How Terrorists use Encryption

Posted on June 16, 2016June 16, 2016 by Denise Simon

How Terrorists Use Encryption

June 16, 2016

Author(s): Robert Graham

CTC: Abstract: As powerful encryption increasingly becomes embedded in electronic devices and online messaging apps, Islamist terrorists are exploiting the technology to communicate securely and store information. Legislative efforts to help law enforcement agencies wrestle with the phenomenon of “going dark” will never lead to a return to the status quo ante, however. With the code underlying end-to-end encryption now widely available, unbreakable encryption is here to stay. However, the picture is not wholly bleak. While end-to-end encryption itself often cannot be broken, intelligence agencies have been able to hack the software on the ends and take advantage of users’ mistakes.

Counterterrorism officials have grown increasingly concerned about terrorist groups using encryption in order to communicate securely. As encryption increasingly becomes a part of electronic devices and online messaging apps, a range of criminal actors including Islamist terrorists are exploiting the technology to communicate and store information, thus avoiding detection and incrimination, a phenomenon law enforcement officials refer to as “going dark.”

Despite a vociferous public debate on both sides of the Atlantic that has pitted government agencies against tech companies, civil liberties advocates, and even senior figures in the national security establishment who have argued that creation of “backdoors”[1] for law enforcement agencies to retrieve communications would do more harm than good, there remains widespread confusion about how encryption actually works.[a]

Technologists have long understood that regulatory measures stand little chance of rolling back the tide. Besides software being written in other countries (and beyond local laws), what has not been fully understood in the public debate is that the “source code” itself behind end-to-end encryption is now widely available online, which means that short of shutting down the internet, there is nothing that can be done to stop individuals, including terrorists, from creating and customizing their own encryption software.

The first part of this article provides a primer on the various forms of encryption, including end-to-end encryption, full device encryption, anonymization, and various secure communication (operational security or opsec) methods that are used on top of or instead of encryption. Part two then looks at some examples of how terrorist actors are using these methods.

Part 1: Encryption 101

End-to-End Encryption
A cell phone already uses encryption to talk to the nearest cell tower. This is because hackers could otherwise eavesdrop on radio waves to listen in on phone calls. However, after the cell tower, phone calls are not encrypted as they traverse copper wires and fiber optic cables. It is considered too hard for nefarious actors to dig up these cables and tap into them.

In a similar manner, older chat apps only encrypted messages as far as the servers, using what is known as SSL.[b] That was to defeat hackers who would be able to eavesdrop on internet traffic to the servers going over the Wi-Fi at public places. But once the messages reached the servers, they were stored in an unencrypted format because at that point they were considered “safe” from hackers. Law enforcement could still obtain the messages with a court order.

Newer chat apps, instead of encrypting the messages only as far as the server, encrypt the message all the way to the other end, to the recipient’s phone. Only the recipients, with a private key, are able to decrypt the message. Service providers can still provide the “metadata” to police (who sent messages to whom), but they no longer have access to the content of the messages.

The online messaging app Telegram was one of the earliest systems to support end-to-end encryption, and terrorists groups such as the Islamic State took advantage.[2]These days, the feature has been added to most messaging apps, such as Signal, Wickr, and even Apple’s own iMessage. Recently, Facebook’s WhatsApp[3] and Google[4] announced they will be supporting Signal’s end-to-end encryption protocol.

On personal computers, the software known as PGP,[c] first created in the mid-1990s, reigns supreme for end-to-end encryption. It converts a message (or even entire files) into encrypted text that can be copy/pasted anywhere, such as email messages, Facebook posts, or forum posts. There is no difference between “military grade encryption” and the “consumer encryption” that is seen in PGP. That means individuals can post these encrypted messages publicly and even the NSA is unable to access them. There is a misconception that intelligence agencies like the NSA are able to crack any encryption. This is not true. Most encryption that is done correctly cannot be overcome unless the user makes a mistake.

Such end-to-end encryption relies upon something called public-key cryptography. Two mathematically related keys are created, such that a message encrypted by one key can only be decrypted by the other. This allows one key to be made public so that one’s interlocutor can use it to encrypt messages that the intended recipient can decrypt through the private-key.[d] Al-Qa`ida’s Inspire magazine, for example, publishes its public-key[5] so that anyone using PGP can use it to encrypt a message that only the publishers of the magazine can read.

