Entries Tagged "al Qaeda"

Page 1 of 7

Research into the Root Causes of Terrorism

Interesting article in Science discussing field research on how people are radicalized to become terrorists.

The potential for research that can overcome existing constraints can be seen in recent advances in understanding violent extremism and, partly, in interdiction and prevention. Most notable is waning interest in simplistic root-cause explanations of why individuals become violent extremists (e.g., poverty, lack of education, marginalization, foreign occupation, and religious fervor), which cannot accommodate the richness and diversity of situations that breed terrorism or support meaningful interventions. A more tractable line of inquiry is how people actually become involved in terror networks (e.g., how they radicalize and are recruited, move to action, or come to abandon cause and comrades).

Reports from the The Soufan Group, International Center for the Study of Radicalisation (King’s College London), and the Combating Terrorism Center (U.S. Military Academy) indicate that approximately three-fourths of those who join the Islamic State or al-Qaeda do so in groups. These groups often involve preexisting social networks and typically cluster in particular towns and neighborhoods.. This suggests that much recruitment does not need direct personal appeals by organization agents or individual exposure to social media (which would entail a more dispersed recruitment pattern). Fieldwork is needed to identify the specific conditions under which these processes play out. Natural growth models of terrorist networks then might be based on an epidemiology of radical ideas in host social networks rather than built in the abstract then fitted to data and would allow for a public health, rather than strictly criminal, approach to violent extremism.

Such considerations have implications for countering terrorist recruitment. The present USG focus is on “counternarratives,” intended as alternative to the “ideologies” held to motivate terrorists. This strategy treats ideas as disembodied from the human conditions in which they are embedded and given life as animators of social groups. In their stead, research and policy might better focus on personalized “counterengagement,” addressing and harnessing the fellowship, passion, and purpose of people within specific social contexts, as ISIS and al-Qaeda often do. This focus stands in sharp contrast to reliance on negative mass messaging and sting operations to dissuade young people in doubt through entrapment and punishment (the most common practice used in U.S. law enforcement) rather than through positive persuasion and channeling into productive life paths. At the very least, we need field research in communities that is capable of capturing evidence to reveal which strategies are working, failing, or backfiring.

Posted on February 15, 2017 at 6:31 AMView Comments

Analysis of Yemeni Cell Phone Metadata

This research shows the power of cell phone metadata. From an article by the author:

Yemen has experienced an array of violent incidents and political turmoil in recent years, ranging from al Qaeda militant attacks to drone strikes, Arab Spring protests, and now Saudi Arabian air strikes. Call patterns can capture political or violent activities as they unravel in real time. For instance, there was a significant increase in the number of local calls following a nighttime drone strike on Friday, October 14, 2011, in Shabwa Province, which killed Ibrahim alBanna, media chief of al Qaeda in the Arabian Peninsula, along with eight others. Several additional drone strikes are detectable through significant spikes in local call volume at the time of attack, including a May 5, 2011, strike in Jahwa that killed two brothers affiliated with al Qaeda. A May 10, 2012, attack that killed eight al Qaeda militants in Jaar and a May 25, 2010, attack in Wadi Abida that killed two militants and four to six civilians.

Because call data records are geolocated, researchers can also examine them to assess users’ mobility. This can be a very useful tool to detect protests and other events that entail notable mobilization. On Friday, June 3, 2011, for example, the day President Ali Abdullah Saleh was attacked at the presidential palace in connection with the Yemeni Arab Spring, the number of people near the palace spiked around the time of the incident. Several other protest events linked to the Yemeni Arab Spring are captured by high levels of user mobility, including the string of Friday protests during 2011 when protesters would gather at Sanaa University Square and government supporters would stage their counterrallies at Sanaa’s Tahrir Square.

From an interview:

So for instance, if you are interested in larger political patterns, such as who shows at a demonstration, or who takes a leadership role in a demonstration…by having this data, you know what he’s like. You know where he lives. You know who he calls and who his friends are. You know if he’s Shia or Sunni, depending on what holidays he makes calls. You know if he’s rich or poor depending on how much phone credit he uses.

Posted on March 13, 2016 at 6:32 AMView Comments

More about the NSA's XKEYSCORE

I’ve been reading through the 48 classified documents about the NSA’s XKEYSCORE system released by the Intercept last week. From the article:

The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.

These servers store “full-take data” at the collection sites—meaning that they captured all of the traffic collected—and, as of 2009, stored content for 3 to 5 days and metadata for 30 to 45 days. NSA documents indicate that tens of billions of records are stored in its database. “It is a fully distributed processing and query system that runs on machines around the world,” an NSA briefing on XKEYSCORE says. “At field sites, XKEYSCORE can run on multiple computers that gives it the ability to scale in both processing power and storage.”

