Problems and challenges

Secret communication is used for a variety of reasons and by a variety of people:

  • Business people protecting company trade secrets while traveling.

  • Criminals transmitting child pornography.

  • Governments hiding information from their own civilians and from other governments.

  • Techno lovers sending secret messages to each other for fun, because they can.

  • Terrorists sending attack plans.

  • Activists posting information to each other.

  • Hackers extracting and exfiltrating data from a system.

  • Nation-state adversaries conducting phishing campaigns.

In a world more and more on alert, the methods available to anybody who wants to hide information are bound to become more sophisticated, and will be used and misused.

Civil rights and privacy?

In response to the perceived threats, legislation appeared in several countries to allow governments to look at any online communication. Some countries can send you to jail if you refuse to give up your key to encrypted data. Law enforcement works together with ISPs all the time to get information about people's online activities. Using steganography to keep personal information private comes to mind.

Securing businesses

Too many companies and organisations still seem to believe that using a single technology, such as Secure Sockets Layer (SSL) for online transactions, or network software with a firewall or VPN, is sufficient. Some may protect data at rest and then forget about protecting it in transit.

What is needed today to protect against information theft, and to detect encryption and hidden data used on a local network, is an all-encompassing security strategy, which does not seem to be happening much. While businesses and organisations do not share information when they are attacked, attackers share information all the time, learning from each other's ideas and techniques, and developing new tactics. Defense in depth and mitigating and minimizing risk are needed, but the staff and budget aren't there because management does not seem to see the value (until the cost of a breach hits, and even then).

Coming up

Cryptography is about encrypting messages so that they can be read only by someone who has the key. Steganography hides messages so that their very existence is undetectable. Both forms of secret communication are being used, overt and covert.

Like all security technology, steganography is not perfect. If someone knows it is there and knows the algorithm that was used to hide it, and if the message is not encrypted, he or she can read it. Even if the message is encrypted, in some cases just knowing that data has been hidden in a file is enough to raise suspicions.