Security through obscurity is one of the worst approaches someone might take when it comes to computer / network security. I’ve heard in real-world situations between students and professional programers say “Sure, the passwords are saved as plaintext, but the database table names are all obfuscated; no hacker will find them!”. Though I’m sure this isn’t the average case, it bothers me enormously that many universities and companies don’t do formal security training. Giving your programmers Code Complete is a great idea, but I don’t think it’s enough – programmers have to have it beat into us that obfuscation is NOT a valid security approach!

I won’t talk about how to fix this, there’s plenty of tools, academic resources, training programs, etc. to help programmers learn and improve their designs. What I will talk about is steganography. I heard some not-so-reputable sites such as 4Chan were encoding data and adding it to meta-data in images. At first I thought it was kind of silly; everyone could just open the file and see it… but then again, we live in the golden age of media-transfer on the web: who sees images on the web and thinks “Maybe there is something hidden in here” outside of what you actually see. Stenography is a method of obscuring data transmission by adding it through mediums one wouldn’t think acceptable for data. The GIF file format has an interesting structure such that there is a single or double byte pattern that declares the end of the file. If you put text after that, most image viewers and browsers would see the image and never report a corruption because nothing changed the formal structure; yet the hidden data is there and never seen by the image viewer.

So, to learn more, I hid some data through several levels of encryption, obfuscation, and stenography. In the following steps we will be taking a funny GIF image, and we will follow the white rabbit down the hole to wonderland. (Pardon the cheesy quote, I had to, ha)

1.  Check out this funny GIF of some ninja-wrestling moves; millions must exist on the web, and such technology is nothing new, dating back from the late-80s. You wouldn’t do anything with this file other than smirk, right? Well, lets dive in…
2. Download the gif and open it in any text editor of your choice; notice at the end there is constant ASCII strings?
3. Copy this string data (it’s a GnuPG message) and decrypt; password is “png”
4. The result is a png file (change file extension if needed)
5. Open png file, it is a multi-color QR code; if you attempt to decode it, you get junk data
6. Individually process each color channel in RGB order, meaning do a QR decode on the red channel first, then green, and finally blue
7. Put the QR decoded text together, you get a new GnuPG block; password is “steganography”
8. This result is the final data, i.e. the original message that was encoded

So what I learned is there are some serious ways and methods of hiding data easily through obfuscation tied with true security (i.e. PGP encryption); though I can’t imagine any use for this and general stenography for industry-level products and services, this is 100% legitimate spy-level information transfer. Stuck in North Korea and need to send a secret message? Attach the encrypted data to an innocent picture that will get past the censures and tada! Secret 007 mission accomplished.