Full Device Encryption
If an individual loses his iPhone, for example, his data should be safe from criminals.[e] Only governments are likely to have the resources to crack the phone by finding some strange vulnerability. The FBI reportedly paid a private contractor close to $1 million to unlock the iPhone of San Bernardino terrorist Syed Rizwan Farook.[6]

The reason an iPhone is secure from criminals is because of full device encryption, also full disk encryption. Not only is all of the data encrypted, it is done in a way that is combined or entangled[7] with the hardware. Thus, the police cannot clone the encrypted data, then crack it offline using supercomputers to “brute-force” guess all possible combinations of the passcode. Instead, they effectively have to ask the phone to decrypt itself, which it will do but slowly, defeating cracking.[f]

Android phones work in much the same manner. However, most manufacturers put less effort into securing their phones than Apple. Exceptions are companies like Blackphone, which explicitly took extra care to secure their devices.

Full disk encryption is also a feature of personal computers. Microsoft Windows comes with BitLocker, Macintosh comes with FileVault, and Linux comes with LUKS. The well-known disk encryption software TrueCrypt works with all three operating systems as does a variation of PGP called PGPdisk. Some computers come with a chip called a TPM[g] that can protect the password from cracking, but most owners do not use a TPM. This means that unless they use long/complex passwords, adversaries will be able to crack their passwords.

Disgusting: Democrats Walk During Moment of Silence

Posted on June 14, 2016June 14, 2016 by Denise Simon

6 victims remain in intensive care.

Democrats shout down Paul Ryan after Orlando shooting moment of silence

CBS: Shouting erupted Monday evening on the House floor after a moment of silence for the victims of the Orlando massacre as Democrats demanded that the House consider gun control legislation.

After the brief moment of silence that Speaker Paul Ryan, R-Wisconsin, called for, Democrats began shouting from one side of the chamber, interrupting Ryan. Ryan’s office only tweeted out a clip of the moment of silence, but not the shouting that followed.

The House just observed a moment of silence in memory of those killed in the terrorist attack in #Orlando.https://t.co/MqS94hk68V

— Paul Ryan (@SpeakerRyan) June 13, 2016

“Where’s the bill?” Democrats shouted, referring to gun control legislation.

Amid the shouting, Assistant Democratic Leader Jim Clyburn, D-South Carolina, tried to seek recognition.

“I am really concerned that we have just today had a moment of silence and later this week the 17th…,” Clyburn said, as he was interrupted by Ryan who then asked if he was a posing a parliamentary inquiry.

“Yes, Mr. Speaker,” Clyburn said. “I am particularly interested about three pieces of legislation that have been filed in response to Charleston.”

Clyburn was referring to the anniversary this Saturday of the Charleston shooting massacre that left nine parishioners dead in a South Carolina church last year. One of the bills Democrats want the House to consider would close the “Charleston loophole, which is how the shooter in Charleston obtained a gun. The FBI performs background checks on gun buyers on South Carolina and if the check isn’t denied or completed in three days, the gun seller can sell the guy to the prospective buyer. The other pieces of legislation would prevent people who are on the FBI’s no-fly list from purchasing guns and one would ban anyone convicted of a hate crime from buying firearms, according to a leadership aide.

Ryan, however, ignored Clyburn and called for the House to continue voting. According to the speaker’s office, Clyburn was out of order under House rules and was not making a proper motion or inquiry.

“It’s shameful that anyone would try to use a moment of silence honoring victims of a brutal terrorist attack to advance their own political agenda,” Ryan spokeswoman AshLee Strong said.

We just observed a moment of silence for the #Orlando victims. Then @SpeakerRyan refused to act to keep guns out of the hands of terrorists.

— Rep. Ted Deutch (@RepTedDeutch) June 13, 2016

Some Democrats said that they didn’t want to participate in the moment of silence at all.

Why I’m refusing the moment of silence. #NoMoreSilence Read: https://t.co/pSKUie0jVk pic.twitter.com/NTnFEokK3r

— Katherine Clark (@RepKClark) June 13, 2016

The victims of #Orlando deserve more than a moment of silence from Congress. They deserve moments of courage & action. #WheresTheBill

— Rep. Eric Swalwell (@RepSwalwell) June 13, 2016

Jim HimesVerified account ‏@jahimes Jun 12

I will not attend one more”Moment of Silence” on the Floor. Our silence does not honor the victims, it mocks them.

Seth MoultonVerified account ‏@sethmoulton 14h14 hours ago

So I’m joining @jahimes in not attending any more House “Moments of Silence” for mass shooting victims. Walked out of my first one tonight.

