A Blog by Jonathan Low

 

Nov 19, 2015

How the Islamic State Teaches Tech Savvy Detection Evasion AND Why Weakening Encryption May Do Little To Stop Terrorism

The terrorist attacks in Paris have reopened the debate about whether tech companies are optimally protecting their customers through encryption or actually making them more vulnerable by giving terrorists communications cover.

The following post consists of two articles which explain that western civilization's current adversaries have learned the lessons of the digital age: they are knowledgeable, resourceful - and adaptive, suggesting that there are no easy solutions to the need for security. JL

Margaret Coker and colleagues report in the Wall Street Journal plus Annie Sneed reports in Scientific American:

What we've learned is that these terrorists are very adaptable and they will find ways to communicate no matter what you do. If the government gets backdoor access to iMessage, terrorists will just switch to something else.
Wall Street Journal: Terror groups have for years waged a technical battle with Western intelligence services that have sought to constrain them through a web of electronic surveillance.
The Paris attacks, apparently planned under the noses of French and Belgian authorities, raise the possibility that Islamic State adherents have found ways around the dragnet.
French authorities say two of the attackers knew each other in prison, but it isn’t clear how the group communicated in plotting and coordinating the Friday attacks. Intelligence services have monitored communications from one terror suspect, Belgian Islamist Abdelhamid Abaaoud, between Syria and alleged associates in Belgium and Morocco.
Low-tech methods exist for communicating off law enforcement’s radar including passing written notes or relaying messages through friends or relatives.
But law-enforcement agencies also have long warned that encrypted platforms built for gaming or other commercial purposes to safeguard privacy are being used by would-be terrorists to communicate.
Islamic State, for its part, has built a tech-savvy division of commanders who issue tutorials to sympathizers about the most secure and least expensive ways of communicating.
The bloodshed in Paris will likely exacerbate a tense debate between governments that want inside access to those encrypted tools and tech companies that say they are trying to protect customer data and are wary of government overreach.
Mike Morell, the former deputy director of the Central Intelligence Agency, said terrorists’ ability to use encrypted communication is a huge problem.
“I think this is going to open an entire new debate about security versus privacy,” he told CBS television on Sunday.
Two top U.S. intelligence officials, CIA Director John Brennan and Robert Cardillo, director of the National Geospatial Intelligence Agency, said Monday that terror groups have “gone to school” on U.S. spying practices and learned ways to evade detection. Mr. Brennan blasted efforts to curb surveillance while Mr. Cardillo said agencies needed to adapt and find new ways to gather intelligence.
For more than a year, governments in Europe have pushed for companies such as Google, Facebook and Twitter to build “back doors” that allow law enforcement access into their encrypted tools.
Tech companies and security experts have resisted that push, which gained steam in Europe following the January attacks in Paris against the satirical magazine Charlie Hebdo.
Security experts say inserting back doors would weaken the encryption and undermine trust in the Internet.
Islamic State is among the most technologically sophisticated extremist groups. Its advice to followers includes an eight-minute video released last year in Arabic that discusses the surveillance capabilities of hostile governments and how phones can be tracked. Bulletins also include advice about brands of electronic equipment that appear vulnerable.
In January, a follower known online as al-Khabir al-Taqni, who identifies himself as a “technical expert,” provided would-be fighters with a list of what he determined were the safest encrypted communications systems available.
“Through this, we can break one of the strongest weapons of the Crusader governments in spying on and tracking the mujahedeen and targeting them with aircraft,” the author said, referring to the U.S.-led coalition fighting Islamic State.
The missive, authenticated by the SITE Intelligence Group which monitors and tracks radical groups online, ranked 33 applications as unsafe, moderately safe, safe, and safest.
Soon after the list was published, Islamic State started moving official communications from Twitter to Telegram Messenger, which received the second-highest safety rating from the Islamic State tech team.
That included the group’s claim of responsibility for the Paris attacks as well as the Oct. 31 Russian airline crash in Egypt.
Islamic State also has urged its followers to make use of the app’s capability to host encrypted group chats.
A spokesman for Telegram didn’t respond to requests to comment. Pavel Durov, the app’s founder who also created the Russian social network VKontakte, criticized recent calls by the Russian government to ban Telegram.
“I propose we ban words,” Mr. Durov wrote in a sarcastic VKontakte post. “There is information that terrorists use them to communicate.”
U.K. prosecutors convicted a British teen this year in part because police had access to his Telegram chats.
The boy, inspired by Islamic State, admitted to communicating with an Australian teenager and encouraging him to attack ceremonies commemorating military veterans.
He was convicted on one terrorism charge. Police and prosecutors have declined to comment about how they accessed those communications.
Telegram was among the first apps that explicitly catered to privacy enthusiasts in the wake of reports in 2013 alleging widespread surveillance by U.S. intelligence. A similar U.S.-based app called Wickr received the highest safety recommendation in the Islamic State tech guide. Wickr didn’t respond to a request to comment.
European law-enforcement officials have also expressed concern about gaming consoles, which also allow players to communicate with each other via the Internet.
Belgium’s Interior Minister Jan Jambon told a conference in Brussels last week that Sony Corp.’s PlayStation was a concern, calling it one of the most difficult platforms for governments to intercept.
He didn’t say whether Belgium has investigations that include monitoring of gamers or game consoles. A spokeswoman in Brussels didn’t return calls seeking comment.
In May, an Austrian court convicted a 14-year-old boy of downloading bomb-making instructions onto his PlayStation console, according to local media reports.
It is unclear whether governments have approached Sony for access to customer data. Sony said in a statement it works with local authorities as appropriate. “We take our responsibilities to protect our users extremely seriously and we urge our users and partners to report activities that may be offensive, suspicious or illegal. When we identify or are notified of such conduct, we are committed to taking appropriate actions in conjunction with the appropriate authorities,” it said.

