Archive for October, 2001

When a Picture is Worth a Thousand Secrets: The Debate Over Online Steganography

Wednesday, October 31st, 2001

In the weeks since the horrendous September 11 attacks on New York and Washington DC, investigators around the world have poured over tens of thousands of leads. With each turn, it seems, authorities explore new pieces of evidence that somehow fit into the giant puzzle that makes up the al Qaeda terrorist network.
As the news media continues its marathon coverage of the attack and subsequent U.S. retaliations, one accusation has received particular attention. Reports from ABC News, the Associated Press, the New York Times and Newsweek, among other media outlets, have alleged that terrorists associated with Osama bin Laden may have communicated covertly by imbedding secret messages into publicly available files on the Internet, including images from adult porn sites.
This allegation has yet to be proven — the FBI has stated in briefings that they don’t have evidence to back up these charges. But these media reports have re-ignited interest in this ancient cloak-and-dagger technique, adding more fuel to the fire in the searing debate over online civil liberties in a post-September 11 world.

Steganography: Hiding in Plain Sight

Steganography, the science of hiding secret messages within publicly accessible material, is by no means new. One of the first accounts of steganography in action dates back to the Greek historian Herodotus. In the fifth century BCE he documented the story of Demeratus, who struggled to find a way of alerting Sparta that the Persian Great King Xerxes was gearing up to invade Greece. Knowing that any overt message would be intercepted easily by the Persians, he scraped off the wax surface of a wooden writing tablet and scratched his warning into the underlying wood. Demeratus then re-coated the tablet with a fresh layer of wax, thus allowing the apparently blank writing tablet to be carried off to Sparta without arousing suspicion.
The term steganography dates back to 14th century. German mathematician Johannes Trithemius penned a book on black magic entitled Steganographia – Greek for “hidden writing.” Indeed, the controversial book was about hidden writing. Instead of being a treatise on black magic, the manuscript was actually a well-disguised essay on cryptography — so well disguised that it took half a millennia to crack it completely.
During the 19th century, spies used creative forms of steganography throughout the course of the legendary Great Game — the decades-long war of stealth conducted between imperial Russia and Great Britain as they competed for dominance in Central Asia. The famed British-Indian spies known as pundits used the accoutrements of itinerant monks to disguise the fact that they were mapping out the complex topographies of Tibet and Afghanistan. Pundits would carry a modified rosary made up of 100 prayer beads (instead of the 108 beads usually found in a Buddhist rosary), allowing them to secretly tabulate the number of paces as they walked in any given direction. The details of their covert surveying work would then be hidden amongst handwritten prayers contained in the center of the Tibetan prayer wheels they carried openly.
In modern times, steganography was used successfully during wartime as a way of transmitting messages in plain view. German and allied forces both employed steganography during the First World War; in one particular case, a German spy transmitted the following message:

Apparently neutral’s protest is thoroughly discounted
and ignored. Isman hard hit. Blockade issue affects
pretext for embargo on byproducts, ejecting suets and
vegetable oils.

A casual observer might easily ignore this seemingly innocuous message, but if you take the second letter in each word, you’ll soon discover a secret message:

Pershing sails from NY June 1.

A well-publicized example of steganography occurred during the height of the Vietnam War, when Commander Jeremiah Denton, a naval aviator who had been shot down and captured by North Vietnamese forces, was paraded in front of the news media as part of well-staged propaganda event. Denton knew he would be unable to say anything critical of his captors outright, so as he spoke to the media, he blinked his eyes in Morse code, spelling out T-O-R-T-U-R-E.

Perhaps the most public post-September 11 accusation regarding steganography occurred several weeks ago when the Arab-language news service al Jazeera broadcast videotaped statements by Osama bin Laden and his associates in their entirety. The Bush administration quickly responded by requesting that all media outlets use greater discretion when it came to airing statements from Al Qaeda, fearing that the unedited statements might contain secret messages — messages communicated by means of certain words or phrases being used, combinations of clothing or discrete nonverbal gestures.

Old Tricks, New Techniques

Steganography, as the above examples demonstrate, is not limited to one particular medium or technology — it’s simply a matter of disguising a covert message within an overt one, whether that overt message is an ancient wax tablet, a telegram or a person speaking through a television broadcast. So it should come as no surprise that the technique has also found its way onto the Internet. In fact, steganography tools are freely available for public use. Steganography software allows users to secretly incorporate data into various digital media – text, jpeg images, MP3 audio files, etc.
One relatively innocuous example of online steganography in action can be found at the Web site SpamMimic.com. This site allows users to encode and decode secret text messages in what appears to be rambling spam messages. For example, SpamMimic.com can produce a text message that looks like this:

Dear Friend , Especially for you – this breath-taking
news . If you no longer wish to receive our publications
simply reply with a Subject: of “REMOVE” and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1621 ; Title
6 , Section 301 ! This is a ligitimate business proposal
! Why work for somebody else when you can become rich
in 54 months….
(Note – the full message is longer than this paragraph and has
been trimmed for length. A complete copy of the message can
be found in the appendix at the bottom of this article.)


