© SANS Institute 2001, Author retains full rights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.An Analysis of Terrorist Groups’ Potential Use of Electronic Steganography SANS Security Essentials GSEC Practical Assignment Version 1.3 Stephen Lau February 18, 2003 Abstract The events of September 11th, 2001 have irrevocably altered the landscape of computer security. In the aftermath of these events, various urban legends and rumors have developed surrounding terrorists’ online activities. One such topic has been in the alleged use of electronic steganography, a method to covertly hide messages within another, by terrorist groups. This paper provides an overview of steganography, its historical use during times of war, and how modern day electronic steganography can be accomplished. An overview is provided of current techniques to detect steganography on the Internet, which have so far failed to uncover any evidence of steganography on the Internet, and possible future avenues of research in detecting online steganography using techniques similar to the Federal Bureau of Investigation’s Carnivore system. The paper concludes with examples of the dangers of unsubstantiated steganography claims and privacy considerations in detecting online electronic steganography. Introduction The tragic events of September 11th, 2001 have caused a major reevaluation of security procedures within the United States. Overnight, seemingly normal events have become suspect. Potential terrorists and terrorist activity lurk in every aspect of United States life and culture. Although much of this increased awareness for security and of potentially suspicious activity is most likely an adverse short-term reaction to the September 11th events, it is obvious that many changes that have been set in motion since that date will be permanent. Fundamental changes in the approach to security both online and in real life are underway and will forever change our perceptions of both real life security and computer security. Online criminal activity such as distributed denial of service attacks, web page defacements, cracker intrusions, are now perceived in a different light, especially by the mainstream American public. Long dismissed as being the online equivalent of teenage delinquency, they are now viewed as potential terrorist activity. An anti-terrorism bill, “USA Patriot Act”[24] recently enacted within the United States lists computer crimes such as web defacement and denial of service attacks as potential terrorist activity and subject to far more punitive damages than in the past. Government organizations, educational institutions and corporations are reviewing and removing or limiting access to information available on the Internet that can potentially be used for terrorist activity. The capability of the Internet as a means of mass instant communication has helped to spread news and, unfortunately, rumors far and wide quite quickly. Instant urban legends appear almost daily. Not wanting to miss out on potential news stories, some of these© SANS Institute 2001, Author retains full rights Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.rumors have been picked up by the United States mainstream media, giving it more “credibility” in the eyes of a large majority of the American public. This has lead to a confusing mix of both information and disinformation. Have you heard the story of the man who “surfed” the debris down from the 86th floor of the World Trade Center? A false story reported on many mainstream media sources.[25] How about the school kid in New York City who looked out the window in his classroom a week before September 11th and told his teachers that they wouldn’t be there next week? Strangely enough, this “urban legend” was actually true. [26][1][1] For computer security professionals and law enforcement dedicated toward online activities, how does this affect our professions and how can we determine what is “true” and what is not? With limited resources available to combat potential terrorist threats, it is essential now more than ever that these limited resources be applied efficiently and effectively. News stories began appearing in mainstream United States media in the days following September 11th reporting that Osama bin Laden and the al-Qaeda were using the Internet to covertly communicate between various terrorist cells to plan and relay information. Although news of the potential for the Internet to be used for terrorist activity has been percolating in the ocean of online criminal activity even before September 11th, [11][9] recent events have brought this potential to the forefront of attention. [8][3][22] One interesting aspect of the media reports was that the al-Qaeda were supposedly using a technique known as steganography to covertly communicate.[22] Assuming that terrorists are using the Internet to covertly communicate, several questions arise. Is it possible to determine if there is actually covert communications occurring? What type of techniques could they be using? Are the rumors that covert communications actually true? Background Steganography is, in broad terms, embedding covert communications within seemingly innocuous communications. Only persons who have knowledge of the embedded information and possess a “key” will be able to decode and view the information. This key can take many forms. It can range from a passphrase for electronic steganography to an understanding of a method to decode the information. Unlike other forms of information hiding such as encryption, where both parties encrypt the information and transfer a cipher, steganography aims to prevent a third party from realizing that any covert communication has taken place. Steganography exploits communications that appear innocuous to a casual observer, using it as a cover medium to hide the underlying message. Clearly it is obvious that such a form of communication can be of interest to terrorist
View Full Document
Unlocking...