Secret codes 'not hidden in Web images'

A study of more than two million images downloaded from eBay auctions appears to show little evidence that terrorists -- or indeed anybody else -- is using the images to hide encoded messages.

The study, by Niels Provos and Peter Honeyman at the University of Michigan, was carried out in response to reports that terrorists are using steganography to hide their communications in images on Internet sites such as Amazon and eBay.

The researchers analysed the images to look for evidence of a type of encryption called steganography, which refers to the practice of hiding the existence of a message. If an image on eBay did have a message encoded into it, it would be indistinguishable to the casual observer from the original image. The weakness of such systems, say the researchers, is that they rely on the secrecy of the encoding system.

"Once the encoding system is known, the steganographic system is defeated," they say in their paper: Detecting Steganographic Content on the Internet.

Provost and Honeyman wrote a program called Crawl to search eBay for images to download, and it retrieved more than two million images ranging between 20KB and 400KB in size. Images smaller than 20KB are considered too small to hide steganographic content reliably. They then used a cluster of 60 computers to search the images for evidence of content hidden using three common steganographic encoders: JSteg, JPHide and OutGuess.

Statistical analysis can be used to reveal whether an image is likely to have been modified by steganography, say the researchers, and they used a program called Stegdetect to sift through the images looking for evidence.

Of the two million images downloaded by Crawl, the researchers found 17,000 images that at first sight appeared to have steganographic content. But statistical analysis alone cannot be used to prove that a particular image contains steganographic content; it can only indicate a likelihood that it does.

To prove that steganographic content had been hidden within these images, the researchers used their network of computers to mount a distributed dictionary attack, which they assert should have been successful in at least a few cases, citing research showing that 25 percent of all passwords are vulnerable to such attacks. The dictionary attacks were, however, unsuccessful.

The researchers offered three possibilities for their failure to confirm a single piece of steganographic content in a single image. First, that there is no significant use of steganography on the Internet; second, that nobody uses any of the steganographic systems that they checked for; and third, that all users of steganographic systems carefully choose passwords that are not susceptible to password attacks.

Both the latter two answers were dismissed by Provos and Honeymoon. Even if there were images containing steganographic content, said the researchers, it is inconceivable that at least some were not encoded using common programs. Similarly, they found it inconceivable that every image could have been encoded using a strong password.

"The most likely explanation is that there is no use of steganography on the Internet," say the researchers in conclusion. However, the researchers now plan to widen their search from eBay to include content from USENET image groups.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.