Obfuscation
(OBJ 1.4)
Obfuscation Techniques in Data Security
- They all operate under the principle of hiding information, either by embedding it within something else, replacing it with tokens, or altering it to protect the genuine data.
Steganography
- Derived from Greek words meaning "covered writing"; it is all about concealing a message within another so that the very existence of the message is hidden
- Involves altering image or data elements to embed hidden information
- Primary goal is to prevent the suspicion that there’s any hidden data at all
- Example: Adding a hidden message inside a cat image
- Used alongside encryption for added security
- Detection is challenging due to hiding data in plain sight
- Old spy movie: A spy takes out a classified ad in the newspaper, and the first letter of each word makes up the secret message, something like "Meet at six." This is a version of steganography.
- Data isn't encrypted when you do this; it is just hidden inside another message.
- If anybody knows where to look, they can easily pull that data back out.
- Steganography Lab:
- Go to https://stylesuxx.github.io/steganography/
- Select a file (png)
- Type a secret message to encode
- Click "Encode"
- You will see the original version and the "Message hidden" version which will look exactly the same as the original.
- Download files and look at both side by side
- Look at the dimensions of the image: they are exactly the same.
- Look at the file size of both: it changed. Here the message version is lighter. Did the file shrink? That is just the way the tool re-encoded the image so that it looks exactly right with the compression it used. Sometimes the file size gets bigger instead; it is very infrequent to see exactly the same file size.
- To see the message, switch to the "Decode" tab on the website and select the message file
- Click "Decode"
- Our hidden message will come right back!
Tokenization
- Substitutes sensitive data with non-sensitive equivalents, called tokens, which have no meaningful value
- Original data is securely stored elsewhere, and only specific systems can map the tokens back to the original values.
- Example: When you buy something with your credit card, the store doesn't actually store your credit card details; instead, it stores a tokenized version of your credit card details.
- If a data breach occurs, hackers are only going to find that useless token.
- Tokens have no intrinsic value
- Reduces exposure of sensitive data during transactions
- Commonly used for payment systems to comply with security standards
Data Masking (Data Obfuscation)
- Used to protect data by ensuring that it remains recognizable but does not actually include sensitive information.
- Disguises original data to protect sensitive information
- Maintains data authenticity and usability
- Used in testing environments, especially for software development
- Reduces the risk of data breaches in non-production settings
- Common in industries handling personal data
- Masks portions of sensitive data for privacy, e.g., credit card digits, social security numbers
- Example: Replacing client names with fictional but realistic-sounding ones, or altering customer addresses slightly so they don't point to real locations.
- Example: The first 12 digits of your credit card number are always "covered" or masked so managers can't see them. Instead, employees can only read the last 4 digits as a way to identify the payment method that you used.
- Example: Health data systems masking the first 5 digits of your Social Security Number and identifying you with just the last 4 digits.
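
The difference between the Tokenization and Data Masking sections above, as an added example that is not part of the original notes: a token can be mapped back to the card number, but only by the system that holds the vault, while a masked value cannot be reversed at all. The `TokenVault` class, the `tok_` prefix, the function names and the sample card and SSN values are assumptions constructed for illustration.

```python
import secrets

def digits_only(value, lengths):
    """Strip separators and check the digit count."""
    d = "".join(ch for ch in value if ch.isdigit())
    if len(d) not in lengths:
        raise ValueError("unexpected number of digits")
    return d

class TokenVault:
    """Hypothetical in-memory vault; in practice a separate, access-controlled system."""
    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        pan = digits_only(pan, range(13, 20))
        if pan not in self._by_pan:
            # Random token: not derived from the card number, so it has no intrinsic value.
            token = "tok_" + secrets.token_hex(16)
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token):
        # Only code with access to this vault can map a token back.
        return self._by_token[token]

def mask_pan(pan):
    """Mask all but the last 4 digits (irreversible, unlike a token)."""
    pan = digits_only(pan, range(13, 20))
    return "*" * (len(pan) - 4) + pan[-4:]

def mask_ssn(ssn):
    """Mask the first 5 digits of a 9-digit SSN."""
    return "***-**-" + digits_only(ssn, (9,))[-4:]

if __name__ == "__main__":
    card = "4111 1111 1111 1111"  # constructed sample card number
    vault = TokenVault()
    token = vault.tokenize(card)
    print("store database holds:", token)
    print("receipt shows       :", mask_pan(card))
    print("vault lookup        :", vault.detokenize(token))
    print("masked SSN          :", mask_ssn("123-45-6789"))  # constructed sample
```

A breach of the store database in this sketch exposes only the `tok_...` strings; without the vault's mapping they lead nowhere.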