Clarifications and further thoughts
The security of the dead drop technique relies on the secrecy of the dead drop location. Additionally, this protocol is easily detected on the wire if the security forces know to look for it. The NSA, for example, has been looking for it for years.
Crypto Tool Agnostic Protocol
The encryption tool used to create the envelope for protecting the message is basically irrelevant to the security of this protocol. Provided the tool is secure, the tool itself doesn’t matter: PGP, 7-Zip, TrueCrypt, VeraCrypt, etc. are all perfectly capable of producing an encrypted container for a message. There are advantages and disadvantages to each (not enumerated here, for obvious reasons).
The protocol’s security depends critically on the dead drop location staying secret. Once the location is known it can be monitored, and the operatives using it can be detected by surveillance. With a digital dead drop the problem gets worse, as the logs may be available for months or years after the actual activity.
“Glows on the wire”
Detecting an encrypted blob, such as a TrueCrypt container, is very simple for a passive network sniffer, such as those deployed by national intelligence agencies. Why the DGSI failed to detect the use of the dead drop remains a mystery. Either they never looked, or the terrorist cell did not use that website again. Reda Hame, who provided the information about the protocol, was quietly arrested in Aug 2015. The attacks on Paris were months later (Nov 2015), long after security forces were aware of the protocol.
Generating metadata from the transfer of encrypted blobs to file sharing sites is straightforward: the upload source and date, and the download source and date. This would give basic metadata for measuring “chatter.” The encrypted data will be stored forever by the intelligence agencies, and if the keys are ever captured or retrieved then the containers can be opened. This is because using TrueCrypt as an envelope lacks the security property known as “forward secrecy” (also called “forward security”).
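The two detection points above (an opaque, header-less, random-looking blob crossing the wire, and the upload/download metadata a file-sharing site leaks as “chatter”) can be shown in a few dozen lines. The following is an added example written for this post; it is not code from the post, from @ErrataRob’s write-up, or from any intelligence agency. The entropy and chi-square thresholds, the 512-byte sector heuristic for TrueCrypt volumes, the magic-byte list, the `PUT`/`GET` log format and every IP address and hash in `SAMPLE_LOG` are constructed for illustration.

```python
"""Passive indicators for an encrypted-envelope dead drop (added example).

1. looks_encrypted_container(): does a blob look like a TrueCrypt-style
   container (no recognisable header, whole-sector length, byte histogram
   indistinguishable from random)?
2. chatter_edges(): turn a file-sharing site's access log into
   uploader -> downloader edges with pickup delay, i.e. "chatter" metadata
   that needs no access to the plaintext.
All thresholds, sample bytes and log lines are constructed for this example.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

SECTOR = 512  # assumption/heuristic: container volumes are sized in 512-byte sectors
# Constructed list of common headers; compressed/packaged files are also
# high-entropy, so a known header rules a blob out before the statistics run.
KNOWN_MAGIC = (b"\x1f\x8b", b"PK\x03\x04", b"%PDF", b"\x89PNG", b"\xff\xd8\xff", b"-----BEGIN")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random bytes approach 8.0, English text ~4.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of
    freedom). Random/encrypted data scores near 255; text scores far higher."""
    n = len(data)
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted_container(data: bytes) -> bool:
    """True when a blob has no known header, a whole-sector length of at least
    16 sectors, and a byte distribution a sniffer cannot tell from random."""
    if len(data) < 16 * SECTOR or len(data) % SECTOR:
        return False
    if data.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(data) > 7.95 and chi_square_uniform(data) < 400


def constructed_container(n: int, seed: bytes = b"constructed-demo") -> bytes:
    """Deterministic stand-in for an encrypted container: a SHA-256 chain
    (constructed sample data, NOT a real TrueCrypt volume)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed plaintext upload of the same size, for comparison.
CONSTRUCTED_TEXT = (b"Glows on the wire. " * 4000)[: 64 * 1024]

# Constructed access log of a file-sharing site (documentation-range IPs,
# placeholder hashes). Format is an assumption for this example.
SAMPLE_LOG = """\
2015-07-01T09:12:03Z PUT /files/9f3a.bin src=203.0.113.7 sha256=DEMO_HASH_1
2015-07-01T11:40:19Z GET /files/9f3a.bin src=198.51.100.21 sha256=DEMO_HASH_1
2015-07-01T11:40:19Z GET /files/readme.txt src=198.51.100.5 sha256=DEMO_HASH_2
2015-07-03T08:02:44Z GET /files/9f3a.bin src=198.51.100.21 sha256=DEMO_HASH_1
2015-07-04T17:30:00Z PUT /files/b7c1.bin src=198.51.100.21 sha256=DEMO_HASH_3
2015-07-05T06:15:12Z GET /files/b7c1.bin src=203.0.113.7 sha256=DEMO_HASH_3
"""
LOG_RE = re.compile(r"(\S+) (PUT|GET) (\S+) src=(\S+) sha256=(\S+)")


def chatter_edges(log_text: str) -> list:
    """One edge per (uploader, downloader) pair on the same object, with the
    delay between drop and pickup. Downloads of objects with no observed
    upload are ignored. Nothing here touches the encrypted payload."""
    uploads, downloads = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        method, obj, src, digest = m[2], m[3], m[4], m[5]
        if method == "PUT":
            uploads[obj] = (ts, src, digest)
        else:
            downloads[obj].append((ts, src))
    edges = []
    for obj, (up_ts, up_src, digest) in uploads.items():
        for dl_ts, dl_src in downloads.get(obj, []):
            if dl_ts >= up_ts:
                edges.append({"object": obj, "sha256": digest, "uploader": up_src,
                              "downloader": dl_src,
                              "lag_s": int((dl_ts - up_ts).total_seconds())})
    return edges


if __name__ == "__main__":
    blob = constructed_container(64 * 1024)
    print("container-like blob flagged:", looks_encrypted_container(blob))
    print("plain text flagged:", looks_encrypted_container(CONSTRUCTED_TEXT))
    for e in chatter_edges(SAMPLE_LOG):
        print(f"{e['uploader']} -> {e['downloader']} via {e['object']} after {e['lag_s']}s")
```

The statistical check is deliberately crude: anything that is already compressed also has near-maximal entropy, which is why the header check runs first and why a real sniffer would pair this with the site, URL pattern and transfer size. The chatter function is the point the post is making: even with the container unopened, the log alone yields who dropped, who picked up, and how long the message sat there, and that record persists for as long as the site or the collector keeps it.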
I asked @ErrataRob to do a write-up of how easily TrueCrypt uploads can be detected by intelligence agencies. Not only are they easy to detect, but the NSA is specifically monitoring file transfer sites already. ISIS does not seem to be learning very well from the Snowden leaks.
Update: some important clarification on the NYT article from @errataRob
Sources:
40/ Here is a verbatim what Hame said. After putting the USB key containing Truecrypt in the laptop, "You need to open the program …
— Rukmini Callimachi (@rcallimachi) March 29, 2016
41/ …"You need to create a folder inside, where you place your text. You choose the size you want to send & in ribbon unfurling at bottom
— Rukmini Callimachi (@rcallimachi) March 29, 2016
42/ … "you choose the mode of encryption." Then once the message is in the folder and the folder is encrypted, the instructions he had was
— Rukmini Callimachi (@rcallimachi) March 29, 2016
44/ Hame describes the Turkish website as "a dead inbox." He said his ISIS handler would then check website & download encrypted folder
— Rukmini Callimachi (@rcallimachi) March 29, 2016
45/ Counterterror experts who reviewed this protocol tell me it reminds them of what al-Qaeda did for yrs: Saving "drafts" in Yahoo inboxes
— Rukmini Callimachi (@rcallimachi) March 29, 2016
46/ The twist is twofold. 1) The message is inside an encrypted folder, whereas al-Qaeda's were unencrypted; 2) website is not Western-owned
— Rukmini Callimachi (@rcallimachi) March 29, 2016
47/ It seems that ISIS was worried about metadata tracking, and for that reason was advising operatives not to email anything, only upload
— Rukmini Callimachi (@rcallimachi) March 29, 2016
48/ Secondly they don't trust Western-made applications & for good reason: the Yahoo drafts were backdoor because officials could go to Yahoo
— Rukmini Callimachi (@rcallimachi) March 29, 2016
https://twitter.com/csoghoian/status/714892014664421376
@csoghoian @rcallimachi @runasand all their data centers are in Western Europe or North America. Does the upload use HTTPS?
— thaddeus e. grugq (@thegrugq) March 29, 2016
https://twitter.com/csoghoian/status/714895437996691456
@rcallimachi 2) That they're using filelockers for comms — of which monitoring was public — underlines how little ISIS learns from news.
— Edward Snowden (@Snowden) March 29, 2016