[ISN] FC: Reply to Politech challenge: Stegograms found on azzam.com

From: InfoSec News (isnat_private)
Date: Fri Jul 12 2002 - 06:01:42 PDT

    ---------- Forwarded message ----------
    Date: Thu, 11 Jul 2002 23:21:04 -0400
    From: Declan McCullagh <declanat_private>
    To: politechat_private
    Subject: FC: Reply to Politech challenge: Stegograms found on azzam.com
    
    Keep in mind that these claims of bin-Laden-stego are closer to unsourced 
    speculations than verifiable fact. Perhaps an enterprising prankster has 
    been posting attack-at-dawn plans in stego form, for instance. And when 
    some politicos have used 9-11 as an excuse to talk about encryption 
    restrictions, it makes sense to be appropriately skeptical, though not 
    entirely dismissive.
    
    Some of this looks like old news. I wrote about a similar claim in Feb 
    2001, as a followup to a USA Today article:
    http://www.wired.com/news/politics/0,1283,41658,00.html
    
    Since then it has been a recurring theme:
    http://www.politechbot.com/cgi-bin/politech.cgi?name=steganography
    
    Previous Politech message:
    http://www.politechbot.com/p-03735.html
    
    -Declan
    
    PS: Brian sent me his list as an attachment. I've put it at the end of this 
    message.
    
    ---
    
    Date: Thu, 11 Jul 2002 22:48:15 -0400
    From: Brian Ristuccia <brianat_private>
    To: "Richard M. Smith" <rmsat_private>, declanat_private
    Cc: list-geekat_private
    Subject: al-Qaeda stego on azzam.com
    
    Richard, Declan, Fellow Geeks:
    
    Preliminary checking with a tool called stegdetect shows that a large number
    of images on azzam.com may have hidden information encoded using an
    algorithm called jphide.
    
    The site at http://66.197.135.110/~azzam has roughly 580 images and yields
    some 70 hits, almost all for jphide. Note that running stegdetect against
    some 2300 miscellaneous images including digital camera pictures and other
    junk on my personal web site and web mirrors yielded only a handful of low
    probability hits for steghide and outguess. 12% versus 1% is probably
    significant, at least enough so to warrant further investigation.
    
    The stegdetect package includes a program called stegbreak, which will
    attempt to extract the images from potential stego files. The process is
    computationally expensive and I'm not sure how long it will take or if it's
    even possible with the meager compute resources at my disposal. I'll be
    scrounging compute resources to try to extract the (probably encrypted)
    contents of at least some of these files and will keep you all posted on my
    findings.
    
    Thanks.
    
    -- 
    Brian Ristuccia
    brianat_private
    bristuccat_private
    
    ---
    
    From: Mark Collins <meat_private>
    To: declanat_private
    Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!
    Date: Wed, 10 Jul 2002 16:58:42 +0100
    In-Reply-To: <5.1.1.6.0.20020710085405.01b30590at_private>
    
    This whole "Terrorists using Steganography" thing is BS. A company called
    iomart is, as far as I can tell, the only people actually claiming to have
    discovered anything related to terrorism in images, and even then, their
    results are a lil' questionable.
    
    ===
    Mark 'Nurgle' Collins
    http://www.thisisnurgle.org.uk
    Stupid IRC quote of the <variable time period>:
    <keyDet79> fortunately the outside world (with which u are obviously not
    familiar with) fears script kiddies,
    
    ---
    
    Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!
    From: Shaya Potter <spotterat_private>
    To: declanat_private
    Date: 10 Jul 2002 14:12:15 -0400
    
    repost?
    
    message on politech
    
    http://www.politechbot.com/p-02638.html
    
    research of eBay (same time period). yes, it could have changed, but
    where's the evidence?
    
    http://www.citi.umich.edu/u/provos/stego/abc.html
    
    on the issue of azzam.com, I think I read about this a bit ago: wasn't
    this the site where the pictures changed (such as bin Laden facing
    different directions) and the appropriate agencies felt that this was
    meant for giving messages? If so, it's basically a one-time pad, which
    can't really be broken until one gets rid of that property by
    accumulating lots of data points.
    
    ---
    
    From: "Quinn, SallyAnn" <SallyAnn.Quinnat_private>
    To: "'declanat_private'" <declanat_private>
    Subject: RE: Politech challenge: Decode Al Qaeda stego-communications!
    Date: Wed, 10 Jul 2002 17:23:56 -0500
    MIME-Version: 1.0
    
    I can't believe this is back.  Niels Provos and Peter Honeyman
    at the Center for Information Technology Integration at U Mich drove a stake
    through the heart of this rumor last fall by scientifically
    analyzing 2 million images from eBay and 1 million images from USENET.
    Their conclusion is:  "...we are unable to report
    finding a single hidden message."
    
    The study can be viewed at:
    http://www.citi.umich.edu/u/provos/papers/detecting.pdf
    
    Oh, Gina Kolata's stories are highly suspect.    She interviewed PGP's
    author Philip Zimmermann after 9-11, and wrote an article
    insinuating that the algorithm was somehow the terrorists' best friend
    and that Phil was quite happy about it.
    
    
    Sally Ann Quinn, Software Test Engineer
    West
    50 East Broad St., Rochester, NY  14694
    Mail Drop A1-N135
    Tel (585) 546-5530 x3243
    
    
    ---
    
    Date: Wed, 10 Jul 2002 16:43:16 +0100
    From: Pedro F <pedrofat_private>
    To: Declan McCullagh <declanat_private>
    Sender: Pedro F <pedrofat_private>
    Subject: Re: FC: Politech challenge: Decode Al Qaeda stego-communications!
    
    Declan,
    concerning this subject, please see this old article from Newsbytes. I've
    made a search in the (old Newsbytes and now) TechNews.com but found nothing
    on this subject, so I can't give you the link for the article.
    
    On this subject, see also the search page on Wired
    (http://search.wired.com/news/default.asp?query=Steganography). For a new
    application to be released this week, "known as Camera/Shy and is a
    browser-based steganography program that can hide data inside GIF images on
    any Web page", see "App Delivers Censored Content"
    (http://www.eweek.com/article2/0,3959,361950,00.asp).
    
    best wishes
    pedro
    
    
    No Hidden Messages At Pro-Bin Laden Site - Experts
    By Brian McWilliams, Newsbytes
    BLOOMSBURG, PENNSYLVANIA, U.S.A.,
    12 Dec 2001, 3:51 PM CST
    Photos at an anti-American Web site that provides information about Jihad
    are unlikely to contain hidden messages for terrorists, experts said today.
    
    A review today of dozens of photos at the Azzam.com Web site turned up no
    evidence that the images contained steganographic content, according to
    Niels Provos, an expert in the technology.
    
    A report in the Dec. 17 issue of Newsweek said British and U.S.
    intelligence sources suspected some of the site's photos and graphics
    contain secret messages for Al Qaeda terrorist operatives.
    
    Domain registration records indicate Azzam.com is operated by Azzam
    Publications of London, an organization believed to include Osama bin Laden
    supporters, according to the Newsweek report.
    
    Provos' findings were independently confirmed by a researcher at security
    consulting firm Bindview Corporation who goes by the nickname Simple Nomad.
    
    [...]
    
    ---
    
    To: declanat_private
    Subject: azzam.com Stego CONFIDENTIAL
    Date: Wed, 10 Jul 2002 19:19:48 -0400
    
    (Please don't put out my email address.)
    
    I tried a little stego searching on azzam.com. Seems like all the images were
    at 66.197.135.110 so I mirrored the whole thing with httrack and used
    stegdetect on all jpgs in the images directory. Listed below are the
    promising images, but I don't have the time or expertise to try to crack
    them, and I don't know the reliability of stegdetect. Maybe someone else can
    take it from here.
    
    # stegdetect ./*.jpg | grep "false\|\*"
    ./abubakr14.jpg : jphide(*)
    ./amarsmall.jpg : jphide(**)
    ./campxrayprisoners1.jpg : skipped (false positive likely)
    ./harithbahraini.jpg : jphide(*)
    ./iraqduniafalehsmall.jpg : skipped (false positive likely)
    ./iraqmuhammed.jpg : outguess(***)
    ./khartashoihomeruins.jpg : jphide(*)
    ./productspursuitsmall.jpg : jphide(**)
    ./productsrussianhell.jpg : jphide(*)
    ./shaheeddiraarsheeshani.jpg : jphide(***)
    ./shaheedhammamnajdi.jpg : jphide(***)
    ./shaheedharithbahraini3.jpg : jphide(**)
    ./shaheedjamaludeenaljazairi.jpg : jphide(*)
    ./shaheedkhalidqatari2.jpg : jphide(**)
    ./shaheedmuazqatari.jpg : jphide(*)
    ./shaheedmuslimturki.jpg : jphide(**)
    ./shaheedthabitdaheishi.jpg : skipped (false positive likely)
    ./shatoihomerussians.jpg : jphide(**)
    ./storiesharbi2.jpg : jphide(***)
    ./storieszubair1.jpg : jphide(***)
    
    Also in 66.197.135.110/~azzam/afghan/images/photos I get these possible hits:
    ./tnchildwaits.jpg : jphide(***)
    ./tnjawad.jpg : jphide(*)
    ./tnsameera.jpg : jphide(*)
    
    ---
    
    To: declanat_private
    Subject: azzam.com Stego CONFIDENTIAL addition
    Date: Wed, 10 Jul 2002 19:28:39 -0400
    
    I just found that there are more possibles in
    66.197.135.110/~azzam/qoqaz/images, if you want to send my last email out,
    please copy and add this to it. Sorry :)
    
    More possibles here:
    66.197.135.110/~azzam/qoqaz/images
    
    ./child3.jpg : jphide(**)
    ./crimes12.jpg : jphide(***)
    ./crimes14.jpg : jphide(*)
    ./crimes22.jpg : jphide(*)
    ./crimes9.jpg : jphide(***)
    ./dag2.jpg : jphide(*)
    ./dag20.jpg : jphide(**)
    ./dag24.jpg : jphide(*)
    ./dag25.jpg : jphide(**)
    ./dag27.jpg : jphide(*)
    ./dag29.jpg : jphide(*)
    ./dag32.jpg : jphide(*)
    ./dag34.jpg : jphide(*)
    ./dag35.jpg : jphide(**)
    ./dag36.jpg : jphide(*)
    ./dag41.jpg : jphide(**)
    ./dag45.jpg : jphide(***)
    ./dag54.jpg : jphide(*)
    ./dag58.jpg : jphide(***)
    ./db4.jpg : jphide(*)
    ./dead3.jpg : jphide(*)
    ./dead4.jpg : jphide(*)
    ./eidopabuansar.jpg : jphide(*)
    ./grozsupp1.jpg : jphide(***)
    ./grozsupp11.jpg : jphide(*)
    ./grozsupp4.jpg : jphide(***)
    ./grozsupp6.jpg : jphide(***)
    ./injured2.jpg : jphide(*)
    ./injured3.jpg : jphide(*)
    ./mass4.jpg : jphide(*)
    ./mass5.jpg : jphide(*)
    ./poss2.jpg : jphide(**)
    ./poss4.jpg : jphide(*)
    ./russianfear1.jpg : jphide(**)
    ./shaheed7.jpg : jphide(*)
    ./talhasmall.jpg : jphide(*)
    ./trio1.jpg : jphide(***)
    ./triohoriz2.jpg : jphide(***)
    
    ---
    
    [From Brian. --Declan]
    
    ./66.197.135.110/%7Eazzam/images/campxrayprisoners1.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/images/lands/worldsmall.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/images/productsrussianhell.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/productspursuitsmall.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/images/storieszubair1.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/images/shaheedkhalidqatari2.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/images/shaheedmuazqatari.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/storiesharbi2.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/images/shaheedhammamnajdi.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/images/abubakr14.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/shaheedthabitdaheishi.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/images/shaheedmuslimturki.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/images/shaheedjamaludeenaljazairi.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/shaheedharithbahraini3.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/images/harithbahraini.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/shaheeddiraarsheeshani.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/images/iraqmuhammed.jpg : outguess(***)
    ./66.197.135.110/%7Eazzam/images/iraqduniafalehsmall.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/images/amarsmall.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/images/khartashoihomeruins.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/images/shatoihomerussians.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/afghan/images/photos/worldsmostwanted.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/afghan/images/photos/tnchildwaits.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/afghan/images/photos/tnsameera.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/afghan/images/photos/tnjawad.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/sarajevo2.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/toronto2.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/madrid1.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/madrid3.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/shaheedthabitdaheishi.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/qoqaz/images/talhasmall.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/trio1.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/triohoriz2.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp1.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp6.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp11.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/grozsupp4.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dead3.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dead4.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/poss2.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/poss4.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/eidopabuansar.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/db4.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/shaheed7.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/injured2.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/injured3.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/russianfear1.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/child3.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag2.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag20.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag24.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag25.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag27.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag29.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/glossary/ak74.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag32.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag34.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag35.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag36.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag41.jpg : jphide(**)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag45.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag54.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/dag58.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/mass4.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/mass5.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/crimes9.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/crimes10.jpg : skipped (false positive likely)
    ./66.197.135.110/%7Eazzam/qoqaz/images/crimes12.jpg : jphide(***)
    ./66.197.135.110/%7Eazzam/qoqaz/images/crimes14.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/crimes22.jpg : jphide(*)
    ./66.197.135.110/%7Eazzam/qoqaz/images/qzasplogosmall.jpg : skipped (false positive likely)
    ./stegdetect/jpeg-6b/testimg.jpg : jphide(***)
    ./stegdetect/jpeg-6b/testimgp.jpg : jphide(***)
    ./stegdetect/jpeg-6b/testorig.jpg : jphide(***)
    ./stegdetect/jpeg-6b/testprog.jpg : jphide(***)
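
An added example, not part of any message in this thread: a Python parser for stegdetect output in the format quoted above, which tallies hits by confidence level and computes the hit-rate comparison Brian describes (70 of 580 against a baseline corpus). The sample lines, the `./control/` prefix for known-clean files and the figure of 23 baseline hits (standing in for "a handful", about 1% of 2300) are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample in the stegdetect output format quoted in this thread.
# One entry is wrapped across two lines, as in the mailed attachment.
SAMPLE = """\
./site/a.jpg : jphide(*)
./site/b.jpg : jphide(***)
./site/c.jpg : skipped (false
positive likely)
./site/d.jpg : outguess(***)
./site/e.jpg : negative
./control/known_clean.jpg : jphide(***)
"""

ENTRY = re.compile(r"^(\S+) :\s*(.*)$")               # "<path> : <verdict>"
HIT = re.compile(r"(\w+(?:\(old\))?)\((\*{1,3})\)")   # "<detector>(<stars>)"

def parse(text):
    """Return [(path, verdict, [(detector, stars), ...])], rejoining wraps."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ENTRY.match(line)
        if m:
            rows.append([m.group(1), m.group(2)])
        elif rows:                                    # continuation of a wrapped entry
            rows[-1][1] = (rows[-1][1] + " " + line).strip()
    return [(p, v, [(d, len(s)) for d, s in HIT.findall(v)]) for p, v in rows]

def summarize(rows, control_prefix):
    """Tally hits by highest confidence; keep control-set hits separate."""
    out = {"hits": 0, "skipped": 0, "control_hits": 0, "by_stars": Counter()}
    for path, verdict, hits in rows:
        if verdict.startswith("skipped"):
            out["skipped"] += 1
        elif hits and path.startswith(control_prefix):
            out["control_hits"] += 1                  # detector fired on a known-clean file
        elif hits:
            out["hits"] += 1
            out["by_stars"][max(n for _, n in hits)] += 1
    return out

def two_proportion_z(hits_a, n_a, hits_b, n_b):
    """z statistic for the difference between two hit rates (pooled variance)."""
    pooled = (hits_a + hits_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    return (hits_a / n_a - hits_b / n_b) / se

if __name__ == "__main__":
    print(summarize(parse(SAMPLE), "./control/"))
    # 70 of 580 is from the thread; 23 of 2300 is an assumption standing in
    # for "a handful ... 1%".
    print(round(two_proportion_z(70, 580, 23, 2300), 1))
```

A large z only says the two corpora differ in detector hit rate; a non-zero `control_hits` count on files known to carry no payload is the signal that the detector's false-positive rate needs calibrating before the hits are read as hidden content.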
    
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    