DonNTU Master Olga Andrianova

Olga Andrianova

Faculty: Computers and Information Science
Department: Monitoring Computer Systems
Speciality: Computer Ecological Economic Monitoring
Theme of master's diploma:
  "The Latent Greate Information Files Transfer by Stegocoding WAV-files"
Scientific adviser: Ph.D. Natalya Gubenko

Code Wars: Steganography, Signals Intelligence, and Terrorism


Author: Maura Conway.
Source: http://doras.dcu.ie/494/1/know_tech_pol_16_2_2003.pdf

This paper discusses the process of secret communication known as steganography. The argument advanced here is that terrorists are unlikely to be employing digital steganography to facilitate secret intra-group communication as has been claimed. This is because terrorist use of digital steganography is both technically and operationally implausible. The position adopted in this paper is that terrorists are likely to employ low-tech steganography such as semagrams and null ciphers instead.

Introduction

In "A Few Words on Secret Writing" (1841), Edgar Allan Poe writes that "we can scarcely imagine a time when there did not exist a necessity, or at least a desire, of transmitting information from one individual to another in such a manner as to elude general comprehension" (as quoted in Rosenheim, 1997: 171). Today, only a relatively small number of people worldwide employ strong security in their personal communications. However, an increasing amount of our social, economic, and work lives are conducted electronically—through e-mail, Net postings, electronic banking, e-commerce, etc.—and this has led to an increasing interest in questions of cybersecurity and online privacy, and pushed the issue of secret writing to the fore.

Perhaps when you were a child you used lemon juice to write on paper and then allowed the paper to dry, which resulted in the disappearance of your text. Your writing would magically reappear on the apparently blank sheet of paper when you heated it. This is an example of steganography: the science of secret writing or the art of hiding messages within other messages. "Steganography...has until recently been the poor cousin of cryptography .

The goal of steganography is to hide the existence of a message; the goal of cryptography is to scramble a message so that it cannot be understood, although its existence may be detected (Karp, 2002). The advantage of steganography over cryptography is that it can be employed to secretly transmit messages without the fact of the transmission being discovered. In fact, it is common for steganographers to encrypt their hidden message before placing it in the cover message, although it should be noted that the hidden message does not have to be encrypted to qualify as steganography. A message can be in plain English (or any other language for that matter) and still constitute a hidden message.

Nonetheless, those that employ steganography in their communications are generally careful to make use of the extra layer of protection that encryption provides. This is because covert information is not necessarily secure, just as secure information is not necessarily covert (Cochran, 2000: 15).

According to the article's author, Jack Kelley, the messages were being hidden in images posted on the Internet. Kelley gave the example of images posted on the Internet auction site eBay. There was very little evidence to substantiate these claims provided in the newspaper articles; nonetheless, in the wake of 9/11, media outlets worldwide picked up the story. This paper explores the plausibility of the claims made by Kelley in his articles.

The paper is divided into five sections. Section one details the historical background to steganography, while section two outlines some of the technical details pertaining to digital steganography. The third section describes the alleged use of steganography by terrorists as reported in newspapers and magazines. In section four, I describe and discuss the process of steganalysis—the science of detecting hidden messages—one of the reasons why terrorists might be unwise to use steganography to conceal their communications. Finally, section five is devoted to an analysis of what alternative methods of clandestine communication via the Internet terrorists might employ instead.

The argument advanced here is that terrorists are unlikely to be employing digital steganography to facilitate secret intra-group communication as Kelley and others have claimed. This is because terrorist use of digital steganography is both technically and operationally implausible. The position adopted in this article is that terrorists are likely to employ low-tech steganography such as semagrams and null ciphers instead.

A Brief History of Steganography

Steganography means covered or secret writing in Greek. It is a form of information-hiding that has a long and established pedigree. The earliest known examples of steganography were recorded by the Greek historian Herodotus and date back to ancient times. The Greek tyrant Histaeus was held prisoner by King Darius in Susa during the fifth century BCE. Histaeus wanted to send a message to his son-in-law Aristagoras in Miletus, so he shaved the head of a slave and tattooed a message on his scalp. When the slave's hair grew long enough to conceal the message/tattoo, he was dispatched to Miletus (Byte, 1997/8). Herodotus provides us with another example of steganography from antiquity. The Greeks often communicated by writing on wax-covered tablets. When Demeratus needed to secretly notify the Spartans that Xerxes intended to invade Greece, he scraped the wax off of a tablet and wrote the message on the wood underneath. He then re-covered the wooden tablets with wax. On inspection, the tablets appeared blank and unused, thus ensuring that Demeratus' message remained undiscovered.

Invisible inks are not simply children's playthings; they have been a popular method of chemical steganography for centuries. The ancient Romans would write between the lines of a text using invisible inks concocted from such readily available substances as fruit juices, urine, and milk. In fact, invisible inks were used in military conflict as recently as World War II (Byte, 1997/8; Sellars, 1999: 4). Gaspari Schotti was the author of the earliest book on steganography. His 400-page tome, entitled Schola Steganographica, was published in 1665. Schotti drew extensively upon the work of Johannes Trithemius (1462-1526), a German monk and early researcher in steganography and cryptography. Steganographic research continued to develop in the fifteenth and sixteenth centuries. Bishop John Wilkins—later the master of Trinity College, Cambridge—devised a number of steganographic processes that ranged from coding messages in sheet music and string knots to invisible inks. Auguste Kerckhoff's Cryptographie Militaire appeared in 1883 and was followed by Charles Briquet's Les Filigraines (1907), a historical dictionary of watermarks (Cochran, 2000: 11-12; Sellars, 1999: 4-5).

It was during the twentieth century that steganography came into its own, however. The British employed Lord Robert Baden-Powell, the founder of the Boy Scout movement, as a scout during the Boer War (1899-1902). His job was to record the location of Boer artillery positions. To avoid suspicion were he captured, Baden-Powell worked his maps into drawings of butterflies. On casual inspection the drawings appeared innocuous; however, certain markings on the wings actually indicated the positions of enemy installations.

World War II ushered in a period of intense research and experimentation in steganography and associated fields. Invisible inks were employed in the early war years; later, null ciphers (i.e. unencrypted messages) were used to convey secret messages. The null cipher, which had the appearance of an innocent message about everyday occurrences, was thought unlikely to arouse suspicion and therefore to be less prone to interception. Duncan Sellars gives the example of the following message sent by a German spy during WWII: Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils. Decoding this message (by lifting the second letter in each word) reveals the following secret text: Pershing sails from New York June 1 (Johnson, 1995; Sellars, 1999: 5-6).

Document layout was also used to conceal secret information: by modulating the position of lines and words, messages could be marked and identified. In addition, techniques such as writing messages in typewriter correction ribbon, and using pin punctures to mark selected letters were also popular (Sellars, 1999: 6; Stallings, 1998: 27). J. Edgar Hoover, the director of the FBI, dubbed the German invention of the microdot "the enemy's masterpiece of espionage" (Dembart, 2001).

Microdots are photographs reduced to the size of a period, which have the clarity of standard sized typewritten pages. Using microdots, secret messages could be photographically reduced and affixed as the dot for the letter 'i' or other punctuation on any document containing text. Microdots permitted the secret transmission of large amounts of data, including technical drawings and photographs.

The existence of the microdot was discovered by the Allies in 1941 on a typed envelope carried by a German agent. At that time, fears about the transmission of secret messages were so intense that, in the United States, the international mailing of postal chess games, knitting instructions, newspaper clippings, and children's drawings was banned. It was also illegal to send cables requiring that specific types of flowers be delivered on a specific date, and eventually the U.S. and British governments banned international flower deliveries altogether (Byte, 1997/8; Johnson, 1995; Sellars, 1999: 6).

During the 1980s, the then-British Prime Minister Margaret Thatcher became so angered at press leaks of cabinet documents that she had the word processors in Westminster programmed to encode ministers' identities in the word spacing, so that those responsible for leaks could be identified (Anderson, 1996: 39-40; Anderson and Petitcolas, 1998: 474).

More recently, the digital age has revolutionized steganography. In fact, according to some, the Internet has become the modern version of the "dead drop," a slang term describing the location where Cold War-era spies left maps, pictures, and other information, for collection by their handlers (Denning and Baugh, 2001: 133; Kelley, 2001a & 2001b).

Digital Steganography

The classic model for invisible communication in the modern scientific literature has been traced to G. J. Simmons, who in 1983 formulated it as the "Prisoners' Problem." The scenario is this: Alice and Bob are in jail, and wish to concoct an escape plan. However, all their communications pass through the warden, Willie; and if Willie detects any encrypted messages, he will negate their plan by restricting them to solitary confinement. The upshot of this is that Alice and Bob must find some way of hiding their ciphertext in an innocent-looking covertext; in other words, they must establish a subliminal channel (Anderson, 1996: 39; Anderson & Petitcolas, 1998: 474; Katzenbeisser, 2000: 17-19).

Alice could, for example, create a picture of a purple horse grazing in a red meadow and send this piece of modern art to Bob. If successful, Willie will have no idea that the colors of the objects in the drawing transmit information.

Computer-based (i.e. digital) steganography is a relatively new process. Its usefulness is based on two simple principles. The first is that the files that contain digitized images or sounds may be subtly altered without compromising their functionality.

The second principle rests on the inability of minor changes in color or sound quality to be distinguished by humans (Johnson and Jajodia, 1998: 273). Digital steganography is usually based on randomness. There are many occurrences of randomness in computer-based information. Steganographic data can be hidden in this random information or noise. The merits of a steganographic method are judged on whether the addition of the steganographic data changes the randomness (Ballard et al., 2002: 996; Davern and Scott, 1996: 279).

Digital steganography schemes can be characterized using theories of communication. The parameters of information hiding, such as the amount of data bits that can be hidden, the perceptibility of the message, and its robustness to removal can be related to the characteristics of communications systems: capacity, signal-to-noise ratio (SNR), and jamming margin.

The notion of capacity in digital steganography indicates the total number of bits hidden and successfully recovered by the stego-system.

The SNR serves as a measure of detectability. In this context, the message one is seeking to conceal (i.e. the embedded signal) represents the information-bearing signal, and the cover image is viewed as noise. Contrary to typical communication scenarios where a high SNR is desired, a very low SNR for a stego-system corresponds to lower perceptibility and therefore greater success when concealing the embedded signal. The measure of jamming resistance describes the level of robustness to removal or destruction of the embedded message, whether intentional or accidental (Marvel et al., 1998: 48).

All digital steganographic schemes/tools employ the same basic principles. Let us assume that one wishes to hide a secret message in an image: the message is embedded in a digital image by the stego-system encoder, which uses a key or password, the resulting stego-image is transmitted in some fashion over a channel (e.g. the Internet) to an intended recipient, where it is processed by the stego-system decoder using the same key (see Figure 1). During transmission, unintended or hostile viewers may monitor the stego-image, but they should observe only the transmittal of the innocuous image without discovering the existence of the hidden message (Ballard et al., 2002: 998; Katzenbeisser 2000: 18-19; Marvel et al., 1998: 49).

The possible covers for hidden messages are innocent looking carriers; in terms of digital steganography, these will be images, audio, video, text, or some other digitally representative code, which will hold or cover the hidden information. A message is the information hidden and may be plaintext, ciphertext, images, or anything that can be embedded into a bit-stream. Together the cover carrier and the embedded message create a stego-carrier. Hiding information may require a stego-key, which is additional secret information (e.g. a password) required for embedding the information. When a secret message is hidden within a cover image, the resulting product is a stego-image (Johnson and Jajodia 1998: 275).
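The encoder/decoder model and the capacity and SNR measures described above, as an added example that is not code from the paper or from any tool it names. It assumes least-significant-bit replacement on a list of 8-bit sample values, a keyed shuffle standing in for the stego-key, and a constructed cover; all function names are hypothetical.

```python
import math
import random


def carrier_positions(n_samples, n_bits, key):
    # Assumption: the stego-key seeds a shuffle that selects which samples carry bits.
    order = list(range(n_samples))
    random.Random(key).shuffle(order)
    return order[:n_bits]


def capacity_bytes(cover):
    # One hidden bit per sample, so eight samples carry one message byte.
    return len(cover) // 8


def embed(cover, message, key):
    """Stego-system encoder: returns a stego copy of the cover."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message exceeds capacity of one bit per sample")
    stego = list(cover)
    for pos, bit in zip(carrier_positions(len(cover), len(bits), key), bits):
        stego[pos] = (stego[pos] & ~1) | bit  # overwrite only the lowest bit
    return stego


def extract(stego, n_bytes, key):
    """Stego-system decoder: needs the same key and the message length."""
    positions = carrier_positions(len(stego), n_bytes * 8, key)
    bits = [stego[pos] & 1 for pos in positions]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[j:j + 8]))
        for j in range(0, len(bits), 8)
    )


def embedded_snr_db(cover, stego):
    # Embedded signal = difference introduced by the encoder; the cover is the "noise".
    signal = sum((s - c) ** 2 for s, c in zip(stego, cover))
    noise = sum(c * c for c in cover)
    return 10 * math.log10(signal / noise) if signal else float("-inf")


# Constructed sample data: 4096 brightness values in the range 28..227.
COVER = [(i * 73 + (i // 7) * 31) % 200 + 28 for i in range(4096)]
MESSAGE = b"constructed test message"
KEY = "constructed pass-phrase"
STEGO = embed(COVER, MESSAGE, KEY)

if __name__ == "__main__":
    print("capacity (bytes):", capacity_bytes(COVER))
    print("recovered with key:", extract(STEGO, len(MESSAGE), KEY))
    print("recovered with wrong key:", extract(STEGO, len(MESSAGE), "wrong"))
    print("embedded signal vs cover: %.1f dB" % embedded_snr_db(COVER, STEGO))
```

The strongly negative dB figure is the "very low SNR" the text refers to: no sample changes by more than one brightness level, which is why the change is imperceptible yet, as the steganalysis discussion shows, still statistically measurable.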

According to Mercer et al., to be useful, a steganographic system/tool must provide a method to:

• Embed data invisibly,
• Allow the data to be readily extracted,
• Promote a high information rate or capacity, and
• Incorporate a certain amount of robustness to removal (Mercer et al., 1998: 49).

The remainder of this section is concerned with data encoding in still digital images. This is because the media attention surrounding terrorist use of steganography has focused on the latter. Image steganography has made great strides in recent times with the development of fast, powerful graphical computers. Images provide excellent carriers for hidden information and many different techniques and tools have been developed for just this purpose. These can be categorized into two groups: those in the Image Domain and those in the Transform Domain.

Image domain tools encompass bit-wise methods that apply least significant bit (LSB) insertion and noise manipulation. These approaches are common in steganography and may be characterized as "simple systems." Typically, the image formats used in such steganography methods are loss-less and the data can be directly manipulated and recovered. The transform domain grouping of tools include those that involve manipulation of algorithms and image transforms such as Discrete Cosine Transformation (DCT) and wavelet transformation.

These methods hide messages in more significant areas of the cover and may manipulate image properties (e.g. luminance). These techniques are generally far more robust than bit-wise techniques.

However, a trade-off exists between the amount of information added to the image and the robustness obtained. JPEG images use the DCT to achieve image compression (Johnson and Jajodia, 1998: 276-277; see also Sellars, 1999: 9-13 and Wayner, 1996: ch. 9).

There are a large number of stego-tools freely available on the Internet: Niels Provos' OutGuess is a universal steganographic tool that allows the insertion of hidden information into the redundant bits of data sources. It is freely available for download from . Another freely available steganography tool is Spammimic, which is available for download from ; this site, developed by Disappearing Cryptography (1996) author Peter Wayner, gives you access to a program that will encrypt a short message into spam. Similarly, a program known as "Snow" hides information by adding extra white space at the end of each line of a text file or e-mail message.

Steghide embeds messages in .bmp, .wav, and .au files, while MP3Stego does the same for MP3 files (McCullagh, 2001a). And they are surprisingly easy to use (see Karp, 2002).

Basically, all a terrorist needs to do is choose a tool, "stego" a message, and e-mail the message to a friend or post it to a publicly available site. Thereafter, an accomplice can retrieve this container message using the correct pass-phrase and the same software. Because steganography is not widely known, and technologically viable images are prolific on the Internet, it is very likely that the result image will go unnoticed as it reaches its destination (Ballard et al., 2002: 998). It is precisely this ease-of-use that has led many people to view steganography as an ideal terrorist tool.

On February 5, 2001, an article penned by Jack Kelley and headlined "Terrorist instructions hidden online" appeared in USA Today. In the article, Kelley claimed that: Through weeks of interviews with U.S. law-enforcement officials and experts, USA Today has learned new details of how extremists hide maps and photographs of terrorist targets—and post instructions for terrorist activities—on sports chat rooms, pornographic bulletin boards and other popular Web sites...

Officials and experts say the messages are scrambled using free encryption programs set up by groups that advocate privacy on the Internet. Those same programs can also hide maps and photographs in an existing image on selected Web sites. The e-mails and images can only be decrypted using a "private key" or code, selected by the recipient.

Kelley goes on to quote Ben Venzke, special projects director for iDefense, a cyberintelligence company: The operational details and future targets, in many cases, are hidden in plain view on the Internet... Only the members of the terrorist organisations, knowing the hidden signals, are able to extract the information.

The evidence? A quote from CIA Director George Tenet: To a greater and greater degree, terrorist groups, including Hezbollah, Hamas, and bin Laden's al Qaida group, are using computerised files, e-mail, and encryption to support their operations.

The next day, February 6, Kelley followed up with "Terror groups hide behind Web encryption": Hidden in the X-rated pictures on several pornographic Web sites and the posted comments on sports chat rooms may lie the encrypted blueprints of the next terrorist attack against the United States or its allies.

The evidence? A quote from the FBI Director, Louis J. Freeh: Uncrackable encryption is allowing terrorists—Hamas, Hezbollah, al Qaida and others—to communicate about their criminal intentions without fear of outside intrusion... They're thwarting the efforts of law enforcement to detect, prevent and investigate illegal activities.

Six months later, in July 2001, Kelley penned an article entitled "Militants wire Web with links to jihad." According to Kelley: Muslim groups are increasingly turning to the Internet to carry on their jihad, or holy war, against the West... The groups use Web sites to plan attacks, recruit members and solicit donations with little or no chance of being caught by the FBI or other law enforcement agencies...

Most of the information on the Web sites is written in Arabic and encrypted, or scrambled. The encrypted data is then hidden in digital photographs, which makes it difficult, if not impossible, to find or read... The groups regularly change the addresses of their Web sites to confound officials.

It is in this article that Kelley charges that al Qaeda operatives have sent "hundreds of encrypted messages that have been hidden in files on digital photographs on the auction site eBay.com." This article also contains the first use of the term steganography by Kelley. According to the article: U.S. officials say that azzam.com contains encrypted messages in its pictures and texts—a practice known as steganography. They say the hidden messages contain instructions for al-Qaeda's next terrorist attacks. Mathematicians and other experts at the National Security Agency at Fort Meade, Md., are using supercomputers to try to break the encryption codes and thwart the attacks.

The remainder of the article details the (freely available) contents of a number of Islamist Web sites. Approximately three months later, shortly after the attacks of 9/11, the ABC News show Primetime dutifully revived the rumor, essentially claiming that it had been substantiated, though no evidence was produced. A stegged photo was produced, but it was a demo, not in any way associated with terrorism (see Ross, 2001).

Shortly afterwards an Associated Press article entitled "Bin Laden's cybertrail proves elusive" appeared in USA Today. This article comes to rather different conclusions than those reached by Kelley and the producers at ABC. Its opening line reads: Despite warnings from top government officials that terrorists would use exotic technology to communicate, suspected terrorist mastermind Osama bin Laden instead has used "no-tech" methods, foiling efforts to track him, former U.S. intelligence officials said.

In fact, according to this article, "Bin Laden relies on human messengers, safe houses and close-knit groups such as family members to send out his directives." Wayne Madsen, a former communications specialist for the National Security Agency, is quoted as saying, "This isn't low tech. You'd have to really call it no-tech." In contrast to Bin Laden, Madsen admits that the 9/11 hijackers might have communicated via the Internet. He points to their possible use of seemingly innocuous messages posted on Web sites. For example, some minor change to a Web site might indicate the launch date of an attack, because they knew it in advance (see below).

The above notwithstanding, Kelley's original allegations were picked up by Time Magazine. Adam Cohen, in his article "When Terror Hides Online," suggested that: A terrorist mastermind could insert plans for blowing up a nuclear reactor in, say, the nose of a puppy on a pet-adoption website. Operatives in the field, told which nose to look at, could then check for their marching orders.

Steganography is a fast, cheap, safe way of delivering murderous instructions. (Cohen 2001)

Cohen suggests that bin Laden's followers may have learned of steganography "when it burst on the pop-culture scene in recent movies like Along Came a Spider." Controversy arose about Cohen's article when Matthew Devost of the Terrorism Research Center charged that the writer had misrepresented him. It appears from the article that Devost believes that terrorists are using steganography on the Internet, but according to Devost: "I do not think that terrorists are using steganography on the Internet and I articulated this belief very clearly to Mr. Cohen."

Finally, in October 2001, an article composed by Reuters staff, entitled "Researchers: No secret bin Laden messages on sites," appeared in USA Today. That short piece detailed how computer science researchers at the University of Michigan had written a program to detect messages hidden inside photos on the Web. Peter Honeyman, scientific director of the University's Center for Information Technology Integration, and graduate student Niels Provos ran a cluster of workstations against more than 2 million images on popular Web sites such as eBay, and attacked the candidates with a dictionary of more than 1.8 million words. They were prompted to do so by Kelley's original series of articles alleging that terrorists hide secret messages inside innocent looking photos on the Web. They found nothing (see Provos and Honeyman, 2001; also Manjoo, 2001).

This has not stopped some in the media pointing to terrorist use of steganography as fact (see Friedman, 2002; Lyman, 2001; McGrory, 2001: 11; Soloway, Nordland, and Nadeau, 2002), the most recent example being a headline in the New York Post that read "9/11 Plot Hidden in E-Porn" (Lathem, 2003).

Perhaps the goal is to manufacture an excuse for the failure to anticipate the events of September 11th. Perhaps it is preparing the ground for an attempt at bureaucratic empire-building via Internet regulation, as a diversionary activity from the much harder and less pleasant task of going after al-Qaida. Perhaps the vision of bin Laden as cryptic pornographer is being spun to create a subconscious link, in the public mind, with the scare stories about child pornography that were used before September 11th to justify government plans for greater Internet regulation. (Anderson 2001)

This is an argument put forward by a number of commentators as the reason for the widespread take-up of the allegations contained in Kelley's series of articles (see Leyden, 2001 and Rosenheim, 1997: 170). This is not the position explored here, however. Instead, the argument here is that terrorist use of digital steganography is both operationally unnecessary and technically risky.

Steganalysis makes terrorist use of steganography technically risky. Steganalysis is the science of detecting hidden messages and hence the science of detecting steganography. Just as a cryptanalyst applies cryptanalysis in an attempt to decode or crack encrypted messages, the steganalyst is one who applies steganalysis in an attempt to detect the existence of hidden information (Johnson, 2000: 80-81; Johnson and Jajodia, 1998: 275).

In cryptanalysis, portions of the plaintext (if it is available) and portions of the ciphertext are analyzed. In steganalysis, comparisons are made between the cover object, the stego-object, and possible portions of the message. In cryptography, the end result is the ciphertext; in steganography, the end result is the stego-object. With steganography, the hidden message may or may not be encrypted, as noted earlier. If it is encrypted, then cryptanalysis techniques may be applied to further understand the embedded message on its extraction (Johnson, 2000: 81).

Different tools vary in their approaches for hiding information. Without knowing which tool has been employed and which, if any, stego-key has been used, detecting the hidden information may become quite complex. However, some of the tools produce stego-images with characteristics that act as signatures for the steganography method or tool used (Johnson, 2000: 80; Johnson and Jajodia, 1998: 277).
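One statistical signature of the kind mentioned above, as an added example that is not from the paper: a pairs-of-values chi-square test in the style of Westfeld and Pfitzmann's published analysis of sequential LSB replacement. The cover, the message bits and all function names are constructed for illustration, and the p-value uses the Wilson-Hilferty approximation.

```python
import math
import random


def pov_chi_square(samples, min_pair_count=5):
    """Pairs-of-values test: returns (statistic, degrees_of_freedom, p_value).

    LSB replacement with random-looking bits equalizes the counts of each
    value pair (2k, 2k+1). A high p-value means the pairs are as balanced as
    embedding would leave them; a p-value near 0 means they are not.
    """
    hist = [0] * 256
    for value in samples:
        hist[value] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd < min_pair_count:  # too few samples for the approximation
            continue
        stat += (even - odd) ** 2 / (even + odd)
        dof += 1
    if dof == 0:
        return 0.0, 0, 1.0
    # Wilson-Hilferty normal approximation to the chi-square upper tail.
    spread = 2 / (9 * dof)
    z = ((stat / dof) ** (1 / 3) - (1 - spread)) / math.sqrt(spread)
    return stat, dof, 0.5 * math.erfc(z / math.sqrt(2))


def scan_prefixes(samples, steps=8):
    """p-value over growing prefixes; sequential embedding shows up as a
    run of high p-values at the start that collapses once clean data dominates."""
    n = len(samples)
    return [(n * i // steps, pov_chi_square(samples[: n * i // steps])[2])
            for i in range(1, steps + 1)]


def make_cover(n, rng):
    # Constructed cover: bell-shaped brightness values stretched by 5/4, so the
    # two values of many pairs are not equally frequent (the premise of the test).
    return [min(255, max(0, int(rng.gauss(100, 15))) * 5 // 4) for _ in range(n)]


def embed_sequential(cover, n_bits, rng):
    # Stand-in for a simple LSB tool: random (encrypted-looking) bits replace
    # the lowest bit of the first n_bits samples.
    return [(v & ~1) | rng.getrandbits(1) if i < n_bits else v
            for i, v in enumerate(cover)]


RNG = random.Random(2003)
COVER = make_cover(20000, RNG)
STEGO_HALF = embed_sequential(COVER, 10000, RNG)  # message fills the first half

if __name__ == "__main__":
    for label, data in (("cover", COVER), ("stego", STEGO_HALF)):
        print(label)
        for length, p in scan_prefixes(data):
            print(f"  first {length:5d} samples  p = {p:.4f}")
```

A cover whose histogram is already smooth also yields balanced pairs, so a high p-value is a lead for further analysis rather than proof of embedding.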

It has always been theoretically possible to produce a completely unbreakable code or completely secret channel, but only at considerable inconvenience. Steganography is not foolproof. There are two methods of attack on steganography: detection of the embedded message and destruction of the embedded message. Clearly detection defeats the goal of steganography, which is to hide the existence of an embedded message. Destruction advances a step further and prevents the intended recipient of the message from accessing the information contained therein. Digital images provide excellent covers for hidden information.