This seemingly incoherent advertisement can then be transmitted to anyone on the Internet. For the average netizen, the message would undoubtedly find its way into the trash folder, but for people who know that it’s been encoded by SpamMimic, they can go to the Web site, select the “decode” option, and submit the full text (see appendix) to find this secret message:

Happy Halloween!

Of course, hiding brief text messages within larger text is limited by the overall size of the larger text: text files simply aren’t big enough to hide more complex data like images or audio files. A solution to this dilemma can be found in the availability of around 140 steganography software packages readily available over the Internet. Free download sites have collections of various steganography tools, including one called Invisible Secrets 3.0. Invisible Secrets leads users through a series of easy steps that allows them to encode a file secretly into another file.
As a demonstration, I’ve set up a simple Web page with three photos on it (see demo page). Here you’ll see two photos that look identical to each other – a public domain image of the space shuttle from NASA. The photo on the left is the original image, while the photo on the right has been altered steganographically: I’ve used the software Invisible Secrets 3.0 to hide a picture of my cat Winston inside of it. The steganography software scatters the data of my cat photograph, hiding that data amongst the bits and bytes that makes up the NASA photo. The result of this process is the second copy of the NASA photo, a covert kitten hidden within it, which I could share as publicly as I would like — emailing it to a listserv, placing it on my Web site, etc. To the unsuspecting viewer, it’s just a photo of the space shuttle, but to someone who knows I’ve altered it steganographically, it’s a secret envelope that can be used to deliver any piece of data I’d like — in this case, a picture of my cat.

Do Terrorists Dream of Steganographic Sheep:
When Rumors Lead to Bad Policymaking

Whether used for safeguarding business secrets, watermarking copyright-protected data or just for personal amusement, steganography was largely seen as just another aspect of Internet culture until the September 11 attack. Though news outlets such as USA Today and Wired News had reported earlier this year on speculation that terrorists like Osama bin Laden might use steganographic software for encoding secret messages into publicly available pornographic image files, rumors regarding such activities have caught on like wildfire in the weeks following the attack. All of these reports had one thing in common: they stated that authorities suspected that bin Laden and his associates might have used steganography.
There was no direct proof, however. Internet journalist Duncan Campbell reported in the online magazine Telepolis that FBI officials stated in two successive briefings that there was no evidence to suggest that terrorists had employed steganography. To date, the only comment from a government official implying a direct connection between terrorists and online steganography has come from an unnamed source formerly connected to the French defense ministry. The source, as noted in an October 30 story in the New York Times, claimed that a terrorist suspect named Jamal Beghal used the technique to plan a failed bombing plot of the U.S. embassy in Paris. Details about this alleged use of steganography remain scant, however.
Declan McCullagh, Washington DC correspondent for Wired News as well as one of the first journalists to report on allegations of terrorist online steganography, was also skeptical of the recent reports. “I’ve said in the past that we should assume for purposes of political debate that terrorists will use crypto and stego, because if they’re not now, they eventually will,” he wrote in an email to his Politech e-newsletter. “The September 11 attackers were cunning, if nothing else. But there is a huge difference between expecting that terrorists will eventually go in this direction — and accepting as fact vague and self-promoting reports that the 19 suicide-hijackers did.”
Adding to this skepticism is a recent report from University of Michigan computer scientists who scanned over two million online images for evidence of hidden messages using special stego-detecting software they had developed. (The art of detecting steganography, for those who are interested, is known as steganalysis.) Their sweep of these two million images identified no trace of steganography, whether for passing along secret orders between terrorist cells or for passing along the Mrs. Fields cookie recipe.
“I am not aware of evidence that indicates the use of encryption or
steganography,” explains Niels Provos, one of the authors of the University of Michigan study.
The issue is a growing concern among Internet civil libertarians who worry that these unsubstantiated claims of terrorists using steganography will serve as ammunition for politicians to put further restrictions on both steganography and encryption. Civil libertarians are already finding themselves being shouted down by policymakers determined to expand government surveillance activities and clamp down on tools used for hiding or scrambling information. In the Netherlands, legislators have moved to regulate public use of strong encryption on the Internet, backing off on a 1998 policy memorandum that stated, “The use of cryptography will remain permissible.”
In the United States, the sweeping anti-terrorism legislation signed into law by President Bush on October 26, among other things, greatly expands the ability of authorities to tap email accounts, access personal data and snoop through electronic voice mail. “This bill does not strike the right balance between empowering law enforcement and protecting civil liberties,” worried Sen. Russ Feingold (D-WI), the only senator to vote against the legislation. “I don’t know anybody in this country who’s afraid of their law enforcement people at this time — they’re afraid of terrorism,” responded Sen. Orrin Hatch (R-UT), one of the key supporters of the new law.
The law contains many provisions that are profoundly frustrating to civil libertarians, but this particular piece of legislation does not contain any specific challenges to steganography. This is not to say that future legislation will not attempt to curtail the rights of citizens to utilize or develop steganography software, however. The very fact that these public allegations of terrorists using steganography happen to contain a bizarrely seductive mix of political issues that are close to the heart of many a legislator (namely protecting national security and curtailing online pornography) suggests that proposals to limit access to steganography could be just around the corner.
Of course, the passage of such proposals would lead to the next inevitable question — would anti-stego legislation actually serve their intended purpose? If terrorists are indeed sophisticated enough to employ steganography software, it would not be surprising if they also possessed the sophistication to develop their own software should current stego tools become inaccessible, or if investigative authorities were granted even greater access to the decoding keys for these tools. So assuming that terrorists had the wherewithal to craft their own steganography tools, the only people who would truly feel the effects of anti-steg legislation would be law-abiding citizens who might wish to employ steganography to protect their online private interests. Additionally, if you consider the allegations regarding bin Laden’s supposed use of old-fashioned steganography in videotape broadcasts, cracking down on online steganography would do nothing to prevent terrorists or other criminal elements from using more traditional, analog means to pass along messages to each other.

