The idea is fairly simple – an enemy confronted with an encrypted message can see there is a code to break. With steganography, the enemy (ideally) doesn’t know the coded message is being transmitted at all.
In the digital world the most common form of steganography is embedding information in media files. Media files are rather large, so a little data padding isn’t as noticeable. They are also created with layers of information, which allows other data to be embedded into one layer and kept obscured behind the preceding layers – kind of like slipping a tiny, extra piece of cheese into a Dagwood sandwich.
Sound and video files are also commonly used – and Word, PDF and other common document formats can all be manipulated to conceal additional, hidden data. I’m not going to get into a technical breakdown of how steganography works, but I will include some links at the end of this article if you are curious and want to read up on it. Fascinating stuff, but I am on the brevity train here.
You know all those jokes about pornography being found on jihadi computers? Some of those pictures are not like the others. Terrorists have been using digital steganography to pass information about their operations for years.
In 2007, the jihadi magazine “Technical Mujahid” contained six articles designed to train internet recruits in terrorist operations and OpSec. The first article, authored by Abi Musab al-Jazayri (“the Algerian”), is titled “Section 1: Covert Communications and Hiding Secrets Inside Images,” and includes detailed instructions on using steganography to exchange messages. This issue of “Technical Mujahid” was heavily analyzed when it came out, and as noted by The Jamestown Foundation’s review:
“Al-Jazayri appears to be an expert on the subject judging from the details he included such as image pixels, mathematical equations to prevent distortions in pictures used to hide data and the disadvantages of encryption software available on the market like Ezstego, S-Tools and Hide and Seek, which can all be easily deciphered using hexadecimal editors.”
So back to the porn, right? In 2011 a member of al Qaeda was arrested in Berlin. Hidden in his underwear, he had a storage device and a bunch of memory cards. Buried in that data was a porn video titled “KickAss” — and a file marked “Sexy Tanja.” The investigators went to work on cracking the passwords to the files and analyzing the data.
It took them weeks, but when they finally did get in, they discovered hidden in the porn video hundreds of al Qaeda documents – training manuals for jihadis in PDF, detailed future plots and instructions, including ship seizures and plans for a Lashkar-e-Taiba Mumbai massacre style operation.
It was an unbelievably huge intelligence haul – all hidden in a video. The original article on this case from Zeit Online is still available, but in German, here: In ihren eigenen Worten.
The Intelligence Community is well aware of the increasing technical sophistication of terrorist organizations and their ability to pass encoded messages and instructions among their adherents. And, of course, terrorists know their information is being tracked and analyzed.
Highly aware of the reality that their internal communications have been infiltrated by intelligence agents, the terrorists have adapted, as they do, and evidence shows they are utilizing third parties (i.e. mules) to convey hidden information. Whether or not the third parties are aware of their participation in transmitting terrorist communiqués is up for debate.
Ken Buckler, a Senior Cyber Security expert at a major defense firm, began analyzing images distributed by members of Anonymous via social media. He focused in particular on a very popular Anonymous Twitter account – @YourAnonNews – that has over 100,000 Twitter followers and is a prolific source of news items regarding the activities of Anonymous.
Buckler (@CaffSec on Twitter) applied steganalysis techniques to examine 51 images recently distributed by the @YourAnonNews Twitter account, and his analysis yielded two positive hits for altered/hidden data and two files generating error messages. Buckler used several steganalysis programs to detect the additional data in the images, and was able to do so because the original image was available elsewhere on the internet – which allowed him to compare the Anonymous-distributed image file size to the size of the originals.
Suggestions that the image had been cropped, and that the cropping explained the data discrepancy, were taken into account. Buckler retested the images by cropping the originals and comparing the results, and was able to rule out cropping as an explanation for the additional data in the images. An article detailing his analysis of these images is published on Buckler’s blog “Caffeine Security.”
What do the images contain? That remains a mystery as Buckler is unable to crack the password to the contents. However, one of the Anonymous distributed images contains 26% more data than the original image file. Something is there.
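The checks behind the findings above (a distributed copy larger than the known original, files that make tools throw errors, data parked in a layer the viewer never renders) can be scripted for PNG files without any steganography tooling. The Python program below is an added example, not code from the original post or from Buckler’s analysis: it builds a small constructed PNG in memory, appends a constructed payload to stand in for an altered copy, and then reports what a size-only comparison cannot show on its own: bytes trailing the IEND chunk, chunks whose CRC no longer matches (the kind of damage that produces error messages), and the size of every ancillary chunk. The 5% size threshold, the function names and the sample image are my own assumptions.

```python
import struct
import zlib
from typing import NamedTuple, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}   # every other chunk type is ancillary
SIZE_THRESHOLD = 0.05   # assumed: flag copies more than 5% larger than the reference


class Chunk(NamedTuple):
    ctype: bytes
    length: int
    crc_ok: bool


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2, extra: bytes = b"") -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed test image, solid red).
    `extra` is raw chunk data inserted before IEND, used to model a large ancillary chunk."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline followed by the RGB pixels of that row
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw))
            + extra + png_chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunks, bytes_after_IEND, truncated)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while True:
        if pos + 12 > len(data):
            return chunks, 0, True            # ran out of bytes before reaching IEND
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return chunks, 0, True            # chunk header claims more bytes than exist
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        chunks.append(Chunk(ctype, length, crc == zlib.crc32(ctype + body) & 0xFFFFFFFF))
        pos = end
        if ctype == b"IEND":
            return chunks, len(data) - pos, False   # anything after IEND is not image data


def analyze(suspect: bytes, reference: Optional[bytes] = None) -> dict:
    """Steganalysis report for one PNG, optionally compared against a known-clean original."""
    chunks, trailing, truncated = parse_png(suspect)
    report = {
        "chunks": chunks,
        "trailing_bytes": trailing,
        "truncated": truncated,
        "bad_crc": [c.ctype for c in chunks if not c.crc_ok],
        "ancillary": [(c.ctype, c.length) for c in chunks if c.ctype not in CRITICAL],
        "size_increase": None,
    }
    if reference is not None:
        report["size_increase"] = (len(suspect) - len(reference)) / len(reference)
    report["suspicious"] = bool(
        trailing or truncated or report["bad_crc"]
        or (report["size_increase"] or 0.0) > SIZE_THRESHOLD
    )
    return report


if __name__ == "__main__":
    original = make_png()
    payload = b"CONSTRUCTED-PAYLOAD-" * 8           # 160 constructed bytes standing in for hidden data
    altered = original + payload
    for name, img in (("original", original), ("altered copy", altered)):
        r = analyze(img, original)
        print(f"{name}: {len(img)} bytes, trailing={r['trailing_bytes']}, "
              f"size_increase={r['size_increase']:.0%}, suspicious={r['suspicious']}")
```

Run it against a real pair by reading the distributed file and the original into `analyze(suspect, reference)`; a non-zero `trailing_bytes` or a failed CRC is a concrete finding, whereas `size_increase` alone only says that something differs, which is exactly why the cropping explanation had to be tested separately. A large ancillary chunk is not proof of anything on its own (tEXt and iCCP chunks are normal), but it tells you which layer to look at in a hex editor.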
Anonymous has blatantly supported terrorist organizations such as Hamas, and is currently suspected of knowingly renting out botnets to known terror organizations to facilitate their online operations. For more on that, see this blog post by the Jester, “Anonymous/Qassam Pay-Per-Minute DDoS.”
The flawed model of Anonymous – anyone can join, so anyone does – leaves Anonymous as a loose collective with a variety of “cells” instead of a structured hierarchy, and that loose collection of cells has a wide range of agendas. The conflicts between ideologies held by various Anonymous members or cells bubble up frequently – the left hand doesn’t always know what the right hand is doing.
And with Anonymous, the left hand and the right hand don’t really know who each other are in the real world.
As an unorganized organization, Anonymous is an incubator for exploitation by outside groups with their own agendas and need for some unwitting dupes to spread the word. As Ken Buckler put it:
“While their public support of terrorist organizations is being dismissed with “anyone can claim to be Anonymous” their blind distribution of encrypted files containing information from outside entities may not even be known to the inner-most circles of the organization.”
For terrorists, Anonymous is an invitation to join a loosely affiliated group of people who don’t know who each other are, most often don’t care to find out, and share a love for attacking governments and civilian targets with little to no concern for collateral damage. Kismet.
- Hide and Seek: An introduction to steganography
- Black Hat Paper: An introduction to more advanced steganography
- SANS Report Steganography and Steganalysis: An Overview
(Featured Image Courtesy: edwardtufte.com)