Sunday, 11 July 2010


I’ve been variously involved in securing mainframe data over many years. I’ve looked at encryption of data, External Security Managers (ESMs), certificates, and public key encryption at various times. I’ve only recently become aware of steganography and how that can be used to send covert information in plain sight!

Steganography means concealed (the “stegano” bit) writing (the “graphy” bit), and there was a book about it written in 1499 by Johannes Trithemius – although not published until 1606. Trithemius was Abbot of Sponheim, but, even so, the Catholic Church banned the three volumes of his book (called Steganographia) for almost 300 years. So that must give you a clue as to how difficult it would be to control the use of hidden messages by ordinary people – you and I really!

Here’s an example – this week’s shopping list:
Allspice, lemon, banana, avocado, peanuts, strawberry, pomegranate, sweets, anchovies.
You’d look at that and think there’s nothing hidden in that list. Now look at it again:
Allspice, lemons, bananas, avocado, peanuts, strawberry, pomegranate, sweets, anchovies
It says LEAVE TOWN. Obviously more complicated messages could be included if I had a longer shopping list – but you get the idea.
But there’s an even better and more modern method of steganography – and that’s using images. You can hide messages in the least significant bit in an image. I have hidden a message in the photo below. Can you read it?

 If you want to create your own hidden message, you can have a go at You can also read hidden messages by clicking on “tools” from the menu and “decrypt”.

The pixels in 24-bit images have their colour defined using three numbers. There’s one for red, one for green, and one for blue (RGB). Making a small change to a pixel alters its colour but not so much that the human eye will detect the change. These small changes can be combined to give the ASCII code for a letter – and those letters when put together give a word, a sentence, a complete hidden message. It would be completely plausible that the images in an innocent Web site could contain messages for banned organizations. Those pictures on the MI5 Web site could actually be coded messages to UK operatives (with Internet access) across the globe. But think how many other Web sites could contain coded messages – just who could those messages be for?
Almost any message that can be send – any picture, any digital message, any written or printed message – could contain a hidden message in it.
I’m not trying to make your paranoia worse, I just thought it might be worth checking those images, or reading every second character in a list (or third or fourth!), and making sure someone isn’t sending a message from your Web site that you don’t expect.
Sleep well!

No comments: