Steganography– Hiding in Plain Sight: Business Data Security through Obscurity– Art of Covert Communication, Hide-See…k

Steganography is based on a kind of camouflage: where the familiar and superficial draws attention away from the occluded and hidden. Do they see the leopard’s spots, or the leopard? ~Stowe Boyd

Steganography is the art and science of hiding information by embedding messages within other seemingly harmless messages. It works by replacing bits of useless or unused data in regular computer files (e.g., images, graphics, sound, text…) with bits of different, invisible information… Since rise of the Internet one of the most important factors of information technology and communication is security of information.

Cryptography was created as a technique for securing the secrecy of communication and many different methods have been developed to encrypt-decrypt data in order to keep messages secret. Unfortunately sometimes it may not be enough to keep the contents of a message secret, it may also be necessary to keep the existence of the message secret.

The technique used to implement this, is called steganography, and it differs from cryptography in the sense that where cryptography focuses on keeping the contents of a message secret, steganography focuses on keeping the existence of a message secret.  For example; a firm suspected that an insider was transmitting valuable intellectual property out of its network, and after checking mail logs, investigators found the smoking gun; two e-mails with harmless-looking image attachments… It turned out, that the images were hiding important company intellectual property (IP) by using steganography…

Currently, steganography represents a classical paradox: It’s next to impossible to convince people to look for something they cannot see and do not think anyone is using, because there is no large body of empirical data to prove that steganography is being used to transmit information outside of corporate networks…

In the article Steganography by Bojana writes: The rise of the Internet brought many advantages to our society but modern users also face various risks. Our virtual lives are under a constant threat from someone breaking into our computers or account, so it’s essential that all our sensitive data is properly secured…

Encryption is a great way of preventing third parties from accessing data illegally, but the most effective protection would be to hide the fact– that such data even exist. In its original form, steganography refers to making hidden messages in such a way that only a sender and a recipient have access to them. When it comes to digital data, steganography is a common method of data protection and includes; concealing data within encrypted or random files.

Steganography allows you to conceal important data within other files on your devices in such a way that they don’t attract attention to themselves. Basically you can code a message within an MP3 song or a photo and no one ever needs to know that there is something more important beneath the surface. Stenography occupies certain bits of audio or image files, so they can be opened regularly without anything to point out that they contain a secret message…

In the article Steganography for Dummies by Scott Berinato writes: Steganography works not by beating security, but by avoiding it all together. In a risk-based security program, a picture appears to pose no risk and thus bypasses further scrutiny. In order to get to the secret message you must: 1) know that it’s there, 2) have software to extract it, 3) know the password required to extract it.

But the larger point is you can spend all the money you want on security technology with super-complex algorithms for determining what is suspicious and it won’t flag or inspect a picture, image– it’s a secret message. For example, a person could have been delivering this week’s betting lines for an online gambling ring they mastermind, or a map to the spot where to pick up a drug shipment, or trading hard copies of product development data at an airport…

Or, if they wanted even more security, they could have opened an online picture-posting account (e.g., Flickr) and put 1,000 images there, with certain ones containing documents… All that’s required is that the ‘cipherer and decipherer’ communicate– what to look for? where to look? For example, an e-mail with the subject ‘new pictures’ could be a code for ‘secret messages’…

In the article Protect Your Organization from Steganographic Data Theft by Tom Olzak writes: It appears that steganography is a growing challenge for forensics investigators and organizations using content monitoring or filtering to protect sensitive data. The art and science of steganography has been around for centuries. It’s used to write hidden messages in a way that prevents anyone but the recipient from interpreting them.  

According to Russell Kay; steganography strips less important information, ‘bits’, from digital content and injects hidden data in its place. This ‘bit’ replacement is typically performed across the entire image. Once the text is inserted in the image, the ‘stego-medium’ is locked with a password… According to Gary C. Kessler; details methods to detect and defend against theft by steganography include:

  • Looking for markers like the slight image color difference…
  • Large number of duplicate colors in an image can be indicator…
  • When ‘suspect image’ is larger than ‘base image’, there might be hidden information…

In the article Steganography by Hassam writes: Data security has been a cat-and-mouse game between those for whom data hiding is the ultimate goal and for those who would prefer being capable of deciphering hidden data. The history of this goes back centuries as substitution cipher was practiced in ancient battlefronts. Such schemes are called encryption in which useful information is transformed in such a way that only authorized persons can decrypt information. But the problem is that even this encrypted or scrambled form of information is a tell-tale sign that something fishy is going on.

