Study Finds Low Use Of Steganography On Internet

schnippy writes: "New Scientist reports on new study from the University of Michigan that argues that steganography (the science of obfuscating communications) is not in wide use, or at least not on the 2 million images they scanned on eBay. Earlier this year, USA Today reported that Bin Laden was using steganography to disguise his communications. Full study is available here. Wonder how long before someone sets up a distributed computing client to help search for Bin Laden's secret communications? :p" Niels Provos' research was mentioned in Slashback not long ago, and this article is based on the same research.

Why Ebay?

[jandrese]

Ebay seems like a poor choice for stenography. First off, you have to actually sell something to get a picture on Ebay (IIRC), and I doubt the terrorists are going to want to bother with having buyers on their back all the time.

It seems to me like it would be much easier just to set up some random Geocities site with text like:
Hi, I'm Lisa Smith and this is my site about me and my 10 cats!
Then include several pictures of 10 different cats, including some with covert information. If you need new information you can reencode some of the pictures and reupload them. Other messages can be sent by subtly changing the HTML (adding and deleting extra spaces for instance).

I still can't figure out why they thought the images would be one Ebay.

Fundamental flaw

[gazbo]

I know people are joking about it being the whole point that you can't find it in use, but reading the article, this is not far from the truth. The researchers admitted that the method they used only hunted for known, commercially available techniques, and that there were other techniques available that would not have been spotted. Add in any totally novel methods people may have used themselves.

Still, if we're going to give these researchers funding...

I couldn't help laughing...

[dfay]

I couldn't help laughing at the title. The first thing that popped into my head was, "How do you measure the amount of steganography on the internet?" Seems like the answer is that there should be a lot of nearly useless information, a low signal-to-noise ratio if you will. Which, I'm sorry to say, is a very accurate description of the internet. :P

Okay, okay, now I'll go read the article. :)

Happy winnowing and chaffing!

Dave

It's not always so easy to detect!

[MadCow42]

I could easily encode a message into an image, and NOBODY could detect that one was there, even through careful examination... why would this study be accurate?

For example:

-take an original image as a reference
-encode a message into binary 1's and 0's (use encryption if you like, or just the binary ascii equivalent)
-go through the image in a certain direction, and change each pixel value by 1 to encode a binary "1", or leave it alone to encode a binary "0".
-distribute a "reference image" separately that can be used to decode the image (like a key)
-use a simple algorythm to compare the original and reference, which will give you a binary sequence
-decode the binary sequence using whatever method you used to encode it

Unless you have the reference image, you're screwed. Changing RGB values by 0 or 1 will not be detectable, and will easily blend in with the noise of most images.

The only thing you can't do is compress the image with JPEG or other "lossy" compression routines.

How could you detect this? How could you prevent it from being used? You can't, unless you know the reference image. I could post secret messages on the front page of CNN.com and nobody would know (ok, assuming I had access to CNN.com to post an image).

MadCow.

Re:It's not always so easy to detect!

[MadCow42]

I'm curious...

I'll use my "method" above to encode a message in an image tonite, and then try out such tools to see what they find. I truly believe that it would be impossible to detect a 1-value change (out of 255), even if it is a regular pattern, due to the noise level apparent in any normal digital photo/scan.

Hey, I'm always willing to be proved wrong, but that's just it, I am the type that needs proof.

If you're interested in trying to "break" such a scheme, let me know and I'll post a link to the image with the hidden text tonite.

MadCow.

Re:Isn't that the point?

[dachshund]

The whole point of stenography is that people CAN'T spot the fact that you're using it!

To elaborate... The whole point of good steganography is that people can't easily spot the fact that you're using it. If you use some common freeware steg. programs, people'll have no problem detecting it-- these programs make very little attempt to hide their trail if the files are carefully examined. In any case, except for the nefarious use by criminals, or a few people having fun, there's no reason to use steganography very much. The hope is not to be detected when you do use it.

As an aside, one imagines that with the hundreds of millions of dollars Bin Laden has access to, he can afford to create some half-decent steganography procedures... Perhaps using one-time-pads to conceal the data as noise.

Read the article

[melquiades]

Tampering can still leave traces, and once you know how a tool works, you may be able to detect it. This turns out to be the case with almost all of the currently available steganographic tools. From the Slashback link:

"[The researcher has] been developing several interesting tools to do steganalysis during the course of his universal stego engine development: (http://www.outguess.org/) including stegbreak (which can detect images produced by all popular stego tools -- except outguess)....

