Hide your crypto like a real spy

Summary:The German government employee recently arrested for spying for the US hid his encryption software using a kind of steganography.

Not many of us have good reasons to go to a lot of trouble to hide our software or content. But some people do need to hide things, and there are good ways and bad ways to do it. A current news event reminds of one of my favorites.

It's part of the story of a German employee of the country's foreign intelligence service (BND) being arrested for spying for the United States. According to the German magazine Der Spiegel, the employee had a special encryption program hidden in another program (warning, the English translation is not very good).

Must See Gallery

Five of the best (and free) Android security apps

Worried about hackers and fraudsters gaining access to the data on your Android smartphone or tablet? You should be. But you can also reduce that risk by installing a security app on your device.

The employee's computer had a weather app on it. When you asked for the weather for New York, it opened a secret crypto program. It's not clear whether this computer is a full desktop or a phone or whatever. Nor is it clear whether the secret crypto program was found by the German authorities or given up by the employee. (If the authorities found it, then it's not so clever after all.)

This, it seems to me, is a form of steganography, the art and science of hiding things inside other things. The classic example of steganography is to hide a secret message inside a JPG file. JPGs can be large without arousing suspicion. If every 500th bit in the JPG were really the content of the message, the JPG would be visually indistinguishable from the original, but the message could be extracted by another party that had a shared key. Search for "Steganography software" and you'll find several examples of programs to do this.

By contrast, if you have clearly encrypted files on your system and it's searched, those files will arouse suspicion. In some places, if you refuse to turn the password over the police they can lock you up.

The idea of hiding programs inside other programs is also really clever, although I can think of general ways to defeat it. Assuming the "app" in question is a hacked version of a well-known app, the hack would break a digital signature or CRC on the file. A good whitelisting system works by checking these values for files against known-good ones, so it would likely detect a hacked program. If it's not a well-known app, that too might look suspicious.

It's always been a general rule that steganography is best used for small amounts of data, but the rule doesn't work quite as well as it used to. It doesn't look fishy anymore for you to have a folder on Google Drive with 50GB of shared family photos and videos, but you can hide a lot in those files.

(via Bruce Schneier)

Topics: Security, Government : US


Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.