A tech explainer depicting steganography and its relevance with present-day web security.
Let’s start this with our favorite childhood game. 😀
Spot the difference:
Are you done?
What did you get? Nothing!
Don’t feel bad about yourself, as it would take Superman’s eyes to detect any dissimilarity.
But if you had fed these images to this (steganographic) decoder, you would get a text embedded in the first image.
This is steganography.
Okay, let’s backtrack a bit and start afresh.
What is Steganography?
Used for ages, steganography is an art of deception by hiding something into another to avoid detection.
For instance, I have encoded the first laptop image with the text “Geekflare is your trusted source for technology resources,” which you couldn’t see with the naked eye.
Similarly, there are sophisticated tools that you can use to hide a file type (text/image/audio/video) into another file of a similar or different nature.
It’s been in practice for a long time. One such example is the Greek ruler Histiaeus shaving the heads of his trusted servants to convey a classified message. Next, he used to wait for the hairs to grow back before asking the servant to go to the recipient, where the messenger would go through another round of head shaving to reveal the “secret” note.
This is the simplest form: physical steganography. Other such examples include the use of certain ink that reveals itself under certain light or temperature conditions or messages written under postage stamps.
At present, the process is much more efficient and digital, with multiple free and paid steganography tools at your disposal.
Overall, the idea is to conceal crucial information within any “standard” message or file.
Before putting a spotlight on the use and misuse of steganography for web security, the next section explains its types.
Types of Steganography
There are many ways to achieve this, which mainly depend on the medium of information transfer or the process itself. We will discuss some major types here.
#1. Text Steganography
Here, the information is hidden via specific formatting or character substitution. For instance, the alphabet letters A, B, C,…can be replaced with numbers 1, 2, 3,… making the code language look like harmless text.
Another such type is whitespace modification. In this case, the spacing between words or characters could be changed to pass on the intended information.
Or, the second character of every word can mean something entirely different than the original text.
Similarly, there can be endless patterns.
#2. Image Steganography
The opening example I took in this article is a type of image steganography. This technique changes (embeds with a secret message) a few parts of the image, having the least impact on the overall representation.
Technically, the Least Significant Bits (LSBs) of an image are altered to encode the confidential information. This process has minimal effect on the bytes representing RGB color space, which form image pixels.
Except for LSB, other methods include palette-based steganography, Discrete Cosine Transform (DCT), etc.
#3. Audio Steganography
As the name speaks, audio steganography is where the message is encoded in the sound samples without any noticeable difference to the human ear.
A few techniques include LSB modification, echo hiding, spread spectrum, and phase coding.
In short, audio steganography infuses subtle noise or makes changes to the waveform while maintaining a similar sounding output.
#4. Video Steganography
Video is a combination of images and audio. So, the techniques applied there can be used here too.
Secret information is embedded by changing frame-level data, which again is nothing but playing with the image LSBs. Similarly, methods like DCT can be applied.
Likewise, audio steganography can be deployed in the sound part of any video.
#5. Network Steganography
This is done by hiding data within network communication protocols or connection patterns.
It is broadly divided into two types: time-based steganography and storage-based steganography. The former is about tweaking the packet transmission patterns, and the latter embeds hidden data directly into the packets without much effect on the payload to avoid detection.
The specific techniques used are modifying packet transmission rate, putting information in unused fields, sending duplicate network packets, manipulating network headers, etc.
This concludes some of the best-known forms of digital steganography. In addition to these, the secret message can be encrypted for extra security, which means deploying cryptography (discussed later) besides steganography.
But since the internet is everywhere, knowing how it can affect the day-to-day web security is something we shouldn’t miss.
Steganography for Web-Security
The Good
- Data Security: Steganography can be used to store sensitive business data and transmit it without attracting unwanted attention. This data can include trade secrets or customers’ financial or health information. When used along with encryption, it paves the way for robust data security protocols.
- Anti-phishing: Browser-readable steganographic code can be embedded in critical websites like banks, which will alert the user upon landing on a fake replica. This will protect against the ever-common phishing attacks where a user enters sensitive information and ends up taking heavy financial losses or being an identity theft victim.
- Copyright Protection: Secret code can be included in any digital work, which can help trace its original source. This way, steganography can help prevent piracy for various forms of media such as images, audio, video, and even text.
The Bad
- Illicit Communication: Since steganography can hide information via everyday communication channels and mediums, criminals or spies can share unlawful information without law enforcement taking notice.
- Malware Distribution: Likewise, bad actors can send dangerous code via media, which can run malicious scripts on a user’s computer when opened.
- Illegal Content Distribution: Similar to distributing malware, criminals can share confidential data easily in disguise of sending innocuous media content.
See, the very strengths of steganography can be taken advantage of in an entirely opposite manner. And, unfortunately, there is little (discussed in the end) we can do about it.
For now, I will tell you a few things about its well-known cousin, cryptography.
Steganography Vs. Cryptography
They are two entirely different processes with a common goal to protect information.
While steganography does so by hiding such data, cryptography converts this into an illegible version (ciphertext) so that an onlooker can’t make sense even if it gets exposed.
Let’s summarize some telltale differences between these.
Feature
Steganography
Cryptography
Principle
Information obscurity
Data scrambling
Objective
Hiding the data within other data
Converting the data into an unreadable form
Detection
Tough, as the presence of such an act is not easy to spot if done well.
Easier, as the algorithms change the original data type
Decoding
Easy. Most such data can be easily read if found. At best, passwords can be used to prevent unauthorized access.
Not easy. It can be extremely complicated based on the encryption algorithm and key strength.
Security
Good, as it’s tough to detect.
Excellent, even if detected, unless it suffers from a poor algorithm or the encryption key is compromised.
Application
Watermarking, copyright protection, etc.
Online banking, encrypted emails, etc.
Both of these, if practiced together, make confidential information even more secure. However, they have some drawbacks, like increased file size, high detection risk, complex processes, etc.
Final Thoughts
By its very definition, (good) steganography goes undetected. Since it has positive use cases, too, it’s not entirely bad.
For the misuse, there isn’t a bullet-proof way to shield oneself from steganographic attacks. One can try to look at unusual file sizes and file types and ensure never to access anything from a dubious web source.
Finally, having a premium antivirus onboard is always a good move for an average user.