There seems to be no access controls at all restricting how analysts can use XKEYSCORE. Standing queries—called “workflows”—and new fingerprints have an approval process, presumably for load issues, but individual queries are not approved beforehand but may be audited after the fact. These are things which are supposed to be low latency, and you can’t have an approval process for low latency analyst queries. Since a query can get at the recorded raw data, a single query is effectively a retrospective wiretap.

All this means that the Intercept is correct when it writes:

These facts bolster one of Snowden’s most controversial statements, made in his first video interview published by The Guardian on June 9, 2013. “I, sitting at my desk,” said Snowden, could “wiretap anyone, from you or your accountant, to a federal judge to even the president, if I had a personal email.”

You’ll only get the data if it’s in the NSA’s databases, but if it is there you’ll get it.

Honestly, there’s not much in these documents that’s a surprise to anyone who studied the 2013 XKEYSCORE leaks and knows what can be done with a highly customizable Intrusion Detection System. But it’s always interesting to read the details.

One document—”Intro to Context Sensitive Scanning with X-KEYSCORE Fingerprints (2010)—talks about some of the queries an analyst can run. A sample scenario: “I want to look for people using Mojahedeen Secrets encryption from an iPhone” (page 6).

Mujahedeen Secrets is an encryption program written by al Qaeda supporters. It has been around since 2007. Last year, Stuart Baker cited its increased use as evidence that Snowden harmed America. I thought the opposite, that the NSA benefits from al Qaeda using this program. I wrote: “There’s nothing that screams ‘hack me’ more than using specially designed al Qaeda encryption software.”

And now we see how it’s done. In the document, we read about the specific XKEYSCORE queries an analyst can use to search for traffic encrypted by Mujahedeen Secrets. Here are some of the program’s fingerprints (page 10):

encryption/mojahaden2
encryption/mojahaden2/encodedheader
encryption/mojahaden2/hidden
encryption/mojahaden2/hidden2
encryption/mojahaden2/hidden44
encryption/mojahaden2/secure_file_cendode
encryption/mojahaden2/securefile

So if you want to search for all iPhone users of Mujahedeen Secrets (page 33):

fingerprint(‘demo/scenario4’)=

fingerprint(‘encryption/mojahdeen2’ and fingerprint(‘browser/cellphone/iphone’)

Or you can search for the program’s use in the encrypted text, because (page 37): “…many of the CT Targets are now smart enough not to leave the Mojahedeen Secrets header in the E-mails they send. How can we detect that the E-mail (which looks like junk) is in fact Mojahedeen Secrets encrypted text.” Summary of the answer: there are lots of ways to detect the use of this program that users can’t detect. And you can combine the use of Mujahedeen Secrets with other identifiers to find targets. For example, you can specifically search for the program’s use in extremist forums (page 9). (Note that the NSA wrote that comment about Mujahedeen Secrets users increasing their opsec in 2010, two years before Snowden supposedly told them that the NSA was listening on their communications. Honestly, I would not be surprised if the program turned out to have been a US operation to get Islamic radicals to make their traffic stand out more easily.)

It’s not just Mujahedeen Secrets. Nicholas Weaver explains how you can use XKEYSCORE to identify co-conspirators who are all using PGP.

And these searches are just one example. Other examples from the documents include:

  • “Targets using mail.ru from a behind a large Iranian proxy” (here, page 7).
  • Usernames and passwords of people visiting gov.ir (here, page 26 and following).
  • People in Pakistan visiting certain German-language message boards (here, page 1).
  • HTTP POST traffic from Russia in the middle of the night—useful for finding people trying to steal our data (here, page 16).
  • People doing web searches on jihadist topics from Kabul (here).

E-mails, chats, web-browsing traffic, pictures, documents, voice calls, webcam photos, web searches, advertising analytics traffic, social media traffic, botnet traffic, logged keystrokes, file uploads to online services, Skype sessions and more: if you can figure out how to form the query, you can ask XKEYSCORE for it. For an example of how complex the searches can be, look at this XKEYSCORE query published in March, showing how New Zealand used the system to spy on the World Trade Organization: automatically track any email body with any particular WTO-related content for the upcoming election. (Good new documents to read include this, this, and this.)

