Study Finds Low Use Of Steganography On Internet

Posted by timothy on Wed Sep 26, 2001 09:52 AM
from the maybe-it's-just-not-on-ebay dept.
schnippy writes: "New Scientist reports on a new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.
This discussion has been archived. No new comments can be posted.
  • Face it by SpanishInquisition (Score:2) Wednesday September 26 2001, @09:54AM
    • Re:Face it by Ayon Rantz (Score:1) Wednesday September 26 2001, @10:02AM
    • Re:Face it by discogravy (Score:3) Wednesday September 26 2001, @10:05AM
    • Re:Face it (Score:5, Funny)

      by Jerf (17166) on Wednesday September 26 2001, @10:23AM (#2352625) Journal
      'Half of slashdot posts are encrypted evil plots for mass destruction.'

      Moderators, beware! That post decrypts to "fr15t p0st!!!" It's not a funny post, it's off-topic! Don't let your points be spent carelessly!

  • Isn't that the point? (Score:4, Redundant)

    by datawar (200705) on Wednesday September 26 2001, @09:57AM (#2352468)
    The whole point of stenography is that people CAN'T spot the fact that you're using it!

    • Re:Isn't that the point? (Score:5, Interesting)

      by dachshund (300733) on Wednesday September 26 2001, @10:08AM (#2352546)
      The whole point of stenography is that people CAN'T spot the fact that you're using it!

      To elaborate... The whole point of good steganography is that people can't easily spot the fact that you're using it. If you use some common freeware steg. programs, people'll have no problem detecting it-- these programs make very little attempt to hide their trail if the files are carefully examined. In any case, except for the nefarious use by criminals, or a few people having fun, there's no reason to use steganography very much. The hope is not to be detected when you do use it.

      As an aside, one imagines that with the hundreds of millions of dollars Bin Laden has access to, he can afford to create some half-decent steganography procedures... Perhaps using one-time-pads to conceal the data as noise.

      • Re:Isn't that the point? (Score:4, Insightful)

        by 4of12 (97621) on Wednesday September 26 2001, @11:13AM (#2352893) Homepage Journal

        There hasn't been much need for steganography so far.

        But if encryption is outlawed, then steganography will enjoy considerable growth as people find that the only way to secure their data is to hide the fact that they are doing so.

        With regards to Bin Laden, I continue to maintain that his use of high tech is overstated. (But making such statements is probably a great way to get government funding for fun stuff, make it look like "we're doing something", etc.)

        Low-tech means of infrequent verbal communications, not in Western language and frequently not conducted over electronic means, are more than sufficient to hide covert activities.

        Yeah, I can just see ObL and his gang firing up the diesel generators in their rural Afghan camp, setting up their satellite cell phones to upload and download complicated set of instructions that have been steganographically encoded. Give me a break. There are easier ways for him to communicate that are far less risky.

      • Re:Isn't that the point? by gregor_b_dramkin (Score:1) Wednesday September 26 2001, @11:16AM
      • Re:Isn't that the point? by OmegaDan (Score:2) Wednesday September 26 2001, @11:39AM
      • Wrong by athmanb (Score:2) Wednesday September 26 2001, @12:36PM
        • Re:Wrong by dachshund (Score:1) Thursday September 27 2001, @12:31PM
      • Desirable properties of a stegosystem by yerricde (Score:2) Wednesday September 26 2001, @12:58PM
      • Re:Isn't that the point? by mpe (Score:2) Wednesday September 26 2001, @03:27PM
    • Read the article by melquiades (Score:2) Wednesday September 26 2001, @10:12AM
    • Re:Isn't that the point? (Score:4, Funny)

      by Jburkholder (28127) on Wednesday September 26 2001, @10:15AM (#2352581)
      >...stenography ... people CAN'T spot the fact that you're using it!

      but doesn't that weird little typewriter [depo.com] usually tip everyone off?

    • Re:Isn't that the point? by atlep (Score:1) Wednesday September 26 2001, @10:15AM
    • Underground Railroad used cloth symbols by T1girl (Score:3) Wednesday September 26 2001, @10:49AM
    • MP3 by rve (Score:2) Wednesday September 26 2001, @12:44PM
    • Re:Isn't that the point? by $pyHunter (Score:1) Wednesday September 26 2001, @02:17PM
  • steganography or stegnography? (Score:4, Flamebait)

    by Anonymous Coward on Wednesday September 26 2001, @09:57AM (#2352470)
    i think the extinction of the dinosaurs wiped out steganography; the mysteries of how the stegasaurus learned to write with its tail will never be known to any of us...
  • is it just me, or... (Score:3, Insightful)

    by turbine216 (458014) <turbine216&hotmail,com> on Wednesday September 26 2001, @10:00AM (#2352480)
    ...does anyone else think that "steganography" is just the latest in annoying media-driven hysterics? Every month there's a new buzzword that exists simply to point out the "evils" of the internet...

    MAYBE this is just another one of those words!! With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?
    • Re:is it just me, or... by Atzanteol (Score:2) Wednesday September 26 2001, @10:08AM
    • Re:is it just me, or... (Score:5, Insightful)

      by Erasmus Darwin (183180) on Wednesday September 26 2001, @10:10AM (#2352555)
      "With so many other more effective and simple methods of encryption (read: PGP), why would anyone go to all the trouble?"

      You're comparing apples and oranges. Steganography isn't encryption -- it's concealment. If I send a PGP-encrypted message, regardless of whether or not they can break it, every eavesdropper knows that I just sent a PGP-encrypted message. If I use stenography to hide a message, an eavesdropper might miss the message, but would be able to decode it if it's discovered. If I use both, it's a win-win situation.

    • steganography isn't new, it was just hidden before by hillct (Score:3) Wednesday September 26 2001, @01:08PM
  • ok, either they know something that I don't, or... by jimdesu (Score:2) Wednesday September 26 2001, @10:00AM
  • Umm... by traphicone (Score:1) Wednesday September 26 2001, @10:00AM
    • Re:Umm... by jrockway (Score:1) Wednesday September 26 2001, @02:46PM
  • Umm... by Millennium (Score:2) Wednesday September 26 2001, @10:01AM
    • Re:Umm... by Shimbo (Score:2) Wednesday September 26 2001, @12:18PM
  • How do they know? (Score:5, Insightful)

    by andy@petdance.com (114827) <andy@petdance.com> on Wednesday September 26 2001, @10:02AM (#2352497) Homepage
    How can they know that the 2E+09 images on eBay don't contain hidden messages? They might not have detected them, but that doesn't mean they're not there. Perhaps these damn terrorists (gasp!) made their own software!

    And who says that you have to post images to send a message? Maybe posting a baseball card for sale means that a cell is to attack on the day that the auction closes. A Sammy Sosa card means we fly into the Sears Tower; a Thurman Munson card means the WTC. The starting bid is the price is the time at which it's to happen.

    The whole point of steganography is that the outside world doesn't even know what your encoding system is, much less be able to decipher it.

  • Ebay? by foo fighter (Score:1) Wednesday September 26 2001, @10:03AM
  • Bin Laden Stenography? LOL (Score:3, Insightful)

    by xinu (64069) on Wednesday September 26 2001, @10:04AM (#2352504) Homepage Journal
    From what I heard, not that I have any clue what I'm talking about other than what I've seen on the news and water cooler talk. But, they don't even use computers for the most part. Not only are they low-tech, they are no-tech. I don't see what the fear is other than some government officials taking advantage of the mass hysteria.
  • Why ebay? by svallarian (Score:1) Wednesday September 26 2001, @10:04AM
  • It's not just steganography, it's encryption by sinnergy (Score:2) Wednesday September 26 2001, @10:04AM
  • This is naive (Score:5, Flamebait)

    by scorbett (203664) on Wednesday September 26 2001, @10:05AM (#2352510) Homepage
    According to the details of their study, they took images from Ebay and scanned them for steganographic content using statistical analysis. Out of the two million images they scanned from Ebay, they determined that about 17000 seemed to have steganographic content. They then used a dictionary attack to try and extract any encrypted messages that may be contained within. They failed on all 17000 images. Their report indicates one of three possible explanations for this:
    1. There is no significant use of steganography on the Internet.
    2. Nobody uses steganographic systems that we can find.
    3. All users of steganographic systems carefully choose passwords that are not susceptible to dictionary attacks. (emphasis mine)
    In response to number 3, I'd like to say, "well, duh". Anyone clever enough to transmit messages via steganography is not going to be stupid enough to potentially compromise themselves by choosing a simple password.

    But beyond that, this search is limited to one small part (Ebay) of the entire Internet. There are certainly many other places where images can be transmitted inconspicuously (certain usenet groups come to mind).

    To me, this seems like a "feel good" story designed to put people at ease. It has little actual merit.

  • What;'s the purpose? by skybird0 (Score:1) Wednesday September 26 2001, @10:05AM
  • No kidding... by BMazurek (Score:2) Wednesday September 26 2001, @10:05AM
  • Why Ebay? (Score:5, Interesting)

    by jandrese (485) <kensama@vt.edu> on Wednesday September 26 2001, @10:05AM (#2352518) Homepage Journal
    Ebay seems like a poor choice for stenography. First off, you have to actually sell something to get a picture on Ebay (IIRC), and I doubt the terrorists are going to want to bother with having buyers on their back all the time.

    It seems to me like it would be much easier just to set up some random Geocities site with text like:
    Hi, I'm Lisa Smith and this is my site about me and my 10 cats!
    Then include several pictures of 10 different cats, including some with covert information. If you need new information you can reencode some of the pictures and reupload them. Other messages can be sent by subtly changing the HTML (adding and deleting extra spaces for instance).

    I still can't figure out why they thought the images would be on Ebay.
  • e-Bay? (Score:5, Insightful)

    by gus goose (306978) on Wednesday September 26 2001, @10:06AM (#2352521) Journal
    Apart from the fact that by default, good steganography should be undetectable, it appears that e-bay is a poor site to use. By default, the user posting a sale has to exist in some manner, unless a new identity is created for each item to be sold - which makes sense, but the bottom line is that it is a pain to keep creating e-bay accounts, and making up e-mail addresses.

    Something on the newsgroups would be a much better place to look. the alt.binaries.pictures.* areas. Almost total anonymity.

    If I were to want to communicate this way, I would avoid e-bay.

    gus
    • Re:e-Bay? by Tackhead (Score:2) Wednesday September 26 2001, @11:04AM
      • Re:e-Bay? by Tackhead (Score:2) Wednesday September 26 2001, @11:07AM
        • Re:e-Bay? by WNight (Score:2) Wednesday September 26 2001, @11:44AM
        • Re: pr0n-spam by SpaceLifeForm (Score:1) Wednesday September 26 2001, @12:43PM
          • Re: pr0n-spam by armb (Score:1) Thursday September 27 2001, @05:07AM
    • Re:e-Bay? by juliao (Score:1) Friday September 28 2001, @08:55AM
  • No Hidden Messages! by ucblockhead (Score:2) Wednesday September 26 2001, @10:06AM
  • Unintentionally amusing... by marnanel (Score:2) Wednesday September 26 2001, @10:07AM
  • Fundamental flaw by gazbo (Score:2) Wednesday September 26 2001, @10:07AM
  • I couldn't help laughing... by dfay (Score:2) Wednesday September 26 2001, @10:07AM
  • hasty conclusions? by downerad (Score:2) Wednesday September 26 2001, @10:07AM
  • what about other image file formats? by Smallest (Score:1) Wednesday September 26 2001, @10:08AM
  • It's not always so easy to detect! (Score:3, Interesting)

    by MadCow42 (243108) on Wednesday September 26 2001, @10:08AM (#2352541) Homepage
    I could easily encode a message into an image, and NOBODY could detect that one was there, even through careful examination... why would this study be accurate?

    For example:

    -take an original image as a reference
    -encode a message into binary 1's and 0's (use encryption if you like, or just the binary ascii equivalent)
    -go through the image in a certain direction, and change each pixel value by 1 to encode a binary "1", or leave it alone to encode a binary "0".
    -distribute a "reference image" separately that can be used to decode the image (like a key)
    -use a simple algorithm to compare the original and reference, which will give you a binary sequence
    -decode the binary sequence using whatever method you used to encode it

    Unless you have the reference image, you're screwed. Changing RGB values by 0 or 1 will not be detectable, and will easily blend in with the noise of most images.

    The only thing you can't do is compress the image with JPEG or other "lossy" compression routines.

    How could you detect this? How could you prevent it from being used? You can't, unless you know the reference image. I could post secret messages on the front page of CNN.com and nobody would know (ok, assuming I had access to CNN.com to post an image).

    MadCow.
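The scheme this comment describes, written out as an added Python example (not part of the original post or of any tool it mentions). The "image" is a constructed list of 8-bit samples rather than a real file format, all function names are hypothetical, and the receiver is assumed to know the message length in bytes; the code also handles the sample value 255, which cannot be raised by 1, and simulates the lossy-compression caveat with a coarse requantization step.

```python
"""Reference-image scheme from the comment above (added illustration).

The "image" is a constructed flat sequence of 8-bit channel values, not a real
file format; every function name here is hypothetical.
"""
import random


def text_to_bits(message):
    """UTF-8 text -> list of bits, most significant bit of each byte first."""
    return [(byte >> shift) & 1
            for byte in message.encode("utf-8")
            for shift in range(7, -1, -1)]


def bits_to_text(bits):
    """Inverse of text_to_bits; undecodable bytes become U+FFFD."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return out.decode("utf-8", errors="replace")


def embed(reference, message):
    """Change a sample by 1 for a 1 bit, leave it alone for a 0 bit."""
    bits = text_to_bits(message)
    if len(bits) > len(reference):
        raise ValueError("message has more bits than the image has samples")
    stego = bytearray(reference)
    for i, bit in enumerate(bits):
        if bit:
            # 255 cannot go up by 1, so step down; extraction only tests "differs".
            stego[i] += 1 if stego[i] < 255 else -1
    return bytes(stego)


def extract(stego, reference, n_bytes):
    """Compare against the reference: a differing sample is a 1, an equal one a 0."""
    bits = [int(s != r) for s, r in zip(stego, reference)]
    return bits_to_text(bits[:n_bytes * 8])


def requantize(samples, step=4):
    """Crude stand-in for lossy compression: snap each sample to a multiple of step."""
    return bytes(min(255, (v + step // 2) // step * step) for v in samples)


def make_cover(n_samples, seed):
    """Constructed noise-like cover so the example runs offline."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_samples))


def demo():
    message = "The owl howls at midnight."
    reference = make_cover(64 * 64 * 3, seed=2001)
    stego = embed(reference, message)
    n = len(message.encode("utf-8"))
    return {
        # Holder of the exact reference recovers the text.
        "with_reference": extract(stego, reference, n),
        # A different reference yields noise, not the text.
        "wrong_reference": extract(stego, make_cover(len(reference), seed=7), n),
        # After the simulated lossy step most samples differ, so the bits are lost.
        "after_lossy_step": extract(requantize(stego), reference, n),
        # No sample moved by more than 1.
        "max_sample_change": max(abs(s - r) for s, r in zip(stego, reference)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```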
  • steganography toolkit please! by squaretorus (Score:1) Wednesday September 26 2001, @10:08AM
  • Trying to prevent steganography (Score:3, Insightful)

    by perdida (251676) <thethreatproject&yahoo,com> on Wednesday September 26 2001, @10:08AM (#2352549) Homepage Journal
    is like trying to prevent a germ warfare attack.

    The truth is, that even if we had known about the WTC attack we could not have prevented it without causing an economic loss of millions of dollars in the city of New York that our current hero-mayor -- Rudy Giuliani -- would have prevented, to the accolades of his fellow citizens if an attack had not come.

    You have to do so much alteration to the medium which you are trying to keep free of bad stuff, be it Internet porn or our daily lives, that the medium itself is changed beyond recognition. It's not worth it.

    Unlike a specific cryptographic algorithm, steganography is a group of methods that take advantage of the huge volume of information that passes over the internet.

    Unless you want to dramatically slow down the transfer of all information, making sure the file looks the same at each gateway it passes through, there is very little you can do to catch people who disguise information in this way.

    ObL is a modern terrorist, using modern methods to operate and communicate. He want us to be afraid of our own modern trappings and conveniences in our lives; if we try to make it impossible for him to communicate, we give up far too much ourselves.

    We must allow full encryption freedom, full steganography freedom, and all other lifestyle freedoms in the US and around the world.

    Traditional deterrence methods, such as massive military response, should be used to stop terrorists; we need to stop them after their attacks, and instill fear in others who would attack through a terrifying military response, unfortunately against the innocent as well as the guilty.

  • bin Laden's change of heart. by rkischuk (Score:2) Wednesday September 26 2001, @10:12AM
  • In plain English: by Giant Hairy Spider (Score:1) Wednesday September 26 2001, @10:12AM
  • News Flash by OzPeter (Score:2) Wednesday September 26 2001, @10:12AM
  • damn, I was actually thinking of that by AssFace (Score:1) Wednesday September 26 2001, @10:14AM
  • by firewort (180062) on Wednesday September 26 2001, @10:15AM (#2352585)
    Ignoring terrorists for the moment, what about the rest of us?

    Most of us agree that use of encryption is probably a good thing. (Envelope as opposed to postcard and all that.)

    So, how do we get normal folks to use encryption? By creating tools that interface well with the tools normal folks use. If that means writing a plugin to outlook, so that the braindead can encrypt the latest virus they're trying to pass me, we should do it.

    The study is about detecting stego when normal tools are used for the encryption. It doesn't suggest that the message is easily extracted, and it's foolish to suppose that terrorists will only use the most commonly available tools.

    What can we do to get normal folks to use stego, PGP, or other forms of encryption?

    I think that we spend a lot of time on Slashdot arguing about Linux and its place on the desktop, when we could be focusing on encryption as well, and how to make it ubiquitous.
  • For those of you, who like me, keep their mail... by cyberdonny (Score:1) Wednesday September 26 2001, @10:16AM
  • The Scientific Method (Score:3, Interesting)

    by SirSlud (67381) on Wednesday September 26 2001, @10:17AM (#2352590) Homepage
    The report omits a glaring error in the study. Namely, that the researchers never checked out the alt.binaries.pictures.steganography group. And the moral? Never send a scientist to do a lurkers job.
  • The better stego by DeadVulcan (Score:2) Wednesday September 26 2001, @10:17AM
  • I can help (Score:5, Funny)

    by ellem (147712) <.ellem52. .at. .gmail.com.> on Wednesday September 26 2001, @10:17AM (#2352596) Homepage Journal
    there has been speculation that Osama Bin Laden has hidden messages in pornographic images posted and swapped on Usenet

    If they posted in alt.binaries.erotica.veils or alt.binaries.erotica.bondage.camels between 1990 and 2001 I have every .jpg, .mpg, .avi, .bmp, .pcx, .mov and .html file ever posted. Also I have every .txt, .doc file from alt.stories.erotica.camel.
  • I'm using it extensively. by ers81239 (Score:1) Wednesday September 26 2001, @10:18AM
  • Looking in all the wrong places by pausz (Score:1) Wednesday September 26 2001, @10:21AM
  • The science of obfuscating communications? by Chas (Score:2) Wednesday September 26 2001, @10:25AM
  • Steganography detection by Todd Knarr (Score:1) Wednesday September 26 2001, @10:36AM
  • Why would they upgrade to a version of PGP.... by SwedishChef (Score:2) Wednesday September 26 2001, @10:42AM
  • by clary (141424) on Wednesday September 26 2001, @10:42AM (#2352714)
    The thought occurred to me that conspirers could meet on a FPS server (Quake, Unreal, whatever), and communicate using gestures. Perhaps shooting a rocket into the third tower from the left means let's meet at the usual place. (Note that you wouldn't want to use the chat feature of the game, since that is probably coded pretty clearly in the game's client/server protocol.) This would be an extremely low-bandwidth approach, but fiendishly difficult to detect.

    Well, now it is my patriotic duty to spend time checking out UT servers for potential terrorists!

  • Layered Protocols & Stego by Medievalist (Score:2) Wednesday September 26 2001, @10:43AM
  • Not according to New Scientist! by canning (Score:2) Wednesday September 26 2001, @10:49AM
  • Bad article by t_allardyce (Score:1) Wednesday September 26 2001, @10:51AM
    • Re:Bad article by arkanes (Score:1) Wednesday September 26 2001, @11:45AM
  • here a cool prog by drfrog (Score:1) Wednesday September 26 2001, @10:54AM
  • by mttlg (174815) on Wednesday September 26 2001, @11:01AM (#2352814) Homepage
    Ok, so we have a study that says that only a small percentage of pictures on eBay seem to have some kind of steganographic content, but none of them can be confirmed to actually contain this information. You can conclude several things from this, depending on your personal bias:

    -Steganography is not used on the web.
    -Steganography is not used on eBay.
    -We can't detect steganography.
    -Any steganography we can detect can't be decoded.
    -Steganography isn't widely used - yet.

    You can mix and match these to fit your personal agenda, which I'm sure many people will do. In reality though, these results say almost nothing. The only way to know where, how, and how often steganography is used is to find out from the people using it.

    Unfortunately, I have a feeling some people in Congress and elsewhere in the US government will use this as proof that if they can control encryption, there won't be too much use of other methods of hiding data. Ignoring all of the flaws in this conclusion, there is a further flaw in the assumption that by changing the security in encryption, the amount of use of other methods will remain the same. I would not be surprised if there aren't any people on eBay using steganography, nor would I be surprised if the same was true on most other sites; with available alternatives, this is just one of many tools that could be used to transmit messages securely. If the alternatives are removed, more effort will be spent on steganography, resulting in more widespread use and more resistance to detection. In other words, a ban on secure encryption would just encourage development in other areas, even if such development is dormant right now.

    On a final note, if you want to look for steganography, try a sleazy porn site. Not that I've seen any myself, but I've heard that they toss all kinds of random stuff up on those, grabbing the images from all over the internet. This would seem to make a more representative sample than a site full of people selling their junk.
  • recursive images.google.com search by L-Wave (Score:1) Wednesday September 26 2001, @11:06AM
  • How long, o Lord. . . by mjackson14609 (Score:1) Wednesday September 26 2001, @11:06AM
  • mp3's too? by RadioheadKid (Score:1) Wednesday September 26 2001, @11:06AM
  • Who needs to hide anything! by Cro Magnon (Score:2) Wednesday September 26 2001, @11:07AM
  • by Get Behind the Mule (61986) on Wednesday September 26 2001, @11:09AM (#2352860)
    Snow White,

    The owl howls at midnight.

    Rumpelstiltskin
  • Ho Ho Ho by Andy_R (Score:2) Wednesday September 26 2001, @11:12AM
    • Re:Ho Ho Ho by BeeShoo (Score:1) Wednesday September 26 2001, @12:39PM
  • another warped news story (Score:4, Insightful)

    by trb (8509) on Wednesday September 26 2001, @11:14AM (#2352896)
    The paper describes a system for gathering and analyzing steganography data. The researchers are smart enough to know that their methods don't find all methods of hiding text, but their framework can be used to apply whatever analytical tools you like to the images it collects.


    The point isn't "there is no steganography on the web." The point is "here is a system to look for steganography."


    In typical mass media fashion, both New Scientist and Slashdot go for the flashy story rather than the more interesting point of the research.

  • Passing secret data not that hard (Score:3, Insightful)

    by CharlieG (34950) on Wednesday September 26 2001, @11:15AM (#2352898) Homepage
    Folks,
    Passing secret data, if you have resources, is not that hard. Look up any book on "Field Craft" in the field of "Intelligence"

    Real low bandwidth messages are trivial - aka, attack tomorrow. It could be a chalk mark on the wall, a newspaper folded a certain way etc.

    Even more fun is to pass LOTS of encrypted messages in the clear, but 99% are nothing but random noise. Look up the topic "Numbers Station"

    Add in a few cutoffs / dead drops, and it's trivial

    Let's say OBL wants to send a message. He could use a combination of low/high tech. He uses a courier to move the data from where he is, to the first drop. The next person has NO idea where OBL is. They use another drop. That person sends a message via the net "Look at the new picture of my dog" might be the whole message - the data isn't even in the picture. You could go even further. Use some sort of Steg, but spread the message across multiple images.

    The whole trick is to make the signal/noise ratio low enough that you can't see the signal unless you know where to look
  • Why hide in one image? by ectoraige (Score:2) Wednesday September 26 2001, @11:21AM
  • Why go to such lengths? by pkesel (Score:1) Wednesday September 26 2001, @11:23AM
  • Steganography & Islam by cthlptlk (Score:1) Wednesday September 26 2001, @11:24AM
  • Not only is eBay a bad idea... by QwkHyenA (Score:2) Wednesday September 26 2001, @11:26AM
  • A couple of questions about cryptography etc,. by Dy1ng34r7h (Score:1) Wednesday September 26 2001, @11:27AM
  • Why use EBay? by aozilla (Score:2) Wednesday September 26 2001, @11:32AM
  • Thees ees, ov course by Pituritus Ani (Score:2) Wednesday September 26 2001, @12:03PM
  • Why Ebay? by Liquor (Score:1) Wednesday September 26 2001, @12:05PM
  • Let's see... by magi (Score:2) Wednesday September 26 2001, @12:31PM
  • ebay not the place to look (Score:4, Insightful)

    by Captain_Frisk (248297) <captain_friskNO@SPAMbootless.org> on Wednesday September 26 2001, @12:39PM (#2353429) Homepage
    Why would you put the images on ebay? There are plenty of forums that aren't as public, and don't require as much information to register, and best of all, don't cost money.

    There is absolutely no relationship between there being no stenographic images on Ebay, and the use of stenography by Bin Laden or other terrorist groups.

    Seriously, think about where you would put your images? I would say porno boards would be the best place, possibly newsgroups. Tons of people look at porn, so the traffic wouldn't seem strange, and there's so much out there, you wouldn't even know where to look if you were looking for said stenographic images.

    As for distributed clients... I'd love to see a distributed client that started searching all the pr0n sites out there, checking them for secret messages. Could you see that popping up as your screen saver?

    It's just not going to happen.

    Captain_Frisk
  • why so high-tech? Just use usenet text... by technopinion (Score:1) Wednesday September 26 2001, @12:51PM
  • Huh? by NavySpy (Score:1) Wednesday September 26 2001, @12:55PM
  • Practical steganography (Score:3, Insightful)

    by VORNAN-20 (318139) on Wednesday September 26 2001, @01:12PM (#2353704)
    I think the detection of steganography in an image file, given reasonable smarts on the part of the stego software designers, is totally impossible. A typical plain text email message might have 1k words, to be generous. This works out to about 40k bits (5 characters per word, 8 bits per character). A 2048x1536 tiff file, common with today's digital cameras, is about 10+ MB in size. I think that hiding the 40k bits in 10MB of binary image file would result in a file that would pass any practical test, statistical or otherwise.

    Also consider this technique, you (the encryptor) could run the statistical tests on the output file and tweak garbage bits at random until it would not raise any alarms. The design principle would be: 1. Encrypt your message, 2. Insert a compensating set of (probably ordered) bits into the image. 3. Test for randomness, you want to have the final encrypted/hidden output look like the original by every statistical measure you can test for. Repeat steps 2 & 3 until done.

    The basic principle is that you keep the number of encrypted bits in the hidden part buried in the file low relative to the size of the file the message is buried in; I am not a crypto guy but maybe someone who is would care to comment. I would not bet on the TLAs in this race, it's too easy to hide stuff.
  • Pictures on E-bay? by Technician (Score:2) Wednesday September 26 2001, @01:19PM
  • THAT CINCHES IT! by Snowfox (Score:1) Wednesday September 26 2001, @01:24PM
  • what the message doesn't say by esper_child (Score:1) Wednesday September 26 2001, @01:30PM
  • Messages hidden in porn by crimeboss (Score:1) Wednesday September 26 2001, @01:54PM
  • Detect this (Score:3, Interesting)

    by roman_mir (125474) on Wednesday September 26 2001, @02:24PM (#2354136) Homepage
    If I really wanted no one ever to guess what I am sending to someone, I would use a number, a LARGE number of free internet services to send SMALL portions of my message through them. I need many accounts on geocities, yahoo, tripod, ebay, maybe some news groups, and I would distribute my super secret message among them in a fashion that would only be known to me and the person I am communicating with. Every message would be sent in a different manner with different accounts. Decrypt this.
  • In other news by thejake316 (Score:1) Wednesday September 26 2001, @02:44PM
  • Obfuscation no? by jeff13 (Score:2) Wednesday September 26 2001, @03:17PM
  • Steganography by Anonymous Coward (Score:2) Wednesday September 26 2001, @03:51PM
  • Why use the web by ian_po (Score:2) Wednesday September 26 2001, @04:38PM
  • Old Story? by SpringRevolt (Score:1) Wednesday September 26 2001, @04:40PM
  • Correct me if I'm wrong... by Kasreyn (Score:2) Wednesday September 26 2001, @09:28PM
  • Browser plug-in by chundercanada (Score:2) Thursday September 27 2001, @03:02AM
  • Re:I've got the ANSWER! by anshil (Score:1) Wednesday September 26 2001, @12:38PM