Al-Qaeda uses steganography - documents hidden in porn videos found on memory stick

Maqsood Lodin, a 22-year-old Austrian, is on trial in Germany. It now emerges that when stopped and questioned by Berlin police almost exactly one year ago (16 May 2011, after traveling to Berlin from Pakistan via Hungary) he was found to have a memory stick hidden in his underpants. The memory stick contained two porn videos; but the porn videos were hiding around 100 documents believed to include al-Qaeda training manuals and operational details.

The basis for most of the current reports is CNN, which in turn draws on an article in Die Zeit. The Die Zeit article is not currently online. However, the article's author, investigative journalist Yassin Musharbash, has published an English-language summary of his findings on his own blog. He discusses some of the details found in the recovered documents and whether they are genuine, including how effective western intelligence has been in disrupting al-Qaeda operations, how suspected operatives should draw attention away from active plotters, and how concerned the leadership had become at the failure to deliver new attacks. The documents of most interest, he says, are “Lessons learned from past operations – Reports on three past operations (7/7 London; 21/7 London (sic!); Airliner Plot) – a sketch for a terror campaign in the West.”

The current reports are all concerned with the politics of the situation. Sadly, no details are given on the technology: how were the files hidden; were they encrypted as well as hidden; how were they discovered and extracted? We have to surmise. Infosecurity asked RandomStorm’s security researcher Robin Wood to explain the concepts and methods behind steganography. “It can take many forms,” he said, “from simply hiding the information in clear text (that is, unencrypted) in unused portions of a host file, to encrypting the data and then actually modifying the contents of the host file.” The reports do not say which approach was used here; the latter, more complicated one seems likely, but that is an assumption on our part. How would it work?

“For storing in images,” says Wood, “what you can do is to encode the data in the least significant bit of a range of pixels. What you end up with is a slightly different image; but as it is the least significant bit, the color is changed so insignificantly that a viewer won't notice. Exactly the same can be done with video, changing areas where humans won't notice the almost insignificant change. And as video is a much denser file format – sound, image, transitions etc – there is much more capacity to hide the data.”
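The LSB scheme Wood describes, written out as an added example. This is not code from the article, from Wood, or from the case described, and it makes no claim about the tool actually used. It treats the cover as a flat buffer of 8-bit samples (the RGB bytes of a decoded bitmap); a real image would first be decoded with an imaging library, which the example avoids so it runs stand-alone. The 4-byte length header, the 64x64 gradient cover and the payload string are all this example's own constructions.

```python
"""Least-significant-bit (LSB) steganography over a buffer of 8-bit samples.

Added example: not code from the article, from Robin Wood, or from the case
described. The cover is a flat bytearray of samples (the RGB bytes of a
decoded bitmap); a real image would be decoded with an imaging library first.
The 4-byte length header is this example's own convention, not a standard.
"""
import struct

HEADER_LEN = 4  # payload-length prefix, big-endian uint32 (example's own convention)


def lsb_capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the length header."""
    return len(cover) // 8 - HEADER_LEN


def lsb_embed(cover: bytes, payload: bytes) -> bytearray:
    """Return a copy of cover with length||payload written into the LSB of each sample."""
    if len(payload) > lsb_capacity(cover):
        raise ValueError(f"payload too large: {len(payload)} > {lsb_capacity(cover)} bytes")
    stego = bytearray(cover)
    data = struct.pack(">I", len(payload)) + payload
    bit_index = 0
    for byte in data:
        for shift in range(7, -1, -1):  # MSB first within each payload byte
            bit = (byte >> shift) & 1
            stego[bit_index] = (stego[bit_index] & 0xFE) | bit  # clear LSB, then set it
            bit_index += 1
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header from the LSBs, then that many payload bytes."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start_bit + i * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, HEADER_LEN))
    if length > lsb_capacity(stego):
        # A cover with no embedded header yields an implausible length; refuse it.
        raise ValueError("length header exceeds capacity: no LSB payload, or wrong cover")
    return read_bytes(HEADER_LEN * 8, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding never changes a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 RGB gradient, 12288 samples, standing in for a real bitmap.
COVER = bytes((x * 5 + y * 3 + c * 40) & 0xFF
              for x in range(64) for y in range(64) for c in range(3))
PAYLOAD = b"training manual, page 1: meet at the usual place"  # constructed payload

if __name__ == "__main__":
    stego = lsb_embed(COVER, PAYLOAD)
    print("capacity (bytes):", lsb_capacity(COVER))
    print("max per-sample change:", max_sample_change(COVER, stego))
    print("recovered:", lsb_extract(stego))
```

Two practical caveats follow from the code. Because only the lowest bit of each sample is touched, the scheme depends on a lossless container (BMP, PNG, raw frames): saving the result as JPEG, or transcoding a video with a lossy codec, rewrites the sample values and destroys the payload. And a plain-text payload leaves a statistically visible footprint in the LSB plane, which is why practitioners encrypt before embedding so that the hidden bits look like noise even to someone who extracts them.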

It would seem, however, that steganography is not too difficult to detect once it is suspected. “Retrieving the data depends on how it was hidden,” Wood told Infosecurity. “Most file formats have a recognizable footprint, so using tools which can look for that footprint in other files you can easily pull out data which has just been added to an unused portion.” In this simple form, steganography is closer to obfuscation than to real security: it hides the existence of the data, but once the host file is suspected the data can be recovered with nothing more than a file-signature scan. However, added Wood, “If the data has been encrypted and mixed in with the host data then it is harder – but there are other tools that use various techniques to spot content.” The distinction matters: such tools may reveal that something is hidden, but if the payload was encrypted with a sound cipher and a strong key, detecting it does not by itself reveal its contents.
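The "footprint" check Wood describes, as an added example that is not from the article, from Wood, or from the investigation. Rather than simply grepping for magic numbers (which would also match a JPEG's own header), it walks the PNG chunk list and the JPEG marker structure to find where each container declares it ends, then scans only the bytes after that point for well-known file signatures. The signature table is a small illustrative set, and the sample files (a valid 1x1 PNG, a skeletal JPEG, each with a payload glued on the end) are constructed inline so the script runs offline.

```python
"""Detecting data appended past a container's declared end-of-file marker.

Added example, not from the article or the case. It parses PNG chunks and JPEG
markers to find the real end of the container, then scans the trailer for known
signatures. Sample files are constructed inline (labelled below).
"""
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Magic numbers worth flagging in a trailer: a small, illustrative set.
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x1f\x8b\x08": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"Rar!\x1a\x07": "rar",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpeg",
}


def png_end(data: bytes):
    """Offset just past the IEND chunk, or None if data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # length + type + payload + crc
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end(data: bytes):
    """Offset just past the EOI marker (FF D9), or None if not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:
            # Entropy-coded data follows SOS: skip until an FF that is neither a
            # stuffed 0x00 nor a restart marker (FF D0..D7).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def scan_signatures(blob: bytes, start: int = 0):
    """All (offset, type) hits of known magic numbers at or after start, sorted."""
    hits = []
    for sig, name in SIGNATURES.items():
        off = blob.find(sig, start)
        while off != -1:
            hits.append((off, name))
            off = blob.find(sig, off + 1)
    return sorted(hits)


def analyze(data: bytes) -> dict:
    """Report the container type, its declared end, and signatures found after it."""
    for name, finder in (("png", png_end), ("jpeg", jpeg_end)):
        end = finder(data)
        if end is not None:
            return {"container": name, "declared_end": end,
                    "trailing_bytes": len(data) - end,
                    "signatures_found": scan_signatures(data, end)}
    return {"container": "unknown", "declared_end": None,
            "trailing_bytes": None, "signatures_found": scan_signatures(data)}


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (len(payload).to_bytes(4, "big") + ctype + payload
            + zlib.crc32(ctype + payload).to_bytes(4, "big"))


# Constructed 1x1 RGB PNG with valid chunk structure and CRCs.
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", b"\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00")
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
             + _png_chunk(b"IEND", b""))
# Constructed skeletal JPEG: SOI, APP0, SOS with a stuffed FF 00 in the scan data, EOI.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\x78"
              + b"\xff\xd9")
# Constructed payloads glued on the end: a zip local-file header, and a PDF.
APPENDED_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"manual.txt" + b"hidden text"
APPENDED_PDF = b"%PDF-1.4\n%constructed payload\n"
STEGO_PNG = CLEAN_PNG + APPENDED_ZIP
STEGO_JPEG = CLEAN_JPEG + APPENDED_PDF

if __name__ == "__main__":
    for label, sample in (("clean png", CLEAN_PNG), ("png+zip", STEGO_PNG), ("jpeg+pdf", STEGO_JPEG)):
        print(label, analyze(sample))
```

Parsing the container rather than searching for its end marker matters for JPEG in particular: an EXIF thumbnail is itself a complete JPEG with its own FF D9, so the first occurrence of that byte pair is not reliably the end of the file, and a trailer that is itself a JPEG means the last occurrence is not either. This scan only catches the simplest "appended" hiding; LSB-mixed payloads leave the container's structure intact and need statistical tests instead.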