I always read these NSA documents with an assumption that other countries are doing the same thing. The NSA is not made of magic, and XKEYSCORE is not some super-advanced NSA-only technology. It is the same sort of thing that every other country would use with its surveillance data. For example, Russia explicitly requires ISPs to install similar monitors as part of its SORM Internet surveillance system. As a home user, you can build your own XKEYSCORE using the public-domain Bro Security Monitor and the related Network Time Machine attached to a back-end data-storage system. (Lawrence Berkeley National Laboratory uses this system to store three months’ worth of Internet traffic for retrospective surveillance—it used the data to study Heartbleed.) The primary advantage the NSA has is that it sees more of the Internet than anyone else, and spends more money to store the data it intercepts for longer than anyone else. And if these documents explain XKEYSCORE in 2009 and 2010, expect that it’s much more powerful now.

Back to encryption and Mujahedeen Secrets. If you want to stay secure, whether you’re trying to evade surveillance by Russia, China, the NSA, criminals intercepting large amounts of traffic, or anyone else, try not to stand out. Don’t use some homemade specialized cryptography that can be easily identified by a system like this. Use reasonably strong encryption software on a reasonably secure device. If you trust Apple’s claims (pages 35-6), use iMessage and FaceTime on your iPhone. I really like Moxie Marlinspike’s Signal for both text and voice, but worry that it’s too obvious because it’s still rare. Ubiquitous encryption is the bane of listeners worldwide, and it’s the best thing we can deploy to make the world safer.

Posted on July 7, 2015 at 6:38 AMView Comments

The Security of al Qaeda Encryption Software

The web intelligence firm Recorded Future has posted two stories about how al Qaeda is using new encryption software in response to the Snowden disclosures. NPR picked up the story a week later.

Former NSA Chief Council Stewart Baker uses this as evidence that Snowden has harmed America. Glenn Greenwald calls this “CIA talking points” and shows that al Qaeda was using encryption well before Snowden. Both quote me heavily, Baker casting me as somehow disingenuous on this topic.

Baker is conflating my stating of two cryptography truisms. The first is that cryptography is hard, and you’re much better off using well-tested public algorithms than trying to roll your own. The second is that cryptographic implementation is hard, and you’re much better off using well-tested open-source encryption software than you are trying to roll your own. Admittedly, they’re very similar, and sometimes I’m not as precise as I should be when talking to reporters.

This is what I wrote in May:

I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

Note the phrase “good algorithms and software.” My intention was to invoke both truisms in the same sentence. That paragraph is true if al Qaeda is rolling their own encryption algorithms, as Recorded Future reported in May. And it remains true if al Qaeda is using algorithms like my own Twofish and rolling their own software, as Recorded Future reported earlier this month. Everything we know about how the NSA breaks cryptography is that they attack the implementations far more successfully than the algorithms.

My guess is that in this case they don’t even bother with the encryption software; they just attack the users’ computers. There’s nothing that screams “hack me” more than using specially designed al Qaeda encryption software. There’s probably a QUANTUMINSERT attack and FOXACID exploit already set on automatic fire.

I don’t want to get into an argument about whether al Qaeda is altering its security in response to the Snowden documents. Its members would be idiots if they did not, but it’s also clear that they were designing their own cryptographic software long before Snowden. My guess is that the smart ones are using public tools like OTR and PGP and the paranoid dumb ones are using their own stuff, and that the split was the same both pre- and post-Snowden.

Posted on August 19, 2014 at 6:11 AMView Comments

New Al Qaeda Encryption Software

The Web intelligence company Recorded Future is reportingpicked up by the Wall Street Journal—that al Qaeda is using new encryption software in the wake of the Snowden stories. I’ve been fielding press queries, asking me how this will adversely affect US intelligence efforts.

I think the reverse is true. I think this will help US intelligence efforts. Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight. Last fall, Matt Blaze said to me that he thought that the Snowden documents will usher in a new dark age of cryptography, as people abandon good algorithms and software for snake oil of their own devising. My guess is that this an example of that.

Posted on May 14, 2014 at 6:30 AMView Comments

Debunking the "NSA Mass Surveillance Could Have Stopped 9/11" Myth

It’s something that we’re hearing a lot, both from NSA Director General Keith Alexander and others: the NSA’s mass surveillance programs could have stopped 9/11. It’s not true, and recently two people have published good essays debunking this claim.

The first is from Lawrence Wright, who wrote the best book (The Looming Tower) on the lead-up to 9/11:

Judge Pauley cites the 9/11 Commission Report for his statement that telephone metadata “might have permitted the N.S.A. to notify the [F.B.I.] of the fact that al-Mihdhar was calling the Yemeni safe house from inside the United States.” What the report actually says is that the C.I.A. and the N.S.A. already knew that Al Qaeda was in America, based on the N.S.A.’s monitoring of the Hada phone. If they had told the F.B.I., the agents would have established a link to the embassy-bombings case, which “would have made them very interested in learning more about Mihdhar.” Instead, “the agents who found the source were being kept from obtaining the fruits of their work.”