Conclusion: Much Ado About Nothing?
(or at least nothing visible without the assistance of stego software…)

The media hype surrounding bin Laden, steganography and pornography make for enticing copy — but the stories published to date simply don’t add up to actual proof, let alone successfully demonstrate that changing the law to curtail steganography would actually accomplish much in the war on terrorism. In these trying times, it would be difficult to challenge the sincerity of lawmakers as they use the tools at their disposal to combat terrorism and keep America safe. Yet alongside their duty to help preserve the security of the country is the equally important duty to recognize and preserve our civil liberties. This is no truer than in times of war, when emotion, fear and the desire for swift justice can cloud our constitutional judgment.

Related Links

SpamMimic
http://www.spammimic.com
Invisible Secrets 3.0
http://www.freedownloadscenter.com/Utilities/File_Encryption_Utilities/Invisible_Secrets.html
Steganographia, by Johannes Trithemius (in Latin)
http://www.esotericarchives.com/tritheim/stegano.htm
How Steganographia was cracked:
http://cryptome.unicast.org/cryptome022401/tri-crack.htm
Detecting Steganographic Content on the Internet
(Analysis by Neils Provos and Peter Honeyman at the University of Michigan)
http://www.citi.umich.edu/u/provos/stego
Coded Communications
http://www.msnbc.com/news/632358.asp
Veiled Messages of Terrorists May Lurk in Cyberspace
http://www.nytimes.com/2001/10/30/science/physical/30STEG.html?pagewanted=1
How the Terror Trail Went Unseen, by Duncan Campbell
http://www01.heise.de/tp/english/inhalt/te/9751/1.html
Bin Laden: Steganography Master?
http://www.wired.com/news/politics/0,1283,41658,00.html
USA-Patriot Act of 2001
http://www.epic.org/privacy/terrorism/hr3162.html



Appendix: Complete Text of SpamMimic Message
(Copy and paste this text into the SpamMimic Decoder to extract the secret message)

Dear Friend , Especially for you – this breath-taking
news . If you no longer wish to receive our publications
simply reply with a Subject: of “REMOVE” and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1621 ; Title
6 , Section 301 ! This is a ligitimate business proposal
! Why work for somebody else when you can become rich
in 54 months . Have you ever noticed nobody is getting
any younger & how long the line-ups are at bank machines
. Well, now is your chance to capitalize on this .
WE will help YOU use credit cards on your website and
use credit cards on your website ! You can begin at
absolutely no cost to you ! But don’t believe us .
Mrs Ames who resides in Massachusetts tried us and
says “I’ve been poor and I’ve been rich – rich is better”
! We are licensed to operate in all states ! Don’t
delay – order today . Sign up a friend and your friend
will be rich too . Best regards ! Dear Cybercitizen
; Thank-you for your interest in our briefing . If
you no longer wish to receive our publications simply
reply with a Subject: of “REMOVE” and you will immediately
be removed from our mailing list . This mail is being
sent in compliance with Senate bill 1618 ; Title 2
, Section 301 . This is not multi-level marketing !
Why work for somebody else when you can become rich
in 58 weeks ! Have you ever noticed people will do
almost anything to avoid mailing their bills plus most
everyone has a cellphone ! Well, now is your chance
to capitalize on this ! We will help you SELL MORE
and increase customer response by 170% ! You are guaranteed
to succeed because we take all the risk . But don’t
believe us . Mr Jones of Georgia tried us and says
“Now I’m rich many more things are possible” ! This
offer is 100% legal ! So make yourself rich now by
ordering immediately ! Sign up a friend and you’ll
get a discount of 60% . Best regards !

Originally written for the Benton Foundation’s Digital Beat e-newsletter.