly, steganography can theoretically be undetectable.
However, in practice, it is almost never done so well.

In the real world, image programs leave signatures inside the picture data
so you can tell what program created the image. Often, this is explicitly
stated within a tag that gives the program name, version, date, etc.
Otherwise, the internal structure of the graphic can be analyzed to identify
the original program. The programs also contain compression signatures that
indicate what level of compression and what algorithms were used to reduce
the image size. Again, this is often explicitly stated in a tag within the
picture, or can be reverse-engineered by examining the internal structure of
the compression.

What this means is that it is trivial for a person to grab the image binary
off the net, load it into the indicated program, and save it with the same
compression level and method indicated. This should produce the exact same
binary, because all the structures, formatting and compression should
already be exactly as that program and compression combination would produce
them. There should be no noise or randomness that has not already been
optimized away. If there is any change in the image when doing this, it
indicates that the changed bits were tweaked after the original picture was
produced and were not a natural product of the imaging software. These
changed bits can then be isolated, extracted, and analyzed separately from
the overall image information.

Thus, it is trivial in most cases to extract and analyze any random bits
introduced to the imaging after processing. Using this method, we can
confirm that the vast majority of the pictures posted on the net are free
from hidden messages. One would have to use a non-standard or unknown
graphics format with zero or non-standard compression to produce images with
messages hidden in them. Such a format could be detected as unusual.

--
Harvey Newstrom <www.HarveyNewstrom.com>
CISSP CISA CISM CIFI NSA-IAM GSEC ISSAP ISSMP ISSPCS IBMCP
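
The re-save comparison described in the message above, as an added example that is not part of the original post. It uses a constructed toy container (TOYI: a tag holding a quantization step and deflate level, followed by zlib-compressed samples) standing in for a real image format and its program; every name in it is hypothetical.

```python
import struct
import zlib

MAGIC = b"TOYI"  # constructed toy container, standing in for a real image format

def save(samples, step, level):
    """Toy 'imaging program': quantize, tag the settings, deflate."""
    quantized = bytes((s // step) * step for s in samples)
    return MAGIC + struct.pack("BB", step, level) + zlib.compress(quantized, level)

def load(blob):
    """Read the settings tag and the stored samples exactly as they are."""
    if blob[:4] != MAGIC:
        raise ValueError("not a TOYI file")
    step, level = struct.unpack("BB", blob[4:6])
    return list(zlib.decompress(blob[6:])), step, level

def resave_check(blob):
    """Re-save with the tagged settings; report byte equality and changed samples."""
    found, step, level = load(blob)
    rebuilt = save(found, step, level)
    expected, _, _ = load(rebuilt)
    diffs = [(i, f, e) for i, (f, e) in enumerate(zip(found, expected)) if f != e]
    return rebuilt == blob, diffs

def embed_lsb(blob, bits):
    """Constructed tamper step: set sample LSBs after the original save."""
    samples, step, level = load(blob)
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit
    # Written back without re-quantizing, so tweaked values fall off the grid.
    return MAGIC + struct.pack("BB", step, level) + zlib.compress(bytes(samples), level)

SAMPLES = [(i * 7) % 256 for i in range(64)]  # constructed sample data
CLEAN = save(SAMPLES, step=8, level=6)
TAMPERED = embed_lsb(CLEAN, [1, 0, 1, 1, 0, 0, 1, 0])

if __name__ == "__main__":
    print(resave_check(CLEAN))     # identical binary, no differing samples
    print(resave_check(TAMPERED))  # binary differs; (index, found, expected) per sample
```

Only the embedded 1 bits appear in the difference list, because an embedded 0 leaves the sample on the quantization grid the encoder would have produced anyway.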