web application security lab

Anti Internal Memos Steganography

While I was working for my last enterprise company I got this sneaking suspicion that something was going on with our corporate email. In particular, I thought that someone was embedding information into the emails to be tracked at a later date. This was in an attempt to stop employees from sending corporate confidential emails to third parties without consent - particularly (the owner of which now runs Adbright, as an aside) and (which is down now), among others.

I’m not typically a very paranoid person, I’m just really good at knowing when and where Big Brother is waiting around the corner. One day I finally had enough information to test my theory. Someone sent me a copy of one of the memos that was sent out to one of the larger groups. It detailed the transition of a very important vice president to “special projects”. For those of you not accustomed to the corporate world, that is double talk for the professional equivalent of the round file. So it was exactly the kind of dirt that these types of websites and indeed investors would want to know.

Since I had two copies of the same memo, I got out my trusty cygwin install and ran a diff against the plaintext of both memos. Sure enough, differences! Subtle differences! Firstly, there were differences in the stars at the bottom of the memo, which looked something like this:


Confidential memo, do not distribute! Extremely proprietary!

On one there would be 50 stars and on another there would be 48 stars, or 47 stars or some other number. Then there were other subtle things like a sentence that would state something like, “Our two companies COMPANYA and COMPANYB are both doing well this year.” And on another one it would be switched, “COMPANYB and COMPANYA”. Other variations stripped off the last word of a sentence, like “COMPANYA did well this year and COMPANYB was not far behind, likewise.” where “, likewise” may or may not be there since it is a word that does not change the meaning of the sentence.

There were about half a dozen iterations in that one email alone (easily enough to cover all the permutations necessary to cover all of the employees of the company). I got another email copy from another employee and sure enough, it too was different. Then I started doing research on emails since then and lo and behold all the confidential emails were marked in this way. Sometimes it was the names of people that would be switched in order. But every version of every email was different. The steganographic information was simply a unique number associated to the version of the email. Once the email was copied and sent to the third party and published openly, it could easily be tracked back to either the person who had sent it, or at minimum the person who sent it to the person who published it.
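To make the scheme concrete, here is a small model of it as an added example (not code from this post): a 6-bit recipient id is embedded through the three channels described above (company-name order, the optional trailing word, and the star count in the footer), a decoder reads it back from any copy, and a line-by-line comparison reproduces the diff check the post used. The memo wording, the bit assignment and the 40-55 star range are constructed assumptions.

```python
import itertools
import re

# Constructed sample modelled on the post's description; the company names,
# channel layout and star range are assumptions, not the original memo.
COMPANIES = ("COMPANYA", "COMPANYB")
STAR_BASE = 40            # footer carries 40..55 stars, i.e. 4 bits of the id
STAR_BITS = 4
ID_BITS = STAR_BITS + 2   # plus 1 bit for name order, 1 bit for optional word

def embed(memo_id: int) -> str:
    """Embed a recipient id into the memo through the three channels the
    post noticed: company-name order, an optional trailing word, and the
    number of stars in the footer."""
    if not 0 <= memo_id < 2 ** ID_BITS:
        raise ValueError("id does not fit in the available channels")
    order_bit = memo_id & 1
    word_bit = (memo_id >> 1) & 1
    star_val = memo_id >> 2
    a, b = COMPANIES if order_bit == 0 else COMPANIES[::-1]
    tail = ", likewise" if word_bit else ""
    return (f"Our two companies {a} and {b} are both doing well this year.\n"
            f"{a} did well this year and {b} was not far behind{tail}.\n"
            f"{'*' * (STAR_BASE + star_val)}\n"
            "Confidential memo, do not distribute! Extremely proprietary!\n")

def extract(memo: str) -> int:
    """Read the same three channels back from any copy of the memo."""
    m = re.search(r"companies (\w+) and (\w+)", memo)
    order_bit = 0 if (m.group(1), m.group(2)) == COMPANIES else 1
    word_bit = 1 if ", likewise" in memo else 0
    stars = max(len(run) for run in re.findall(r"\*+", memo))
    return ((stars - STAR_BASE) << 2) | (word_bit << 1) | order_bit

def differing_lines(copy_a: str, copy_b: str) -> list[tuple[int, str, str]]:
    """The check the post did with diff: line up two recipients' copies and
    report each line that differs; every hit exposes a watermark channel."""
    pairs = itertools.zip_longest(copy_a.splitlines(), copy_b.splitlines(),
                                  fillvalue="")
    return [(n, x, y) for n, (x, y) in enumerate(pairs) if x != y]

if __name__ == "__main__":
    for memo_id in (0, 3, 4):
        print(f"id {memo_id} -> recovered {extract(embed(memo_id))}")
    for n, x, y in differing_lines(embed(0), embed(3)):
        print(f"line {n}: {x!r} vs {y!r}")
```

With only two copies in hand, the diff reveals which channels exist but not how many bits each carries; the more copies you compare, the more of the id space becomes visible.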

What does that mean for people who believe in full disclosure at whatever cost? Either use someone else’s email with their unique identifying marks in it, or write some algorithm to try to deduce what is different in the email and change it enough so that it cannot be tracked back to you.
