[Written on February 27th 2004]
[Updated on April 5th 2005]
Steganography strength (is it easy to see there is hidden data?): Low
Cryptography strength (is it easy to recover the hidden data?): Low
A company called Skyjuice Software, from Singapore, sells software. I like their nice logo made with the kanji character for "water". One of their programs is supposed to be steganography software; it's called Data Stash v1.1b. It costs from 20 US$ to 350 US$ depending on the license.
If you don't want to read the technical details, here is an abstract: it's another one of these programs doing fake steganography and fake encryption, and the security level is zero (yawn).
2. Reading the doc
The documentation on their website is surprisingly devoid of snake oil. Very down-to-earth and descriptive, no exaggerated claims of "world-class" or "military grade" security. Damn. I cannot even have some fun.
For example, they say "Password protection using Blowfish encryption". Well. That sounds serious. But it's actually a joke, as we will see later. They don't encrypt your data.
And there is this claim: "Supports a wide variety of file formats" and that the carrier file can be "any file you'd like to use", which makes me guess it's yet another of these fake steganography programs that add "hidden" information at the end of the carrier file, without checking any file format, in the hope that it won't mess anything up. Then they say that: "The receptacle file remains fully functional, looks and behaves similar to what it was before". You wish.
Okay. Enough with this claim. I've read it too many times. Adding some stuff at the end of files does mess with some of them. A few file formats actually have fields that are defined from the end of the file, not the beginning. For example, ID tags in MP3 audio files. Here is a demonstration. It's an MP3 with or without data "hidden" with DataStash, playing in Windows Media Player. As you can see, when you add some bytes at the end with this "steganography" program, the player becomes unable to read the information inside the ID tag, like the title of the album, song and group names. Because it cannot read it, it displays the name of the file instead. It's just a simple example; there may be many more, and especially some cases where the file actually becomes totally unreadable.
3. How data is hmmm... "hidden"
No need to copy/paste a hex dump here. This program works exactly the same way as two other ones I analyzed some time ago called Safe and Quick File Hide, and Steganography. Basically, the "hidden" files are actually included in a ZIP archive, and this ZIP archive is fused at the end of your carrier file.
But the funny part is coming now.
Let's test the Blowfish encryption option. If it were real, nobody should be able to decrypt the "hidden" information, because Blowfish is a serious, strong crypto algorithm. You may see that there is hidden data (which, by the way, is enough to consider a steganography algorithm to be broken), but you would be unable to extract it if you don't have the password.
Of course here it's not the case. They think they encrypt your data, but they don't. The same basic error as with this odd program called Steganography.
In the following table I will compare the "hidden" information (a small text file called "hiddenmessage.txt") fused after a small JPG image file. For the first one I won't set a password. For the second one I will set a password, so the "hidden" data should become encrypted with Blowfish. Let's have a look. In white, the end of the JPG file. In yellow, the "hidden" ZIP file (how hidden!). In red, some stuff added by Data Stash at the end.
You already guessed what's wrong. Only the underlined bytes have changed. In other words, you set up a password, thinking you are using the secure Blowfish algorithm, and your data is not encrypted! I don't even know what these changing bytes contain, but I suspect it's the password itself, or some hash of it, probably encrypted (because nothing else changes). So you use a password to encrypt the password. A new concept, probably.
Well, enough laughs. If you want to extract the "hidden" data, with or without a password, just extract the yellow bytes in a hex editor, rename this with a .zip extension, and open it with WinZip. Wow, that was tough to crack.
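The layout described above (carrier, then ZIP, then a few trailing bytes) is also easy to spot automatically when screening files. The Python below is an added example, not part of the original analysis and not Data Stash's code; the function names and sample bytes are constructed, the trailer is a stand-in because its real layout is unknown, and Zip64 archives are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP end-of-central-directory (EOCD) signature
EOCD_LEN = 22             # fixed-size part of the EOCD record


def locate_embedded_zip(blob):
    """Return offsets and member list of a ZIP embedded in blob, or None."""
    pos = blob.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(blob):
            # EOCD bytes 12..21: central directory size, its offset, comment length.
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", blob, pos + 12)
            start = pos - cd_size - cd_offset   # first byte of the archive
            end = pos + EOCD_LEN + comment_len  # one past its last byte
            if 0 <= start and end <= len(blob):
                try:
                    with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                        # Flag bit 0 is the ZIP format's own "entry is encrypted" marker.
                        members = [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
                    return {"carrier_bytes": start, "zip_bytes": end - start,
                            "trailer_bytes": len(blob) - end, "members": members}
                except zipfile.BadZipFile:
                    pass  # signature matched by chance; keep looking
        pos = blob.rfind(EOCD_SIG, 0, pos)
    return None


def build_sample():
    """Constructed input: fake JPEG bytes, a ZIP, then a made-up trailer."""
    carrier = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hiddenmessage.txt", "constructed test message")
    trailer = b"\x01\x02\x03\x04" * 4  # stand-in only; the real trailer layout is unknown
    return carrier + buf.getvalue() + trailer


if __name__ == "__main__":
    print(locate_embedded_zip(build_sample()))
```

A non-zero `carrier_bytes` together with readable member names and a false encryption flag is the signature of this append-a-ZIP scheme: the archive sits in the clear behind the carrier.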
[Update 2005 April 5th: the new version 1.5 was very weak too, and once again didn't use Blowfish to encrypt the data. So the hidden files were very easy to retrieve. I didn't really have the time to write a technical article about it. The author was notified and DataStash is right now under re-development.]
Have a nice day!
Guillermito, February 27th 2004