In today’s digital world, steganography, from the Greek for “covered writing,” has become a popular form of encryption. Traditional ciphers give themselves away because they appear to be gibberish, and anyone who intercepts them will at least have reason to suspect the sender’s motives. But steganography hides the message inside an ordinary-looking object such as a digitized photo or sound file. It is “visible” only to someone who knows it’s there. Thus, photo agencies use it to create digital “watermarks” for their pictures. The U.S. Customs Service has warned that some Web sites use it to mask pornographic images. And now, many federal investigators believe, some of the terrorists used it to coordinate their attacks on New York and Washington. “Since I’m in the [computer-] security field and therefore a paranoid sort,” says Neil F. Johnson, a steganography specialist at George Mason University in northern Virginia, “I’d expect it to have been used.”
Digital images are good vehicles for steganography. All images contain redundant data: information as to color, for example, that is present but unnecessary for the picture to be seen and understood. This enables the senders of a secret message to substitute digitized text for some of the redundant pixels in a photo, for example. Or it could be a verbal message; when transmitting information, computers treat sound, image and text files all the same. They are all parts of bitstreams.
The senders can then post the result on a public Web site, with only the intended recipients knowing of its existence. A message about which California-bound plane to board in Boston could, for example, be inserted into a picture of a football game at Ohio State. Who would suspect?
The technology will appeal to terrorists because it’s both low cost and relatively easy to use. “You don’t have to be sophisticated,” says Johnson, “and there are tools readily available on the Internet. It’s just download and run.” Browsing any of the well-known download sites like CNET.com will turn up a number of “stego” files for less than $50. The well-reviewed program called Cloak is shareware priced at $30.
The U.S. government is worried enough about terrorists’ use of steganography to have commissioned research on countermeasures. Under contract from the Air Force, for example, WetStone Technologies in Corning, N.Y., is developing algorithms for detecting the existence of embedded messages in digital files. Another, though more primitive, method is to monitor closely Internet images that might match a terrorist’s interests, such as photos of the White House or the New York Stock Exchange. Some steganographic compression techniques, for example, produce noticeable shifts in the color palette. “All existing stego tools and technologies require some modification of the medium,” says Johnson. “The changes made may create anomalies.” Just as if the ancient runner’s hair had grown back white instead of black.
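The anomalies Johnson mentions can be measured. The Python example below is added here for illustration and is not from the article or from WetStone's work: it applies the pairs-of-values chi-square test published by Westfeld and Pfitzmann to constructed pixel data, before and after message bits replace the least significant bits. The sample histogram, the random payload standing in for encrypted text, and the 2.0 threshold are all assumptions.

```python
import random
from collections import Counter

def pov_ratio(pixels):
    """Pairs-of-values chi-square statistic divided by its degrees of freedom.
    LSB replacement with random-looking bits evens out the counts of each pair
    (2k, 2k+1), pulling the ratio toward 1; a cover whose neighbouring values
    have unequal counts sits well above that."""
    hist = Counter(pixels)
    stat, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b >= 10:  # skip sparsely populated pairs
            stat += (a - b) ** 2 / (a + b)
            dof += 1
    return stat / dof if dof else float("inf")

def looks_embedded(pixels, threshold=2.0):
    # threshold is an assumption picked for this demo, not a calibrated value
    return pov_ratio(pixels) < threshold

def make_cover(rng):
    """Constructed 8-bit sample data: neighbouring values have unequal counts."""
    pixels = [v for v in range(256) for _ in range(40 + (v * 37) % 61)]
    rng.shuffle(pixels)
    return pixels

def embed_lsb(pixels, bits):
    """Overwrite least significant bits in order, the substitution described above."""
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def demo():
    rng = random.Random(2001)
    cover = make_cover(rng)
    payload = [rng.getrandbits(1) for _ in cover]  # constructed stand-in for encrypted text
    full = embed_lsb(cover, payload)
    half = embed_lsb(cover, payload[: len(cover) // 2])
    mid = len(half) // 2
    return {"cover": pov_ratio(cover), "full": pov_ratio(full),
            "half_prefix": pov_ratio(half[:mid]), "half_tail": pov_ratio(half[mid:])}

if __name__ == "__main__":
    for name, ratio in demo().items():
        print(f"{name:12s} ratio={ratio:6.2f}")
```

Comparing `half_prefix` with `half_tail` shows how running the test over successive parts of a file also indicates roughly where an embedded message ends.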