Scientific American:
In the aftermath of last Friday’s terrorist attacks in Paris, U.S. government officials have reignited the debate over encryption and government surveillance. They argue that encryption is a huge problem in the fight against the Islamic State in Iraq and Syria (ISIS), and that tech companies should create “backdoor” access to encrypted information for the government—something that big tech companies including Apple, Google and Facebook fiercely oppose. Yet despite speculation, we still do not know whether encryption played any role in the Paris attacks—and even if it did, security analysts say, granting the government access to encrypted data will not make it much easier to track terrorists.
The fight over surveillance and encryption is not new, but the Paris attacks have energized arguments in favor of government access. California Sen. Dianne Feinstein (D) told MSNBC on Monday that ISIS has “apps to communicate on that cannot be pierced, even with a court order.” She added, “Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way—to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner—that’s a big problem.”
CIA Director John Brennan voiced similar concerns about encryption at a global security forum on Monday. When a reporter asked why intelligence agencies “didn’t even catch a whiff” of the planned attacks, Brennan responded, “There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it.”
Brennan and other officials are mainly concerned with end-to-end encryption, which prevents anyone except the user from accessing personal data; not even the tech companies that provide encryption can unscramble the information and hand it over to governments. Messaging apps like Facebook’s WhatsApp, Apple’s iMessage, Telegram, Wickr and others use end-to-end encryption, and it is those types of services that officials say are helping ISIS keep their communications hidden from intelligence agencies. That is why officials argue tech companies need to build backdoors that will let governments in when they need critical information and have obtained a court order.
But many security analysts doubt this reasoning. Yes, encryption makes investigations more difficult for intelligence agencies, they say. But the problem with giving the government backdoor access to a major platform like WhatsApp is that bad actors will just use other platforms instead. “Encryption is just math, and there are dozens of open-source encryption packages. There’s no way you could stop it,” says Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, “Law enforcement is talking about easy encryption apps that you download from the app store. What we've learned from terrorists is that they will go to great lengths to encrypt and even hide their communications in code. They're not completely dependent on these easy-use apps that people are talking about.”
Although some officials make it sound as if encryption renders intelligence work impossible, agencies can still gather critical information from messages they cannot read directly. Security experts point out that it is possible to access metadata with end-to-end encryption, and this tells you who someone is talking to, the date and time of the communication and some other information. In other words, encryption does not leave governments entirely in the dark. FBI Director James Comey has acknowledged this but has said that metadata is not enough. “Metadata doesn’t provide the content of any communication,” Comey has stated, “It’s incomplete information, and even this is difficult to access when time is of the essence.”
Even if governments have access to encrypted information, security analysts say that would not necessarily be enough to stop a terrorist attack. There is so much information—and so many false alarms—it is like searching for a needle in a haystack to predict what is going to happen. “After the fact, it’s really easy to claim you should have connected the dots,” Schneier says. “Before the fact, there are two million dots, and you don't see it coming.”
After a tragedy like the attacks in Paris, people rightly want to know why no one saw it coming. Encryption is an easy scapegoat, but experts say the public should know that installing backdoors in encryption software is not a good solution. “I think there's this magical view that you can have FBI or NSA [National Security Agency] listen to people's communication and this is going to stop terrorist attacks,” Green says, “What we've learned is that these terrorists are very adaptable and they will find ways to communicate no matter what you do.”
Backdoor access for governments has a huge downside, too, security analysts say: It also gives hackers, criminals and other governments easy access to everyone’s private information. More people might be comfortable with this trade-off in the wake of the Paris attacks but there are many who say it is still not worth it. “Encryption is so important for our security and backdoors are so detrimental. I think it would be a disaster to our security to allow that kind of access,” Schneier says, “Are we really that stupid? We might be, because we're scared. That's the problem.”
