
Don't let your site help terrorism

Thanks to steganography, your Web site may be hosting covert messages from terrorists and criminals. Here's how to avoid helping the enemy.
Written by Wayne Rash, Contributor
"Just think of it as hiding in plain sight," explained my friend. "They embed information into what appears to be innocent material." My friend was describing how terrorists and other international criminals use publicly available Web sites to transmit images and other digital information around the world with little chance of detection. He said it's widely believed that terrorists, including Osama bin Laden, as well as drug and weapons smugglers, routinely use a means of hiding digital information within such things as JPEG images or MP3 files. The process, known as steganography, sends hidden communications, and is almost impossible to detect by means available to most businesses.

In steganography, altered files are placed on unsuspecting Web sites, where they're retrieved by others. The hidden material can include documents, images, video clips, or anything else that you might otherwise send as a binary file. According to my friend (who works for one of those three-letter agencies in the Washington, DC area), it's not uncommon for the sender of such a message to use an existing JPEG image on an existing Web site, alter the image by inserting the additional binary information, and then replace it on the Web site. The people running the Web site will have no idea that their site is now carrying this illegal information.

The only problem with this approach, my friend notes, is that most 72-dot-per-inch Web images aren't big enough for much of a payload. But that's not the case in other areas of a Web site, where high-resolution images are made available for download. In many business sites, this type of material might appear in the product information and press information pages. He also suggested that with many Web sites, it's really not a problem to simply place an image or even an encrypted file on a site, and have it there long enough for it to be retrieved before anyone else even notices, much less becomes suspicious.

There are, of course, obvious business repercussions for your company if your Web site is chosen by terrorists or criminals to host such information. Just imagine how you'd explain to your board or your stockholders how your data center managed to get seized by the FBI. Then there are the liability issues. For example, you could be liable if you were negligent in not protecting your Web site against unauthorized use--including storing unauthorized content that caused someone harm. Beyond that, there's the moral issue of supplying the means by which other people were injured or killed, when you have a way to prevent it. Do you really want to find out after a disaster that the critical diagrams used to make it happen reside on your Web site?

But even if criminals or terrorists never use your site--and the odds are very great that they won't--do you really want your site vulnerable to other steganographic uses? For example, perhaps one of your employees decides to share your trade secrets with your competition in return for a nice bonus. The means to alter binary files are widely available as freeware and shareware on the Internet. Encoding and decoding the information, if you know it's there, isn't hard. All that's needed is a convenient place to drop off and pick up the info--such as your Web site.

Preventing such abuse of your Web site isn't necessarily all that hard, but it does require close attention to security. You must make it impossible to alter the material on your Web site, except by trusted employees. Information that changes may need to come from somewhere else. For example, another friend was running a site that was constantly being attacked by overseas hackers. He discovered that he stopped having problems when he started storing his Web site on CD-ROM, and using a SQL database to deliver dynamic data. It was impossible to alter the Web site, but all that was required for updates was to burn another CD--a fast and inexpensive process.

Of course, you also need to take other basic precautions. Make sure you know what files are in the directories available to your Web server. That way, if someone places an unauthorized file on your site, you'll know. And you need to invest in some reasonably robust form of intrusion detection, along with the layers of authentication you already use. And, of course, you'll need to make sure you use a Web server and operating system that are consistently secure, or at least keep your Web server's security updates current.

All this requires that you pay close attention to your Web server, and to the information it contains. Because it's difficult or impossible to tell whether the information on the server is covertly carrying another message, the best approach is to make sure you eliminate that chance at the outset. Know what's on the server, where it came from, and keep anyone from adding to it. Just basic security, but it requires you to actually do it. Maybe the images of terrorism will help with the motivation.
