While doing research into Steganography I looked at a couple of sources on wikipedia on organized crime and some of their applied uses. Organized crime still hasn’t fully adopted technology but is slowly getting there. Phishing scams and other online fraud schemes are netting a pretty penny now a day.
My point is not to illustrate organized crime as a "good" example of how to do things. My point IS to illustrate how an organization that relies on absolute secrecy to exist applies the principals that we have discussed in theory into practice.
Wikipedia has a prison tattoo section explaining prison tattoos and their meaning. Prison Tattoo’s in this context are a means to communicate social status and other intentions or proclamations. Tattooed illustrations containing metaphors such as status in a criminal gang or their intention to escape is one example. Japanese Yakuza publicly display the name of their gang on their storefront and on their clothing to identify themselves as a part of a gang.
La Cosa Nostra utilized a form of slang that baffled the FBI for a long time until the full lexicon of mafia terms was eventually discovered.
These examples show how Steganography was applied to mundane speech, body art and clothing styles that in the criminal context had a different meaning. The problem with this secret communication is that though the medium was secret, the information was not and thus vulnerable to discovery and interpretation by a third party.
It also illustrated to me the fatal flaw in Steganography which is security by obscurity which is a mantra often chanted by security guru's when addressing insecure weak proprietary security systems. However this being said, Steganography DOES buy time and help overcome passive discovery so when combined with good crypto it can be a part of a balanced communication strategy. Kind of like buying a box of SUPER ULTRA SUGAR SMACKS for your kid because its the only way you can get them to have milk in their diet.
http://en.wikipedia.org/wiki/Criminal_organization
http://en.wikipedia.org/wiki/Criminal_tattoo
http://en.wikipedia.org/wiki/Steganography
Many confuse security by obscurity with steganography.
ReplyDeleteThe two concepts are not the same
From an information security perspective, Security by Obscurity is hiding the inner working of a security mechanism and then making the claim that since the inner workings are unknown then it is secure - this is a severe flaw.
On the other hand, Steganography is hiding the existence of the secret message. The inner workings and algorithm of the steganographic technique may be known (as in cryptography) and good steganography (again like crypto) would be difficult to find even if the hiding technique is known.
Good point!
ReplyDeleteThe concepts of "security by obscurity" and "hiding the presence of a secret communication" are technically different concepts.
What I meant was that hideing things by itself in general is not a good way to guarantee information 's security. Of course when combined with crypto this would help guarantee the security of the information.
I'll keep this in mind in the future.
Thanks !