What is Steganography?

January 08, 2025

Introduction

Steganography is cryptography in plain sight. This can be very helpful, as attackers may not know that something contains sensitive information. This can also be helpful because attackers may obtain sensitive information, but not know how to use it.

Traditional Steganography

Steganography can be anything from hiding passwords inside of images to creating passwords out of ordinary objects. Sometimes, steganography can take a form many people are familiar with, where a large body of text exists, but only some of the characters are useful.

For example, if a letter written to somebody says

“Hi,

Everyone calls me John.

Let me call you Bill.

Let me know if you want me to call you something else.

Okay?”

In this example, the first letter of each line could be part of an encrypted message. In this case, the encrypted message would be “HELLO.” This has been used to send secret messages in seemingly innocuous things and is a particular favorite among spies and spy agencies.

How can the average user use steganography?

Although traditionally, steganography has been used for message passing and letter writing, it has many applications in cybersecurity that are often overlooked. It can be used for hiding information in obvious places that attackers may not know to look for. It also can be used to disguise information as something else; it can be used for making passwords look like normal documents or normal text. A normal form stored in an obvious location, such as a documents folder, would often be overlooked by intruders. But inside the form, maybe using the first letter of each line like shown above, passwords can be hidden, and intruders are very unlikely to find them.

How can companies use steganography?

Steganography can often be difficult to do at a large scale. Small-scale steganography can easily obfuscate small amounts of data or protected information. However, larger clusters of data and larger files will be more likely to draw attention from hackers. An entire user list and corresponding passwords won’t be easy to encode into something in plain sight, and the large file size associated could easily draw attention from intruders. These lists should also have encryption and security measures preventing intruders from accessing them, but these measures make the file look more suspicious to intruders. This is why a technique exists where fake sensitive data is used in a file. This is done so that an intruder will access this data and think they have gathered everything they can from the file. At the same time, there is hidden information inside the file that they will overlook due to finding the obvious information and believing the purpose of the encryption was to protect the information they have already found. Unless they know what they are looking for, intruders will often stop there and miss the important information you are trying to protect.

An Example of Good Steganography

Another good example of steganography can be seen in the popular cloud cybersecurity company Cloudflare. They take advantage of the randomness of real life to hide their encryption codes in plain sight. For some further context, random number generators in programming are not truly random. There’s always a way to determine what number will be generated if you are willing to take enough time and effort. Sometimes, it will be done based on something as simple as the time of day, and sometimes, it will be because of a complicated set of factors, but it is always predictable in some form. Cloudflare gets around this by using real-life lava lamps and converting the shapes created by the lamps to generate encryption codes that can’t be predicted at all.

Conclusion

Steganography is a very useful tool for cybersecurity. In a time when intruders and defenses are having a virtual arms race, any tool can make the difference between losing everything and keeping intruders away from sensitive information. Steganography, when used in combination with other cybersecurity techniques, can be the tool that makes that difference and prevents intruders from taking advantage of files they may obtain.

Hayden Duplantier, Associate Information Security Analyst

Hayden is beginning his cybersecurity career as an Associate ISA on Team Atlas, starting out performing remote social engineering tests. He is currently earning a Bachelor of Science in Computer Science from Louisiana State University, expected to graduate in May 2025. He is currently working toward his Security+ certification, and also plans to pursue a Masters in Cybersecurity from LSU.