Recently in The Mail Bag Category

Question from a Reader: "Can people hide messages in pictures? Is this for real?"

Yes this is for real! It is not limited to just pictures, although this is one the common uses, but messages can be embedded in any number of digital media types. It can even be embedded into sound files.

This practice is called steganography, or stego for short. Steganography is the science of writing hidden messages in such a way that no one, except the intended recipient knows of the message.

Usually a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message - this is referred to as the covertext or in the case of digital file- the carrier.

Steganography is different than cryptography. With cryptography, encryption is the process of obscuring information to make it unreadable without special knowledge. In this case the message is not concealed just scrambled or obscured.

The obvious advantage of steganography over cryptography is that messages do not attract any attention. A coded message that is unhidden, no matter how strong the encryption, will arouse suspicion and may in itself be problematic. For example, in some countries encryption is illegal.

A common form of steganography is the use of jpeg files (a computer image) to hide the message. Research is already underway to create systems that can detect secret files or messages hidingwithin digital images.


Electronic images, such as jpeg files, provide the perfect ?cover? because they?re very common ? a single computer can contain thousands of jpeg images and they can be posted on Web sites or e-mailed anywhere. Steganographic, or stego, techniques allow users to embed a secret file, or payload, by shifting the color values just slightly to account for the ?bits? of data being hidden. The payload files can be almost anything from illegal financial transactions and the proverbial off-shore account information to sleeper cell communications or child pornography.

?We?re taking very simple stego techniques and trying to find statistical measures that we can use to distinguish an innocent image from one that has hidden data,? said Clifford Bergman, ISU math professor and researcher on the project. ?One of the reasons we?re focusing on images is there?s lots of ?room? within a digital image to hide data. You can fiddle with them quite a bit and visually a person can?t see the difference.?

?At the simplest level, consider a black and white photo ? each pixel has a grayscale value between zero (black) and 255 (white),? said Jennifer Davidson, ISU math professor and the other investigator on the project. ?So the data file for that photo is one long string of those grayscale numbers that represent each pixel.?

You can read more on the Ames Laboratory research here.

Curious users can also try stego software, but use at your own risk. You should be sure it is legal to use in your country. In some countries this type of software is illegal and carries stiff penalities for use.

Dound's Steganography Freeware. This software allows users to encode and decode messages of their choice with a keyword. The message is coded into a picture, which can be sent via e-mail, uploaded, and so on, and then decoded by the recipient with the keyword that it was encoded with. It's easy to use and you can't tell the difference between the original and the encoded pictures. It comes with a test picture, too.

Steganography Trialware. This application enables you to use digital data hiding techniques to hide as well as encrypt files within other files such as picture or sound files. This allows you to encrypt sensitive information, while at the same time hiding it in a file that will not look suspicious, so nobody even knows that there is encrypted information.

Steganos Security Suite: Trialware. $69 to Buy. Offers a complete encryption software package, which provides protection for users of PCs and laptops. The software features 256-bit AES encryption of an unlimited amount of data; e-mail encryption; the ability to use USB sticks as rewriteable mobile safes; the potential to track down a lost or stolen laptop; track shredding, a password manager; password quality control; a file shredding; and steganographic capabilities.

Question? What is the McCain Amendment as it relates to CAN-SPAM?
Level: Advanced

This is a tough one so I tracked down a real expert- Anne Mitchell, Esq., CEO of the Institute for Spam and Internet Public Policy, and a Professor of Law in California for the answer.

This interview is an attempt to try to clarify the news I reported here earlier coming out of TheInternetPatrol.com report on the lawsuit that went all the way up and down the chain.

It wasn't easy catching her as she was busy preparing for a workshop, but I think we have some solid answers for readers. (And thanks Anne for taking the time!) So to recap we're talking about the recent announcement by the Federal Trade Commission and California Attorney General Bill Lockyer that they have settled a lawsuit in which they went after a spammer both for the spam they sent, and for the spam which their affiliates sent. Let's dive in!

Did you know we had a Mail Bag? We do! Our team, including two MSFT Security MVPs, select good questions from the Mail Bag and give it our best shot.

Question: I receive lots of hot stock tips in my email. Are these legitimate stocks? Should I invest?

Disclaimer: We don't give investment advice...but what you are referring to is commonly called a Pump & Dump stock scam.

Like many people you probably get alot of spam- even with the better filters we have today. Have you ever noticed how many spams are touting a particular stock? Usually this is a slimly traded stock on a small exchange for only pennies a share. In a recent Honeypot studied it was found that 3% of all the spam collected were actually pump & dump scams! Still at pennies a share it seems so easy to make money! Not so.

New research was released recently about these "pump and dump" schemes. The way it works is the stock owners or holders send out massive amounts of spam touting their stock, somtimes resorting to pumping them on up on stock related message boards with false or misleading claims.

What was really interesting in this study is the researchers found that the more spam sent actually sent the stock of the price higher- naturally the scamsters unload the stock as it peaks and the regular investors are left holding the bag.

Answer: If you get e-mails like these simply hit delete. They are more than likely scammers tricks stacked against you in order to part you from your hard earned money. The only ones profiting from these "spam e-mail tips" are the senders themselves- in this case spammers.

For more on Pump & Dump Stock Scams read this illuminating article.

If you still aren't sure check out this savvy fellow who charted a variety of spam touted stocks and see for yourself just how "good" the returns where: Spamstocktracker.com. We suspect that some of these fraudsters might using botnets as spam relays so they can send out literally millions of these types of thinly traded, dubious equities.

Imagine that- a whole legion of zombie machines working OTC stocks. Again- hit delete and don't fall for it.

About this Archive

This page is a archive of recent entries in the The Mail Bag category.

Technical News Round Up is the previous category.

Tips and Tricks is the next category.

Find recent content on the main index or look in the archives to find all content.