The future of digital conflict

Excerpt from the TED blog:


The digital age of conflict. “What are the connections between Facebook, Minnesota, ISIS and Al-Shabaab?” asks security researcher Rodrigo Bijou. The answer: the two terrorist groups used social media to recruit young men in Minnesota to their cause.

The digital landscape has changed radicalization, says Bijou, and it’s also changed what constitutes a threat. Governments simply aren’t nimble and adaptive enough to keep up, he says. He points to a moment in the wake of the Charlie Hebdo attack when hackers infected a “Je Suis Charlie” photo meme with malware.

“The new common class of threats is decentralized, digital and takes place at network speed,” he says. So how can we stay safe? Peer-to-peer security, says Bijou. “Individuals have more power than ever before to affect national and international security,” he says. He ends with a plea for governments to nurture hackers, value encryption and support privacy. Because if governments use security backdoors to check in on their citizens, so can those with ill intent.




ZDNet: Terrorist encryption tools nothing more than ‘security cape’ and gov’t red flag

CANCUN, MEXICO: Are encryption tools used by terrorist organizations truly secure, or are they nothing more than a publicity stunt?

“Terrorists love forums,” Rodrigo Bijou said with a slight shrug as he addressed attendees at Kaspersky Labs’ Security Analyst Summit. On Tuesday, the terrorism and technology speaker said that throughout his research, online forums have become a modern-day breeding ground for the spread of terrorist-based propaganda — as well as a place to share “secure” encrypted communications tools used by groups including ISIS and Al Qaeda.

Read the rest of the coverage here

Law enforcement struggles to control darknet | IHS Jane’s

Darknet markets have multiplied since the first major takedowns in 2013, and continue to use advanced privacy and decentralisation technologies that have so far frustrated law enforcement efforts.

An exclusively interdiction-based approach to darknet markets is limited in its abilities to deter cybercrime on the darknet, and may be politically precarious as privacy advocates will continue to criticise any circumvention of technologies that political activists and others depend on.

The same technologies, including Bitcoin, upon which illicit darknet markets are built, have attracted significant venture capital, and this is likely to have an impact on political and law enforcement bureaucracies seeking progressive opportunities to tax and control the darknet.

Read the rest of my piece here [PDF]

Outlaw Privacy

“In our country, do we want to allow a means of communication between people which […] we cannot read?”

Leaders often seek to contain and control information following serious crises. This is the working theory that brought us the Patriot Act following 9/11 and spawned the offense-as-a-defense mass surveillance policies that we live under today.

Yesterday, following the horrifying attacks in Paris, David Cameron used the emotional moment to argue for an extension of surveillance capabilities. His suggestions would effectively outlaw the few useful options we have left for communicating easily and privately. Applications we use every day, like WhatsApp or Snapchat, that encrypt and protect our communications by default would be forced to strip those protections.

“I think we cannot allow modern forms of communication…to be exempt from being listened to.”

Some might look at Cameron’s claims and use the old adage, “I have nothing to hide.” That’s not the point. To have nothing to hide is a privilege, and one that can be quickly taken away.

The sad irony is that as leaders propose new controls to contain and surveil speech out of fear of ambiguous futures, the same ambiguity can quickly turn against compliant citizens. We may have nothing to hide today, but what about tomorrow? Why do we fear terrorist attacks and not more likely events that could condemn our current views?

It’s a fallacy to claim we need more control because of an uncertain future. That same future could just as easily condemn our current views and turn our new systems against us. The algorithmic nature, the global scale, and the lack of sensitivity in those systems are, to me, much scarier than single attacks.

We live in an era that lacks the clarity of the past, in actors, motivations, and the divide between domains, but that does not mean we need to respond with overbearing control. Building the societal resilience we need hinges on trust, and that trust will come from decentralized organizations and ensuring private communications, not burning the small haystack of protections we have left to find the needles.

To use the Charlie Hebdo attacks, cruel acts against free speech, to strip us of our remaining abilities to speak freely is a crime.

To follow the same path and further outlaw protections on free speech will leave only outlaws speaking freely.

Examining The Cyber Kill Chain

Many in the security community have long advocated focusing beyond the perimeter, where setting a few firewall rules and an antivirus program clearly won’t hold up against advanced attacks. The new push is towards security systems with an internal focus, where events like privilege escalation, transfers of sensitive data, or other potentially anomalous behavior can be better incorporated into intrusion detection systems. Cyber ‘kill chain’ methodology is the latest in a series of forward-thinking security strategies, targeted especially at advanced persistent threats (APT), that are premised on a more nuanced model of monitoring, analysis, and mitigation.

The formal concept of cyber ‘kill chain’ methodology was first developed by a group of scientists at Lockheed Martin in a paper titled “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”. Based on conventional warfare ‘kill chain’ methodology, the concept adapts an analytical model of viewing an offensive campaign through segmented stages to the cyber domain. Applied to cyber attacks, the model analyzes attacks in a series of stages from initial reconnaissance through exfiltration of data.

In practice, the cyber kill chain comprises a highly sophisticated system where defenders monitor data on each stage of every attack. The end goal of this is to analyze the data for patterns of attack methods, behaviors of distinct hostile actors, and other indicators which can inform the development of unique responses.


Secureworks’ conception of a cyber kill chain

For example, a kill chain system could analyze the specific stages of attack Chinese hackers took in their campaign against American media outlets like the New York Times and Wall Street Journal. Defenders would track which media outlets were targeted, how the attackers delivered payloads through spear phishing, patterns of navigation and privilege escalation through the compromised systems, and finally what information was exfiltrated. From the sum of these segments of data, defenders can better attribute attacks based on indicators like the prominence of the media outlets attacked, the information tracked or sought after (such as the sources of Chinese dissidents), and the exfiltration to Chinese servers. On the response side, an organization could better understand where its internal vulnerabilities lie and what kind of countermeasures can be taken, like deploying local honeypots and blacklisting certain IPs.

Segmenting the security process at each stage also means attackers will be forced to bear more risk. Even common phishing attacks take many steps to be successful, and with a system like this attackers need to deliver more unique methods in order to not get caught in a previously recognized or anomalous pattern. Adopting more complex methods like the cyber ‘kill chain’ will continue to be critical with the expansion of advanced persistent threats, which are more sophisticated and take place over a longer timeframe. However, while the cyber ‘kill chain’ strategy is promising, some problems need to be kept in mind.

For one, generating data from not just inbound and egress network traffic but every stage in between adds a new level of complexity. I think the issue lies in assigning sentiment, or basically ‘weighing’ the data, where making decisions about a multitude of malicious acts becomes difficult. We have the understanding to sort between a common XSS vulnerability and a more complex zero-day attack at the kernel level, but scaling this so that events stand out within a kill chain system is a big obstacle when there are many distinct stages of malicious behavior. This has implications for responses too, where a defender tasked with making changes to a system may have to sort through the noise between a high volume of malicious behavior in one domain versus less activity but more significant impact in another. Taking the Chinese media hacking example, this could be the difference between sorting through a high volume of successful intrusions and a smaller, but more significant, number of privilege escalations.
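One way to make the ‘weighing’ problem concrete is to tag each event with its kill-chain stage and let later stages count for more, so that a handful of privilege escalations on one host outranks a wave of phishing deliveries. The script below is an added example, not code from the post or from Lockheed Martin or Secureworks; the stage names follow the Lockheed Martin model, while the event names, the quadratic weights and the log lines are assumptions constructed for illustration.

```python
"""Tag constructed log events with kill-chain stages and weight them by depth.

Added example, not code from the post or from Lockheed Martin / Secureworks.
Stage names follow the Lockheed Martin model; the weights, event names and
log lines are assumptions constructed for illustration.
"""
import re
from collections import Counter

STAGES = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]

# Later stages mean deeper compromise, so weight grows with position.
# Quadratic growth is an assumption; tune it to the environment.
STAGE_WEIGHT = {stage: (i + 1) ** 2 for i, stage in enumerate(STAGES)}

# Hypothetical event-name prefixes mapped to stages. Privilege escalation
# and exfiltration are grouped under actions on objectives here.
RULES = [
    ("phish_delivered", "delivery"),
    ("attachment_opened", "exploitation"),
    ("persistence_created", "installation"),
    ("beacon_outbound", "command_and_control"),
    ("priv_esc", "actions_on_objectives"),
    ("exfil", "actions_on_objectives"),
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse a key=value log line into a dict (unknown keys are kept)."""
    return dict(KV.findall(line))


def classify(event):
    """Return the kill-chain stage for an event, or None if unmapped."""
    name = event.get("event", "")
    for prefix, stage in RULES:
        if name.startswith(prefix):
            return stage
    return None


def score_events(lines):
    """Count events per stage and accumulate weighted scores per host."""
    counts = Counter()
    per_host = Counter()
    for line in lines:
        event = parse_event(line)
        stage = classify(event)
        if stage is None:
            continue  # unmapped for this model; a real pipeline would keep it
        counts[stage] += 1
        per_host[event.get("host", "unknown")] += STAGE_WEIGHT[stage]
    weighted = sum(STAGE_WEIGHT[s] * n for s, n in counts.items())
    return {"counts": dict(counts), "weighted": weighted, "per_host": dict(per_host)}


def rank_hosts(result):
    """Hosts ordered by weighted score, highest first (ties by name)."""
    return sorted(result["per_host"].items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: a spear-phishing wave hits six workstations; only
# ws-03 progresses to persistence, privilege escalation and exfiltration.
SAMPLE_LOG = [
    "ts=2013-01-30T09:01:00 host=ws-01 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:01:02 host=ws-02 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:01:05 host=ws-03 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:01:07 host=ws-04 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:01:09 host=ws-05 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:01:11 host=ws-06 event=phish_delivered subject=press_inquiry",
    "ts=2013-01-30T09:14:40 host=ws-03 event=attachment_opened file=inquiry.doc",
    "ts=2013-01-30T09:15:02 host=ws-03 event=persistence_created key=Run\\updater",
    "ts=2013-01-30T11:40:13 host=ws-03 event=priv_esc user=svc-backup",
    "ts=2013-01-31T02:05:55 host=ws-03 event=exfil_outbound dst=203.0.113.7 bytes=52000000",
    "ts=2013-01-31T08:00:00 host=ws-07 event=login_success user=editor",  # unmapped
]

if __name__ == "__main__":
    result = score_events(SAMPLE_LOG)
    for stage in STAGES:
        print(f"{stage:24s} {result['counts'].get(stage, 0):3d}")
    print("weighted total:", result["weighted"])
    print("ranked hosts:", rank_hosts(result))
```

With these weights the six delivery events contribute 54 in total, while ws-03’s four post-delivery events alone contribute 139, so the host with the deeper chain rises to the top even though phishing deliveries dominate by count. The weights are the part a team has to argue about; the point of the example is that the choice is explicit and reviewable rather than buried in a volume metric.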

Another critical problem when building any system based on large amounts of data from disparate domains, in this case the different stages of attack, is deciding what queries or analytics to run. Too many companies today are flocking to #bigdata, the buzzword of 2012, but run the same reports and analysis they have in the past. Whether it’s big data for marketing or for the cyber ‘kill chain’, organizations need to realize that, especially with a much larger dataset, extracting unique relationships requires unique queries. Like perimeter defenses, running the same tired analytics just won’t cut it if we want real insight into data relationships. I think part of the solution is taking the ‘human’ side into account, where incorporating data from social science and social engineering can help. Projects correlating relationships in the style and culture of attacks from distinct areas like Eastern Europe vs. China, or online groups like Latin American Anonymous vs. the Izz ad-Din al-Qassam Cyber Fighters, would inform the kind of queries we need to run to sort out meaningful attributions and relationships. Running the same general analytics, like a checklist of the OWASP Top 10, fails to capture the real significance of the large, nuanced dataset that a cyber kill chain aims to construct.

The cyber ‘kill chain’ represents many of the forward-thinking principles and problems that security professionals are working on. Shifting from perimeter defenses to an internal focus on malicious activity, using machine learning and large-scale data analytics, and trying to form unique responses to distinct actors and attacks are just a few. Incorporating this new methodology is the right step, but we need to recognize the obstacles in sorting and analysis that must be overcome for a kill chain to be effective.

Attacks in Cyberspace | Harvard Law Review

In the past year, the United States has experienced an alarming explosion of cyberattacks aimed at public- and private-sector targets. From small businesses to U.S. government agencies and security contractors, a surprisingly broad range of systems have been compromised by increasingly sophisticated attacks attributed to both criminal and state actors alike. While the country’s leadership continues to make references to a “cyber-Pearl Harbor,” a “digital 9/11,” and even “Cybergeddon,” the reality is that the most severe cyberattacks are below a conventionally understood military threshold. The most severe threats lie in attacks against critical infrastructure like banks, energy companies, and telecommunications firms. Unfortunately, it is often these sorts of attacks that are the most socially disruptive and yet rarely subject to any form of clear punitive sanction.

Read the rest of my piece here [PDF]

Products, Not Process

Returning home from a great Suits and Spooks in D.C. last week, the words of one presenter stood out: products, not process, are what really matter in security engineering.

Ali-Reza Anghaie (@packetknife) was presenting on “Security Economics – Competing in an Obese and Insecure Intellectual Property Landscape”, and ended his speech with several key takeaways, products over process being one of them. In practice, he explained this philosophy as a key part of his security training, where he makes security engineers shadow other people in their organization. By following their colleagues in day-to-day work, security teams can better understand what exactly they contribute to securing, and hopefully empathize with some of the trade-offs their peers make in accepting security over the features that marketing, sales, or developers want to implement.

What hits home most, for me, was that the balance between security, freedom, and convenience has to truly be seen as a balance. Through engaging with the “product” side of the organizations we aim to protect, sometimes it’s more helpful in the long run to sacrifice some security.

In broader practice, Ali-Reza’s talk kept returning me to the same set of questions: can the adversarial approach of “How can we disrupt what companies value?” that I usually depend on for security audits be flipped into collaborative questions of “How can security practices benefit our core product, IP, or service?”

Security is at its worst when practiced separately from the rest of the organization. In this misguided line of thinking, the trap that teams tend to fall into seems to be ‘process’. In my security assessments, I’ve seen this happen at worst when teams equate compliance processes with security, and even at best when they have the resources to run red-team ops and buy a plethora of appliances without clear objectives. Getting caught in the appeal of ‘process’ detracts from the long-term success that comes from contributing to the real output of an organization, even if it comes with difficult compromises where security is less important than other concerns.

At the end of the day, we can’t engineer security in the void of “process”, whether it’s HIPAA compliance or our own risk management frameworks. Engaging other teams, systems, and products in the organization will only become more vital as information security continues to climb in importance to the board room level.

An Overview of Jihadist Encryption Programs

While programs like TrueCrypt and PGP are standard for many of us looking for enhanced file or email security, online Islamist terrorist organizations have developed similar in-house programs for the better part of the last decade. Used by al-Qaeda leaders like Anwar al-Awlaki and recommended in many online jihadist forums, these programs represent an interesting phenomenon within jihadist technology. I’ll first give a brief overview of the two popular programs, and then some ideas on why these programs came to be developed and adopted over more mainstream applications.


Asrar al-Mujahideen

Asrar al-Mujahideen, also known as Mujahideen Secrets for short, has been the most prominent program with several released versions. The program was originally developed by forum members at the al-Ekhlaas Islamic Network and became popularized in the first issue of Inspire, al-Qaeda in the Arabian Peninsula’s (AQAP) quarterly magazine, in a July 2010 post entitled ‘How to Use Asrar al-Mujahideen: Sending and receiving Encrypted Messages’. The program has also been frequently recommended on major online jihadist forums like Ansar al-Mujahideen, al-Fidaa, and JHUF.

Since the original Inspire article, the al-Mahalem Media Foundation, the publishing wing responsible for the quarterly, has distributed two new versions of public keys for verifying the software.

The latest version of Asrar al-Mujahideen was released in late January 2008, with some interesting new features supporting digital signatures and online file transfers. I’ve included a quick feature comparison and screenshots below:

Features in the original:

• Choice of AES finalist encryption algorithms: 256-bit ciphers with Twofish, Rijndael, Mars, RC6 and Serpent
• 2048-bit RSA encryption key management
• Automatic cipher identification during decoding
• Ability to run from USB
• ‘File Shredder’ to overwrite and destroy files

New features in the second version:

• Text and forum message encryption
• Secure online transfer via produced digital signatures



Original Inspire post


Asrar al-Mujahideen Cover


Screenshot of the Asrar al-Mujahideen program in use


Asrar al-Dardashah


Just released this February, Asrar al-Dardashah is the latest jihadist encryption program. The program is a plugin for Pidgin, an instant messaging client that supports accounts from popular services like MSN, Yahoo, and Google Talk. Paired with private keys from the Asrar al-Mujahideen program, the plugin provides encrypted instant messaging. A user imports his or her private key into the Asrar al-Dardashah plugin, which then generates a public key for general use.

Like Asrar al-Mujahideen, the program was spread across the various top tier jihadist forums and syndicated by the Global Islamic Media Front (GIMF).


• Compatible with Pidgin, and by extension any major chat client like Yahoo or MSN
• Asymmetric key management based on RSA
• Use in tandem with Asrar al-Mujahideen private keys
• Supports the primary jihadist languages of Arabic, Urdu, Pashto, Bengali, and English through Unicode encoding


Screenshot of the Asrar al-Dardashah program

Screenshot of the Asrar al-Mujahideen program in use



What’s immediately fascinating to me is why terrorist organizations would take the time to develop programs instead of using already mainstream options. It’s interesting that the developers were clearly aware of best practices, choosing the five AES challenge finalists, but still decided to ignore other options. I think two possible factors are at play in the motivation to create and distribute internal encryption programs: attention and mistrust.

The ‘brand’ value of groups like GIMF and the al-Mahalem Media Foundation benefits from disseminating these tools. While the tools are less secure than their more popular, mainstream counterparts, actions like blatantly tagging all public keys with ‘#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit—’ and the group branding on the program itself promote the associated al-Qaeda media brands. Despite the fact that using these tools clearly increases the attack surface for these groups through easily identifiable and unique methods, the propaganda value seems to be worth it. In the online jihadist world there are continually competing tiers of forums, release groups, and actors, but fewer than a handful of encryption programs.

Taking the jihadist point of view, another reason for the development and use of these tools could be heightened mistrust. Anything outside the relatively small ecosystem of online jihadist circles is seen as suspect. Many take the ‘Leviathan’ view of the US and Israel, and continue to apply it towards the cynical views that any Western developed software could contain government backdoors. Even with the popularity of open source security programs, those less technically capable would have a much easier time trusting what’s known to be used by Anwar al-Awlaki, what’s promoted in Inspire, and by prominent jihadist hackers online.

Therefore, factors like attention and mistrust explain the divergence between indicators of technical expertise, like choosing AES finalists, and avoidance, like forgoing PGP or similar programs. These programs are less secure, but allow groups like GIMF to maintain their high profile and feed a confirmation bias of an all-powerful U.S. government. For now, the programs may arguably protect against ‘backdoors’, but they provide easily recognizable data with which to identify terrorist communications, organizations, and users online.
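The branded key banner quoted above is exactly the kind of “easily recognizable data” the conclusion refers to: a defender monitoring forum content can pick it out with a fixed signature, whereas a generic OpenPGP armor header says nothing about which community a poster belongs to. The scanner below is an added example, not code from the post or from either program; the banner text is the one quoted in the post (the page’s em-dashes are assumed to have been runs of hyphens in the original, so both are accepted), the signature labels are names chosen here, and the sample posts and key material are constructed filler.

```python
"""Flag branded key banners in forum text.

Added example, not code from the post or from the programs it describes.
The banner is the one quoted in the post; the em-dash / hyphen-run ambiguity
is handled by accepting either, and the sample posts are constructed.
"""
import re
from collections import Counter

# The page shows the banner's dashes as em-dashes; the assumed original used
# runs of hyphens. Accept either form.
DASH = r"(?:-+|\u2014)"

# Signature families; the keys are labels chosen here, not names from any tool.
SIGNATURES = {
    "asrar_al_mujahideen_pubkey": re.compile(
        r"#" + DASH
        + r"Begin Al-Ekhlaas Network ASRAR El Moujahedeen "
        + r"V(?P<version>\d+(?:\.\d+)?) Public Key (?P<bits>\d+) bit" + DASH,
        re.IGNORECASE,
    ),
    # Generic OpenPGP armor header, for contrast: it appears in any PGP
    # user's posts and identifies no particular community.
    "openpgp_pubkey": re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----"),
}


def scan_text(text):
    """Return every banner hit with its signature name, line and captures."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(text):
            hit = {"signature": name, "line": text.count("\n", 0, match.start()) + 1}
            hit.update(match.groupdict())  # version / bits for the branded banner
            hits.append(hit)
    return sorted(hits, key=lambda h: h["line"])


def summarize(posts):
    """Count which signature families appear across a batch of posts."""
    totals = Counter()
    for post in posts:
        totals.update(h["signature"] for h in scan_text(post))
    return dict(totals)


# Constructed sample posts; the base64-looking lines are filler, not real keys.
POSTS = [
    "Greetings, my key for private messages:\n"
    "#---Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit---\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5\n",
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    "mQENBEZmZmZmZmZmZmZmZmZmZmZmZmZm\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n",
    "Same banner, with the em-dash as it was extracted from the page:\n"
    "#\u2014Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit\u2014\n",
    "Nothing to see here, just forum chatter.\n",
]

if __name__ == "__main__":
    for i, post in enumerate(POSTS):
        print(i, scan_text(post))
    print(summarize(POSTS))
```

The contrast between the two signatures is the point: the OpenPGP match only tells an analyst that someone posted a key, while the branded banner carries the network name, tool version and key size on its first line, which is why a bespoke tool adds attack surface that a mainstream one does not.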