The Unwilling, Uninformed by the Unknowing
ISIS cyber security is very poor and severely hampered by their lack of knowledgeable information security operatives. They rely almost exclusively on repurposed privacy guides, frequently assembled into sprawling unreadable mega-manuals. The occasional original ISIS content is amateur at best and clearly aspirational rather than operational.
ISIS has deep intelligence service capabilities from the many Iraqi intelligence officers in their ranks. However, their skills date from a pre-Internet era. If there is any strong cyber security capability within ISIS, it is not immediately apparent.
The clear lack of competent defensive cyber security skills exposes ISIS’ deficiencies in the cyber realm. Their low-skill, low-impact cyber attacks, combined with this obvious lack of understanding of cyber threats, suggest that ISIS do not have credible cyber capabilities. Any cyber capability they possess has not been on display.
Security, how hard can it be?
Embedded below is a screenshot of a post on an ISIS forum providing security advice to the jihobbiest bros.
Fundamentally, this guide emphasizes some good principles:
- cover identities
- unlinked activities/financial transactions
- information denial (i.e. STFU OPSEC)
There is some very poor advice in there though, and it seems that most of the cyber security suggestions are aspirational rather than operational. For example, “different typing styles and different whatever you can imagine” is not particularly actionable. It is not even clear what threat it is meant to address, possibly stylometry?
The emphasis on carrying only clean, sanitized devices is very sound. Not having incriminating evidence on your person is a major security principle. There are numerous examples of this in the existing terrorist literature, such as not carrying weapons when conducting surveillance for attacks, and minimizing the overt signifiers of ideology to better blend into Western society and avoid attracting attention.
There is solid advice on using unique email addresses and anonymous payment methods for each operation. Compartmentation of communications channels is a critical security principle, and using unlinked financial payments prevents leaking information.
There is repeated emphasis on developing a cover and providing false information when interacting with people and services. Additionally, there is the suggestion to minimize the amount of information provided, although the threat is incorrectly called a “correlation attack.” This error is interesting as correlation attacks are a technique for breaking anonymity, that is, they are a real threat to ISIS supporters.
The directive to never open anything sensitive except with Tor is solid advice. Connecting to IRC without Tor was the fatal error that sunk Sabu. The phrasing “opening such a thing once is mistake enough” is interesting, as it mirrors a common phrase in al Qaeda security manuals: the first and last mistake. This phrase is often illustrated with the example of handling explosives.
Practicing basic information denial is emphasized repeatedly, such as “never give personal information,” “don’t talk about personal interests” and “don’t volunteer information.” This is the foundation of operational security as practiced by military and intelligence organizations the world over. There are numerous manuals and guides from which these rules could be learned.
The final security guideline “behave normal” is probably the most important for a clandestine operative. The security principle of acting normally and not drawing attention to oneself is well documented, from Murphy’s Laws of War to the Moscow Rules and KGB operational manuals. Of course, this security advice has little relevance to engaging in ISIS related online activities which are themselves inherently going to attract attention.
The advice indicates that it is sourced from dated privacy manuals, rather than developed from an understanding of the actual threats faced by jihobbiests and other ISIS boosters.
There is an evident lack of knowledge regarding modern cyber investigation techniques. The advice in #4 about opening documents offline is a technique to protect against embedded beacons, similar to the old FBI NIT. These days the threat is much more likely to be a complete malware package, not a privacy violating beacon. This outmoded advice reveals how poorly ISIS understand cyber security threats.
The proscription against Flash, Java and other “scripts” because they will “leak your IP” is also revealing. All of these can be disabled by simply adjusting the security settings on the Tor Browser Bundle, something the author tellingly fails to mention — possibly because he is unfamiliar with recent versions of the TBB? More importantly, while these browser plugins do carry the risk of revealing an IP (and potentially other information), their real risk is that they are riddled with vulnerabilities allowing hackers to run code and install malware on the computer. Again, this advice indicates that ISIS is aware of “privacy” risks, but unfamiliar with modern cyber security threats.
The author of this document demonstrates familiarity with the risks facing Tor users in, say, 2008. But they are completely ignorant of the real capabilities of the security forces who target Tor users in the modern day. In the modern nation state level cyber investigation toolkit, an exploit is far more likely than a beacon or a Flash based callback.
While there is some wrong advice, mostly the impression that one forms from this guide is that the author does not practice it. There is very little that is prescriptive, some actions that are prohibited, but in general it is a combination of basic denial, some compartmentation and tidbits gleaned from privacy manuals for activists. Although there are superficial similarities between the risks faced by dissident activists and ISIS jihobbiests, the actual nature of the threats is vastly different. Researching democracy from inside Vietnam is a vastly different threat model from avoiding the active interest of the NSA. ISIS jihobbiests don’t seem to be aware of this.
There are several indications that the guidelines here are aspirational rather than operational. For example, the following advice is not actionable by itself and indicates the author is not entirely clear on how to go about doing the thing they suggest:
You can also use Virtualization[sic] like VirtualBox or any other open source virtualization software to isolate your Tor usage.
It is not clear what the author is suggesting, but it is clear that they have no clue either. Typically, when recommending that users run a dedicated virtual machine for a sensitive activity, there is a suggestion to install that machine into a dedicated TrueCrypt container. This is an important security consideration and completely absent from the guide, along with any guidance or directions on how to actually use a virtual machine for security.
There is another option called Tails and another I forgot at the moment but search the internet for “Tor alternatives” (other than VPNs)
Tails is a privacy centric Linux distribution that uses Tor by default. There are other such distros, and possibly the author is suggesting Whonix. The confusion of the author is on display here; it is obvious they have limited familiarity with the options, or usage, of privacy centric distros. This is an important point, as using a privacy centric distribution, particularly Tails, limits the range of mistakes a user can make. Using a privacy centric Linux distribution is a very sound security practice for a hostile environment.
Different typing styles and different whatever you can imagine
Again, the author seems to be vague on specifics and unclear on what threat the guide is supposed to address. There are certainly examples of writing style and content being used to link suspects to online personas. However, the guidance is too vague to even indicate what threat the author intends to counter. They do better when they stick to summarizing privacy manuals.
Although the ISIS cyber security guidelines are influenced by privacy manuals, the threats that ISIS jihobbiest bros face are very different. There are some Western sources who are similarly confused about the nature of the threat. WIRED published an article allegedly about ISIS OPSEC, which is actually a privacy manual written by a Kuwaiti security company for Palestinian journalists.
One of These Things is not Like the Others
Journalists and activists are, generally speaking, not clandestine operatives. They face different threats and have different risks. ISIS jihobbiest bros fail to realize this and repurpose privacy manuals written to address threat models they do not face. They do not have a deep understanding of cyber security, as evidenced by their inability to create manuals addressing their own unique security needs. Indeed, the poor understanding of cyber security reflected in their guides suggests they are not even aware of the real threats they face. Their understanding of cyber security is limited.
ISIS don’t know what they are doing, why they are doing it, what it does, or what it is meant to do.