During the months and days leading up to the Sept. 11 terrorist attacks on the World Trade Center and the Pentagon, officials suspect that hijackers and planners of the attacks used steganography, a method of hiding encrypted messages within, say, music files or pictures. If you saw the Morgan Freeman movie, Along Came a Spider, then you have an idea of just how steganography works. In the movie, grade-schoolers hide messages in photos that they send to each other on class computers.
Steganography is virtually undetectable unless you know what to look for, says Michael Rasmussen, a senior industry analyst at Giga Information Group, a technology research and consulting firm in Cambridge, Massachusetts. Law enforcement officials have known for years that hackers and terrorists worldwide–in addition to businesses–have been using the technology.
Currently, individuals and companies use encryption to transact business and keep messages or copyrighted works secure online. But laws restricting the use of encryption could become a reality if it’s proven that these technologies do more harm than good. In the wake of the attacks, lawmakers such as Sen. Judd Gregg (R-NH), once again called for restrictions on the use and availability of strong encryption products. Gregg even called for a global “new regime” that would grant law enforcement access to private keys citizens use to secure information. Although Gregg has since retracted his statement, officials are still calling for some restriction. But that might be easier said than done.
“You can’t effectively eliminate steganography,” says Dorothy Denning, professor of computer science at Georgetown University in Washington, D.C. “You don’t even need software to use it. For example, on the Taliban site, terrorists could have a guy in a picture raise his hand to relay a message.”
Steganography is not a new phenomenon. Herodotus, the ancient Greek historian, for example, told of a messenger who shaved his head and then had a secret message imprinted on his scalp. Once his hair grew, he traveled to deliver the message.
According to searchSecurity.com, a site for security professionals, in modern digital steganography, data is first encrypted by the usual means and then inserted into redundant (that is, provided but unnecessary) data that is part of a file format such as a JPEG image. By applying the encrypted data to this redundant data in a random way, the result will be data that appears to have the “noise” patterns of regular, nonencrypted data.
Artists, such as painters, musicians, and writers, have been using it for years to protect their work online. For example, steganography is often used to place a watermark on a copyrighted digital file. Companies such as Digimarc (www.digimarc.com) sell a plug-in for use with many of the popular image-editing applications, including Adobe’s PhotoShop, Ulead’s PhotoImpact, and Corel’s PhotoPaint.
“Steganography is still going to be available to the average user,” adds Rasmussen. “It’s very difficult, if not impossible, to control.”
Find the tools
Numerous developers and programmers have created software to detect steganography and to hide information. Stegdetect and Stegbreak, developed by Niels Provos (free source code