Schneier on Stego, Dead Drops, bin Laden

Subcommander Bob bob at black.org
Tue Sep 25 12:15:16 PDT 2001


[Reformatted for legibility.  Please take the few moments required to
clean up submitted text, wrapping and aligning text as necessary.
KMSelf]

Monday September 24 01:15 PM EDT

    Terrorists and steganography

    By Bruce Schneier, Special to ZDNet

    Security expert Bruce Schneier writes that terrorist groups may be
    using steganography to communicate, allowing communication without
    any group knowing the identity of the other.

    COMMENTARY--Guess what? Osama Bin Laden uses steganography.
    According to nameless "U.S.  officials and experts" and "U.S. and
    foreign officials," terrorist groups are "hiding maps and
    photographs of terrorist targets and posting instructions for
    terrorist activities on sports chat rooms, pornographic bulletin
    boards and other Web sites."

    Simply put, steganography is the science of hiding messages in
    messages. Typically, a message (either plaintext or, more cleverly,
    ciphertext) is hidden in the low-order bits of a digital photograph.
    To the uninitiated observer, it's just a picture.  But to the sender
    and receiver, there's a message hiding in there.

    It doesn't surprise me that terrorists are using this trick. The
    very aspects of steganography that make it unsuitable for normal
    corporate use make it ideally suited for terrorist use.  Most
    importantly, it can be used in an electronic dead drop.

    If you read the FBI affidavit against (accused spy) Robert Hanssen,
    you learn how Hanssen
    communicated with his Russian handlers. They never met, but would
    leave messages, money and documents for one another in plastic bags
    under a bridge.  Hanssen's handler would leave a signal in a public
    place--a chalk mark on a mailbox--to indicate a waiting package.
    Hanssen would later collect the package.

    That's called a 'dead drop'. It has many advantages over a
    face-to-face meeting. One, the two parties are never seen together.
    Two, the two parties don't have to coordinate a rendezvous. Three,
    and most importantly, one party doesn't even have to know who the
    other one is (a definite advantage if one of them is arrested). Dead
    drops can be used to facilitate completely anonymous, asynchronous
    communications.

    Using steganography to embed a message in a pornographic image and
    posting it to a Usenet newsgroup is the cyberspace equivalent of a
    dead drop. To everyone else, it's just a picture. But to the
    receiver, there's a message in there waiting to be extracted.

    To make it work in practice, the terrorists would need to set up
    some sort of code.  Just as Hanssen knew to collect his package when
    he saw the chalk mark, a virtual terrorist will need to know to look
    for his message. (He can't be expected to search every picture.)
    There are lots of ways to communicate a signal: timestamp on the
    message, an uncommon word in the subject line, etc. Use your
    imagination here--the possibilities are limitless.

    The effect is that the sender can transmit a message without ever
    communicating directly with the receiver. There is no e-mail between
    them, no remote logins, no instant messages. All that exists is a
    picture posted to a public forum, and then downloaded by anyone
    sufficiently enticed by the subject line (both third parties and the
    intended receiver of the secret message).

    So, what's a counter-espionage agency to do? There are the standard
    ways of finding steganographic messages, some of which I have
    outlined in a previous essay. If Bin Laden is using pornographic
    images to embed his secret messages, it is unlikely these pictures
    are being taken in Afghanistan.  They're probably
    downloaded from the Web. If the NSA can keep a database of images
    (wouldn't that be something?), then they can find ones with subtle
    changes in the low-order bits. If Bin Laden uses the same image to
    transmit multiple messages, the NSA could notice that. Otherwise,
    there's probably nothing the NSA can do. Dead drops, both real and
    virtual, can't be prevented.

    Why can't businesses use this? The primary reason is that legitimate
    businesses don't need dead drops. I remember one company talk about
    a corporation embedding a steganographic message to its salespeople
    in a photo on the corporate Web page.  Why not just send an
    encrypted e-mail? Because someone might notice the e-mail and know
    that the salespeople all got an encrypted message. So send a message
    every day: a real message when you need to, and a dummy message
    otherwise. This is a traffic analysis problem, and there are other
    techniques to solve it. Steganography just doesn't apply here.

    Steganography is a good way for terrorist cells to communicate,
    allowing communication without any group knowing the identity of the
    other. There are other ways to build a dead drop in cyberspace. For
    example, a spy can sign up for a free, anonymous e-mail account. And
    Bin Laden probably uses those, too.

    Bruce Schneier is CTO of Counterpane Internet Security, Inc. He
    publishes a free monthly security newsletter.

http://dailynews.yahoo.com/h/zd/20010924/tc/terrorists_and_steganography_1.html
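The detection idea in the essay (keep a database of known images, then look for copies whose low-order bits have been altered, or the same image showing up repeatedly) can be sketched as a small defender-side check. This is an added example, not code from Schneier's essay; it works on constructed grayscale pixel lists rather than decoded photo files, and the "tampering" routine only flips random low-order bits to exercise the detector.

```python
import hashlib
import random

# Constructed grayscale "images": flat lists of 8-bit pixel values (row-major).
# A real deployment would decode photos with an image library; omitted here.
def make_reference_image(width=64, height=64, seed=1):
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height)]

def content_fingerprint(pixels):
    """Hash the picture with every low-order bit cleared, so a copy whose LSBs
    were changed still maps to the same database entry. Note this only works
    for lossless copies; a re-encoded JPEG would differ in higher bits too."""
    high_bits = bytes(p & 0xFE for p in pixels)
    return hashlib.sha256(high_bits).hexdigest()

def lsb_mismatch_fraction(reference, candidate):
    """Fraction of pixels whose low-order bit differs from the reference copy."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in size")
    differing = sum((a ^ b) & 1 for a, b in zip(reference, candidate))
    return differing / len(reference)

def simulate_lsb_tampering(pixels, fraction, seed=2):
    """Flip the LSB of a random subset of pixels: a stand-in for an altered
    copy, used only so the detector has something to find."""
    rng = random.Random(seed)
    out = list(pixels)
    for i in rng.sample(range(len(out)), int(fraction * len(out))):
        out[i] ^= 1
    return out

def check_against_database(db, candidate, threshold=0.01):
    """db maps fingerprint -> (reference pixels, times this picture was seen).
    The sighting count covers the essay's second clue: one image reused
    over and over. Returns "unknown", "unmodified" or "modified"."""
    fp = content_fingerprint(candidate)
    if fp not in db:
        return "unknown"
    reference, seen = db[fp]
    db[fp] = (reference, seen + 1)
    mismatch = lsb_mismatch_fraction(reference, candidate)
    return "modified" if mismatch > threshold else "unmodified"
```

The threshold exists because a handful of differing bits can come from benign processing; how many is suspicious depends on the image source, which the essay leaves open.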