Terrorists and steganography

ZDNet ^ | September 24, 2001 | Bruce Schneier

[Straight Vermonter]

COMMENTARY--Guess what? Osama bin Laden uses steganography. According to nameless "U.S. officials and experts" and "U.S. and foreign officials," terrorist groups are "hiding maps and photographs of terrorist targets and posting instructions for terrorist activities on sports chat rooms, pornographic bulletin boards and other Web sites."

Simply put, steganography is the science of hiding messages in messages. Typically, a message (either plaintext or, more cleverly, ciphertext) is hidden in the low-order bits of a digital photograph. To the uninitiated observer, it's just a picture. But to the sender and receiver, there's a message hiding in there.

It doesn't surprise me that terrorists are using this trick. The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use. Most importantly, it can be used in an electronic dead drop.

If you read the FBI affidavit against (accused spy) Robert Hanssen, you learn how Hanssen communicated with his Russian handlers. They never met, but would leave messages, money and documents for one another in plastic bags under a bridge. Hanssen's handler would leave a signal in a public place--a chalk mark on a mailbox--to indicate a waiting package. Hanssen would later collect the package.

That's called a 'dead drop'. It has many advantages over a face-to-face meeting. One, the two parties are never seen together. Two, the two parties don't have to coordinate a rendezvous. Three, and most importantly, one party doesn't even have to know who the other one is (a definite advantage if one of them is arrested). Dead drops can be used to facilitate completely anonymous, asynchronous communications.

Using steganography to embed a message in a pornographic image and posting it to a Usenet newsgroup is the cyberspace equivalent of a dead drop. To everyone else, it's just a picture. But to the receiver, there's a message in there waiting to be extracted.

To make it work in practice, the terrorists would need to set up some sort of code. Just as Hanssen knew to collect his package when he saw the chalk mark, a virtual terrorist will need to know to look for his message. (He can't be expected to search every picture.) There are lots of ways to communicate a signal: timestamp on the message, an uncommon word in the subject line, etc. Use your imagination here--the possibilities are limitless.

The effect is that the sender can transmit a message without ever communicating directly with the receiver. There is no e-mail between them, no remote logins, no instant messages. All that exists is a picture posted to a public forum, and then downloaded by anyone sufficiently enticed by the subject line (both third parties and the intended receiver of the secret message).

So, what's a counter-espionage agency to do? There are the standard ways of finding steganographic messages, some of which I have outlined in a previous essay. If bin Laden is using pornographic images to embed his secret messages, it is unlikely these pictures are being taken in Afghanistan. They're probably downloaded from the Web. If the NSA can keep a database of images (wouldn't that be something?), then they can find ones with subtle changes in the low-order bits. If Bin Laden uses the same image to transmit multiple messages, the NSA could notice that. Otherwise, there's probably nothing the NSA can do. Dead drops, both real and virtual, can't be prevented.

Why can't businesses use this? The primary reason is that legitimate businesses don't need dead drops. I remember one company talk about a corporation embedding a steganographic message to its salespeople in a photo on the corporate Web page. Why not just send an encrypted e-mail? Because someone might notice the e-mail and know that the salespeople all got an encrypted message. So send a message every day: a real message when you need to, and a dummy message otherwise. This is a traffic analysis problem, and there are other techniques to solve it. Steganography just doesn't apply here.

Steganography is good way for terrorist cells to communicate, allowing communication without any group knowing the identity of the other. There are other ways to build a dead drop in cyberspace. For example, a spy can sign up for a free, anonymous e-mail account. And bin Laden probably uses those, too.

[Aliska]

I think it could easily be done with no special software if you knew in advance where and how to collect the data. Also one must remember that coded pieces of the puzzle could be transmitted in a "collection", etc. One would have to gather all the various components to "see" the whole picture.

For example, someone could pose as a nutcase and write something different each day to a forum. Most would learn to ignore those type of messages but they could have meaning to someone else. Christian newsgroups would not be immune from that sort of thing. Or new age. Also ads in papers, etc.

[Le-Roy]

Check out S-Tools. Instructions with the files detail how to perform a test. You will be amazed.

