SteganoGraphy — The related Cyber Piracy & Data Privacy issues, the Soft Tech bears.
In one of the recent London event emphasized the significance of cybersecurity and public relations, with keynote speakers from diverse domains like law, public relations, and forensics. What is most intriguing there discussed was the usage of Steganography and related Data Breach, Privacy Concerns and growing GDPR issues this soft tech offers.
Steganography — The Art of Hiding Information.
A brief idea on the word — Steganography is like “Stegano” — a greek word meaning hidden or covered and that of “Graphy” means what is written. so, Steganography is the act of hiding information inside a different message or item to evade discovery. Steganography is capable of concealing a wide range of digital stuff, including text, images, videos, and audio. The concealed information is then extracted upon reaching its intended location. Steganography involves the encryption of content before it is disguised inside a different file format. If the data is not encrypted, it may undergo processing to increase its level of concealment.
Steganography is sometimes likened to encryption as a means of concealed communication. However, steganography differs from other methods since it includes the encryption or decryption of data using a key during transmission or reception. An essential aspect of steganography is the need that the file concealing the message must not exhibit any readily noticeable alterations. The concealment of data inside the cover leads to the deterioration of the concealing media used. Consequently, the Stego-media and Cover-media will exhibit dissimilar characteristics. The Steganographic method becomes ineffective if the attacker notices this alteration, and there is a chance that the attacker will be able to retrieve or compromise the original message.
Let’s now get a brief analysis of the Fundamental Steganographic Model:
Cover File, ‘X’: This file will be used for concealing the information.
Message, ‘M’: This is the confidential data that we want to conceal inside ‘X’.
Stego-Key, ‘K’: Certain steganographic techniques require the use of certain keys, or data, in order to conceal and retrieve ‘M’ from ‘X’.
Upon obtaining this data, we may use the steganographic technique known as ‘f(X,M,K)’. The result obtained after using the technique is referred to as the “Stego-File”, symbolised by the letter ‘Z’.
To retrieve the message, we will use the opposite procedure using the same Stego-Key employed for concealing the message. It should be noted that the Cover File becomes irrelevant after the secret message has been obtained. Therefore, it is inconsequential if we are unable to retrieve the data that was changed for embedding the message.
Here, a term Robustness refers to the capacity of the concealed message to stay intact despite any alterations made to the stego-media, such as transformation, sharpening, linear and non-linear filtering, scaling, blurring, cropping, and other similar methods.
Another term Tamper-resistance refers to all the characteristics, this particular aspect has utmost significance. If the attacker manages to dismantle the steganographic approach, the tamper-resistance feature makes it arduous for the attacker or pirates to modify or harm the original material.
Ultimately, any implementation of Robust Steganography must guarantee the fulfilment of the aforementioned characteristics, namely improved perceptual transparency, resilience, and resistance to tampering, in order to preserve the integrity of the original content.
Following this brief introduction to steganography, I hope that you have gained a better comprehension of this domain. If you have any inquiries on this subject, kindly submit a comment below.
Now, we can get an idea prima facie on how the soft-technique of Steganography has the likelihood of enabling malicious actors to covertly embed sensitive information into photographs, evading detection and complicating the use of sophisticated methods such as steganography to establish covert channels for illegal data extraction.
The General Data Protection Regulation (GDPR) presents substantial obstacles to the management and adherence to rules, especially when it comes to safeguarding the personal information of staff, collaborators, and customers. A renowned company’s spokesperson recounted their firsthand encounter with a cyber attack, which left traditional communication means useless. In order to keep the attacker from becoming aware of their activities, they needed to establish covert and secure channels of communication and maintain a façade of normality.
The business commenced a forensic investigation to determine the extent of the assault, its consequences, and the techniques used. Following a few weeks, they acquired plenty data to reveal the hack, including the origin of the assault, precise instruments used, the sequence of operations executed, and the magnitude of the breach. They demonstrated their expertise in managing the situation by offering their company’s shares to the broader public.
The speaker also addressed the possible ramifications of customer data being released or divulged to the internet, dark web, or news outlets by an external entity prior to the organization’s knowledge. The advisable approach from a public relations perspective was to delay the issuance of an official statement until enough data could be gathered to provide a well-informed reply.
In the future, corporations will likely be compelled by the General Data Protection Regulation (GDPR) to safeguard their customers’ sensitive data via the use of steganography.
In order to avoid such scenarios, it is essential to enforce measures that force attackers to expose their identities by rendering sophisticated tactics to make steganography unfeasible. Deep Learning has the ability to efficiently uncover and discourage intruders, hence thwarting their use of sophisticated techniques to obtain sensitive data.
A fragment of the obscured javascript code was likely discovered in the first versions of this campaign.
Subsequently, the Privacy Team intervened and collaboratively examined the resulting consent string. Although it exceeds the normal length and lacks conventional segmentation, it seems somewhat persuasive at prima facie. The string was properly decoded in the TCF Consent String Decoder, however it resulted in an invalid consent string. The TCF did not include any references to objectives, suppliers, or version numbers that were non-existent. Undoubtedly, the party responsible for generating this consent string was not a registered CMP, therefore rendering any consent string they produced stood as invalid. There was an absence of programming to notify or engage with a user in order to document their privacy choices. The main objective of constructing this data structure was not to code a valid consent string but to monitor the user’s activity on that specific webpage. The TCF consent string’s validity is crucial for vendors working in that setting since it informs them about the user’s privacy choices, enabling them to determine if they have a legal justification for tracking. A deceitful consent string undermines the legal justification for the conduct of any vendor that gets it, raising doubts about their culpability and perhaps causing damage to the user who may thereafter be monitored without their explicit agreement. Only a certified Consent Management Platform (CMP) has the capability to generate a legally acceptable consent string. Similarly, only an authorised vendor may acquire consent or legitimate interest using the Transparency and Consent Framework (TCF) in order to monitor user activity.
The issue started when the Security Team detected a scan revealing indications of extensive obfuscation and browser fingerprinting. They started the process of scrutinising and unravelling the code, ultimately uncovering its purpose of constructing a TCF privacy permission string.
