[ISN] The case of the missing code

From: InfoSec News (isnat_private)
Date: Thu Jul 18 2002 - 05:02:29 PDT


    Forwarded from: Bob Adams <bobat_private>
    
    I know that the subject of steganography and its use by terrorists is
    a highly controversial topic out there and I have no background to get
    involved directly in the technical debate. However, I do think this is
    one of the most balanced, and least sensationalistic, articles I've
    read on the subject.
    
    Bob Adams
    http://www.globaldisaster.org
    
    -=-
    
    http://www.salon.com/tech/feature/2002/07/17/steganography/index.html
    
    By Farhad Manjoo
    July 17, 2002  
    
    If you were a terrorist schooled in fundamentalist Islam, mass
    violence, digital cryptography and, not least, the pack-rat ethos
    peculiar to eBay, in which corner of that vast auction site might you
    hide your plans for America's end?
    
    Would you favor the popular items, stuffing nuclear secrets into one
    of the nearly 4,000 Pez-related listings? Or would you go for
    something more obscure -- the date and time of al-Qaida's next
    operation concealed in a $3 glossy press photo from the old television
    sitcom "My Two Dads"? Or, displaying your flair for irony, would you
    conduct your terrorist business right under the kitsch-loving noses of
    the Americans who hate you most, those who would buy a "Boy Peeing on
    Osama" pickup-truck decal?
    
    Silly as they seem, U.S. intelligence agents consider these questions
    key to their victory in the war on terrorism, according to unnamed
    sources who have been quoted in media reports over the past year.  
    Since before Sept. 11, a series of articles have quoted experts
    suggesting that al-Qaida may be especially Internet-savvy and could be
    mounting a full-scale "cyberwar" against the United States.
    
    While much of it comes off as alarmist speculation, one hard-to-prove
    fact has slowly gained a patina of credibility: that terrorists are
    hiding coded messages in the image files on eBay and other sites that
    allow public posting. These images would appear normal to most eBay
    shoppers, but they are actually brimming with guile. A terrorist who
    knew their true purpose could download the files, decode them with his
    secret password and perhaps find out where to strike next.
    
    Jack Kelley, a veteran foreign correspondent for USA Today, has been
    at the forefront of these reports. In February 2001, Kelley reported
    that hidden "in the X-rated pictures on several pornographic Web sites
    and the posted comments on sports chat rooms may lie the encrypted
    blueprints of the next terrorist attack against the United States or
    its allies."
    
    His report prompted a flurry of follow-up stories in other
    publications, including one Wired News story in which a security
    expert said that his company, WetStone Technologies, had found several
    hidden messages on eBay and Amazon. After Sept. 11, dozens of
    newspapers, including the New York Times and the Washington Post,
    cited WetStone in reports that eBay may be crawling with terrorists.  
    These accounts were almost universally dismissed by Internet-rights
    types, who said that they wouldn't believe the stories until they saw
    proof that "steganography" -- the practice of digitally hiding
    messages in media files -- is indeed on the rise.
    
    On July 10, USA Today prompted renewed interest in the steganography
    debate by adding some meat to the eBay story. "Lately, al-Qaida
    operatives have been sending hundreds of encrypted messages that have
    been hidden in files on digital photographs on the auction site
    eBay.com," reported Jack Kelley. "The volume of the messages has
    nearly doubled in the past month, indicating to some U.S. intelligence
    officials that al-Qaida is planning another attack." Kelley added that
    eBay did not return his calls for comment.
    
    The USA Today article has raised plenty of eyebrows -- eBay for
    example, has no record of being contacted by Kelley, and stresses that
    no federal agency has alerted it to any potential problems. There also
    appears to be little, if any, publicly available hard evidence of the
    use of steganography in files on the auction site.
    
    The frightful genius of steganography, though, is that, by design, you
    don't know when it's being used. Independent researchers have devised
    numerous methods to search for signs of its proliferation on the Web,
    and some have reported that they've found nothing, and there's
    consequently no reason to be afraid. But when you think about these
    studies, the results become about as comforting as homeland security
    advisor Tom Ridge's color-coded alert system. After all, if you search
    for hidden messages on the Web and find nothing, what should you
    conclude -- that there are no messages, or that the terrorists are too
    sophisticated, and your tools don't work?
    
    The answer to this question turns out to be a highly personal one, a
    matter of individual psychology and interest rather than a reasoned
    decision based on collective safety and the immutable laws of math.  
    Ask security types, or people who make software to aid security types,
    and they say that steganography is a grave threat to our safety.  
    Defenders of steganography, and its cousin cryptography, take the
    opposite view. These are people who become easily exercised over the
    prospect of the government monitoring the Web, and they say that if
    researchers haven't found secret messages, the messages are likely not
    there. But amid this politicking, one important question tends to get
    left by the wayside: if steganography is, or eventually becomes, the
    preferred tool of terrorists, can we ever thwart it? According to many
    experts, the answer is probably no.
    
    The USA Today article was the first to put a number on how many
    stego-messages were on eBay -- a number so high that many doubted it
    immediately. Kelley's was also the first story to suggest that the
    government is specifically watching eBay, as opposed to other public
    Web sites. The detail that the messages "have been sent from Internet
    cafes in Pakistan and public libraries throughout the world" suggested
    that the messages found inside the image files had been encrypted, and
    the only thing the government was able to determine about them was the
    IP address of their servers.
    
    The story had Internet libertarians crying foul. Technology reporter
    Declan McCullagh's Politech mailing list, one of the last bastions of
    circa-1995 government wariness on the Net, featured dozens of messages
    from readers who were sure the piece was bogus. Politech even
    challenged readers to find and decode an al-Qaida missive hidden in an
    image file on the Web.
    
    Libertarian skepticism does not appear to be misplaced; there are
    several reasons to question USA Today's story. Kevin Pursglove, an
    eBay spokesman, says that while it's possible that the company somehow
    missed Jack Kelley's phone call, Pursglove and his associates in P.R.  
    don't recall hearing from the reporter. Moreover, eBay has never been
    contacted by any government agency regarding possible terrorist
    communications on its site. "I'm not saying what he's reporting is not
    true," Pursglove said, "but it's just that nobody from the federal
    government has contacted us. We've got an investigations team here
    that has extensive contacts with federal authorities, with the FBI,
    the State Department, the CIA, the military. We have not had any
    contact at all about this."
    
    Salon called several federal agencies to see whether they were indeed
    watching eBay, but the calls went unanswered. Jack Kelley, too, did
    not return calls. But many security experts, even those who believe
    that terrorists use steganography, disputed the specifics of Kelley's
    report.
    
    Chet Hosmer, the president of WetStone Technologies, the company that
    first reported the possibility of hidden messages on eBay and which
    makes what many people say is the most advanced publicly available
    steganographic-detection software, said that in his research, very few
    messages on eBay show signs of being infected by terrorists. About one
    in 100,000 pictures "appears suspicious," but a much smaller number --
    "one in every 15 to 20 million files" -- is "something that we really
    believe is a real hidden message."
    
    Under this standard, for the government to have found 100 stego files,
    it would have had to have analyzed something on the order of 1 or 2
    billion images. According to eBay's first quarter financial results,
    the site hosted a record 138 million auctions last quarter.  
    Extrapolating that number out for the 300 or so days since Sept. 11,
    we see that there have been fewer than half a billion eBay listings
    since the attacks -- simply not enough to account for "hundreds" of
    hidden messages.
    
    Now, this back-of-the-envelope calculation rests on several
    assumptions; the most important is that the government isn't using a
    stego-detector more sophisticated than WetStone's. WetStone has
    received funding from the Department of Defense, but Hosmer says that
    the government could have much fancier technology, and so it could
    find stego-messages at rates much higher than one in 15 million.  
    There's also a chance that the feds have information that allows them
    to narrow their search to specific sections of eBay, which would make
    their job considerably easier.
    
    There's no question that tools to hide messages in image files are
    easily available on the Web, and most of them are point-and-click
    simple to use. But as these tools scramble the message into different
    parts of the image file, they add some discernible "pattern" of bits
    -- detecting stego is all about finding that anomalous statistical
    pattern in the code of what looks like an otherwise normal image.
    
    Unfortunately, that process turns out to be what's known, in the
    jargon, as "computationally expensive." It's also somewhat buggy;  
    there's a high false-positive rate. Consequently, when an image is
    suspected to have some hidden info inside it, it could take as much as
    30 seconds, Hosmer said, to fully test it. That's why you wouldn't
    want to monitor all of eBay, as it would take quite some time to go
    through just one day's worth of images. "With our computer power, what
    we tend to look at is images that we may have sources saying are
    suspicious, and then test those. We would act like detectives in the
    real world," he said.
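
    Added example, not from the article and not WetStone's software: a toy
    version of the statistical test Hosmer describes, applied to the simplest
    hiding method (overwriting each pixel's least significant bit). The cover
    image, the message and the 0.2 cut-off are constructed assumptions; the
    run also shows the two failure modes the article raises, a short message
    that the whole-image score misses and a synthetic flat image that is
    falsely flagged.

```python
import random


def make_cover(n=40000, seed=7):
    """Constructed stand-in for a cover image's pixel values.

    A photo's histogram is rough: the counts of neighbouring values 2k and
    2k+1 differ by an arbitrary amount. We get that roughness by drawing
    each of the 256 values with its own random weight (an assumption)."""
    rng = random.Random(seed)
    weights = [rng.random() for _ in range(256)]
    return rng.choices(range(256), weights=weights, k=n)


def lsb_embed(samples, n_bits, seed=11):
    """Simulate a simple hiding tool: overwrite the least significant bit of
    the first n_bits samples with a random (i.e. encrypted-looking) message.
    Returns a new list; the cover is left untouched."""
    rng = random.Random(seed)
    out = list(samples)
    for i in range(min(n_bits, len(out))):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


def pair_imbalance(samples):
    """Score in [0, 1]: how unequal the counts of each value pair (2k, 2k+1)
    are. Random LSBs push every pair toward 50/50, so the score collapses
    toward 0; an untouched rough histogram keeps a high score."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    diff = sum(abs(hist[2 * k] - hist[2 * k + 1]) for k in range(128))
    return diff / len(samples)


THRESHOLD = 0.2  # assumed cut-off; a real detector calibrates this on a corpus


def looks_embedded(samples):
    """True when the LSB plane looks suspiciously balanced."""
    return pair_imbalance(samples) < THRESHOLD


if __name__ == "__main__":
    cover = make_cover()
    full = lsb_embed(cover, len(cover))           # message fills the image
    short = lsb_embed(cover, len(cover) // 20)    # message uses only 5%
    flat = list(range(256)) * 100                 # synthetic gradient, no message
    for name, img in [("cover", cover), ("full", full),
                      ("5% message", short), ("flat image", flat)]:
        print(f"{name:11s} score={pair_imbalance(img):.3f} "
              f"flagged={looks_embedded(img)}")
```

    The full-image message is caught, the 5% message is not (a false
    negative), and the flat synthetic image is flagged although it carries
    nothing (a false positive), which is why a score like this is a triage
    signal rather than proof.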
    
    Acting like a real-world detective requires thinking like a terrorist,
    and asking yourself hard questions: If you were a terrorist, where on
    eBay would you hide your loot? To describe the difficulty of the task,
    Hosmer once coined a phrase that is often repeated by others who study
    steganography: "It's not like finding a needle in a haystack. It's
    like finding the right piece of straw in a haystack."
    
    But the task is in fact more difficult than that, because after you
    find what you think is your piece of straw, there's really no way to
    know that you've got the right one. Earlier this year, Niels Provos, a
    graduate student at the University of Michigan, reported that after
    checking 2 million eBay listings, he'd found no suspect images. But
    when he described the study, he added, darkly, that "I can't answer
    the question of whether or not there is hidden content on the
    Internet. My negative result doesn't indicate that the hidden
    communications aren't there."
    
    More recently, in response to the Politech challenge, Brian Ristuccia,
    a computer science student in Massachusetts, reported that he'd run
    some tests on Azzam.com, a pro-jihad site, and found that it had a
    very high positive rate for stego-images. Because these could be false
    positives, he's trying to use a brute-force "dictionary attack" to
    break into the messages -- but he doesn't hold out hopes that he'll
    find anything of substance. If he manages to crack open an image and
    find a message inside, Ristuccia says he's sure the message will be
    encrypted. Would that mean he's found the right straw in the haystack,
    the straw that hints at future terror? Short of cracking the
    encryption scheme -- a tremendously computationally expensive task --
    he'll never know.
    
    While the challenges in fingering steganography may cast some
    suspicion over the USA Today report, they also don't help make a case
    for the libertarian argument that the technology is relatively
    harmless. Neil Johnson, a steganography expert, says that he's aware
    that stego could be harmful, but he says much good can come of it,
    too. There are many scenarios "where the observation that you and I
    are communicating could cause a problem for one or both of us," he
    said, suggesting dictatorial regimes, military missions, that kind of
    thing. The argument has the flavor of a gun-rights rant -- secret
    messages can be used for evil, but if everyone used them, society
    would, on balance, be better. Steganography doesn't kill people,
    terrorists do.
    
    For now, that argument doesn't seem especially crazy; but if, after
    the next terrorist attack, it's shown that the attackers used
    steganography to communicate with each other, governments are probably
    going to move against the technology.
    
    To prevent disaster, Hosmer says that commercial sites and ISPs should
    take it upon themselves, now, to scrub their sites free of
    steganography. He suggests that sites that accept public images for
    posting scan each new image. He admitted that "there's no question
    that that certainly benefits us, but really there is no other way to
    police this. There's no way you can scan all the current information
    for the presence of this. It's too vast to police it any way, but
    these companies could detect it early and come up with information
    before it's too late."
    
    EBay has no plans to do this, Pursglove said. "It would have such a
    negative impact on the site as a whole," he said, explaining that eBay
    doesn't host its own images, which would make such scans technically
    difficult. EBay already has many safeguards, including requiring
    sellers to provide a credit card and a physical address, which would
    leave a paper trail to any would-be terrorist. And, Pursglove added,
    if the government came to eBay and told the company about some
    suspicious material, "We would certainly cooperate with the
    authorities."
    
    
    About the writer
    
    Farhad Manjoo is a staff writer for Salon Technology & Business.
     
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 07:57:18 PDT