Computer enthusiasts have been searching for messages hidden in web site images following new claims that the al-Qaeda terrorist network is using this technique - steganography - to communicate.
However, one expert in the field warns the images that have been flagged up as suspicious after initial examination are almost certain to be cleared after full analysis. Peter Honeyman, at the University of Michigan, told New Scientist: "You get a lot of these. We call them false positives."
On 10 July, USA Today reported that US intelligence officers believe images hosted on a pro-Islamic and anti-American web site called Azzam contain secret messages. There are many free programs available that can be used to lock password-protected information into image files.
The claim prompted computer enthusiasts to scrutinise the images for signs that they have been altered, again using free programs available online. One US computer student has posted preliminary results of his search to the mailing list Politechbot, suggesting that there are many tampered images on the Azzam site.
But Honeyman says to confirm the existence of hidden messages it is necessary to crack the password used to insert the message. This is done by searching through all possible passwords until you find the right one and requires a large amount of computing power.
Niels Provos, who is one of Honeyman's students and has developed a number of steganographic tools says: "Web images are generally of poor-quality leading to a higher false positive rate." He adds that their small size limits their information capacity, making them unattractive for steganography.
The same USA Today report says that US officials also believe al-Qaeda operatives have uploaded 2300 images containing encrypted information to the internet auction site eBay since the start of 2002.
Honeyman and Provos are particularly sceptical about this claim because they conducted an extensive search of eBay in November 2001 and found absolutely no evidence of steganography.
I sent this letter to New Scientist. They didn't publish it
Re: "Hunt for hidden web messages goes on"
by Will Knight, 12 July 02
http://www.newscientist.com/news/news.jsp?id=ns99992543
Frankly, I expect a better command of logic and facts in something published in the "New Scientist".
> The same USA Today report says that US officials
> also believe al-Qaeda operatives have uploaded 2300
> images containing encrypted information to the
> internet auction site eBay since the start
> of 2002.
"Militants wire Web with links to jihad", USA Today, 10 July, 2002
http://www.usatoday.com/life/cyber/tech/2002/07/10/terrorweb.htm
NO it does not! The article says that:
"Earlier this year, officials say, they found
nearly 2,300 encrypted messages and data files in
a password-protected section of an Islamic Web
site that had been downloaded onto Zubaydah's
computer. The messages began in May 2000, peaked
in August 2001 and stopped Sept. 9, two days
before the attacks, officials say. They declined
to identify the Web site".
Here's what the article said about e-Bay:
"Lately, al-Qaeda operatives have been sending
hundreds of encrypted messages that have been
hidden in files on digital photographs on the
auction site eBay.com. Most of the messages
have been sent from Internet cafes in Pakistan
and public libraries throughout the world. An
eBay spokesperson did not return phone calls".
> Honeyman and Provos are particularly sceptical
> about this claim because they conducted an
> extensive search of eBay in November 2001
> and found absolutely no evidence of
> steganography.
That doesn't prove that the images on Azzam might not have secret messages -- only that the ones on e-Bay didn't -- at the time of the study. If you're going to look for secret communications from terrorists, why not look at a terrorist website, Duh.
As I understand the study, Provos & Honeyman were looking at e-Bay to establish a scientific control so when they found images that are altered by steganography they would have some statistical evidence to know the difference.
How important is Azzam.com for the enemy?:
"Above all is the web site of the main
ideological direction of the global
Jihad -- www.azzam.com -- Reuven Paz,
Institute of Counter-Terrorism, Research Scholar
http://www.ict.org.il/articles/articledet.cfm?articleid=436
I've written Reuven Paz and told him that it is actually broadcasting out of Pennsylvania.
I've also written BurstNET.net, the ISP responsible for the IP address of Azzam.com: 66.197.135.110. They tell me that someone inthe U.S. Customs Dept. (which has no authority over the web) is making them keep it up.
Then I wrote the U.S.Customs in Washington D.C. which had no knowledge when I queried them about it 3 months ago.
BurstNET does not want to host a terrorist web site. A system administrator at BurstNET told reporter Jeremy Reynalds:
"It would have been removed the instant we
found out about it, had we not been instructed
by the 'powers that be' to leave it
untouched ... We are a Jewish owned
corporation, do you really think we want
to host such crap?"
http://www.thepetitionsite.com/takeaction/530866253
So why is someone the U.S. Govt. keeping this site up? -- the knee-jerk reaction that they are 'monitoring' just doesn't make sense.
Azzam provided the global direction of Jihad long before Sept.11th and it continues to provide the global direction of Jihad 10 months after.
-- Johnathan Galt.
Footnote:
Azzam responded to the charges of 'Stegograms'
last December:
http://66.197.135.110/~azzam/afghan/news/news.php
Use the 'month view'.
13 December 2001 : Why is azzam.com being attacked in the media?
...
2) The second accusation is that the US officials 'fear
the site is embedded with secret codes and instructions
of use to militants including affiliates of Osama bin
Laden's Al-Qaeda network' using steganography
image-encrypting techniques. This is a laughable claim
that is made against any media organisation that exposes
the lies of the US. It was made before against Al-Jazeera
TV and now it has been made against us. The US has
apparently confirmed that this site is 'being monitored'
and this in itself is an answer to the baseless claim
above. What they are saying is that cells of terrorist
'sleepers' who try to hide themselves from society
and intelligence whilst they plan for their terrorist
attacks are going to go to perhaps the most well-known
English language site on Jihad, which is almost
certainly being 'monitored' by authorities, (having
their IP addresses tracked in the process), and then
download image files contain secret messages
containing their instructions. Common-sense would
dictate that such terrorists would stay away from
high profile sites altogether for fear that accessing
them might give them away. The real reasons for
hostility to the site are given below....
......