[alethia]

Not having watched the video all the way through, I wasn't sure if there were markings on some of the rocks, things arranged in a certain way. The sip of water at the end of the video -- while not steganography -- looked to be some sort of a message to little paranoid me.

Not being fluent in Arabic, I'm sure that messages can be held in the sequencing and articulation of various phrases -- almost like the radio codes used during WWII.

[Cicero]

Classified ads in newspapers are an ancient way to get the message out. They can be completely meaningless to anyone but the recipient, if it is agreed beforehand that one message or word means this, and another message means that. Hopefully the FBI will keep an eye on this possible channel, although I don't know how much they can do about it, other than alert the people who accept ads to watch out for suspicious calls--whatever that means.

[Aliska]

Good thinking. I noticed the formation of the rocks and wondered is a spy satellite might be able to "match" them.

Also little things like wearing the watch on his right wrist instead of left, etc. Invoking Allah in certain sentences and other things I don't care to waste my time analyzing.

[Aliska]

Good point. And you wouldn't necessarily have to subscribe to the periodical either. You could go to the local library or grocery store and look them up.

[general_re]

Yeah, that's another way. Actually, that's pretty close to what's known as a "dummy code". Basically the principle behind dummy codes is that you and I get together beforehand and agree on a location and a message - e.g., I leave a message on the "Word of the day" thread to you that says "John has a big hat."

And since you and I got together beforehand, we both know that "John has a big hat" means that all the hijackers are in place, and you should carry out your task first thing tomorrow morning (or whatever it is we previously agreed that it should mean).

Now, the advantage to a dummy code is that you can communicate in plain sight, passing messages back and forth for as long as you like, because the "code" is absolutely uncrackable to an outsider. Well, not totally uncrackable, but if you and I memorize the codes and don't write them down - thus preventing the code from falling into the wrong hands - the only way anyone will ever crack the code will be by literally beating it out of one of us...

[moonhawk]

I thought steganography was a typo... Very interesting stuff, but the part that cracked me up was the mental image of "Afghani porn."

[Aliska]

Yes, and there are other even more blatant, "in-your-face" ways I can envision but will leave it at that. It is interesting how one would go about "de-coding" the messages and knowing what to look for.

Shortwave radio would be another good way. I don't know how useful Morse code is these days but I wouldn't rule that out either.

[NovemberCharlie]

The part that cracked me up was the mental image of "Afghani porn."

I got hung up on the idea of the NSA maintaining a comprehensive database of pornographic images.

[NovemberCharlie]

Morse code is good, but it might be better to use a different encoding of dots and dashes, if you want to be more secure.

[general_re]

...and just as a quick follow-up to myself, if you caught the squib on the news earlier where Condi Rice called the news networks and asked them to be careful about airing video from bin Laden, then you understand that dummy codes are exactly what the White House is worried about - that in those videos there might be some innocuous-sounding phrase, or something simple like the color of his turban, or which hand his watch is on, or whatever, that seems perfectly ordinary to us, but that has a very special and specific meaning to his agents abroad...

Scary.

[drZ]

http://liquid2k.com/zox/now.jpg�
clean version

http://liquid2k.com/zox/now2.jpg�
digimarked version with text 1999,2001 encoded into image

[opus_bloom]

I wonder if there's a hidden message in here somewhere...

Here's the theory

[Fixit]

From the "Bert is Evil" site:

The Bert is evil Mirror site is working better than the original these days.

[NovemberCharlie]

or which hand his watch is on, or whatever, that seems perfectly ordinary to us, but that has a very special and specific meaning to his agents abroad...

Since he's a Moslem, I'd expect him to wear his watch on his right hand, since the left is 'unclean' and only to be used for wiping one's *ss.

