Hide your crypto like a real spy

The German government employee recently arrested for spying for the US hid his encryption software using a kind of steganography.

Not many of us have good reasons to go to a lot of trouble to hide our software or content. But some people do need to hide things, and there are good ways and bad ways to do it. A current news event reminds me of one of my favorites.

It's part of the story of a German employee of the country's foreign intelligence service (BND) being arrested for spying for the United States. According to the German magazine Der Spiegel, the employee had a special encryption program hidden in another program (warning, the English translation is not very good).

The employee's computer had a weather app on it. When you asked for the weather for New York, it opened a secret crypto program. It's not clear whether this computer is a full desktop or a phone or whatever. Nor is it clear whether the secret crypto program was found by the German authorities or given up by the employee. (If the authorities found it, then it's not so clever after all.)

This, it seems to me, is a form of steganography, the art and science of hiding things inside other things. The classic example of steganography is to hide a secret message inside a JPG file. JPGs can be large without arousing suspicion. If every 500th bit in the JPG were really the content of the message, the JPG would be visually indistinguishable from the original, but the message could be extracted by another party that had a shared key. Search for "Steganography software" and you'll find several examples of programs to do this.

By contrast, if you have clearly encrypted files on your system and it's searched, those files will arouse suspicion. In some places, if you refuse to turn the password over to the police they can lock you up.

The idea of hiding programs inside other programs is also really clever, although I can think of general ways to defeat it. Assuming the "app" in question is a hacked version of a well-known app, the hack would break a digital signature or CRC on the file. A good whitelisting system works by checking these values for files against known-good ones, so it would likely detect a hacked program. If it's not a well-known app, that too might look suspicious.

It's always been a general rule that steganography is best used for small amounts of data, but the rule doesn't work quite as well as it used to. It doesn't look fishy anymore for you to have a folder on Google Drive with 50GB of shared family photos and videos, but you can hide a lot in those files.

(via Bruce Schneier)