Of course, this only works if you know the tool, so this research only would detect the use of "off-the-shelf" steganography, as the researchers point out. From the article:

The technique may not be infallible. The methods used by Provos and Honeyman were particularly aimed at uncovering use of steganographic tools already released on the internet.

There are more advanced methods of hiding communications within images that involve using active, as well as redundant parts, of the underlying code. Sushil Jajodia of the Centre for Secure Information Systems at George Mason University in Virginia, US, says that this could have evaded detection but would require considerable technical sophistication.

BTW, it's "steganography". "Stenography" is what those speedy typists in courtrooms do.

Forgetting Terrorists, what about the rest of us?

[firewort]

Ignoring terrorists for the moment, what about the rest of us?

Most of us agree that use of encryption is probably a good thing. (Envelope as opposed to postcard and all that.)

So, how do we get normal folks to use encryption? By creating tools that interface well with the tools normal folks use. If that means writing a plugin to outlook, so that the braindead can encrypt the latest virus they're trying to pass me, we should do it.

The study is about detecting stego when normal tools are used for the encryption. It doesn't suggest that the message is easily extracted, and it's foolish to suppose that terrorists will only use the most commonly available tools.

What can we do to get normal folks to use stego, PGP, or other forms of encryption?

I think that we spend a lot of time on Slashdot arguing about Linux and it's place on the desktop, when we could be focusing on encryption as well, and how to make it ubiquitous.

The Scientific Method

[SirSlud]

The report omits a glaring error in the study. Namely, that the researchers never checked out the alt.binaries.pictures.steganography group. And the moral? Never send a scientist to do a lurkers job.

Re:This is naive

[Cerebus]

Worse-- the study looked only for three common stegongraphic tools, and noted that the best of them (OutGuess) has a new version that is not detectible using the method descibed in the study.

If you're smart enough to use steganography, wouldn't you be smart enough to use the latest version of the most advanced tool?

"Well, duh," again.

While I applaud Mr. Provos and Mr. Honeyman's efforts, the study uses a flawed methodology and this is reflected in the distinct lack of any real conclusions. You'll note that section 9, Conclusions doesn't actually conclude anything-- they simply state "we are unable to report finding a single message."

This study says nothing but will be misinterpreted

[mttlg]

Ok, so we have a study that says that only a small percentage of pictures on eBay seem to have some kind of steganographic content, but none of them can be confirmed to actually contain this information. You can conclude several things from this, depending on your personal bias:

-Steganography is not used on the web.
-Steganography is not used on eBay.
-We can't detect steganography.
-Any steganographic we can detect can't be decoded.
-Steganography isn't widely used - yet.

You can mix and match these to fit your personal agenda, which I'm sure many people will do. In reality though, these results say almost nothing. The only way to know where, how, and how often steganography is used is to find out from the people using it.

Unfortunately, I have a feeling some people in Congress and elsewhere in the US government will use this as proof that if they can control encryption, there won't be too much use of other methods of hiding data. Ignoring all of the flaws in this conclusion, there is a further flaw in the assumption that by changing the security in encryption, the amount of use of other methods will remain the same. I would not be surprised if there aren't any people on eBay using steganography, nor would I be surprised if the same was true on most other sites; with available alternatives, this is just one of many tools that could be used to transmit messages securely. If the alternatives are removed, more effort will be spent on steganography, resulting in more widespread use and more resistance to detection. In other words, a ban on secure encryption would just encourage development in other areas, even if such development is dormant right now.

On a final note, if you want to look for steganography, try a sleazy porn site. Not that I've seen any myself, but I've heard that they toss all kinds of random stuff up on those, grabbing the images from all over the internet. This would seem to make a more representative sample than a site full of people selling their junk.

Who needs to hide anything!

[Cro+Magnon]

I would have just emailed a plaintext message "Achmed, meet me at WTC at 9". The whole f**king FBI/CIA could have read that message Sept 10 and not thought anything about it.

Re:Why Ebay?

[Coniine]

Two simple points :

1) you do not ever want to use the same image for multiple messages. The fact that the same image is shown but has subtle differences is a strong indicator of the presence of stegoed data.

2) you do not ever want to restrict access to the images containing stegoed messages - that enables traffic and association analysis.

