Posted on 09/24/2001 2:01:59 PM PDT by ThePythonicCow
COMMENTARY--Guess what? Osama Bin Laden uses steganography. According to nameless "U.S. officials and experts" and "U.S. and foreign officials," terrorist groups are "hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites."
Simply put, steganography is the science of hiding messages in messages. Typically, a message (either plaintext or, more cleverly, ciphertext) is hidden in the low-order bits of a digital photograph. To the uninitiated observer, it's just a picture. But to the sender and receiver, there's a message hiding in there.
It doesn't surprise me that terrorists are using this trick. The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use. Most importantly, it can be used in an electronic dead drop.
If you read the FBI affidavit against (accused spy) Robert Hanssen, you learn how Hanssen communicated with his Russian handlers. They never met, but would leave messages, money and documents for one another in plastic bags under a bridge. Hanssen's handler would leave a signal in a public place--a chalk mark on a mailbox--to indicate a waiting package. Hanssen would later collect the package.
That's called a 'dead drop'. It has many advantages over a face-to-face meeting. One, the two parties are never seen together. Two, the two parties don't have to coordinate a rendezvous. Three, and most importantly, one party doesn't even have to know who the other one is (a definite advantage if one of them is arrested). Dead drops can be used to facilitate completely anonymous, asynchronous communications.
Using steganography to embed a message in a pornographic image and posting it to a Usenet newsgroup is the cyberspace equivalent of a dead drop. To everyone else, it's just a picture. But to the receiver, there's a message in there waiting to be extracted.
To make it work in practice, the terrorists would need to set up some sort of code. Just as Hanssen knew to collect his package when he saw the chalk mark, a virtual terrorist will need to know to look for his message. (He can't be expected to search every picture.) There are lots of ways to communicate a signal: timestamp on the message, an uncommon word in the subject line, etc. Use your imagination here--the possibilities are limitless.
The effect is that the sender can transmit a message without ever communicating directly with the receiver. There is no e-mail between them, no remote logins, no instant messages. All that exists is a picture posted to a public forum, and then downloaded by anyone sufficiently enticed by the subject line (both third parties and the intended receiver of the secret message).
So, what's a counter-espionage agency to do? There are the standard ways of finding steganographic messages, some of which I have outlined in a previous essay. If Bin Laden is using pornographic images to embed his secret messages, it is unlikely these pictures are being taken in Afghanistan. They're probably downloaded from the Web. If the NSA can keep a database of images (wouldn't that be something?), then they can find ones with subtle changes in the low-order bits. If Bin Laden uses the same image to transmit multiple messages, the NSA could notice that. Otherwise, there's probably nothing the NSA can do. Dead drops, both real and virtual, can't be prevented.
Why can't businesses use this? The primary reason is that legitimate businesses don't need dead drops. I remember one company talk about a corporation embedding a steganographic message to its salespeople in a photo on the corporate Web page. Why not just send an encrypted e-mail? Because someone might notice the e-mail and know that the salespeople all got an encrypted message. So send a message every day: a real message when you need to, and a dummy message otherwise. This is a traffic analysis problem, and there are other techniques to solve it. Steganography just doesn't apply here.
Steganography is a good way for terrorist cells to communicate, allowing communication without any group knowing the identity of the other. There are other ways to build a dead drop in cyberspace. For example, a spy can sign up for a free, anonymous e-mail account. And Bin Laden probably uses those, too.
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He publishes a free monthly security newsletter.
Unfortunately, this one seems to form the foundation for the claim that only the bad guys need it, because the good guys don't need to conceal themselves from each other. I don't like where this line of commentary leads ...
Seriously though, this seems to reinforce the issue raised a week or so ago about one or more terrorists using chat rooms and other media (the horoscope section of the Boston Phoenix) to communicate.
Actually, blind steganalysis techniques can be used to determine whether a steganographic message is contained in a carrier file. JPEGs are most vulnerable to the technique. WAV files are a lot harder.
Once you have reason to believe a message is embedded in a file, then you have to figure out how to extract and decrypt it.
We need to reopen Napster.
The amount of traffic needed to send secret messages is extremely small. They ARE a bunch of hypocrites.
I finally managed to re-route the stuff to an abandoned mail-box so it would bounce back.
Makes me wonder if it was just some crank doing it to those attached to Christian and prophecy sites, or if there was something more sinister involved?
Any advice out there?
Steganography: Truths and Fictions
Bottom line is, if it's unsuitable for its intended use by anyone other than terrorists, as it might have been used by OBL, well...draw your own conclusions. Not saying I agree with him, but it's still a good subject for discussion.
Steganography is the science of hiding messages in messages. In the ancient world, it might mean tattooing a secret message on the shaved head of a messenger, and letting his hair grow back before sending him through enemy territory. In the computer world, it has come to mean hiding secret messages in graphics, pictures, movies, or sounds. The sender hides the message in the low-order bits of one of these file types -- the quality degrades slightly, but if you do it right it will hardly be noticeable -- and the receiver extracts it at the other end.
Several commercial and freeware programs offer steganography, either by themselves or as part of a complete communications security package. Here's the rationale: If Alice wants to send Bob an e-mail message securely, she can use any of several popular e-mail encryption programs. However, an eavesdropper can intercept the message and, while he might not be able to read it, will know that Alice is sending Bob a secret message. Steganography allows Alice to communicate to Bob secretly; she can take her message and hide it in a GIF file of a pair of giraffes. When the eavesdropper intercepts the message, all he sees is a picture of two giraffes; he has no idea that Alice is sending Bob a secret message. She can even encrypt it before hiding it, for extra protection.
So far, so good. But that's not how it really works in practice. The eavesdropper isn't stupid; as soon as he sees the giraffe picture he's going to get suspicious. Why would Alice send Bob a picture of two giraffes? Does Bob collect giraffes? Is he a graphic artist? Have Alice and Bob been passing this same giraffe picture back and forth for weeks on end? Do they even mention the picture?
The point of steganography is to hide the existence of the message, to hide the fact that the parties are communicating anything other than innocuous photographs. This only works when it can be used within existing communications patterns. I've never sent or received a GIF in my life. If someone suddenly sends me one, it won't take a rocket scientist to realize that there's a steganographic message hidden somewhere in it. If Alice and Bob already regularly exchange files that are suitable to hide steganographic messages, then an eavesdropper won't know which messages -- if any -- contain the messages. If Alice and Bob change their communications patterns to hide the messages, it won't work. An eavesdropper will figure it out.
This is important. I've seen steganography recommended for secret communications in oppressive regimes, where the simple act of sending an encrypted e-mail could be considered subversive. This is bad advice. The threat model assumes that you are under suspicion and want to look innocent in the face of an investigation. This is hard. You are going to be using a steganography program that is available to your eavesdropper. He will have a copy. He will be on the alert for steganographic messages. Don't use the sample image that came with the program when you downloaded it; your eavesdropper will quickly recognize that one. Don't use the same image over and over again; your eavesdropper will look for the differences between that indicate the hidden message. Don't use an image that you've downloaded from the net; your eavesdropper can easily compare the image you're sending with the reference image you downloaded. (You can assume he monitored the download, or that he searched the net and found the same image.) And you'd better have a damn good cover story to explain why you're sending images back and forth. And that cover story should exist before you start sending steganographic messages, and afterwards. Or you haven't really gained anything.
Steganography can also be used to hide files on your hard drive. This is also problematic. Say the secret police arrest you and start going through your hard drive. You've got a bunch of pornographic pictures on your hard drive, so you've got a decent cover story. But you've also got the steganographic program on your hard drive, so the secret police are suspicious. They might try to download the same pictures from the net and look for the telltale differences that indicate a hidden message. Or they might just assume that you've got some messages hidden somewhere. There's some advantage here over straight encryption -- at least in free countries you can argue that the police have no real evidence -- but you have to think it out very carefully.
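The reference-image comparison both essays describe (checking a suspect copy of a known picture for changes confined to the low-order bits), as an added example that is not part of the original posts. It assumes the pixel data is already decoded to raw 8-bit samples; the function name, the sample buffers and the payload estimate are constructed for illustration.

```python
from collections import Counter

def compare_to_reference(reference: bytes, suspect: bytes) -> dict:
    """Classify per-sample differences between a known original and a suspect copy."""
    if len(reference) != len(suspect):
        return {"verdict": "size-mismatch"}
    kinds = Counter()
    changed = []                      # indexes where only the lowest bit differs
    for i, (r, s) in enumerate(zip(reference, suspect)):
        diff = r ^ s
        if diff == 0:
            kinds["same"] += 1
        elif diff == 1:
            kinds["lsb_only"] += 1
            changed.append(i)
        else:
            kinds["other"] += 1       # higher bits differ: resize, recompression, other picture
    if kinds["other"]:
        verdict = "reencoded-or-different"
    elif kinds["lsb_only"]:
        verdict = "lsb-modified"
    else:
        verdict = "identical"
    return {
        "verdict": verdict,
        "lsb_only": kinds["lsb_only"],
        "other": kinds["other"],
        # Region of the buffer touched by low-bit changes, if any.
        "span": (changed[0], changed[-1]) if changed else None,
        # Rough estimate (assumption): hidden bits that look random already match
        # about half of the original low bits, so about twice as many bits were
        # written as were actually flipped.
        "est_hidden_bits": 2 * kinds["lsb_only"],
    }

# Constructed sample data: a synthetic 1024-sample "image", a copy with the low
# bit flipped in every other sample of the first 400, and a copy with every
# sample shifted by 4 (stands in for a re-encoded or different picture).
REFERENCE = bytes((i * 37 + 11) % 256 for i in range(1024))
SUSPECT = bytes(b ^ 1 if i < 400 and i % 2 == 0 else b
                for i, b in enumerate(REFERENCE))
REENCODED = bytes((b + 4) % 256 for b in REFERENCE)

if __name__ == "__main__":
    for name, buf in [("same", REFERENCE), ("suspect", SUSPECT), ("reencoded", REENCODED)]:
        print(name, compare_to_reference(REFERENCE, buf))
```

The check only works when the analyst holds the exact original, which is why both essays single out downloaded or reused cover images as the weak point.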
OBL, [scowl]
OBL's assistant, "Sorry boss, here's the latest message."
LOL
But I agree this wouldn't work in an oppressive regime, where personal web sites are likely verboten.
And if the surveillance team were good and were actually already focused on you, it could likely hack into your computer when it happened to be online and find out whatever it wanted. That or get a court order and seize the computer and search it at their leisure.
The family web site could help one avoid getting noticed in the first place, however.
On another track, since one of the tools I saw could hide messages in HTML files, could one send brief hidden messages using steganography in the very HTML messages such as I am typing now, in this Freeper response?
Detecting a concealed message can be made arbitrarily difficult, because there is a threshold at which the detectors will be overwhelmed with "false positives". Again, the "Bible Codes" fuss provides a classic example of an over-tuned detector.
The Grasshopper Lies Heavy. East Wind Rain. Peccavi.