By Dan Berrett
Pocono Record Writer
November 25, 2007
EAST STROUDSBURG During rush hour on a Tuesday night in July 2006,
terrorists set off seven bombs in a coordinated attack on commuter
trains outside Mumbai, India, that killed more than 200 people and
wounded some 700 others.
Thousands of miles away, at East Stroudsburg University, computer
science graduate students are trying to foil future terrorists and
criminals from using a tool that may have masked the plotters'
communications with each other.
Authorities have suspected that the Mumbai bombers engaged in a
technique called steganography, according to news reports from India. It
would have disguised their plans, maps, photographs and bomb-making
instructions within common and seemingly innocent digital images that
they exchanged over the Web.
Steganography is most often deployed legitimately to watermark digital
images so that they will not be duplicated illegally. But some say the
technique's tracks have been glimpsed in shadier terrain in the
trafficking of child pornography, in identity theft, stealing
intellectual property and trading insider information.
"This is brand new stuff," said Paul Schembari, director of the computer
security program at ESU, which is one of 85 in the nation to be
certified by the National Security Agency and the U.S. Department of
Homeland Security. "It's out there and being used by bad guys."
Steganography, which translates roughly as "covered writing," has
existed as a concept since antiquity. Ancient Greeks tattooed messages
on the shaved scalps of their slaves who traveled long distances during
which their hair grew and obscured the message to deliver them. The
intended recipient then re-shaved the head of the messenger to read the
In later centuries, as technology advanced, the practice was typified by
less arduous methods invisible ink or microdots, which are shrunken
images or text.
In today's digital world, steganography has taken a form that is both
simpler and more inscrutable. Illicit data can be saved within JPEG
images attached to an e-mail message, or even on popular Web sites that
are rich with visual files, such as eBay or Flickr.
In a computer lab at ESU, Schembari demonstrated how steganography
works. He projected two images next to each other on a screen. Each
depicted seemingly identical lake landscapes.
But they differed imperceptibly. The digital code underpinning the
shading of each pixel in one of the images varied by one number a subtle
sign that people may have been using it to disguise information.
Academics have yet to establish much of a research trail on the subject.
Only about 10 scholarly papers on it exist, Schembari said.
"We knew this problem was new and unsolved," he said. "And that's what
His graduate students, Adam Engle and Michael Moynihan III, are hoping
to add something substantial to the body of knowledge on the subject as
they carry out their master's theses.
The subject's obscurity and the challenges it poses appealed to
Moynihan, 24, of East Stroudsburg. "They're hard problems," he said.
He is looking to develop a method that reveals the use of steganography
in still images. Once he has refined his method, he will test it on a
sea of images, some that contain hidden data, and others that do not.
When his method finds the disguised data 95 percent of the time without
falsely turning them up where they don't exist called false-positives he
will have something he can use.
"This is cutting-edge research," Moynihan said. "The whole
problem-solving gets me going."
Engle, 23, who is from West Virginia, is exploring more uncharted
territory. He is devising code to reveal the use of steganography in
video, which projects images at a rate of 30 frames per second.
"There aren't a lot of methods out there for video steganography," he
To improve his odds, Engle's tool will analyze sets of five frames at a
time to compare any changes in code between them.
Engle hopes to parlay his experience at ESU to the types of jobs other
alumni of the program have found; he wants to work for the FBI or
Lockheed Martin, the defense contractor. "I just want to do something
that's cutting edge," he said.
To some cyber security experts, steganography is so cutting edge some
say impractical that it is unclear how much of a threat it truly poses.
"There are lots and lots of tools," said Bruce Schneier, a security
technologist, founder of the communications firm BT Counterpane, and
author of "Beyond Fear: Thinking Sensibly about Security in an Uncertain
Calling steganography a "minor tactic," Schneier said terrorists can
more easily use other tools: the phone, radio, cryptography or, as has
already been demonstrated, simply saving drafts of messages on free
Web-based e-mail services, but not sending them across the Internet,
thus making them unlikely to be spotted.
"Steganography seems like a dumb tool of choice," Schneier said. "It
doesn't make any sense."
Those on either side of the issue agree that little hard evidence of
steganography has yet been found in crimes, except for the sordid case
of the Shadowz Brotherhood, a ring of child pornographers who used the
technique to exchange images of babies and young children being abused.
Police broke the ring in 2002, arresting 50 people in ten countries
across Europe and in the United States and Canada.
Those who fear that steganography is widespread worry that its lack of
demonstrated use is giving people a false sense of security.
"I fervently believe there is much more evidence of criminal activity
being concealed through the use of digital steganography than anyone
knows. And no one really knows because no one is looking for it. It's a
classic paradox," said Jim Wingate, director of the Steganography
Analysis and Research Center and a vice president at Backbone Security
in West Virginia. The company has roots at ESU; it grew out of the
school's small business accelerator.
The U.S. Department of Justice has taken the threat seriously enough
that it has given $1 million to ESU and its partners at Rider and Drexel
universities to better anticipate how steganography might be used and to
fight other cyber crimes.
Still, Wingate finds himself countering charges from critics in security
and law enforcement that steganography is too sophisticated for most
criminals to master.
"It couldn't be further from the truth. You can do a Google search and
the applications are out there easy to share, easy to download, easy to
use," he said. "It's a serious threat, but the threat perception is
extraordinarily low, and that's a dangerous situation in terms of
national security and homeland security."
Visit InfoSec News