If you do place stego data in an image make sure that the image is an original ( eg from your own digital camera or scanner ) and that once you have produced the modified image you destroy all copies of the original - see #1 above.

Why hide in one image?

[ectoraige]

Everything I read about stegonagraphy seems to rely on hiding sensitive information within a single, seemingly innocous file.

I've always thought it'd make more sense to spread it between files so that, with the encoding based on differences between the files.

For example, say I want to transmit the binary number 1011, for whatever reason. 1011 is in decimal number the 11, so now I take an image, make a single pixel change at (1,11) and then make some humorous 'before and after' changes to the image, like moustaches, body parts or captions. Whatever, just don't alter row 1.

Send the two pictures, the receiver checks the difference between row 1 of the two images, and gets 11, which he can then converts to 1011. From there, he uses whatever binary-message decoding.

You can thus encode a 512-bit message by making a single pixel change to a 264x512 image.

Include those two images in a pic gallery of 200 images, and now it really becomes hell for anybody trying to detect it.

And that's using a very, very simple method.

Re:How do they know?

[dugb]

Also, there are other ways to investigate image files.

I've experimented with Provos' steganographic tool, outguess . I encoded a short message in a .jpg using the default option to foil detection by preserving statistical properties of the cover medium. Sure enough, the companion detection tool, stegdetect was not able to detect that a message was concealed.

Then, on a hunch, I converted the original and altered .jpgs to .bmps, and examined them side by
side using od -c | less. In the .bmp produced from the altered .jpg, I noted repeated 'senseless variations' in color values, usually pixel triplets of 377-376-377 (octal), as my sample pic was an object on a white background.

Of course you would need the original image to definitively prove alteration of content. But this could be reduced to process and used to sift through content for likelihood of alteration. Such a tool might prove beneficial as a substitute for blunt instruments such as Carnivore.

Thoughts?

Dug

Detect this

[roman_mir]

If I really wanted noone ever to guess what I am sending to someone, I would use a number, a LARGE number of free internet services to send SMALL portions of my message through them. I need many accounts on geocities, yahoo, tripod, ebay, maybe some news groups, and I would distribute my super secret message among them in a fassion that would only be known to me and the person I am communicating with. Every message would be sent in a different manner with different accounts. Decrypt this.

It will never be so easy to detect!

I could write a program to encrypt/decrypt like this in less than 5 minutes... the only problem I can see is distributing the "key images", which would be susceptible to being intercepted.

Nope. You're falling for the same optimistic hedging as the poster you're responding to. Why should these "key images" be so unique and identifiable? If you post an image 20 times (over a month, say) and use different cropping, compression factors, and posting accounts, who can say which parts of which images are references for which parts of which other images? Why would the encoding even be done with just a single image pair? Why would the encoding even require a "correct" binary posting for that matter? There's just no standard to use for comparison in detecting such code schemes.

People just seem to refuse to grasp that terrorists don't play fair. All these solutions and countermeasures being tossed about leave huge gaping holes that anyone with an actual vested interest would notice in a second.

(PS What a story! "Well, we don't see any hidden messages...")

Steganography

I have a friend who does work in cryptography, and who has lately been researching methods for detecting when steganography has been used. It appears that it is very hard to reliably hide things with steganography, in the sense that no-one realizes you are using steganography. Actually determining what the hidden data is can be tricky, and is akin to decrypting an encrypted message without the key. But the real goal of steganography is to hide the very fact that the communication is taking place at all. So far, it seems as though statistical methods can fairly reliably determine if there is hidden information present in an image or text file. The reliability of the tests is proportional to the ratio of hidden information to public information. If you are encoding "yes" or "no" into a 100K jpeg, don't expect miracles. But (for example) trying to distribute a 1K message inside a 10K text file is very detectable.

According to my friend, steganographic messages posted to newsgroups were up the week before 9/11/2001.

Why use the web

[ian_po]

If someone is trying to hide information on the internet why would they use web pages. If I were going to hide information on the web I would do it with a secure webserver not eBay.

Second of all I would use more obscure protocols and programs than http. I would use things like irc or a propeitary online bbs.

And third I would use things that would be easier to hide information in than pictures. Movies are ideal because you have a large amount of space to hide your data and it would introduce less entropy (or whatever).

Terrorist and bad people aren't going to go out of their way to comunicate right under our noses, just like they'd never use encryption with backdoors.