Encryption poses a risk for the business to be successful, which is why they try to identify and restrict any encrypted data that attempts to travel in or out of a defined security parameter. But here comes the real twist in the story: what about the situation when it becomes very difficult to actually identify the presence of encrypted data?

The study of steganography explains this as the events of hiding valuables in unsuspecting places to ward off robber’s attention… In the digital world as well, where an apparent normal file, say an image, document, sound file… is used as a host to hide information in it. Since these files are exchanged very frequently, over the internet and other communication channels, it becomes very time-consuming to scan each and every file to detect the presence of hidden communication…

Several industrial uses of steganography include; bookmark information to thwart copyright infringement, proof of ownership of digital content, exchanging confidential data over insecure protocols…

In the article Steganographic Cipher: What This Means for Business? by Mott Marvin Kornicki writes: Cryptography protects the contents of a message, and steganography can be said to protect both messages and communicating parties. Steganography includes concealment of information in computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as; document file, image file, program or protocol.

Media files are ideal for steganographic transmission because of large size. For example; a sender might start with an innocuous image file and adjust color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it… Digital steganography techniques include:

  • Concealing messages within the lowest bits of ‘noisy’ images or sound files…
  • Concealing data within encrypted data or within random data…
  • Concealed messages in tampered executable files…
  • Pictures embedded in video material…
  • Blog-Steganography: Messages are fractionalized and (encrypted) pieces are added as comments…

Steganography provides a means of secret communication which cannot be removed without significantly altering the data in which it is embedded. The embedded data will be confidential unless an attacker can find a way to detect it.

Steganography is still not widely used, and in the rare instances when it is used it is hard to identify. That’s what makes it so appealing… If you need to transmit data from one person to another or simply hide the very existence of data on your hard disk, steganography in combination with encryption is a good attempt.

On the other hand, enterprises need to be aware of this type of attack, as it poses a serious data leakage problem. The problem is that many companies don’t deploy countermeasures to steganography because they’re not aware of the problem.

According to Wood; steganography is more akin to obfuscation than serious security, however, if the data has been encrypted and mixed in with the host data then it is harder – but there are tools that use various techniques to spot content.

In a Frost & Sullivan report says; as steganography continues on its evolutionary path, researchers have unearthed new platforms where steganographic techniques could be employed to hide information seamlessly. Such efforts have rekindled the research and development efforts oriented toward steganography platforms and steganalysis and a number of researchers are working toward discovering new platforms that miscreants could potentially use to hide information. 

Researchers have shown that voice over Internet protocol (VoIP) could emerge into a popular platform for steganography, owing to its ubiquity and the difficulty in detecting hidden information in VoIP streams. In addition to VoIP, platforms such as images and other multimedia content will be widely used for concealing information.

New analysis finds that steganography is gradually gaining attention from the business community and steganalysis tools could slowly find a place in both medium- and large-sized enterprises that are concerned about protecting intellectual assets. Steganography is also gaining traction as a legitimate technology, used for covert communications, copyright marking, data security…

According to Gaurav Sundararaman; apart from the traditional platforms such as; audio, video, images… researchers are looking for additional platforms/digital media through which information can be hidden. An interesting idea under consideration is to have a separate steganographic channel in a network to send messages. Although each platform has many benefits, it’s very difficult to ascertain the single best platform to send hidden messages. Steganography is capable of mitigating piracy by aiding copyright marking…

In future, digital camera manufacturers could implement steganographic features of camera firmware to annotate pictures with the photographer’s copyright information. Going forward, legitimate applications such as tagging of multimedia content with hidden information could become an important application area for steganography.

According to Achyuthanan; there is a distinct lack of awareness about steganography, particularly among the business community… it’s a technology to keep an eye on – both from the perspective of the enterprise needing to protect sensitive information, as well as; the individual who wants to transmit data via one of the safest ways possible…