The N.S.A. failed to understand the significance of the calls between the U.S. and Yemen. The C.I.A. had access to the intelligence, and knew that Al Qaeda was in the U.S. almost two years before 9/11. An investigation by the C.I.A.’s inspector general found that up to sixty people in the agency knew that Al Qaeda operatives were in America. The inspector general said that those who refused to coöperate with the F.B.I. should be held accountable. Instead, they were promoted.

The second is by Peter Bergen, another 9/11 scholar:

But is it really the case that the U.S. intelligence community didn’t have the dots in the lead up to 9/11? Hardly.

In fact, the intelligence community provided repeated strategic warning in the summer of 9/11 that al Qaeda was planning a large-scale attacks on American interests.

[…]

All of these serious terrorism cases argue not for the gathering of ever vaster troves of information but simply for a better understanding of the information the government has already collected and that are derived from conventional law enforcement and intelligence methods.

Posted on January 14, 2014 at 7:15 AMView Comments

Bizarre Online Gambling Movie-Plot Threat

This article argues that online gambling is a strategic national threat because terrorists could use it to launder money.

The Harper demonstration showed the technology and techniques that terror and crime organizations could use to operate untraceable money laundering built on a highly liquid legalized online poker industry—just the environment that will result from the spread of poker online.

[…]

A single poker game takes just a few hours to transfer $5 million as was recently demonstrated—legally—by American player Brian Hastings with his Swedish competitor half a world away. An established al-Qaida poker network could extract from the United States enough untraceable money in six days to fund an operation like the 9/11 attack on the World Trade Center.

I’m impressed with the massive fear resonating in this essay.

Posted on November 12, 2013 at 6:35 AMView Comments

Management Issues in Terrorist Organizations

Terrorist organizations have the same management problems as other organizations, and new ones besides:

Terrorist leaders also face a stubborn human resources problem: Their talent pool is inherently unstable. Terrorists are obliged to seek out recruits who are predisposed to violence—that is to say, young men with a chip on their shoulder. Unsurprisingly, these recruits are not usually disposed to following orders or recognizing authority figures. Terrorist managers can craft meticulous long-term strategies, but those are of little use if the people tasked with carrying them out want to make a name for themselves right now.

Terrorist managers are also obliged to place a premium on bureaucratic control, because they lack other channels to discipline the ranks. When Walmart managers want to deal with an unruly employee or a supplier who is defaulting on a contract, they can turn to formal legal procedures. Terrorists have no such option. David Ervine, a deceased Irish Unionist politician and onetime bomb maker for the Ulster Volunteer Force (UVF), neatly described this dilemma to me in 2006. “We had some very heinous and counterproductive activities being carried out that the leadership didn’t punish because they had to maintain the hearts and minds within the organization,” he said….

EDITED TO ADD (9/13): More on the economics of terrorism.

Posted on August 16, 2013 at 7:31 AMView Comments

Latest Movie-Plot Threat: Explosive-Dipped Clothing

It’s being reported, although there’s no indication of where this rumor is coming from or what it’s based on.

…the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry.

“It’s ingenious,” one of the officials said.

Another senior official said that the tactic would not be detected by current security measures.

I can see the trailer now. “In a world where your very clothes might explode at any moment, Bruce Willis is, Bruce Willis in a Michael Bay film: BLOW UP! Co-starring Lindsay Lohan…”

I guess there’s nothing to be done but to force everyone to fly naked.

Posted on August 9, 2013 at 6:04 AMView Comments

Al Qaeda Document on Avoiding Drone Strikes

Interesting:

3 – Spreading the reflective pieces of glass on a car or on the roof of the building.

4 – Placing a group of skilled snipers to hunt the drone, especially the reconnaissance
ones because they fly low, about six kilometers or less.

5 – Jamming of and confusing of electronic communication using the ordinary water-lifting dynamo fitted with a 30-meter copper pole.

6 – Jamming of and confusing of electronic communication using old equipment and
keeping them 24-hour running because of their strong frequencies and it is possible using simple ideas of deception of equipment to attract the electronic waves devices similar to that used by the Yugoslav army when they used the microwave (oven) in attracting and confusing the NATO missiles fitted with electromagnetic searching devices.

Posted on March 6, 2013 at 6:50 AMView Comments

1 2 3 7

Sidebar photo of Bruce Schneier by Joe MacInnis.