The mass media anointed 2011 as the "year of the hack"23 due to the numerous accounts of data security breaches in private companies and governments. Indeed, the sheer volume of stolen data was estimated in petabytes (that is, millions of gigabytes).2
A large fraction of the security breaches that year could be attributed to the so-called Operation Shady RAT.49 These actions were targeted at numerous institutions around the world and the inflicted damage lasted, in many cases, for months. The mechanism of infection was mainly by means of conning an unaware user to open a specially crafted email message (phishing) and implanting a back door on the victim's computer. The next step was to connect to a website and download files that only seemed to be legitimate HTML or JPEG files. What cybercriminals had actually done was encode commands into pictures or crafted Web pages so they were invisible to unaware third parties, and smuggled them through firewalls into the system under attack. These control commands then ordered a victim's computer to obtain executable code from remote servers, which in turn permitted an outsider to gain access to local files on the compromised host.32 In numerous cases, the side channel to the confidential resources remained accessible for months, thus deeming the security breach severe. The villains were so daring they did not even put much effort into obscuring the fact that information hiding techniques were involved in the attack. One of the pictures used as a vector for control commands was the famous "Lena," a cropped picture of a Playboy model, which is the standard test image for any digital image processing or steganographic algorithm.
The following letter was published in the Letters to the Editor in the May 2014 CACM (http://cacm.acm.org/magazines/2014/5/174361).
In their Review Article "Trends in Steganography" (Mar. 2014), Elbieta Zieliska et al. included a good survey of the history of data hiding and a comprehensive list of methods for inserting bits into cover objects but omitted an important actor from the scene the enemy. In computer security, a system is secure only if it prevents the enemy from achieving certain specified goals. If the primary aim of steganography is to communicate covertly (as the article said correctly), then the enemy is someone a "steganalyst" who is able to monitor communications to detect covert communication. Such a scenario reflects reality in light of today's pervasive monitoring of the Internet by intelligence agencies and criminals.
Researchers would do well to identify new media that supports covert communication but only if they also prove it is not actually detectable by an enemy using the tools (such as statistical analysis and machine-learning algorithms) needed to unmask hidden data. I would not want a Communications reader to imagine steganographers forget they indeed have enemies, far from it. But few steganography methods survive long once researchers start trying to detect them through statistical methods. The only exceptions are ultra-low-bandwidth mechanisms that find perfectly random parts of the cover (where hiding is trivial) or highly refined methods that exploit coding theory and distortion minimization applied (at least in recent years) to image steganography.
Trends in steganography research have advanced past finding new bits to twiddle in communications streams, focusing instead on the enemy and asking important theoretical questions: Can a steganographer use information theory to provide an upper bound on an adversary's powers? (Yes.) Must the number of steganographic changes be proportional to the size of the hidden message? (Surprisingly, no.) Can a researcher say something about secure capacity relative to the size of the cover? (Yes.) And can a steganographer identify parts of the cover medium that are better to hide in? (Yes, but at the moment only heuristically.) Answers lead to further fascinating game-theoretic questions: If a steganographer embeds secret information only in the "best" places, the enemy would likely look only there and catch it out, so steganographer and steganalyst alike should randomize their behavior. The questions also represent today's most interesting research challenges.
Andrew D. Ker
Displaying 1 comment