UOC researcher joins Europol group of experts on a quest to combat cybercrime

Cybercriminals are employing ever more sophisticated techniques to hide the information they wish to pass on to others. Principal investigator of the UOC’s K-riptography and Information Security for Open Networks (KISON) research group, David Megías, has been invited to join the Criminal Use of Information Hiding (CUIng) initiative, which works in conjunction with the Europol European Cybercrime Centre (EC3) to raise awareness about this increasingly potent threat and form a line of defence to combat its misuse.

Megías is one of the few experts in Spain with specialist knowledge of steganography, a highly sophisticated technique for concealing information within digital files. This technique is used to hide information in plain sight, concealed within images, videos, audio files, text documents and even communication protocols. It is the digital equivalent of invisible ink. “For example, you can post a photograph on Instagram that contains secret embedded information, which only someone who knows what to look for would be able to see”, explains the expert.

Steganography has been exploited by spies, as in the case of the Russian spy ring discovered in the United States in 2010, and terrorists, known to have used eBay and Reddit, as well as videos, to send coded messages. A memory card found in the possession of an al-Qaeda member arrested in Berlin in 2011 contained what looked like a pornographic video but, through the use of digital forensic techniques, it was later revealed that the video contained 141 hidden documents providing details of the terrorist organization’s operations and future plans.

Cybercriminals are another group that use these camouflage systems in cyberattacks, with the goal of introducing hidden malware into computer networks. Hammertoss, Stegoloader, Regin and Duqu are some of the most recent cases in which this kind of system hacking by Russian cybercriminals has been identified.

In this context, the CUIng initiative, established in 2016 and made up of various experts from academia, industry, law enforcement agencies and institutions, among others, is working to address this problem and thus prevent it from becoming more widespread. Its principal objectives include raising awareness of threats, tracking progress in the area, sharing strategic information with regard to potential threats, working together to develop effective countermeasures and integrate them on a global scale – or at least within the EU – and educating and training experts in these technologies.

“Through this initiative we are looking to highlight a problem that could otherwise go easily unnoticed. There are currently very few safeguards against this type of technique and it is important to be as vigilant as possible,” warns Megías, who also acts as the director of the UOC’s Internet Interdisciplinary Institute (IN3).

Steganography versus cryptography

Steganography is often confused with cryptography because both have a common purpose: to provide confidentiality. The difference is revealed by the etymology of the two words: in Greek, ‘steganography’ means ‘hidden script’, while ‘cryptography’ means ‘secret script’. The first one uses techniques to create a hidden channel of communication while the second, conversely, does not hide information but makes it unintelligible to unauthorized readers. In other words, one applies a methodology which maintains confidentiality in terms of the communication channel while the other focuses on making the message indecipherable. 

In steganography there are a number of ways of embedding secret information within digital files. “In the case of photographs, data can be camouflaged inside images by altering the specific properties of the pixels, for example. Essentially, the aim is to have the transmission of hidden information go totally unnoticed”, explains Megías. 

On a final note, the expert points out that this technique can also be used for beneficial purposes, such as to protect personal data or transmit confidential information within an organization or among employees, for example, to safeguard against industrial espionage.