Last updated: September 15, 2023

A tech explainer on steganography and its relevance to present-day web security.

Let’s start this with our favorite childhood game. 😀

Spot the difference:

Are you done?

What did you get? Nothing!

Don’t feel bad about yourself, as it would take Superman’s eyes to detect any dissimilarity.

But if you had fed these images to a steganographic decoder, you would have got the text embedded in the first image.

This is steganography.

Okay, let’s backtrack a bit and start afresh.

What is Steganography?

Used for ages, steganography is the art of hiding one thing inside another to avoid detection.

For instance, I have encoded the first laptop image with the text “Geekflare is your trusted source for technology resources,” which you couldn’t see with the naked eye.

Similarly, there are sophisticated tools that you can use to hide a file (text, image, audio, or video) inside another file of a similar or different type.

It’s been in practice for a long time. One such example is the Greek ruler Histiaeus shaving the heads of his trusted servants to write a classified message on their scalps. He would then wait for the hair to grow back before sending the servant to the recipient, where the messenger would go through another round of head shaving to reveal the “secret” note.

This is the simplest form: physical steganography. Other such examples include the use of certain ink that reveals itself under certain light or temperature conditions or messages written under postage stamps.

At present, the process is much more efficient and digital, with multiple free and paid steganography tools at your disposal.

Overall, the idea is to conceal crucial information within any “standard” message or file.

Before putting a spotlight on the use and misuse of steganography for web security, the next section explains its types.

Types of Steganography

There are many ways to achieve this, which mainly depend on the medium of information transfer or the process itself. We will discuss some major types here.

#1. Text Steganography

Here, the information is hidden via specific formatting or character substitution. For instance, the letters A, B, C, … can be replaced with the numbers 1, 2, 3, …, making the coded message look like harmless text.

Another such type is whitespace modification. In this case, the spacing between words or characters is changed to pass on the intended information.

Or the second character of every word can spell out something entirely different from the visible text.

Similarly, there can be endless patterns.
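A defender can check text for the whitespace carrier described above. The following is an added example, not code from the original article; the "space = 0, tab = 1" reading of trailing whitespace and the zero-width character check are assumptions that go slightly beyond the spacing example in the text, and SAMPLE is constructed.

```python
import re

# Characters that render as nothing (assumption: checked alongside whitespace).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

def scan_text(text):
    """Return (line_no, kind, detail) findings for suspicious spacing."""
    findings = []
    for no, line in enumerate(text.split("\n"), start=1):
        body = line.rstrip(" \t")
        trailing = line[len(body):]
        if trailing:
            findings.append((no, "trailing-whitespace", repr(trailing)))
        # Gaps between visible tokens; anything but one space is irregular.
        gaps = re.findall(r"(?<=\S)[ \t]+(?=\S)", body)
        odd = [g for g in gaps if g != " "]
        if odd:
            findings.append((no, "irregular-gap", f"{len(odd)} of {len(gaps)} gaps"))
        hidden = [c for c in line if c in ZERO_WIDTH]
        if hidden:
            findings.append((no, "zero-width", f"{len(hidden)} chars"))
    return findings

def trailing_bits(text):
    """Read trailing whitespace as bits: space = 0, tab = 1 (assumed scheme)."""
    bits = ""
    for line in text.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        bits += "".join("1" if c == "\t" else "0" for c in tail)
    return bits

# Constructed sample: trailing whitespace on lines 1 and 3, a double space on
# line 2, and a zero-width space on line 3.
SAMPLE = "Meeting moved to Friday. \t\nPlease  confirm by noon.\nThanks,\u200b Sam\t \n"

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
    print("trailing bits:", trailing_bits(SAMPLE))
```

Findings here are a reason to look closer, not proof: editors and mail clients also leave stray whitespace behind.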

#2. Image Steganography

The opening example in this article is a type of image steganography. This technique changes a few parts of the image to embed a secret message while having the least possible impact on how the image looks.

Technically, the Least Significant Bits (LSBs) of the image data are altered to encode the confidential information. This has minimal effect on the bytes representing the RGB color values that form the image pixels.

Besides LSB, other methods include palette-based steganography, Discrete Cosine Transform (DCT), etc.
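The following added example (not from the original article) shows why LSB changes are invisible and how fragile they are: it embeds a short message in a raw RGB byte buffer, reads it back, measures the largest per-channel change, and shows that clearing the LSB plane removes the message. The 2-byte length header, the function names and the constructed 16x16 cover are assumptions made for the illustration.

```python
def embed(pixels: bytes, message: bytes) -> bytes:
    """Store a 2-byte length header plus the message in bit 0 of each channel byte."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # only bit 0 of the channel changes
    return bytes(out)

def _read(pixels: bytes, first: int, count: int) -> bytes:
    """Rebuild `count` bytes from the LSBs starting at channel index `first`."""
    data = bytearray()
    for b in range(count):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[first + 8 * b + i] & 1)
        data.append(byte)
    return bytes(data)

def extract(pixels: bytes) -> bytes:
    length = int.from_bytes(_read(pixels, 0, 2), "big")
    if 16 + 8 * length > len(pixels):
        raise ValueError("length header does not fit: no payload in this layout")
    return _read(pixels, 16, length)

def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest change in any single colour channel between two buffers."""
    return max(abs(x - y) for x, y in zip(a, b))

def scrub(pixels: bytes) -> bytes:
    """Zero every LSB, as a sanitising re-encode would; an LSB payload is lost."""
    return bytes(p & 0xFE for p in pixels)

# Constructed 16x16 RGB cover (768 channel bytes), not a real photo.
COVER = bytes((7 * x + 13 * y + 29 * c) % 256
              for y in range(16) for x in range(16) for c in range(3))

if __name__ == "__main__":
    stego = embed(COVER, b"hidden note")
    print(extract(stego), max_channel_delta(COVER, stego), extract(scrub(stego)))
```

No channel moves by more than 1 out of 255, which is why the two images look identical, and the buffer length does not change, so file size alone will not reveal this kind of embedding.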

#3. Audio Steganography

As the name suggests, audio steganography is where the message is encoded in the sound samples without any noticeable difference to the human ear.

A few techniques include LSB modification, echo hiding, spread spectrum, and phase coding.

In short, audio steganography infuses subtle noise or makes changes to the waveform while maintaining a similar sounding output.

#4. Video Steganography

Video is a combination of images and audio. So, the techniques applied there can be used here too.

Secret information is embedded by changing frame-level data, which again is nothing but playing with the image LSBs. Similarly, methods like DCT can be applied.

Likewise, audio steganography can be deployed in the sound part of any video.

#5. Network Steganography

This is done by hiding data within network communication protocols or connection patterns.

It is broadly divided into two types: time-based steganography and storage-based steganography. The former is about tweaking the packet transmission patterns, and the latter embeds hidden data directly into the packets without much effect on the payload to avoid detection.

Specific techniques include modifying the packet transmission rate, putting information in unused fields, sending duplicate network packets, manipulating network headers, etc.
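For the storage-based variety, a monitoring check can flag header fields that the protocol specifications require to be zero or that carry a value with no meaning. This is an added example, not code from the original article; the three fields checked (IPv4 reserved flag bit, TCP reserved bits, urgent pointer without the URG flag) are my choice of "unused fields", and the packets are constructed with documentation addresses and zeroed checksums.

```python
import struct

def audit_ipv4_tcp(packet: bytes) -> list:
    """Return findings for a raw IPv4 packet (no link-layer header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    findings = []
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    (flags_frag,) = struct.unpack(">H", packet[6:8])
    if flags_frag & 0x8000:                      # top flag bit is reserved
        findings.append("IPv4 reserved flag bit set")
    if packet[9] != 6 or len(packet) < ihl + 20:
        return findings                          # not TCP, or truncated
    tcp = packet[ihl:]
    if tcp[12] & 0x0F:                           # 4 bits after the data offset
        findings.append("TCP reserved bits non-zero")
    (urgent,) = struct.unpack(">H", tcp[18:20])
    if urgent and not tcp[13] & 0x20:            # pointer is ignored without URG
        findings.append("urgent pointer set without URG flag")
    return findings

def sample_packet(ip_flags_frag=0x4000, tcp_reserved=0, tcp_flags=0x18, urgent=0):
    """Constructed 40-byte IPv4+TCP packet between 192.0.2.1 and 192.0.2.2."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack(">HHIIBBHHH", 49152, 443, 1, 1, (5 << 4) | tcp_reserved,
                      tcp_flags, 1024, 0, urgent)
    return ip + tcp

if __name__ == "__main__":
    print(audit_ipv4_tcp(sample_packet()))
    print(audit_ipv4_tcp(sample_packet(ip_flags_frag=0xC000)))
    print(audit_ipv4_tcp(sample_packet(tcp_reserved=0b0101, urgent=7)))
```

Time-based channels leave these fields untouched, so they need a separate look at packet inter-arrival patterns.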

This concludes some of the best-known forms of digital steganography. In addition to these, the secret message can be encrypted for extra security, which means deploying cryptography (discussed later) besides steganography.

But since the internet is everywhere, knowing how steganography can affect day-to-day web security is something we shouldn’t miss.

Steganography for Web-Security

The Good

  1. Data Security: Steganography can be used to store sensitive business data and transmit it without attracting unwanted attention. This data can include trade secrets or customers’ financial or health information. When used along with encryption, it paves the way for robust data security protocols.
  2. Anti-phishing: Browser-readable steganographic code can be embedded in critical websites like banks, which will alert the user upon landing on a fake replica. This will protect against the ever-common phishing attacks where a user enters sensitive information and ends up taking heavy financial losses or being an identity theft victim.
  3. Copyright Protection: Secret code can be included in any digital work, which can help trace its original source. This way, steganography can help prevent piracy for various forms of media such as images, audio, video, and even text.

The Bad

  1. Illicit Communication: Since steganography can hide information via everyday communication channels and mediums, criminals or spies can share unlawful information without law enforcement taking notice.
  2. Malware Distribution: Likewise, bad actors can send dangerous code via media, which can run malicious scripts on a user’s computer when opened.
  3. Illegal Content Distribution: Similar to distributing malware, criminals can easily share confidential data under the guise of sending innocuous media content.

See, the very strengths of steganography can be taken advantage of in an entirely opposite manner. And, unfortunately, there is little (discussed at the end) we can do about it.

For now, I will tell you a few things about its well-known cousin, cryptography.

Steganography Vs. Cryptography

They are two entirely different processes with the common goal of protecting information.

While steganography does so by hiding such data, cryptography converts it into an illegible version (ciphertext) so that an onlooker can’t make sense of it even if it gets exposed.

Let’s summarize some telltale differences between these.

| Feature | Steganography | Cryptography |
| --- | --- | --- |
| Principle | Information obscurity | Data scrambling |
| Objective | Hiding the data within other data | Converting the data into an unreadable form |
| Detection | Tough, as the presence of such an act is not easy to spot if done well. | Easier, as the algorithms change the original data type |
| Decoding | Easy. Most such data can be easily read if found. At best, passwords can be used to prevent unauthorized access. | Not easy. It can be extremely complicated based on the encryption algorithm and key strength. |
| Security | Good, as it’s tough to detect. | Excellent, even if detected, unless it suffers from a poor algorithm or the encryption key is compromised. |
| Application | Watermarking, copyright protection, etc. | Online banking, encrypted emails, etc. |

Both of these, if practiced together, make confidential information even more secure. However, they have some drawbacks, like increased file size, high detection risk, complex processes, etc.

Final Thoughts

By its very definition, (good) steganography goes undetected. Since it has positive use cases, too, it’s not entirely bad.

As for the misuse, there isn’t a bullet-proof way to shield oneself from steganographic attacks. One can look for unusual file sizes and file types and make sure never to access anything from a dubious web source.

Finally, having a premium antivirus onboard is always a good move for an average user.
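The "unusual file sizes and file types" check can be made concrete. This added example (not from the original article) compares a file's leading bytes with its extension and walks a PNG's chunk list to count bytes that sit after the image has ended; the function names, the small extension table and the two sample files are assumptions constructed for the illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Leading bytes expected for a few common extensions.
MAGIC = {".png": PNG_SIG, ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8", ".pdf": b"%PDF-"}

def png_trailing_bytes(blob: bytes) -> int:
    """Walk the PNG chunk list and count the bytes that follow IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        pos += 12 + length                  # length + type + data + CRC
        if pos > len(blob):
            break
        if ctype == b"IEND":
            return len(blob) - pos
    raise ValueError("truncated PNG: IEND not reached")

def inspect_file(name: str, blob: bytes) -> list:
    """Return findings for one file given its name and raw content."""
    findings = []
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected and not blob.startswith(expected):
        findings.append("extension does not match content")
    if blob.startswith(PNG_SIG):
        extra = png_trailing_bytes(blob)
        if extra:
            findings.append(f"{extra} bytes after IEND")
    return findings

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

# Constructed 1x1 PNG and a copy with 24 bytes appended after the image ends.
CLEAN = (PNG_SIG
         + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
         + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
         + png_chunk(b"IEND", b""))
APPENDED = CLEAN + b"PK\x03\x04" + bytes(20)

if __name__ == "__main__":
    print(inspect_file("photo.png", CLEAN), inspect_file("photo.png", APPENDED))
```

This catches data appended to a file or a misleading extension; LSB embedding changes neither the size nor the structure and needs statistical analysis of the pixel data instead.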

  • Hitesh Sant
    Author
  • Rashmi Sharma
    Editor
