Steganography and Cyber Terrorism Communications

Following my previous post on Cyber Terrorism Communications and Propaganda, I'm continuing to summarize interesting findings on the topic. The use of encryption to ensure the confidentiality of a communication, be it criminals or terrorists taking advantage of the speed and cheap nature of Internet communications, is often taken as the de-facto type of communication. I feel that it's steganographic communication in all of its variety that's playing a crucial role in terrorist communications. It's never been about the lack of publicly or even commercially obtainable steganographic tools, but the ability to know where and what to look for. Here's a brief comment on a rather hard to intercept communication tool - SSSS - Shamir's Secret Sharing Scheme :

"No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shredding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret."

Intelligence officials/analysts are often confronted with the difficult task of, should they actively work on scanning the entire public Internet, or single partitions of the known chaos, namely the majority of Islamic/Jihadi related web sites. Trouble is, it's heck of a short sighted approach, and way too logical one to actually provide results. Moreover, in all the fuss of terrorists using steganography, even encryption to communicate, the majority of experts -- shooting into the dark -- have totally neglected the very concept of disinformation. To be honest, I'm a little bit surprised on the lack of such, picture the media buzz of a recently found map of key region and encoded messages embedded in public image, continue with the public institutions raising threat levels, vendors taking advantages of this "marketing window" when in between, someone gained access to a third-party's E-identity and used to creatively communicate the real message.

It's a public secret that the majority of already obtained Terrorist Training Manuals on the Web give instructions on primitive, but IT-centered approaches for anonymity such as encryption, use of proxies, and yes, steganography as well. Yet another public secret, these very same training manuals are actual copies of unclassified and publicly obtained Intelligence, Military and Security research documents. Here's a chapter on Secret Writing and Cipher and Codes. Primitive, but still acting as an indicator of the trend.

The most comprehensive Scan of the USENET for steganography was conducted back in 2001, primarily because of the post 9/11 debate on the use of steganography by terrorists. Surprisingly, the experiment didn't find a single hidden image -- out of a dictionary based attack on the JSteg and JPHide positive images of course :

"After scanning two million images from eBay without finding any hidden messages, we extended the scope of our analysis. A detailed description of the detection framework can be found in Detecting Steganographic Content on the Internet. This page provides details about the analysis of one million images from the Internet Archive's USENET archive. Processing the one million images with stegdetect results in about 20,000 suspicious images. We launched a dictionary attack on the JSteg and JPHide positive images. The dictionary has a size of 1,800,000 words and phrases. The disconcert cluster used to distribute the dictionary attack has a peak performance of roughly 87 GFLOPS."

Concerns about the invaluable sample :
- Used primarily USENET as a possible source for images
- Excluded music and multimedia files, and the hard to detect while in transmission TCP/IP covert communication channels -- information can indeed move with the speed of an error message
- Cannot scan the Dark Web, the one closed behind common crawlers blocking techniques or simple authentication
- Cannot scan what's not public, namely malware-infected hosts, or entire communication platforms hosted on a defaced web server somewhere, temporary communication dead boxes -- and while taking about such, free web space providers can provide interesting information given you know where and what to look for as always

The bottom line is that if someone really wants to embed something into a commodity data such as video, picture or an MP3 file, they would. Generating more noise when there's enough of it is on the other hand a smart approach I feel is getting abused all the time. How to deal with the problem? Ensure your ECHELON approaches are capable of detecting the patterns of the majority of public/commercial steganography tools. And according to public sources, that seems to be the case already :

"R2051 Steganography Decryption by Distributive Network Attack Develop a distributive network analysis application that can detect, identify, and decrypt steganography in multiple types of files, including commonly used audio, video and graphic file formats.The application must quickly and accurately detect and identify files containing steganography and extract the hidden messages and data from the file. Decryption of any messages or data encoded before the use of a steganography program is not required. The system must allow for easy, low-cost, frequent updating to counter new emerging programs. It must detect, extract, and decrypt messages in any file that has used any currently commercially available steganography programs as well as commonly encountered non-commercial programs. These would include, but are not limited to, the following: Covert.tcp; dc-Steganograph; EzStego; FFEncode; Gzsteg; Hide 4 PGP; Hide and Seek 4.1; Hide and Seek 5.0; Hide and Seek for Windows 95; jpeg-jsteg; Paranoid, Paranoid1.1.hqx.gz; PGE - Pretty Good Envelope; PGPn123; S-Tools : S-Tools 1.0 (Italy, Finland); S-Tools 2.0 (Italy, Finland); S-Tools 3.0 (Italy), Finland); S-Tools 4.0 (Italy, Finland); Scytale; Snow; Stealth, Stealth 2.01 ; Steganos 1.4; Steganos for Windows 95 and upgrade 1.0a; Stego by John Walker; Stego by Romana Machado; Stegodos; Texto; wbStego; WitnesSoft; and WINSTORM"

The rest is making sense out of the noise and OSINT approaches for locating the "bad neighborhoods".

Figure courtesy of Bauer 2002 at the FBI's Overview of Steganography for the Computer Forensics Examiner.


Post a Comment

Note: Only a member of this blog may post a comment.

My Instagram