Every week, possibly every day, it appears that there is a new article about steganography (obviously there is a least one new one today)
- Stego is out there, but its being missed!
- Terrorist are exchanging pictures with messages in them!
- Peadophiles are hiding child abuse pictures in adult porn!
So the story goes .
The stories on stegonography generally come in two forms: Scare stories and technical documents
The Scare Stories
Scare stories from the press. These are stories from every major news organsiation, talking about the “issue” of information hiding. Exmaples include
- BBC – Bin Laden Terror Probe
- ABC – Hijackers and Stegongaphy
- BBC – Terror Code Breakthrough
- CNN – Bin Laden and Stego
- Fox “News” – Terror Threat, steganography, etc
- The Times – Child Porn, Terrorism, AND steganography (they managed to cram it all in one story)
There are lots of technical documents on Steganogaphy as well, they include:
- Documents explaining how files are encrypted and then hidden.
- Document explaining how to break Steganography
- Documents discussing about how to detect Steganography
Most of these documents are well written, intelligent, and interesting. Nearly all are published by, or hint at, a vendor of stego tools.
The mass of press articles, both in the technical and mainstream media, combined with the technical reports, creates a belief that steganography is here, is being used, and is a real problem. In one of Chet Hosmer’s articles on DFI news he states that:
The risk and threat posed by steganography has been argued vigorously for over a decade. Whether you believe that this elusive cyber threat poses an imminent danger, or has been effectively utilized to conceal incriminating information, covertly communicate between operatives, or is utilized to exfiltrate vital information
Chet Hosmer writes very well, and clearly knows more about stegongraphy than this author will ever know, and Wetstone (his company) produce some fantastic products. But, in this article he does not mention another part of the argument about steganography – some commentators and researchers believe that stego is not a problem.
It is too often assumed that steganography is a problem. But is it?
The other side of the argument
Are criminals and ne‘r–do–wels using steganography? Are police coming aross cases with steganography?
It appears not.
There is no reported case about the police, or any law enforcement genuinely finding steganography in a live enviroment [If somebody can provide information to this site, relating to live cases of steganography then this article will be re-written].
The fantastic site, British and Irish Legal Information Insitute, a database of UK cases does not have a single case reporting steganography.
BBC, CNN, and ABC have lots of stories about steganography, but not a single genuine story could be found relating to arrests of individuals using steganograph, let alone convictions. Similar searches were done across the internet, and no substantiated case of steganography being used, in a live criminal enviroment, could be found.
The argument will be that its because its not been found.
But cryptography is found in cases, and this can effectively hide information from forensic tools. Sadly in some forensics labs, data is often processed through an almost conveyor belt of forensics, using keyword searches, pre-defined hash sets and scripts, simply for economic purposes. Despite this high volume/low cost approach to computer forensics cryptography is still detected. But steganography is not. Is it because its not there?
Is absence of evidence, evidence of absence?
Other, more intelligent people than this author, have looked at the issue of steganography, and they get the same results as me using Google. Nothing.
- Millions of pictures from ebay were searched for Steganography, by researcher Niels Provos, at the University of Michigan. None where found.
- Research looking for steganography stumbled upon a normal PC, during normal use of the internet has been conducted, and no steganography was found.
- The Register conducted a search of several hundred Gulf War images. Nothing conclusive was found
In fact, the FBI have gone a step further. It was reported that “Before now, the FBI has complained that the perpetrators of the 11 September attacks did little to hide their electronic tracks.”
i.e. in the most famous, most dramatic, of terrorist attacks ever exectued, the people involved in were too lazy to use encryption, let alone cryptography.
Perhaps the stego detections tools are not sensative enough? Unfortunately they are overly sensative, with anything between a 2% and 10% false positive rate (but a 0% false negative rate; from testing known files)
What do we know?
Steganography is interesting. Its cool. Its geeky. It also makes money and there are lots of PR articles on it. Finding a confirmed confirmed cases of steganography being used is difficult, and research into steganography implies that its not common out there.
Is steganography used? Probably. But how often. 1 in 6 billion people? 1 in 1 billion? 1 in 100 million? And out of these people how many are criminals? We don’t know, but what we do know is that it doesn’t appear common.
Related article: Steganography and Electronic Discovery