In the summer of 2015 he decided to tell experts from Europol about his research and ideas. He wanted to take advantage of his stay at the Delft University of Technology in the Netherlands. “I was living in the Hague and almost every day I drove past the headquarters of various organisations whose work is related to security and cybersecurity,” he says. “I thought that I might never have the opportunity to be so close to such institutions. I found contact details for several people from Europol and sent them an article on the development trends in hiding information.”

The article “Information Hiding as a Challenge for Malware Detection”, written in cooperation with Luca Caviglione, PhD, from CNR in Italy, appeared in the March-April issue of the prestigious “IEEE Security and Privacy Magazine” journal.

Idea for cooperation

Mazurczyk didn't receive an answer to the message he sent to Europol staff for a long time. Finally, at the end of his stay in the Netherlands, he was invited to a series of meetings. “The entrance to the building was like those at airports: guards, search...,” he reminisces. “One of the employees came to escort me. We're walking and talking, then we enter the room, and there are ten people waiting, each wearing a tie and with a laptop. And here I am sitting in front of them, a researcher from Poland in the only, let's say, half-formal shirt that I took on the trip. And I start explaining.”

The people from Europol were interested in the possibility of conducting training for their employees. That's because one of the operating units there - the European Cybercrime Centre (EC3) - investigates crimes committed using technology. However, already during the first meeting Mazurczyk also presented an idea of creating an initiative to fight cybercrime. The goal was to monitor how the said criminals use information hiding techniques and to develop methods aimed at effectively counteracting similar practices. “I proposed reuniting experts from different disciplines: researchers, businesses, specialists from the security services,” he says.

Researchers from the University of Technology conquer Europol

In the following months, Mazurczyk assisted Europol in the creation of short newsletters for the service's own use and for all the countries that cooperate with the organisation. “These are the, so-called, Cyber Bits, one or two pages at most, containing basic knowledge on techniques used by cybercriminals to hide information and current trends,” he explains.

In January 2016, the researcher from the Warsaw University of Technology and another employee of the Department of Electronics and Information Technology, Krzysztof Cabaj, PhD Eng., conducted specialised training for more than 30 Europol employees. It consisted of lectures and workshops, with each subsequent task more difficult and complicated than the previous one. These received very positive reviews.

Mazurczyk and Cabaj also attended meetings of advisory groups operating with Europol.

The details associated with the establishment of an interdisciplinary and international initiative aimed at making expediting exchange of information on the activities of criminals were also still under consideration.

Finally, on 17 June 2016, the Criminal Use of Information Hiding (CUIng) initiative was officially established. Mazurczyk is not only the initiator, but also the coordinator of the entire project. “At the moment, we are in the start-up period, which currently includes more than 40 experts from around the world,” he says. “The idea is for each expert to work independently, but for information and experience to be transferred between them quickly. I hope that such a ‘mix’ of people from different parts of the world and various backgrounds, combined with an exchange of experience, will allow us to better understand our needs and effectively respond to the actions of cybercriminals. Maybe it will also result in shared projects, for example, within the EU's Horizon 2020 programme.”

The objective of the initiative is also to raise awareness and provide education within the scope of techniques used to hide data by cybercriminals. “At the moment I see CUIng as a collection of experts, but I'm getting signals that there are institutions that know little on this subject, but want to join us to learn more,” says the project coordinator.

Knowledge of the activities undertaken by cybercriminals is especially important for companies that are working on innovative projects. “If even one computer in a corporate network is infected, it’s possible to slowly, but systematically ‘trickle out’ data over a long period of time in a manner that is difficult to notice, with the goal of ‘extracting’ confidential information, which will in turn translate into a real financial loss,” Mazurczyk explains.

Ahead of cybercriminals

Cybercriminals are becoming more and more cunning, but scientists try to stay one step ahead of them in the “arms race”. Currently used techniques aimed at hiding information, however, are only one of the elements that can be used by cybercriminals.

They use them to cover up their “real” activities. They like to hide data in images. The infected graphic file has the same visual quality as before information was hidden inside. That's why detection of irregularities is so difficult. A large number of identical pictures stored on an inspected computer can serve as a hint for the security services.

Network traffic is also increasingly more popular as a means of hiding data. “Let's say we're talking on Skype,” illustrates Mazurczyk, “and at a certain point in our communication, an attacker connects and slightly modifies the network traffic that is sent between us. Before the data reaches the target, the criminals extract what was previously embedded. And all this is done without our knowledge.”

Such situations are a problem for the security services because Poland, Europe and the whole world don’t yet have precise regulations determining who should be accused of committing a crime in such a case.

“There are also techniques that combine digital media and network traffic,” says the Warsaw University of Technology scientist. “That is the case with IP telephony, where we are dealing with sound and network traffic.”

Cybercriminals can also take advantage of very popular and theoretically safe tools. “We recently investigated how so-called cloud services can be used to exfiltrate confidential data and we identified a number of vulnerabilities in this area,” Mazurczyk says. He adds that for every method used by cybercriminals, a counter method is created. The crux of the matter is that they can employ thousands of means of hiding data. It's for this reason that collaboration between specialists from various fields is so important and valuable.

Cybersecurity is a sector that needs new specialists. There's still a shortage, in all of Europe actually. Such work, however, also carries a risk.

“We provide expertise or pass information on to the security services, but we don't meet cybercriminals directly,” underlines Mazurczyk. “A slight risk always exists. But does this mean we should do nothing?” 

Agnieszka Kapela

Office for Promotion and Information