***** Tuesday, Obama holds a large national security council meeting to discuss terror attacks.

Taking part in the NSC meeting now underway at @USTreasury per WH:pic.twitter.com/0TAFys8gJg

#RedNationRising

Post Sandy Hook Gun Laws to Judges

Posted on June 13, 2016June 13, 2016 by Denise Simon

Post-Sandy Hook Gun Laws to Reach Justices Days After Orlando Shooting

Second Circuit upheld Connecticut restrictions on military-style rifles. But justices haven’t shown a recent interest in gun cases.

NationalLawJournal: With the worst mass shooting in American history in the background, the U.S. Supreme Court on June 16 will take its first look at a challenge to Connecticut’s ban on military-style firearms. But as past actions show, the justices may have little interest in revisiting Second Amendment disputes, including the regulation of the AR-15-style weapon reportedly used in the Orlando shootings that killed at least 50 people at a night club.

Since its landmark 2008 ruling in District of Columbia v. Heller, the high court has declined numerous requests by gun rights advocates to examine the scope of protection for firearms—from concealed carry bans to open carry and guns on campus.

One possible reason? Lower courts have largely been uniform in upholding firearm restrictions. Jonathan Lowy, director of the Legal Action Project of the Brady Campaign to Prevent Gun Violence, told The National Law Journal last year that the circuit courts haven’t split on any significant issues.

In the Connecticut case, Shew v. Malloy, the Connecticut Citizens Defense League and others challenged a law the state passed in the aftermath of the 2012 mass killing of 20 children and six adults in Newtown, Connecticut. The shooter, Adam Lanza, fired 154 rounds in less than five minutes from an AR-15 military-style rifle.

The U.S. Court of Appeals for the Second Circuit upheld the challenged provisions in October.

The Supreme Court last year was presented a chance to take up a Chicago suburb’s assault-weapon ban. In December, the court, with justices Clarence Thomas and the late Antonin Scalia dissenting, denied review in Friedman v. City of Highland Park, Illinois. The decision left in place a Seventh Circuit ruling that upheld the city’s ban on assault weapons and large capacity magazines.

Highland Park defined an “assault weapon” as a semiautomatic firearm with one of five specific features and with the capacity to accept more than 10 rounds of ammunition. A large capacity magazine is an “ammunition feeding device with the capacity to accept more than 10 rounds,” according to the ordinance.

Thomas dissented from the denial of review. He said the Heller decision asks “whether the law bans types of firearms commonly used for a lawful purpose—regardless of whether alternatives exist. And Heller draws a distinction between such firearms and weapons specially adapted to unlawful uses and not in common use, such as sawed-off shotguns.”

Thomas said Highland Park’s ban “is thus highly suspect because it broadly prohibits common semiautomatic firearms used for lawful purposes. Roughly five million Americans own AR-style semiautomatic rifles. The overwhelming majority of citizens who own and use such rifles do so for lawful purposes, including self-defense and target shooting.”

California, Connecticut, New York, Maryland, Massachusetts, New Jersey and Hawaii, have bans similar to Highland Park’s law.

In June 2015, with Thomas and Scalia again dissenting, the justices declined to review Jackson v. City and County of San Francisco. The Ninth Circuit in that case upheld certain restrictions on handguns kept in the home.

The Ninth Circuit acted again on June 10 in Peruta v. County of San Diego, holding there is no Second Amendment right for private citizens to carry concealed weapons in public.

The Connecticut case that the justices have scheduled for their June 16 conference was filed by the Connecticut Citizens Defense League and others. They are represented by the same lawyers who brought the Illinois challenge—including David Thompson of Washington’s Cooper & Kirk.

Thompson argues the Supreme Court’s ruling in Heller applies to firearms “typically possessed by law-abiding citizens for lawful purposes.”

Under Heller’s reasoning, he said, “law-abiding citizens also must be permitted to use the arms at issue in this case, which include AR-15s, the nation’s most popular semi-automatic rifles.”

Opposing review, Connecticut Assistant Attorney General Maura Osborne argued: “There is no disagreement among the lower courts on the question in this case. Indeed, the lower courts that have fully and finally considered whether a state may prohibit access to assault weapons have universally concluded that states may do so.”

Maryland regulations under review

Gun rights advocates and their opponents are closely watching a Maryland case that could create a division among circuit courts.

