Stego Framework

It’s Friday, and that means geek time. (Why? Because I said so.)

In a nutshell, steganography (stego, for short) is the art of hiding a message’s existence. If you’ve ever played the game where you take a paragraph, circle the first letter of each word, and come out with a secret message, then you’ve seen stego. Another oft-cited example is that of ancient Roman commanders who would shave a soldier’s head, tattoo a message on the scalp, then let the hair grow back. The enemy would not know of the message, but the target Senator or such would know where to look.

There are a handful of good tools out there to do this sort of thing. Most of them focus on images (GIF or JPEG files) as the carrier, or cover, for the message. Relatively new is the use of MPEG or MP3 files, as well as using executable files themselves to contain a message. Additionally, there is space in network protocols where messages can be hidden if you know where to look.

Bear in mind that this is not cryptography. Crypto works to scramble a message so someone in the middle can’t read it. Stego works to hide a message so someone in the middle doesn’t know to read it. These two complement each other well, and secret messages are often encrypted before being hidden.

What I’m toying with, then, is the notion of trying to pull this all together into a framework similar to Metasploit but for stego. You would select a carrier, a method, and a message or payload, then press go. It would be interesting to try and implement some of the techniques myself, or to at least integrate a few open-source projects in one umbrella.
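A sketch of the carrier/method/payload idea described above, added here as an illustration and not code from any existing tool. The registry, class names and word bank are hypothetical, and the `lsb` method treats the carrier as raw sample bytes rather than a real GIF or JPEG.

```python
import struct

METHODS = {}  # hypothetical registry: method name -> plug-in instance

def method(name):
    """Class decorator that registers a method plug-in under `name`."""
    def wrap(cls):
        METHODS[name] = cls()
        return cls
    return wrap

@method("lsb")
class LsbBytes:
    """Payload bits go in the low bit of each carrier byte (raw samples)."""
    def embed(self, carrier, payload):
        framed = struct.pack(">I", len(payload)) + payload  # 4-byte length prefix
        bits = [(b >> (7 - i)) & 1 for b in framed for i in range(8)]
        if len(bits) > len(carrier):
            raise ValueError("carrier too small for payload")
        out = bytearray(carrier)
        for i, bit in enumerate(bits):
            out[i] = (out[i] & 0xFE) | bit  # overwrite only the lowest bit
        return bytes(out)

    def extract(self, carrier):
        def read(nbytes, start):  # rebuild bytes from low bits, MSB first
            bits = [c & 1 for c in carrier[start:start + 8 * nbytes]]
            if len(bits) < 8 * nbytes:
                raise ValueError("carrier holds no complete payload")
            return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                         for i in range(0, len(bits), 8))
        (length,) = struct.unpack(">I", read(4, 0))
        return read(length, 32)

@method("acrostic")
class Acrostic:
    """First letters spell the message; the cover text is generated, so carrier is unused."""
    WORDS = {"h": "have", "i": "ice", "o": "only", "k": "kept"}  # constructed word bank
    def embed(self, carrier, payload):
        return " ".join(self.WORDS[ch] for ch in payload.lower())
    def extract(self, carrier):
        return "".join(word[0] for word in carrier.split())

def run(name, carrier, payload=None):
    """'Press go': embed when a payload is given, otherwise extract."""
    plugin = METHODS[name]
    if payload is None:
        return plugin.extract(carrier)
    return plugin.embed(carrier, payload)
```

Because every method sits behind the same `embed`/`extract` pair, a new carrier type is one more registered class, and extraction from a carrier that holds no framed payload fails with `ValueError` instead of returning noise.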

Oh, and for Mom – we’re cooking fajitas this weekend, so I’ll have a steak recipe soon.