While their public support of terrorist organizations is being dismissed with "anyone can claim to be Anonymous," their blind distribution of encrypted files containing information from outside entities may not even be known to the innermost circles of the organization.
What encrypted files? One of the most common means of distributing Anonymous-related information is through social media, especially through the distribution of image files. Little known to many outside the security field is that images can be used to hide information through a process called steganography. For those not familiar with the topic, here is an excellent whitepaper on how steganography works as well as how to detect it. I have started using the StegDetect program from Outguess.org and have found some interesting results.
I recently started analyzing several images being re-posted by the Twitter handle @YourAnonNews. Out of 51 images analyzed I found two images which returned "positive" as having embedded data, as well as two additional images which generated errors during analysis (possibly obfuscated?).
The first picture with a positive hit was an internet meme of the TV show "Game of Thrones".
The picture was re-posted by @YourAnonNews here: https://twitter.com/i/#!/YourAnonNews/media/slideshow?url=http%3A%2F%2Ftwitpic.com%2Fbqiggl
However the image originated from @57UN here: http://twitpic.com/bqiggl
Below is the image re-posted by @YourAnonNews
[Image: Picture re-posted by @YourAnonNews]
[Image: Similar meme picture]
Similarities between the two pictures:
Both are of the same content - with only a slight variation (text at the bottom)
Both are 72 dpi resolution
Both are 24-bit color depth
There are also some interesting differences between the two pictures.
The "Gym" picture is 600x461 pixels while the "Sandy" picture is 600x460 (Gym is one pixel taller)
The "Gym" picture is 69,919 bytes while the "Sandy" picture is 51,416 bytes (26% difference)
Error Level Analysis (ELA) using FotoForensics produces some interesting results.
[Image: ELA - @YourAnonNews reposted image]
[Image: ELA - "Sandy" image]
So the question remains - is there something embedded inside this image? I believe so. Unfortunately all of my attempts to crack the password failed. Whatever secret this image holds we may never know. But I believe it definitely holds a secret.
UPDATE 1:
It was suggested in the comments below that this is simply a result of resizing or cropping the image. As such I cropped both images as suggested...and this provided some rather interesting results.
[Image: Suspect steganography image "Gym" cropped]
[Image: ELA of cropped "Gym" image]
More interesting is that StegDetect now throws an error instead of a negative/positive hit for steganography: "error: Quantization table 0x01 was not defined"
[Image: Image "Sandy" cropped]
[Image: ELA of image "Sandy" cropped]
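The StegDetect message quoted above uses the wording of libjpeg's "no quantization table" error, which is raised when a frame component selects a quantization table id that no DQT segment has defined. As an added example (not part of the original post and not StegDetect's code), this Python code walks a JPEG's header segments and reports such unresolved selectors; the function names and the sample header bytes are constructed for illustration.

```python
import struct

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))      # markers with no length field
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}             # frame headers (not DHT/JPG/DAC)

def quant_table_report(data: bytes) -> dict:
    """Walk header segments up to the first scan and compare the quantization
    table ids defined by DQT with the ids each frame component selects."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    defined, referenced, pos = set(), {}, 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xDB:                # DQT: may carry several tables
            i = 0
            while i < len(body):
                precision, table_id = body[i] >> 4, body[i] & 0x0F
                defined.add(table_id)
                i += 1 + 64 * (2 if precision else 1)
        elif marker in SOF:               # per component: id, sampling, table selector
            for c in range(body[5]):
                comp_id, _sampling, selector = body[6 + 3 * c:9 + 3 * c]
                referenced[comp_id] = selector
        elif marker == 0xDA:              # SOS: first scan starts, header walk ends
            break
        pos += 2 + length
    missing = sorted(set(referenced.values()) - defined)
    return {"defined": sorted(defined), "referenced": referenced, "missing": missing}

def _seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

def constructed_header(table_ids) -> bytes:
    """Constructed sample: a 3-component baseline header defining only table_ids."""
    dqt = b"".join(bytes([t]) + bytes([16]) * 64 for t in table_ids)
    sof = struct.pack(">BHHB", 8, 461, 600, 3) + bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])
    sos = bytes([3, 1, 0x00, 2, 0x11, 3, 0x11, 0, 63, 0])
    return b"\xff\xd8" + _seg(0xDB, dqt) + _seg(0xC0, sof) + _seg(0xDA, sos)

if __name__ == "__main__":
    print(quant_table_report(constructed_header([0])))     # chroma table 1 undefined
    print(quant_table_report(constructed_header([0, 1])))  # all selectors resolved
```

A non-empty `missing` list means the decoder cannot dequantize that component, which is a structural problem in the file and is independent of whether anything is embedded in it.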
Related Reading:
Al-Qaeda uses steganography - documents hidden in porn videos found on memory stick - http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden-in-porn-videos-found-on-memory-stick/
Hidden Pictures: Steganography, Al-Qaeda and Anonymous - http://sofrep.com/15858/hidden-pictures-steganography-al-qaeda-anonymous/
Okay.. but you have to know that tons of people have used and re-used this photo so the text gets erased every time.
Kim - exactly why I found the closest match to the original image as I could - to confirm the detection wasn't a false positive.
Also - when you modify without resizing an image which has Steganography inside it - you will corrupt the embedded file.
If you resize the image - the image is completely re-sampled by the photo editor and the embedded file is completely erased.
I don't mean to be "that guy", but I feel it's necessary to note that first you must prove there is a message. Then once that has been proven there still isn't enough to say that the message has anything to do with terrorists at all. The title of this article seems VERY premature.
Brandon - I agree 100% that we need to prove there's a message. That's why I've published this...in hopes that someone out there can crack the steganography and reveal the contents.
The only reason I brought up the possibility of terrorist messages being contained within the file is that the signs have been out there that Anonymous is being manipulated by outside entities including Hamas.
I felt that the fact that this image has multiple "indicators" of embedded content was worth enough to post.
You'll notice I said I had two positive hits - the second hit I did not post because I'm unable to find any indicators outside of StegDetect that the image has embedded content. This is because I have no "baseline" image for comparison...unlike the meme image above.
Ben - Thanks for the suggestion.
I just tried cropping the image - and upon doing so StegDetect now returns the following error instead of saying the file contains imbedded data:
"error: Quantization table 0x01 was not defined"
That's actually pretty interesting. This would possibly explain the errors I'm receiving with two other suspect files.
As for the ELA of the images...
The ELA of the suspect "Gym" image doesn't change much when cropping:
http://fotoforensics.com/analysis.php?id=d410702b1b58ab1847c1997beecba66873d5472c.68090
The ELA of the "Sandy" image does change slightly...but not nearly as significantly as the "Gym" image:
http://fotoforensics.com/analysis.php?id=6f335aa0b46e9796ff9d750cd3f23ee19ea71fbe.67962
I believe this may reinforce my theory that ELA does detect steganography images.
I've updated my post above to reflect this new data.