Saturday, February 12, 2011

Jihadi Encryption: U.K. Case Reveals Terror Tactics

Via WSJ.com (h/t Jihadica) -

A British Airways PLC employee named Rajib Karim allegedly exchanged electronic messages with an al Qaeda cleric in Yemen for more than two years, his activities cloaked by an encrypted fortress he created on a laptop computer and an external hard drive, prosecutors say.

The sophisticated encryption tactics Mr. Karim allegedly used to shield his communications with U.S.-born radical cleric Anwar al-Awlaki—and the small clue he left behind that enabled police forensics teams to defeat them—are center stage in a high-profile trial here in which Mr. Karim is accused of preparing for terrorist acts related to his work at the airline and to his alleged communications with Mr. Awlaki.

The case provides a rare and detailed look at how terror suspects may be able to communicate surreptitiously—and how difficult and laborious it is for law enforcement to crack their codes.

Mr. Karim used layer upon layer of encryption and other techniques to prevent others from being able to read the messages and access other data stored on his computer equipment, prosecutors allege.

The encryption is so complex and layered that "I could give an analogy of Russian dolls," Detective Constable Stephen Ball, the policeman in charge of the computer forensics in Mr. Karim's case, said in court Thursday.

Mr. Karim, a 31-year-old Bangladeshi national, pleaded guilty in November to fund-raising for the purposes of terrorism; possessing documents likely to be of use to a person committing or preparing to commit an act of terrorism; and engaging in conduct for the preparation of terrorist acts, all charges mainly related to his association with a banned Bangladeshi terrorist group.

Mr. Karim, who is in custody, is being tried on four counts of engaging in conduct in preparation of terrorist acts, including providing information about his employer to others for terrorist purposes.

[...]

Upon raiding Mr. Karim's apartment police recovered, among other things, a laptop and an external hard drive able to store some 320 gigabytes of data, according to prosecutors. The hard drive held some 35,000 files including messages with Mr. Karim's brother, with Mr. Awlaki—a leader of terror group al Qaeda in the Arabian Peninsula—and with other colleagues, prosecutors say.

Mr. Karim allegedly hid the messages and other data stored on the drive by changing the suffix at the end of the name of key files, which would typically tell a computer what program would be needed to open them up. That included four files labeled "Quran DVD Collection," which appeared to be compressed files because they took the suffix ".rar," which relates to a type of software that reduces the size of a file, according to prosecutors.

Mr. Ball said he noted these files were unusually large, and discovered that they were actually created in a different program, Pretty Good Privacy, which enabled each file to run as a separate, encryption-protected "virtual hard drive." Without the correct password, the files were completely unintelligible.

[...]

He sent the files to British intelligence services, which returned them decrypted, or unlocked. Once able to open the files, Mr. Ball testified, he still wasn't able to read most of the messages contained within them: Mr. Karim had enciphered the text, leaving it scrambled and unreadable.

Mr. Karim left police a clue, however. On the external hard drive was a disguised file that looked like it was meant for viewing thumbnail-size photographs—but that actually consisted of text with instructions for using a spreadsheet containing a purpose-built formula to decipher the message, according to Mr. Ball. The spreadsheet also worked in reverse, enciphering messages before sending to another member of the group, Mr. Ball said.
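Both disguises described above (PGP virtual-disk containers renamed with a ".rar" suffix, and a plain-text instruction file dressed up as a thumbnail file) fall to the same basic forensic check: compare the type a file name claims against what its bytes actually are. The following Python script is an added illustration and is not code from the WSJ article or from the case evidence. The file names and contents are constructed, "thumbcache.db" is a hypothetical name, and the magic numbers are the standard leading-byte signatures of each format. The script does not recognize PGP's virtual-disk format specifically; a container with no known header simply shows up as high-entropy data, which is exactly the claimed-versus-detected mismatch an examiner wants flagged.

```python
import hashlib
import math
from collections import Counter

# Standard leading-byte signatures for a few common formats (illustrative, not exhaustive).
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x archive
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 - 4.x archive
    (b"PK\x03\x04", "zip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gz"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"-----BEGIN PGP", "pgp-armor"),   # ASCII-armored OpenPGP data
]

# Map file extensions onto the detector's type labels.
EXT_ALIASES = {"jpeg": "jpg", "txt": "text", "asc": "pgp-armor", "tgz": "gz"}

HIGH_ENTROPY = "high-entropy"  # no known header, ~8 bits/byte: encrypted or compressed payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or well-compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(data: bytes) -> bool:
    """True if the leading sample is overwhelmingly printable ASCII and whitespace."""
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in b"\t\r\n")
    return printable / len(sample) > 0.95


def detect_type(data: bytes) -> str:
    """Identify content by magic number first, then by text-ness, then by entropy."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    if looks_like_text(data):
        return "text"
    if shannon_entropy(data[:65536]) > 7.9:
        return HIGH_ENTROPY
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare the type the file name claims against what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_ALIASES.get(ext, ext)
    detected = detect_type(data)
    return {
        "name": filename,
        "size": len(data),
        "claimed": claimed,
        "detected": detected,
        "mismatch": bool(claimed) and claimed != detected,
        "entropy": round(shannon_entropy(data[:65536]), 3),
    }


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for an encrypted container body (SHA-256 in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


# Constructed sample "files": names and contents are made up for this example.
SAMPLE_FILES = {
    # Claims to be a RAR archive but has no RAR header, only opaque high-entropy data.
    "Quran DVD Collection 1.rar": _pseudo_random(64 * 1024, b"container-1"),
    # Real RAR 5 signature followed by filler; claim and content agree.
    "Quran DVD Collection 2.rar": b"Rar!\x1a\x07\x01\x00" + _pseudo_random(4096, b"archive"),
    # Hypothetical thumbnail-cache name hiding plain text.
    "thumbcache.db": b"Constructed placeholder text standing in for an instruction file.\n" * 20,
    # JPEG signature plus filler; no mismatch.
    "holiday.jpg": b"\xff\xd8\xff\xe0" + _pseudo_random(2048, b"photo"),
}


def suspicious(files=SAMPLE_FILES) -> list:
    """Names of files whose bytes disagree with their extension, sorted."""
    return sorted(name for name, data in files.items() if classify(name, data)["mismatch"])


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        r = classify(name, data)
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{flag:8} {r['name']:28} claimed={r['claimed']:4} detected={r['detected']:13} "
              f"size={r['size']:6} entropy={r['entropy']}")
```

On a real image the size column matters as much as the type column: the prosecution's clue was that the ".rar" files were unusually large, and a renamed container will typically be both large and headerless. A headerless, high-entropy blob is not proof of encryption on its own, but it is the file that gets sent onward for decryption.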

Those instructions helped Mr. Ball decrypt the messages and see that—according to prosecutors' account—Mr. Karim was passing to Mr. Awlaki information about British Airways' computer and security systems that could be vitally important for those wishing to conduct a terrorist attack.

Still, it took many more months for the messages to fully come into focus. There were many spreadsheets on the hard drive, and sometimes numerous versions of each one. Even once unscrambled, prosecutors allege the messages contained false names and other coded words, further obscuring their contents. The names of countries and people, as well as their sex, were changed, and their movements and activity were discussed as if involved in business transactions, prosecutors allege.

As an additional layer of protection, prosecutors say, Mr. Karim and his colleagues didn't exchange their messages as emails, which can be intercepted. They instead uploaded them to public websites that host files, where another member of the group could then download them to his or her own machine.
