The tickle of curiosity. The gasp of discovery. Fingers running across the keyboard.

Monday, May 11, 2020

Hiding in Plain Sight—The secrets behind steganography

Hooray! Today, we get to hang out with my dear friend Chris
Patchell.

Chris Patchell is the award-winning, USA Today Bestselling author of six novels. A former tech worker turned author, Chris pens suspense novels set in the Pacific Northwest. Her novels have been praised by New York Times Bestselling author, Kevin O'Brien and #1 Amazon Bestselling author, Robert Dugoni. Her rich complex plot lines and well-drawn characters will keep you turning pages well into the night.
When I first started learning about steganography, I was thinking about it in the modern sense—the kinds of digital attacks that lurk on the internet, but I was surprised to learn that this practice had a long and fascinating history—from spies who hid their messages by writing them in invisible ink, to secret messages hidden in pieces of art by masters including Leonardo Da Vinci, to messengers who tattooed information on their heads and then grew back their hair to hide the message.

Hiding secret messages in plain sight is becoming an even more common and popular form of cyber-attack. The modern-day trojan horse, the concept of steganography is simple—hiding content by embedding it into something else. It can be used in all sorts of clever and sometimes malicious attacks. Steganography has been used to carry out insider trading information by hiding it inside an image file. There was a fascinating case where malware was embedded on Microsoft Windows machines, where it gathered information and sent it over the Internet to its command and control center. Thirty-six days after it was embedded, the malware removed itself, essentially covering its tracks.

There are so many ways to hide digital data! In my first book, Deadly Lies, one of my characters chose to employ a method of steganography similar to the one used by the insider trading case mentioned above. This character embedded information in an image that was emailed to a detective investigating a murder. On the surface, the image was about as innocuous as you could imagine—a cute cat seated in a toy car with a caption that read “Have a Nice Day!” But there was another message embedded in the image, written in the same color of ink as the background, and it wasn’t until the text was located and the color changed, that the message became clear.

But this isn’t the only way to hide content in image files. Pixel values can be manipulated, filter settings can be changed to affect the image’s aesthetic. Hackers can also embed code that changes how the image appears.

Information can also be hidden in network transmissions in applications including Skype, Bit Torrent, and Google search. With so many people suddenly working at home during the Pandemic, Zoom Bombing has become a thing. Hackers have been known to hide data in audio files. Transcoding describes one such method whereby speech data is compressed so it takes up less space, and the space that was freed up is used to carry covert data. Secret data can be encoded into the silence between words in an audio file.

Steganography can be used for a number of reasons, running the gamut from legitimate and illegal. It can be used to avoid censorship or embed messages in photographs that can be posted to social media. But in this age of Photoshop, how do you find the difference between an image that was manipulated on purpose, and one that contains nefarious information? Security professionals sometimes look at a file size or checksum information as an indicator. If a file size is way bigger than the content would justify, it could set off alarm bells that necessitate a deeper look.

Not surprisingly, cell phones are particularly vulnerable to steganography attacks because mobile operating systems don’t have the same security layers that other operating systems have. Microsoft and Apple have spent years detecting and preventing virtual attacks while the proliferation of cell phones and cell phone apps are a relatively new and ever-expanding playing field.

But as the kinds of steganographic attacks become more varied, so does the challenge of staying one step ahead of the bad guys. Computer users have become more aware of the dangers of clicking on random files or links. This is a good thing, because in order for a phishing attack to be successful, it requires someone to click on a link or download a file. There are tools designed to detect malware. Typically they focus on a predefined set of files that are known to be problematic. Software also exists that normalized traffic being broadcasted in the hope to prevent network attacks. As detection methods become more sophisticated, so do the countermeasures.

In Vow of Silence, my oh-so-crafty and morally

ambiguous character, Jill Shannon, uncovered a different form of Steganography being used by characters in the book. A covert group was sending coded messages in what looked to be garden-variety spam. If you’re like me, you get junk email (a.k.a. spam) all the time. But in this particular scenario, the group used spam to communicate details of their secret meetings. It was a fun solution to a technical problem that fit my fictional needs.

In this day and age, there are so many ways to hide everything from coded messages to malware in electronic format. While we mere mortals need to beware of the digital landmines awaiting us in the wide world of the Internet, it’s a virtual playground to explore for fictional bad guys looking to do bad things. With all the digital tools at our disposal, there’s no need for a hideous tattoo to send secret messages. 😊

Here are a few links if you’re interested in reading more.

https://www.computerworld.com/article/2576708/steganography--hidden-data.html

https://towardsdatascience.com/steganography-hiding-an-image-inside-another-77ca66b2acb1

Thank you so much Chris for sharing that information with us!


You can learn more about Chris and check out all of her books on her Amazon Page.  Load up your Kindle!

This article was written in May 2020 during the time of Covid-19. One of the best things you can do for the world is stay home and read!

Be well,
Fiona




No comments:

Post a Comment