
The dark world of steganography

Discussion in 'Programming' started by healzer, May 20, 2017.

  1. healzer

    This is part 2 of "How social media networks can combat spam, bots and digital theft".
    Part 1 can be read here: https://www.blackhatworld.com/seo/h...at-spam-bots-and-digital-theft-part-1.940364/


    A few months back I read an article about steganography.
    Back then I did not know what steganography was, but the information blew my mind.

    What is steganography?

    It's a way of encoding (aka storing) information to an image, without ANY visible loss/changes to the image itself.
    This strategy does not alter the image file, but it alters the pixels themselves, such that the information is stored inside the image.
    This is a crazy method and it CANNOT be detected. It's a very dangerous method and can be used by criminals and terrorists to communicate using Instagram, Pinterest, Facebook, Tumblr, Imgur, ... without revealing their message. It is quite scary since these organizations/individuals can appear as regular users.

    How does it work?

    Allow me to illustrate how powerful steganography really is.
    Take a look at the next two images, can you spot the 10 differences?

    [​IMG]

    [​IMG]

    Let me disappoint you but there are no differences, at least not to the human eye.
    However, the first image contains data encoded into its pixels, and this is the content:

    [​IMG]

    In this demo, it stores a text file with the message as shown above. But it can store anything, it could even be an EXE file, a zip file, another image file, a PDF file,... you name it. Although the files we encode into the images should be small in size, otherwise there is the possibility that the image's pixels become visibly corrupted/altered (but I have not tested this yet).

    Try it yourself

    I have used the Java code, found on this repository:
    https://github.com/leoxiong/image-steganography

    The owner of the code has provided a short YouTube tutorial which you can watch:


    You can try to re-upload the image with encoded data to some image sharing site (e.g. imgur), and then re-download it, decode it and verify the decoded message. I have tried this with Imgur and Pinterest. Thus to stop terrorists, these sites should definitely consider doing research on a detection mechanism (which would be incredibly hard to realize).

    Why is this a risk for bots and spammers?

    Social media sites allow you to upload images, gain followers and grow your brand.
    However, there is an ongoing debate about using/stealing content of other people, and how such a crime can be punished in an effective manner.

    In part 1 of this series, I have proposed a system that can identify fake profiles from real ones.
    Using that knowledge we can further let social media sites exclude all fake profiles from rankings and feeds, basically isolating them to die out.

    Steganography offers an incredibly powerful way to reward original uploaders and punish content thieves. And it would work like this:
    1. Some user uploads an image onto his favorite social media site.
    2. That website will apply steganography to encode his profile information (unique user ID) into the image.
    3. Everyone who now attempts to steal and re-upload this image will be categorized as "thief" and we can lower their chances of appearing on any feed. If the "thief"-level becomes high, the website can decide to ban/isolate the account entirely.
    The beauty of steganography is that encoding information to an image is quick and easy, but extracting it is very hard if you don't know the algorithm that was used (only known to the website itself and hidden in the code on a server).

    Even if the user edits the image, such as applying a watermark or adding a logo, chances are pretty high that the unique user ID can be decoded from the image. Even if you attempt to make a screenshot of the image, the information will still be in there.

    Problems

    A major problem with this is that you can easily create unique images that remove the encoded data, by re-saving the image in a different format or applying image compression. But also when you apply a filter or edit it in Photoshop, for instance, the information will be lost.

    The above statement is only true for the code which I've used to play with (see link above).
    Maybe, but I haven't done my homework, it could be possible to develop a steganography algorithm which withstands compression, re-saving and even filters (to a certain degree).

    You can read more about this method in this paper:
    http://ieeexplore.ieee.org/document/6714170/
     
  2. healzer

    I forgot to mention a very important fact.
    Most of you are aware of the fact that social media sites "can" use a hashing function (such as MD5) to compute a unique hash string, given some image.
    Some tools/people attempt making their images unique by slightly changing a few pixels, and then the MD5 hash becomes unique.
    This may seem like a great method to trick sites and make them think that you've uploaded a unique piece of content, right? :)

    However, steganography is much more advanced and even if the MD5 hashes do not match (original image vs edited image), the hidden/encoded data in the pixels can be detected by the social media sites. Fooling them will only become harder.
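
An added illustration (not part of either post and not the code from the linked repository) of the two points made in the posts above: an uploader ID stored in pixel data still decodes after a small pixel tweak that changes the MD5, but not after a lossy re-save. The least-significant-bit scheme, the `MAGIC` marker, the pixel buffer and the user ID are assumptions constructed for this example.

```python
import hashlib

MAGIC = 0xA5      # constructed marker byte: lets the extractor report "no watermark"
BITS = 40         # 8 marker bits + 32 user-ID bits, one bit per pixel sample

def embed_id(pixels: bytes, user_id: int) -> bytes:
    """Store MAGIC + a 32-bit user ID in the lowest bit of the first 40 samples."""
    if len(pixels) < BITS:
        raise ValueError("image too small to carry the ID")
    payload = (MAGIC << 32) | (user_id & 0xFFFFFFFF)
    out = bytearray(pixels)
    for i in range(BITS):
        bit = (payload >> (BITS - 1 - i)) & 1
        out[i] = (out[i] & 0xFE) | bit        # each sample changes by at most 1
    return bytes(out)

def extract_id(pixels: bytes):
    """Return the embedded user ID, or None if the marker is absent or damaged."""
    if len(pixels) < BITS:
        return None
    value = 0
    for i in range(BITS):
        value = (value << 1) | (pixels[i] & 1)
    return value & 0xFFFFFFFF if value >> 32 == MAGIC else None

def lossy_resave(pixels: bytes, step: int = 4) -> bytes:
    """Crude stand-in for lossy re-encoding: quantise every sample."""
    return bytes((p // step) * step + step // 2 for p in pixels)

def md5(pixels: bytes) -> str:
    return hashlib.md5(pixels).hexdigest()

def demo() -> dict:
    # Constructed 16x16 grayscale buffer standing in for an uploaded image.
    original = bytes((x * 7 + y * 13) % 256 for y in range(16) for x in range(16))
    marked = embed_id(original, 123456)       # 123456 is a constructed user ID
    tweaked = bytearray(marked)               # re-upload with two pixels altered
    tweaked[200] ^= 0x10
    tweaked[255] ^= 0x10
    return {
        "max_change": max(abs(a - b) for a, b in zip(original, marked)),
        "md5_differs": md5(marked) != md5(bytes(tweaked)),
        "id_after_tweak": extract_id(bytes(tweaked)),
        "id_after_resave": extract_id(lossy_resave(marked)),
        "id_in_unmarked": extract_id(original),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact-hash comparison treats the tweaked copy as new content while the embedded ID still identifies the original uploader; the quantised copy loses the ID, which is the limitation listed under "Problems" in the first post.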
     
  3. tux

    Well, this is certainly interesting and makes sense. I would suggest you implement this in your own Instagram bot so people like me can test it.
     
  4. healzer

    I am definitely considering adding a feature that applies random filters & color beautification to uploaded images.
    This will most likely remove any/all steganography encoded data by social media sites (if they are using it at least).
    Even if they are not using it, it will guarantee a new md5 hash (I hope they are not using this though).

    I have a part 2 of this subject in mind, but I'm not sure if anyone has done any research on it.
    It's maybe too simple, so if I have a few spare hours I'll try it and write about it :)
     
  5. littlewebdragon

    Thank you very much for posting this. I'm going to need to learn a bit more about this subject. I've done some testing with a project and it was a fail, as I've cut out most of the header info from the image (stupid, I know) and they looked like generated images to bots actually instead of photos. It took me a while to realize that.

    May I ask what lib are you using for image editing if you don't mind sharing? :)
     
  6. healzer

    I'm glad you liked the post :)

    I don't use any library, except the default binary/image buffers (you can also see how decode & encode functions work in that github project).
    However, if you are going to apply layers/watermarks/filters, then you're better off using some library of course.
    I don't know a good library to use right now, but I'll be looking for one in the coming few days (maybe I'll mention it here).
     
  7. PortScan

    This could certainly be used to track quite a bit of copyright infringement. Probably use this to track all the fake Facebook user profile photos...
     
  8. akr007

    Interesting fact!
     
  9. chimpcoder

    Steganography is the art of hiding data in a media file, whether it is an image or a video. I just wonder: if you modify the image in Photoshop, does the hidden data remain after editing?
     
  10. ScribScribScrib

    This is actually pretty cool, thanks for sharing.

    I'm already picturing a few methods to make money out of this!
     
  11. healzer

    Yes, my experiments have proven that the data remains.
    It depends on what kind of edits you do. If you apply filters, the data will certainly be invalidated.
    But if you add a watermark/logo to the image at an area that does not have any encoded pixel data then it will remain valid.

    There is research being done into encoding methods which make sure data remains valid even after applying filters, but these are highly experimental from what I've understood.
     
  12. curiouskt

    Thank you OP for a very interesting thread.
    I am sure many members would like to also know this....

    Does this apply when, for example, we were to download some of the Shutterstock images from the many sites for free, that the pixel is hidden in the image?
     
  13. healzer

    Yes of course it is possible.
    I do not know if websites such as Shutterstock are using this to track the real/original buyer, but it would definitely be a wise tactic.
     
  14. curiouskt

    Thanks for that.

    So much fake news and conflicting evidence.
    I read that they put it on EVERY item, to track for piracy etc...
    yet when I read their forums yesterday, many photographers / contributors were very angry
    at their produce being so freely available, WITHOUT any tracking!!

    I am sure the truth lies somewhere in between.
     
  15. healzer

    Interesting, do you have any link(s) to these sources?
     
  16. curiouskt

    I will search and post if I find them again
     
  17. terrycody

    What a great reading, saved the bookmark, great share!
     
  18. Maks.KV

    @healzer, very valuable and interesting info. Thank you very much!

    This method can be used to protect intellectual property and identify leechers as well.
     
  19. Taegn

    I thought they were doing hashes? Anyway, filtering it up ain't hard; I built a tool to automate that the other day.