[iwar] [fc:Terrorists.and.steganography]

From: Fred Cohen (fc@all.net)
Date: 2001-09-25 16:19:34


To: iwar@onelist.com (Information Warfare Mailing List)

Terrorists and steganography 
By Bruce Schneier, ZDNet, 9/25/01
http://www.zdnet.com/zdnn/stories/comment/0,5859,2814256,00.html?chkpt=zdnnt092501co

COMMENTARY--Guess what? Osama Bin Laden uses steganography.  According
to nameless "U.S. officials and experts" and "U.S. and foreign
officials," terrorist groups are "hiding maps and photographs of
terrorist targets and posting instructions for terrorist activities on
sports chat rooms, pornographic bulletin boards and other Web sites."

Simply put, steganography is the science of hiding messages in messages. 
Typically, a message (either plaintext or, more cleverly, ciphertext) is
hidden in the low-order bits of a digital photograph.  To the
uninitiated observer, it's just a picture.  But to the sender and
receiver, there's a message hiding in there. 

It doesn't surprise me that terrorists are using this trick.  The very
aspects of steganography that make it unsuitable for normal corporate
use make it ideally suited for terrorist use.  Most importantly, it can
be used in an electronic dead drop. 

If you read the FBI affidavit against (accused spy) Robert Hanssen, you
learn how Hanssen communicated with his Russian handlers.  They never
met, but would leave messages, money and documents for one another in
plastic bags under a bridge.  Hanssen's handler would leave a signal in
a public place--a chalk mark on a mailbox--to indicate a waiting
package.  Hanssen would later collect the package. 

That's called a 'dead drop'.  It has many advantages over a face-to-face
meeting.  One, the two parties are never seen together.  Two, the two
parties don't have to coordinate a rendezvous.  Three, and most
importantly, one party doesn't even have to know who the other one is (a
definite advantage if one of them is arrested).  Dead drops can be used
to facilitate completely anonymous, asynchronous communications.  Using
steganography to embed a message in a pornographic image and posting it
to a Usenet newsgroup is the cyberspace equivalent of a dead drop.  To
everyone else, it's just a picture.  But to the receiver, there's a
message in there waiting to be extracted.  To make it work in practice,
the terrorists would need to set up some sort of code.  Just as Hanssen
knew to collect his package when he saw the chalk mark, a virtual
terrorist will need to know to look for his message.  (He can't be
expected to search every picture.) There are lots of ways to communicate
a signal: timestamp on the message, an uncommon word in the subject
line, etc.  Use your imagination here--the possibilities are limitless. 

The effect is that the sender can transmit a message without ever
communicating directly with the receiver.  There is no e-mail between
them, no remote logins, no instant messages.  All that exists is a
picture posted to a public forum, and then downloaded by anyone
sufficiently enticed by the subject line (both third parties and the
intended receiver of the secret message). 

So, what's a counter-espionage agency to do? There are the standard ways
of finding steganographic messages, some of which I have outlined in a
previous essay.  If Bin Laden is using pornographic images to embed his
secret messages, it is unlikely these pictures are being taken in
Afghanistan.  They're probably downloaded from the Web.  If the NSA can
keep a database of images (wouldn't that be something?), then they can
find ones with subtle changes in the low-order bits.  If Bin Laden uses
the same image to transmit multiple messages, the NSA could notice that. 
Otherwise, there's probably nothing the NSA can do.  Dead drops, both
real and virtual, can't be prevented. 

Why can't businesses use this? The primary reason is that legitimate
businesses don't need dead drops.  I remember one company talk about a
corporation embedding a steganographic message to its salespeople in a
photo on the corporate Web page.  Why not just send an encrypted e-mail?
Because someone might notice the e-mail and know that the salespeople
all got an encrypted message.  So send a message every day: a real
message when you need to, and a dummy message otherwise.  This is a
traffic analysis problem, and there are other techniques to solve it. 
Steganography just doesn't apply here. 

Steganography is a good way for terrorist cells to communicate, allowing
communication without any group knowing the identity of the other. 
There are other ways to build a dead drop in cyberspace.  For example, a
spy can sign up for a free, anonymous e-mail account.  And Bin Laden
probably uses those, too. 


------------------
http://all.net/ 
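An added example, not part of Cohen's mail or Schneier's column, of the two reference-based checks the column sketches for an agency holding a database of known images: flag a copy of a known picture whose only changes sit in the low-order bits, and group uploads that share one cover picture apart from their LSB plane. Images are modelled as flattened lists of 8-bit samples; the synthetic cover, the two flipped-LSB uploads and the brightened copy are constructed inline.

```python
import hashlib
import random

def lsb_diff_report(reference, suspect, lsb_threshold=0.01, upper_tolerance=0.0):
    """Compare two 8-bit sample sequences (e.g. flattened grayscale pixels).
    LSB-only differences (upper 7 bits equal) are the signature of an embedded
    payload; upper-bit differences mean a different or re-encoded picture."""
    if len(reference) != len(suspect):
        return {"verdict": "different-content", "lsb_diff": 0, "upper_diff": 0, "total": 0}
    lsb_diff = upper_diff = 0
    for a, b in zip(reference, suspect):
        if (a >> 1) != (b >> 1):
            upper_diff += 1          # content changed, not just the LSB plane
        elif a != b:
            lsb_diff += 1            # same picture, low-order bit flipped
    n = len(reference)
    if upper_diff / n > upper_tolerance:
        verdict = "different-content"
    elif lsb_diff == 0:
        verdict = "identical"
    elif lsb_diff / n >= lsb_threshold:
        verdict = "lsb-tampered"
    else:
        verdict = "lsb-noise"
    return {"verdict": verdict, "lsb_diff": lsb_diff, "upper_diff": upper_diff, "total": n}

def upper_bits_fingerprint(samples):
    """Hash of the image with its LSB plane stripped: two uploads of the same
    cover carrying different payloads share this fingerprint."""
    return hashlib.sha256(bytes(s >> 1 for s in samples)).hexdigest()

def group_reuploads(images):
    """Map fingerprint -> names of uploads that share a cover (ignoring LSBs)."""
    groups = {}
    for name, samples in images.items():
        groups.setdefault(upper_bits_fingerprint(samples), []).append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}

# Constructed sample data: a synthetic 100x100 grayscale cover, two copies with
# the LSB flipped in ~30% of samples (simulating two different hidden payloads),
# and a brightness-adjusted copy whose upper bits differ (a different picture).
rng = random.Random(7)
COVER = [rng.randrange(256) for _ in range(100 * 100)]
def _flip_lsbs(samples, fraction, seed):
    r = random.Random(seed)
    return [s ^ 1 if r.random() < fraction else s for s in samples]
UPLOAD_A = _flip_lsbs(COVER, 0.3, 1)
UPLOAD_B = _flip_lsbs(COVER, 0.3, 2)
BRIGHTER = [min(255, s + 8) for s in COVER]
```

Real images would need decoding (e.g. with Pillow) into the sample lists first; lossy re-encoding such as JPEG changes upper bits and therefore shows up as different content, not as tampering.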




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:49 PDT