[Fixit]

oops, I blew the link there. Original Bert is Evil site

[general_re]

Well, okay - maybe not that particular signal ;)

[MilburnDrysdale]

Bold, sane mania. Alas! mad Bonnie. Noble, sad mania. An able domains. I am a noble sand. I am noble and as. I'm a noble and as. Able main and so. I'm an able and so. Is a damnable no. In a damnable, so. Is able and moan. Is male abandon. Anal snob media. Am an ideal snob. On a mad lesbian. Sod! an able main. Is a banal demon. Bold as in a mean. I damnable as on. A damnable ions. Moan in sad able. Sad able on main. I abandons male. Damnable as ion. On mad as in able. A bold, sane main. Am bold as inane. Is lame abandon. Anion as blamed. Bad moan aliens. Bad moans alien. I am a bland nose. I am a bland ones. Based on animal. Mad as in a noble. Is a damnable, on. I as damnable no. Old man in a base. Ban on maladies. O Man! in sad able. Able and on aims. I am banal nodes. I'm a banal nodes. A mile abandons. Boil and as mean. A mad, alien snob. On an able maids. A noble, sad main. A mad, inane slob. O Man! bad aliens. Bad as on menial. Able and I moans. Blonde as mania. I abandons lame. Abdominal, sane. Nob and malaise. I'm a sand on able. Noble and as aim. I'm a noble and as. Boils and a mean. On a dismal bean. Sod! animal bean. I am able and son. I'm a son and able. A blonde manias. I am a noble sand. Aims and a noble. I'm a snob and ale. A snob man ideal. Animal, sad bone. So and in a blame. Dim on as an able. I'm able and as no. I as banal demon. I am a sane 'n' bold. Blame sad anion. Anomalies band. Bias and on male. Amen! in as a bold. Am able and in so. Banal, mad noise. An. I am sane bold. An. I'm a sane bold. I am a lane bonds. I am a lean bonds. Deal snob mania. I am a land bones. On as I am a blend. I am a bends loan. Is banal, moaned. So banal maiden. A mania blondes. Abandon a slime. Abandon as mile. I am a sad 'n' noble. Anal bias demon. I'm sad, on an able. Able aids on man. Nob as ideal man. On bad as in male. One bad animals. No! mad as in able. Is mad, on an able. An. I am sad noble. An. I'm a sad noble. I a damnable son. Bad, animal nose. Bad, animal ones. So alien bad man. Disable on a man. Bead on animals. Base and on mail. I am an old beans. Bias and on lame. Able sod in a man. Able don manias. Am a bold, insane. Bodies anal man. Dial a mean snob. Laid a mean snob. Blame on an aids. On amiable sand. I am bald, sane no. I'm a bald, sane no. I an old man base. Animal beans do. I am able sand on. No! able, sad main. I'm an able, sad no. Able man on said. A damn able in so. I am an able dons. An. I am a blondes. I abandons meal. Man as noble aid. Snob and I a male. On an aid blames. Amiable and son. I'm bad, sane loan. Blades on mania. Band on malaise. Bed as on animal. Is a bean old man. Modal as in bean. Is an able, mad no. So mad, in an able. Able mania dons. Am an able in sod. Do in as able man. Banal as in mode. Sod! I banal mean. Blonde as a main. Alias mean bond. A noble man aids. Lobes and mania. Amen! as and boil. Snob mania lead. On a blamed as in. On and is a blame. So mean bad nail. Bad also in mean. Is bad, mean loan. Bled as on mania. I'm a base on land. Ideal ban moans. Able on a mad sin. On I'm able and as. So and I able man. Able as main don. Do an able mains. Banal moans die. So banal median. Aimed anal snob. Sane and a limbo. Nob as mad alien. So inane lambda. On bad as in lame. I am a bland nose. I am a bland ones. Alas! mean on bid. I'm a beans on lad. Animals do bean. Damn! I as on able. On mid as an able. No! I am able sand. No and able aims. Moan banal dies. Banal, side moan. O Man! banal dies. O Man! banal side. Banal son media. I'm a banal nodes. Does banal main. I'm banal as done. I'm banal as node. Damn! a sane boil. Mania bones lad. On and I a blames. A bald mean in so. wonder if there is a message in here??

[Fearless Flyers]

"To make it work in practice, the terrorists would need to set up some sort of code. Just as Hanssen knew to collect his package when he saw the chalk mark, a virtual terrorist will need to know to look for his message. (He can't be expected to search every picture.) There are lots of ways to communicate a signal: timestamp on the message, an uncommon word in the subject line, etc. Use your imagination here--the possibilities are limitless."

Placing personal ads in the National Enquirer could be great way to communicate. In final insult you could submit the ad in person and leave a special gift for the messenger.