Schneier on Security
A blog covering security and security technology.
August 15, 2005
Terrorists, Steganography, and False Alarms
Remember all those stories about the terrorists hiding messages in television broadcasts? They were all false alarms:
The first sign that something was amiss came a few days before Christmas Eve 2003. The US department of homeland security raised the national terror alert level to "high risk". The move triggered a ripple of concern throughout the airline industry and nearly 30 flights were grounded, including long hauls between Paris and Los Angeles and subsequently London and Washington.
But in recent weeks, US officials have made a startling admission: the key intelligence that prompted the security alert was seriously flawed. CIA analysts believed they had detected hidden terrorist messages in al-Jazeera television broadcasts that identified flights and buildings as targets. In fact, what they had seen were the equivalent of faces in clouds - random patterns all too easily over-interpreted.
It's a signal-to-noise issue. If you look at enough noise, you're going to find apparent signal just by random chance: scan enough hours of broadcast for enough candidate patterns and some of them will match. Only signal that rises above what chance alone would produce is worth acting on.
And the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning. It makes no sense to communicate with terrorist cells this way, given the wide variety of more efficient anonymous communications channels.
I first wrote about this in September of 2001.
Posted on August 15, 2005 at 11:03 AM
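The signal-to-noise point above, worked through in code. This is an added example, not part of Schneier's post or of any real analysis: it scans a constructed stream of uniformly random digits (standing in for the "broadcast") for a handful of hypothetical 3-digit "flight numbers", compares the number of hits against what chance alone predicts, and then repeats the scan on a stream that really does carry a planted, repeated pattern, to show what "rising above chance" looks like. All names, patterns and parameters are assumptions made for the illustration.

```python
"""Added example (not part of Schneier's post or of any real analysis):
a pattern hunt over pure noise, to put numbers on "if you look at enough
noise, you will find signal by random chance".

Everything here is constructed: the "broadcast" is a stream of uniformly
random decimal digits and the analyst is scanning it for a few 3-digit
"flight numbers". Names and parameters are hypothetical.
"""
import math
import random

PATTERNS = ("123", "456", "789", "321", "901")   # constructed "targets"
STREAM_LEN = 100_000                              # digits of "broadcast"
ALPHABET = 10                                     # decimal digits


def random_digit_stream(length: int, seed: int) -> str:
    """Uniform random digits: noise with no message in it."""
    rng = random.Random(seed)
    return "".join(rng.choice("0123456789") for _ in range(length))


def count_hits(stream: str, patterns) -> int:
    """Count every (overlapping) occurrence of every pattern in the stream."""
    total = 0
    for p in patterns:
        start = 0
        while (i := stream.find(p, start)) >= 0:
            total += 1
            start = i + 1          # step by one so overlapping hits count too
    return total


def expected_chance_hits(stream_len: int, patterns, alphabet: int) -> float:
    """How many hits uniform noise yields on average: each window of
    length k matches a given pattern with probability alphabet**-k, and
    there are (stream_len - k + 1) windows per pattern."""
    total = 0.0
    for p in patterns:
        k = len(p)
        total += (stream_len - k + 1) * alphabet ** -k
    return total


def poisson_tail(k: int, mu: float) -> float:
    """P[X >= k] for X ~ Poisson(mu): the chance that noise alone produces
    at least k hits. Summed in log space so a large mu does not overflow."""
    if k <= 0:
        return 1.0
    if mu <= 0:
        return 0.0
    cdf = sum(math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1)) for i in range(k))
    return max(0.0, 1.0 - cdf)


def hunt(stream: str, patterns=PATTERNS, alphabet: int = ALPHABET) -> dict:
    """Run the pattern hunt and report whether the hit count rises above
    what chance alone explains."""
    hits = count_hits(stream, patterns)
    expected = expected_chance_hits(len(stream), patterns, alphabet)
    return {"hits": hits, "expected": expected, "p_value": poisson_tail(hits, expected)}


def plant(stream: str, pattern: str, count: int, seed: int) -> str:
    """Overwrite `count` non-overlapping windows with `pattern`: a stream that
    really does carry a repeated signal on top of the noise."""
    rng = random.Random(seed)
    k = len(pattern)
    slots = rng.sample(range(0, len(stream) - k, k), count)  # k-aligned: no overlap
    buf = list(stream)
    for pos in slots:
        buf[pos:pos + k] = pattern
    return "".join(buf)


def noise_hunt(seed: int = 42) -> dict:
    """Scan pure noise: hits land near `expected` and the p-value is unremarkable."""
    return hunt(random_digit_stream(STREAM_LEN, seed))


def planted_hunt(seed: int = 42, planted: int = 200) -> dict:
    """Scan noise with 200 real copies of one pattern: the excess over
    `expected` is what 'rising above chance' looks like."""
    stream = plant(random_digit_stream(STREAM_LEN, seed), PATTERNS[0], planted, seed + 1)
    return hunt(stream)


if __name__ == "__main__":
    for label, result in (("noise", noise_hunt()), ("planted", planted_hunt())):
        print(f"{label:8s} hits={result['hits']:4d} "
              f"expected={result['expected']:.1f} p={result['p_value']:.2e}")
```

With five 3-digit patterns over 100,000 digits, chance alone predicts about 500 hits, so the noise run produces hundreds of "flight numbers" and a p-value that says nothing is going on. The planted run adds a couple of hundred real copies, and the Poisson tail collapses to a vanishingly small number. The practical lesson for detection work is the same as the post's: a raw hit count is meaningless until it is compared against the volume of noise that was searched.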
I guess if you put enough monkeys in a room with typewriters, one of them will type out coded messages to Al-Qaeda.
The first sign t_h_at something was am_i_ss came a few _d_ays before Christmas Eve 2003. The US _d_epartm_e_nt of homela_n_d security raised the national terror alert level to "high risk". The _m_ove trigg_e_red a ripple of concern throughout the airline industry and nearly 30 flight_s_ were grounded, including long haul_s_ between Paris _a_nd Los An_g_eles and subs_e_quently London and Washington.
When writing another "I told you so!" blog entry about government ineptitude, it helps to *not* post a link to a previous writing of your own where you, in effect, prove the exact opposite of what you claim to have said before. To wit:
"It doesn't surprise me that terrorists are using this trick. The very aspects of steganography that make it unsuitable for normal corporate use make it ideally suited for terrorist use. Most importantly, it can be used in an electronic dead drop."
Or maybe you're counting on the echo chamber to not bother reading what you wrote the first time? Or perhaps there is a stego message in your original post that I'm just totally missing here.
9-01: "Steganography is good way for terrorist cells to communicate, allowing communication without any group knowing the identity of the other."
8-05: "And the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning."
It's cool if you've totally changed your mind and all, but please elaborate. This makes you sound pretty much like you're just criticizing whatever $GOVERNMENT is doing right now and saying they should do something different.
At the expense of not taking the easy way and joining in the bashing of Bruce Schneier, it's nice to see that the gub'mint (tm) is at least willing to look at this "security" thing properly and at least own up when a mistake is made instead of lying about it. It shows they are trying to grow up.
I don't see any contradiction in what I wrote then and what I wrote now. In both essays, I thought that the easiest way for terrorists to communicate anonymously is to post hidden messages on alt.inconspicuous.boring (although I said that more explicitly in 2001 than I did in the last sentence above).
What is ludicrous is the notion of terrorists embedding hidden messages in al Jazeera broadcasts, something I would have found equally ludicrous in 2001.
Like everything else in security, this is not a black and white issue. Anonymous "dead drop" communications are vital in both espionage and terrorist cells. And there's a right way and a wrong way to go about it. Hiding messages in television broadcasts is the wrong way.
Trust me, I wouldn't have posted a link if I expected people not to read it.
I remember the controversy over an alleged hidden message in a Beatles song to the effect that Paul McCartney was dead. Thank goodness the Department of Homeland Security didn't exist and have jurisdiction over that.
Bruce, I think the perceived contradiction lies in the old crypto-gram piece which says that steganography (as a technique) is a good choice, and the current blog entry which says "the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning." Out of context, there is contradiction. In context, your recent comment may/should/could/must be implied to apply to television broadcasts.
It's funny, because nobody seems to link these two facts:
1. The very first mention of steganography use by terrorists was in a USA Today article by journalist Jack Kelley on February 5th, 2001 (which, Bruce, you mentioned in your own 2001 article). This journalist wrote an even more precise article in the same newspaper on July 10th, 2001 (claiming that eBay pictures are used).
2. Jack Kelley was fired from USA Today in 2004 because he faked most of his stories.
There was a famous incident in WWII when the Times crossword for the day before D-Day had some of the codewords ("Overlord" if I recall) in it; caused quite a scare at the time.
Interestingly, the idea of posting to an alt.boring group is simply the modern equivalent of a dead drop, which is an age-old tradecraft technique.
I don't think there's any sensible way of sending detailed information out hidden in broadcast media, without some sort of codebook. Though radio broadcasts have been used as trigger signals.
In WW2 there was a fear that record dedications might be doing stuff like signalling convoy departures to German U-boats off the US coast, and the government imposed rules to spoil such things as timing significance.
And the BBC, famously, was broadcasting coded instructions to the Resistance movements in German-occupied Europe. Sometimes just a coded confirmation of something local already set up by other means; sometimes a message to everyone.
Les sanglots longs des violons de l'automne
Bercent mon coeur d'une langueur monotone.
[The long sobs of the violins of autumn / Lull my heart with a monotonous languor.]
The Germans apparently knew that was the warning to the Resistance that the invasion was coming, but it didn't tell them where.
How could anyone expect to get any more information than that about a planned terrorist attack, however the message was broadcast?
And knowing even that much about the meaning depends on getting other intelligence. It isn't hard to guess the methods the Germans might have used, but where are the recent prisoners, the penetrated cells, and the double agents of this war?
I feel that it's worth pointing out that the KGB and GRU used steganography to hide messages for illegals in the UK in radio transmissions from Radio Moscow and other stations. If I remember correctly they developed and built several huge megawatt-class radio transmitters for the express purpose of being able to transmit across all of Western Europe.
It worked then for the KGB - the illegals receiving the messages were notoriously difficult to track down. The beauty of steganography of course is that it's a completely passive technique on the part of the intended recipient.
It also worked very well for various resistance groups in Europe during World War 2.
As far as I can see, the only reason that Al-Jazeera may be a bad choice for Islamist terrorists is that they're a known mouthpiece for these sort of groups and are thus more likely to be carefully watched. Otherwise, I see no disadvantage to it.
True, using an anonymous internet cafe to view various web pages, chat rooms etc. would be equally easy in most western countries and would also provide two-way communication. However, this then requires some action by the terrorist cell that negates the passive advantage of watching TV.
Hiding a steg in a TV broadcast doesn't make as much sense as hiding it in an image. Radio transmission of a file degrades the signal and introduces noise. You must "have your ears on" or at least a VCR turned on to capture the degraded signal in real time; an image uploaded to, say, eBay can be downloaded and analyzed at leisure with no loss of signal quality. The most critical enemy-encrypted messages tend to be very short (e.g., Pearl Harbor and "east wind, rain"); one is unlikely to discover a looooong encrypted manual for obtaining yellowcake in Niger, refining it into weapons-grade uranium in Iran, assembling a nuke in Saudi Arabia, then smuggling it into San Francisco Bay on a pleasure yacht.
I don't honestly believe there have been *any* instances of terrorists using steg to hide messages to their followers - but while on the subject - what do those here think of the statistical analysis performed here:
As far as I know, the plans for doing something bad are first delivered personally and multiple plans are delivered to multiple parties. Each one has a different agenda that covers a generic action (bomb this, bomb that, cause a scene at a certain place, etc.) and they are each given a special keyword embedded in a certain picture. By using random pictures and random embedded words, nobody knows what the key word or action is except the bad guys. Even the bad guys don't know who the other bad guys are or what their plans are. Basically you are creating your own "static" and messing up the good guys. The good guys don't know if or when something is going to happen, or even if something is going to happen at all. During the cold war there was always traffic going about with most of it being about nothing. After the cold war the "noise" didn't even slack off. You don't want the other guy to know when you had nothing planned.
To clarify, when I posted about the KGB & GRU hiding messages in radio transmissions, I wasn't speaking of a code to be decoded, I was speaking of good old-fashioned code phrases. It's very easy to read out a couple of pages of text that are ostensibly about a completely mundane subject, but in fact contain a heap of coded phrases, each of which means something to a different illegal agent.
The benefits of operational security you mentioned are also absolutely true. Forgot to mention that...
"Bruce, I think the perceived contradiction lies in the old crypto-gram piece which says that steganography (as a technique) is a good choice, and the current blog entry which says 'the whole notion of terrorists using steganography to embed secret messages was ludicrous from the beginning.' Out of context, there is contradiction. In context, your recent comment may/should/could/must be implied to apply to television broadcasts."
That makes sense. I should have qualified that quote in the blog post, making it clear that I was talking about broadcast television.
I think it's personally for terrorists, and spies, to hide messages in boring corners of the Internet (Usenet in particular).
Have you read Leo Marks' book "Between Silk and Cyanide"? He was in charge of SOE crypto and he also composed crosswords for the national daily newspapers.
I don't know if he composed that particular crossword but he might well have done; he most definitely would have known about Overlord from his position within SOE...
Just to tie up the loose ends, it looks like if the NSA (or other tea-leaf-watching group) is seeing patterns in al-Jazeera, they should warn whoever is in charge of preventing terrorism in Saudi Arabia, because that is where to expect such attacks. The point is that presumably you could watch al-Jazeera in Saudi without suspicion (alt.sex.pictures could get you beheaded)*. In the West, there are plenty of better means to distribute such data.
* Saudi tolerance of al-Jazeera and intolerance for porn used for rhetorical purposes, reality may vary.
W.r.t. the revelation of Overlord code words in Daily Telegraph crossword puzzles in May and June, 1944, I have--entirely by coincidence--just read "The Secret of D-Day" by Gilles Perrault, translated from the French by Len Ortzen (Little, Brown and Company, 1965). It says,
"39 hours before D-Day.
"Two British counterespionage agents call at Leonard Dawe's house in Leatherhead, Surrey. He and his friend Melville Jones are the compilers of the Daily Telegraph crossword puzzles. ...
"... a total of five important code words involved in the invasion have appeared in the Daily Telegraph in less than a month. A strange coincidence, say the two spy-hunters. An extraordinary coincidence, agrees Leonard Dawe. But he easily proves his innocence: he composes and sends off the puzzles months in advance. It was only by a fantastic trick of chance that all the suspect clues appeared in such a brief space of time."
Other opportunities for revelation of the location of the Allied invasion included a set of planning documents which a sergeant working in Eisenhower's headquarters absent-mindedly mailed to his sister in Chicago. He did a poor job of wrapping the package, and it came open in a Chicago post office. One morning in May, a window of the War Office in London blew open and twelve copies of a report summarizing Overlord were whisked out into the street. Another complete plan of Overlord was left in a briefcase in a railway compartment.
I heartily recommend Leo Marks' book "Between Silk and Cyanide". It is eminently readable.
Mr. Marks was involved with British code-making, and thus not officially privy to the knowledge that the Allies had cracked Enigma. His knowledge of that came about this way. During preparations for D-Day, he was involved with getting the word to workers in France that destruction of telephone lines and switching centres was a top priority. Why oh why, he wondered, should that be? Then, like a light coming on, he knew the answer!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.