Battling Steganography

Posted by CmdrTaco on Thu Aug 16, 2001 12:01 PM
from the why-would-you-want-to dept.
An anonymous reader submitted a fairly thin little story about a researcher who is Battling Steganography. I can certainly see the appeal of the study but it really seems like a needle in a hay stack sort of project. And when you actually can detect one technique, new and better techniques will crop up and take its place.
This discussion has been archived. No new comments can be posted.
  • Forget *battling* stenography. by nobodyman (Score:1) Thursday August 16 2001, @02:20PM
  • Wait a minute (Score:5, Insightful)

    by imAck (102644) on Thursday August 16 2001, @12:08PM (#2111109) Homepage
    Was it just me, or did the article make it seem like anyone that would use steganography would be a criminal? Since when in a 'free' country should the ability to hide a message be of interest to the "legal community"?

    • Re:Wait a minute (Score:4, Insightful)

      by DeadVulcan (182139) <`moc.xobop' `ta' `nacluv.daed'> on Thursday August 16 2001, @12:48PM (#2113599)

      Was it just me, or did the article make it seem like anyone that would use steganography would be a criminal?

      The article didn't say this at all. In fact, the types of criminal activity that were mentioned were "political and corporate espionage or illegal pornography."

      Talking on the phone is not criminal, but wiretaps are used all the time in fighting organized crime.

      [ Parent ]
    • Re:Wait a minute by weston (Score:2) Thursday August 16 2001, @03:11PM
    • Relevance to legal community by dstone (Score:2) Thursday August 16 2001, @03:56PM
    • Re:Wait a minute (Score:4, Insightful)

      by twitter (104583) on Thursday August 16 2001, @01:56PM (#2135705) Homepage Journal
      You are right, the article did have that feeling.

      We might expect this of a promotional article. Breaking crypto to fight perverts sounds more exciting than studying patterns to detect private messages. Others have proposed better promotion, like making crypto stronger by breaking weak methods.

      A good analogy to fight the underlying assumption of the negative promotion is clothing. The assumption is that only criminals have something to hide. Bull. Try working words like "naked" and "bare" into your thoughts. Examples: "What, are you still sending naked email?", "Are you foolish enough to trust bare telnet logins?". People will get the idea.

      Society does not work, and its individuals are debased when privacy is eliminated. It's impossible to have frank discussions when you may be overheard by people who may misunderstand. It's impossible to invest or plan without privacy.

      [ Parent ]
    • Re:Wait a minute by cavemanf16 (Score:1) Thursday August 16 2001, @12:17PM
  • Maybe this can help with spam? by JWhitlock (Score:2) Thursday August 16 2001, @04:53PM
  • Warning signs of secret messages by John Guilt (Score:1) Thursday August 16 2001, @03:46PM
  • Who writes these captions ? (Score:3, Funny)

    by dingbat_hp (98241) on Thursday August 16 2001, @12:07PM (#2114018) Homepage
    ... The secondary image, woven into the primary one, would not be possible to detect by peeling up one corner of the main image (as has been done here merely for illustrative purposes).

    Excuse me ? Did I wander into The Onion [theonion.com] by mistake ?

  • Statistics are bullshit. by Sergeant Rock (Score:1) Thursday August 16 2001, @12:36PM
  • Big clue by PurpleBob (Score:2) Friday August 17 2001, @01:35AM
  • Patterns in lowest bits (Score:3, Informative)

    by Fencepost (107992) on Thursday August 16 2001, @12:52PM (#2115793) Journal
    I haven't actually done any digging on this, but I suspect that for almost any graphic image there are detectable patterns in the ordering of the lowest bits. There will of course be some files (particularly small ones) where there isn't enough information to identify patterns, and there will be others where the distribution truly is random, but that just means that identifying files with steganographically-encoded information won't be a 100% accurate process.

    That lack of certainty really isn't that big an issue, because with a good idea of what percentage of images are false positives it would be fairly simple to look for image sources where the percentage was well outside the norm.

    All of this would of course be very resource intensive and would require access to large amounts of data (Omnivore, anyone?) but it's far from outside the capabilities of most governments.

    Possibly also of interest to people is Benford's Law, which relates to the distribution of numbers - turns out that in many areas it's very simple to identify real data vs random data, because real data has some definite non-random properties.

  • Prof. Farid by Negadecimal (Score:1) Thursday August 16 2001, @12:37PM
  • pointless by mj6798 (Score:2) Thursday August 16 2001, @01:35PM
  • DMCA... by Synithium (Score:1) Thursday August 16 2001, @01:38PM
  • Super Steganography (JOKE) by closet_subversive (Score:1) Thursday August 16 2001, @11:30PM
  • stegdetect already does this (Score:3, Informative)

    by gehirntot (133829) on Thursday August 16 2001, @01:19PM (#2120056)
    I am a bit surprised. I released stegdetect [outguess.org] in early February this year. It automatically detects steganographic content in images. It can even determine which program was used to embed hidden content.

    You might also want to check the techreports [umich.edu] that I published about my research.

    At HAL 2001, I presented on Detecting Steganographic Content on the Internet [umich.edu]. You might like that.

    Dartmouth certainly seems to know how to do PR. I would just like to know where their publications are.

  • What about deniability? (Score:3, Interesting)

    by (void*) (113680) on Thursday August 16 2001, @12:37PM (#2120095)
    Suppose one gets caught with such an image. According to him, the technique has a 90% chance of success. So what about the 10%, wherein, one has no message encoded in an image, but triggers the alarms anyway? If you get caught by the FBI, what can you say?

    You might say that 90% is no pretty significant. But considering how many actual images are there out there with actually no steganographic message, I think you'll actually end up persecuting more innocent people.

    I just more more evidence than this is required for a warrant to be issued.
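Added example, not part of the comment above or of the article: the base-rate arithmetic behind this objection, together with the per-source screening that Fencepost's comment earlier in the thread suggests as the way around it. The 90% and 10% rates are the figures used in the comment; the 1-in-10,000 prevalence, the source names and the counts are constructed assumptions.

```python
from math import exp, lgamma, log

def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p), summed in log space."""
    def log_pmf(i):
        return (lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
                + i * log(p) + (n - i) * log(1 - p))
    return min(1.0, sum(exp(log_pmf(i)) for i in range(k, n + 1)))

def flag_precision(prevalence, detect_rate, false_alarm_rate):
    """Share of flagged images that really carry a payload (Bayes' rule)."""
    true_flags = prevalence * detect_rate
    false_flags = (1 - prevalence) * false_alarm_rate
    return true_flags / (true_flags + false_flags)

def unusual_sources(flag_counts, false_alarm_rate, alpha=0.01):
    """Sources whose flag count is too high to be false alarms alone.

    flag_counts maps source -> (flagged, scanned). alpha is split across
    the sources (Bonferroni) so scanning many sources does not inflate hits.
    """
    cutoff = alpha / len(flag_counts)
    hits = {}
    for source, (flagged, scanned) in flag_counts.items():
        p_value = binom_tail(flagged, scanned, false_alarm_rate)
        if p_value < cutoff:
            hits[source] = p_value
    return hits

# Constructed counts: 500 images scanned per source, 10% false-alarm rate.
SAMPLE_COUNTS = {
    "source-a": (48, 500),
    "source-b": (55, 500),
    "source-c": (95, 500),
}

if __name__ == "__main__":
    print(f"precision at 1 in 10,000: {flag_precision(1e-4, 0.9, 0.1):.4%}")
    for source, p in unusual_sources(SAMPLE_COUNTS, 0.1).items():
        print(f"{source}: p = {p:.2e}")
```

A single flag says almost nothing about one image at this prevalence, while a source whose flag rate sits far above the false-alarm rate stands out clearly.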

  • Impossibility (Score:4, Informative)

    by zpengo (99887) on Thursday August 16 2001, @12:04PM (#2123204) Homepage
    Steganography is nothing new. People have been hiding secret messages in innocuous objects since time began. Naturally, various people want to prevent this, but the method's very nature makes it almost impossible to simply track.
    • An Analogy by underwhelm (Score:3) Thursday August 16 2001, @05:04PM
  • application to DMCA et al by anonymous loser (Score:1) Thursday August 16 2001, @01:11PM
  • Not Quite Useless (Score:3, Insightful)

    by lblack (124294) on Thursday August 16 2001, @12:18PM (#2125289)
    While it's true that human beings can interpret images to mean something that a machine could never pick up on, that's not the thrust of the research being done here.

    He is doing research into a very particular kind of steganography, whereby messages are concealed within an image via slightly altering the least significant bits of an image.

    When you encode information in this way, somebody knowing how to extract it can pull out a message which is not subjective (as in the example of interpreted images given by another poster), but rather is very concrete.

    There is some evidence that this form of encoding has been used to communicate information throughout terrorist cells.

    What the researcher is doing is developing a method to detect when the LSB's in an image have been manipulated slightly. He is not trying to decode the message, but only to flag particular images as being suspicious.

    Decoding would be a matter for someone completely different -- like the FBI, for instance.

    His method does have applications, and if it is through alteration of LSB that a message is embedded in an image, it will apparently detect such 90% of the time.

    This is a vast improvement over any existing methods I know of for detecting LSB manipulation.

    So he's not quite looking for a needle in a haystack. He's examining millions of haystacks, and pinpointing the ones that probably *do* have needles in them.

    Quite a large difference, really.

    -l
  • battling privacy? by Anonymous Coward (Score:1) Thursday August 16 2001, @12:04PM
  • I don't know how possible this is... by Quixote (Score:1) Thursday August 16 2001, @01:55PM
  • What about encrypting steg'd data? by Suicyco (Score:1) Thursday August 16 2001, @05:36PM
  • Whole Lot O' Nuthin' by cthrall (Score:1) Thursday August 16 2001, @02:24PM
  • This is Wonderful News (Score:5, Insightful)

    by crisco (4669) on Thursday August 16 2001, @12:56PM (#2128058) Homepage
    The reason we have effective encryption (when it is implemented right) available to use is because of the large amount of research that has gone into breaking encryption. Because of the community of mathematicians and others actively trying to break weak algorithms we know the strengths and weaknesses of various ways to encrypt data.

    Now we have more people looking at steganography. This can only make it more effective. Sure, the methods we have now might be broken but what about the next ones, the ones that don't show up on the statistical analysis that he appears to be using.

  • Rounding/compression and perfect stenography by RockyJSquirel (Score:1) Thursday August 16 2001, @11:30PM
  • Not a waste of time... by Junior J. Junior III (Score:2) Thursday August 16 2001, @12:25PM
  • Steganography in movies by EMH_Mark3 (Score:1) Thursday August 16 2001, @12:42PM
  • This could be fun... by evilgrin (Score:1) Thursday August 16 2001, @12:11PM
  • some thoughts (Score:3, Interesting)

    by Proud Geek (260376) on Thursday August 16 2001, @12:18PM (#2131394) Homepage Journal
    First, Taco's comment about "new and better techniques" is ill-informed. This is an information-theoretic method, where the inclusion of hidden information alters the nature of the information in the original document. What this technique does not give you is any hint on how to extract the hidden information.

    Second, I'm not sure how to react to this. I don't use steganography to hide information, nor do I encrypt my email normally. I guess it's good to know if the techniques used to do this are detectable or breakable, but if it was actually used on a large scale you can bet I'd be screaming, "Big Brother!!!"

  • Not too plausable of an argument by Lumpy (Score:2) Thursday August 16 2001, @12:12PM
  • I don't see how this can work by eXtro (Score:1) Thursday August 16 2001, @01:01PM
  • Watermark detection by KurtP (Score:1) Thursday August 16 2001, @12:23PM
  • see provos' work by nobody/incognito (Score:2) Thursday August 16 2001, @01:03PM
  • Damn... by Hobart (Score:2) Thursday August 16 2001, @01:13PM
  • Talk about arrogance... by PRobinson (Score:1) Thursday August 16 2001, @12:10PM
  • by Bonker (243350) on Thursday August 16 2001, @12:10PM (#2132346)
    The article stated that the guy used an algorithm to detect statistical variations and predict whether an image had steganographically hidden data 90% of the time.

    How about a GIMP or Photoshop plugin to randomly insert junk data in any JPEG saved in order to make this technique useless? It'd be fun to the the NSA sit and fret over an image that apparently had a list of Warez traders and DMCA violators but instead contained the lyrics to 'Penny Lane'.

    Better yet, how about an Apache module that does this same thing to every JPG it serves?

    The point is, that as soon as it becomes common procedure to intercept images to check for steganography, those who use steganography will switch methods. I bet PGP data encoded in a JPG is a lot harder to detect, and infinitely harder to extract.
  • Sorce for stenography info by Lumpy (Score:2) Thursday August 16 2001, @12:35PM
  • This could not be held up as evidince by Phaser6047 (Score:1) Thursday August 16 2001, @01:02PM
  • Damn! by Phrack (Score:1) Thursday August 16 2001, @12:47PM
  • Image encrypt. should beat this by rchf (Score:1) Thursday August 16 2001, @02:13PM
  • F u cn rd ths ... (Score:3, Funny)

    by graybeard (114823) on Thursday August 16 2001, @12:12PM (#2133676)
    u cn b a stngrfr!
    • Re:F u cn rd ths ... (Score:5, Interesting)

      by dschuetz (10924) <slash@david.da[ ]t.org ['sne' in gap]> on Thursday August 16 2001, @12:55PM (#2121039) Homepage
      If steganography can be made "turnkey", it'll work
      for most of today's privacy requirements.

      You might think that it'd be easy to detect,
      or simple to prevent, but that's simply not true.
      Unless someone lists all the ways in which one

      can hide information, and a fantastically fast
      approach to testing any given communication on the
      net against those techniques. Otherwise, to

      read a steganographically-encoded message,
      each recipient will need to figure out which of
      all the messages intercepted even includes the
      data you're looking for, and what was used in

      this particular instance. Hell, one might even
      have two or more different techniques applied
      in a single message. Like this message does.
      Sort of.

      ....

      [ Parent ]
    • Re:F u cn rd ths ... by mlibby (Score:1) Thursday August 16 2001, @12:48PM
    • Re:F u cn rd ths ... by wiredog (Score:2) Thursday August 16 2001, @12:41PM
  • Best way to avoid scrutiny with a hidden message by Anonymous Coward (Score:2) Thursday August 16 2001, @03:06PM
  • Hmm. I wonder if he's violating the DMCA by westfirst (Score:2) Thursday August 16 2001, @03:06PM
  • Open Source Steganography? by dstone (Score:2) Thursday August 16 2001, @05:07PM
  • POLICE!! FBI!! by Mister_Rogers (Score:1) Thursday August 16 2001, @01:39PM
  • How can you detect random noise? (Score:3, Interesting)

    by Contact (109819) on Thursday August 16 2001, @12:13PM (#2134214)
    Disclaimer: I'm not an encryption expert by any stretch of the imagination...

    This is an interesting idea, but surely any good encryption produces an output which is indistinguishable from random noise. So, how can the algorithms mentioned in the article (which is interesting, but rather short on facts...) distinguish between the noise added by a steganographically embedded encrypted message and the noise caused by a slightly underspecced A to D converter?

    I'm honestly curious... has anyone got any links to a more detailed report on this?

    • Re:How can you detect random noise? (Score:5, Informative)

      by bartle (447377) on Thursday August 16 2001, @12:34PM (#2119591) Homepage

      So, how can the algorithms mentioned in the article (which is interesting, but rather short on facts...) distinguish between the noise added by a steganographically embedded encrypted message and the noise caused by a slightly underspecced A to D converter?

      You're right, there isn't too much of a difference between random noise and an encrypted communication. If you had a pure digital stream that had just been converted from analog, you could stick data in the least significant bits and no one would be the wiser. For example, a CD is just a sequence of 16 bit words iterated 44,100 times a second; you could just replace the least significant bit in each word with bits from your hidden message and it would be indistinguishable from random noise.

      The problem arises when you try to compress digital information. These compression algorithms use the most optimum way to represent data that they can find and discard the least significant data, so they would completely destroy the aforementioned hidden message. To hide data in a compressed file you need to play with how the compression mechanism stores the data, and the resulting file is most probably not going to be optimally compressed when you're done. What this guy is doing is looking at how the information was compressed, extract the overlying data that was being stored, and making sure the compression algorithm was indeed optimal. If there are any odd quirks in the compressed data or it doesn't look like the compression was optimal, it may be because data is hidden inside.

      I hope this is a good enough explanation. I'm short on the examples but the underlying ideas are pretty basic.

      [ Parent ]
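Added example, not code from any poster or from the researcher in the article: a test of the two claims in this thread, Fencepost's (the lowest bits of real data show patterns) and the one above (LSB data in a noisy stream looks like noise). It uses the pairs-of-values chi-square statistic, a published detector for LSB replacement chosen here for illustration, on two constructed 8-bit sample sets; the covers, the seed and the sample count are assumptions.

```python
import random
from collections import Counter

def lsb_embed(samples, bits):
    """LSB replacement: overwrite bit 0 of each sample with one message bit."""
    return [(s & ~1) | b for s, b in zip(samples, bits)]

def pov_ratio(samples, min_pair=10):
    """Chi-square over value pairs (2k, 2k+1), divided by the number of pairs.

    Replacing every LSB with random-looking bits pulls the two counts of each
    pair together, so the ratio settles near 1. A much larger ratio means the
    low bit still carries structure from the source.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        if a + b < min_pair:  # too few samples for a stable term
            continue
        stat += (a - b) ** 2 / (a + b)
        pairs += 1
    return stat / pairs if pairs else float("inf")

def clamp8(value):
    return max(0, min(255, value))

def noisy_cover(rng, n):
    """Constructed input: 8-bit samples whose low bit is already noise."""
    return [clamp8(round(rng.gauss(128, 30))) for _ in range(n)]

def structured_cover(rng, n):
    """Constructed input: 7-bit source scaled to 8 bits, 80% of values even."""
    return [clamp8(2 * round(rng.gauss(64, 12)) + (rng.random() < 0.2))
            for _ in range(n)]

def experiment(seed=2001, n=20000):
    """Return {cover name: (ratio before embedding, ratio after embedding)}."""
    rng = random.Random(seed)
    results = {}
    for name, make in (("noisy", noisy_cover), ("structured", structured_cover)):
        cover = make(rng, n)
        bits = [rng.getrandbits(1) for _ in range(n)]  # stands in for ciphertext
        results[name] = (pov_ratio(cover), pov_ratio(lsb_embed(cover, bits)))
    return results

if __name__ == "__main__":
    for name, (clean, embedded) in experiment().items():
        print(f"{name:10s} clean={clean:8.2f}  embedded={embedded:6.2f}")
```

On the noisy cover the ratio stays near 1 both before and after embedding, so this statistic cannot tell the two apart; on the structured cover it is far above 1 until the low bits are overwritten, which is the kind of pattern a detector can use.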
    • Re:How can you detect random noise? by BradleyUffner (Score:2) Thursday August 16 2001, @12:34PM
    • Re:How can you detect random noise? by cow_licker (Score:1) Thursday August 16 2001, @01:30PM
    • Re:How can you detect random noise? by dingbat_hp (Score:1) Friday August 17 2001, @09:32AM
  • They're on to me!! by the_ph0x` (Score:1) Thursday August 16 2001, @12:13PM
  • False Hits by Anonymous Coward (Score:1) Thursday August 16 2001, @01:27PM
  • Battling Stenography? by Anonymous Coward (Score:1) Thursday August 16 2001, @12:05PM
  • Sexy MOBO by richardmilhousnixon (Score:1) Thursday August 16 2001, @12:20PM
  • Damnit Honey, I'm not oggling porn ... by ReidMaynard (Score:1) Thursday August 16 2001, @12:20PM
  • Another reason for pr0n? :-) by gosand (Score:1) Thursday August 16 2001, @12:18PM
  • guns kill more people than steganography by Anonymous Coward (Score:1) Thursday August 16 2001, @01:02PM
  • Resource Intensive (Score:3, Interesting)

    by Gregoyle (122532) on Thursday August 16 2001, @12:13PM (#2137399)
    I agree with the "needle in a haystack" idea. It doesn't seem like this technique would be practical given the relation between bandwidth and image size.

    Given a certain state of network bandwidth, the quality of images transferred over the network is likely to increase as the ability to transmit that data increases. This means that anyone trying a large scale data mining for steganographic data, for example in a Carnivore-type application, would need to have many times the bandwidth of ALL the senders/receivers in order to analyze that much data.

    That would make it so the only real application of this method would be for people you already suspect of sending steganographic data. You could direct the search toward them. However, then it is still trial and error to find which steganographic protocol they used, etc., and you're back to square one.

    Maybe if the steganographic checking system was actually *integrated* to the Carnivore system you could get somewhere. It might be a good way to search for messages that were "suspicious".

    It is interesting, though, that this method is possible without knowing the individual steganographic protocols. It just seems that it would be too resource-intensive to deploy on a wide scale, and a wide scale is the only place it would be really more useful than trial and error.

  • Whack a mole by mikethegeek (Score:2) Thursday August 16 2001, @12:15PM
  • It's still worthwhile. by Christopher Craig (Score:1) Thursday August 16 2001, @12:41PM
  • Thoughts on what he might be doing... by rarose (Score:1) Thursday August 16 2001, @12:55PM
  • Battling Hany Farid and Other Privacy Snoopers by Louis Savain (Score:2) Thursday August 16 2001, @01:09PM
  • hmmm by zulux (Score:1) Thursday August 16 2001, @12:16PM
  • Woah... by dmccarty (Score:1) Thursday August 16 2001, @12:15PM
  • The news is not that bad by Chakat (Score:1) Thursday August 16 2001, @12:42PM
  • not up to date by pilez (Score:1) Thursday August 16 2001, @06:06PM
  • 1000 monkeys with 1000 typewriters by Cynikal (Score:1) Friday August 17 2001, @09:43AM
  • No ASCII Art allowed by 3ryon (Score:1) Thursday August 16 2001, @01:41PM
  • I too am battling a stenographer by SilLumTao (Score:1) Thursday August 16 2001, @01:40PM
  • Statistical analysis? by Balinares (Score:2) Thursday August 16 2001, @12:32PM
  • Re:Did you know? by chartreuse (Score:1) Thursday August 16 2001, @12:22PM
  • Hidden meaning in hidden pictures by WillSeattle (Score:1) Thursday August 16 2001, @12:08PM
  • Re:If steganography becomes illegal by glitch! (Score:2) Thursday August 16 2001, @02:09PM