On May 11, the full Fourth Circuit considered the constitutionality of Maryland’s ban on certain semiautomatic weapons. Maryland’s Firearm Safety Act, like Connecticut’s regulations, passed in the wake of the 2012 Newtown elementary school shootings. The law also prohibits magazines holding more than 10 rounds.

A three-judge panel in Kolbe v. Hogan ruled in February that the state ban imposed a “substantial” burden on the Second Amendment rights of law-abiding citizens. It vacated a district court decision that upheld the ban. The appellate panel directed the trial court to apply “strict scrutiny,” a high standard that requires the government to prove a restriction “furthers a compelling interest” and it not overly broad.

“Let’s be real: The assault weapons banned by Maryland’s [Firearm Safety Act] are exceptionally lethal weapons of war,” Fourth Circuit Judge Robert King wrote in a dissent that supported the trial judge. “In fact, the most popular of the prohibited semiautomatic rifles, the AR-15, functions almost identically to the military’s fully automatic M16.”

A decision by the full Fourth Circuit is pending.

Read More:

Thomas Objects as Justices Turn Away Challenge to Assault-Weapon Ban

A Liberal Court Could Limit Reach of ‘Heller’

Second Circuit Largely Upholds Weapon Restrictions in Connecticut, New York

Split Ninth Circuit Rejects Concealed Carry Right in Gun Case

Florida Supreme Court Takes On Open-Carry Case

The Long Push to Get Another High-Court Gun Ruling

In Wake of Oregon Shooting, Don’t Expect Gun Makers to Pay

Global Human Trafficking, Here at Home

Posted on June 9, 2016June 9, 2016 by Denise Simon

Pigs Fly, the UN Finally Admitted Global Sex Violence/Trafficking

Even CNBC is Sounding Alarm on Smuggling at Southern Border

Reps. Cohen, Kinzinger, Cárdenas and Wagner Introduce Bipartisan Human Trafficking Bill

June 9, 2016

Press Release

[WASHINGTON, DC] – Congressman Steve Cohen (D-TN), Congressman Adam Kinzinger (R-IL), Congressman Tony Cárdenas (D-CA) and Congresswoman Ann Wagner (R-MO) yesterday introduced H.R. 5405, the Stop, Observe, Ask and Respond (SOAR) to Health and Wellness Act. This bipartisan legislation would provide health care professionals at all levels training on how to identify and appropriately treat human trafficking victims. It is a companion bill to S. 1446, which was introduced by Senators Heidi Heitkamp (D-ND) and Susan Collins (R-ME).

“Human trafficking is a hidden crime that impacts hundreds of thousands of people across the U.S., and many of these victims end up in a health care setting while being exploited,” said Congressman Cohen. “Our bill aims to ensure health care professionals are trained to identify victims of human trafficking and provide them with critical, victim-centered health care. Our bill also enables health care providers to implement protocols and procedures to work with victims, service organizations, and law enforcement so that victims can get proper support and perpetrators of human trafficking are brought to justice. I would like to thank Reps. Kinzinger, Cárdenas and Wagner for joining me in introducing this bill.”

“It is critical that our health care providers are trained to recognize cases of human trafficking and have the proper procedures to best help those most vulnerable,” said Rep. Kinzinger. “I’m proud to be an original cosponsor of the SOAR Act and I believe this pilot program will have a significant impact towards identifying cases of human trafficking and helping more victims across the country from this disgusting crime.”

“Human trafficking has grown into a large scale industry that is disproportionately geared towards women,” said Rep. Cárdenas. “This is just one of the many reasons why I did not hesitate to become an original cosponsor of the SOAR bill. Victims of trafficking suffer long-term effects, and with the introduction of new research, it is evident that the people who seek help can be identified and properly cared for by trained professionals. It is time to use this information in order to help stop the growth of the trafficking industry and facilitate the well-being of both survivors and victims.”

“Education and awareness are critical in the fight to end human trafficking. This legislation will provide health care providers on all levels with the appropriate training and tools necessary to identify and report potential cases of human trafficking,” said Congresswoman Wagner. “With tens of thousands of victims being trafficked in the United States each year, I am happy to work with my colleagues across the aisle to introduce and quickly pass this legislation.”

“Victims of human trafficking are hidden in plain sight – making those in captivity unrecognizable even to our most trusted professionals like doctors and nurses,” said Senator Heitkamp. “By implementing across the country the successes of health worker pilot training programs in North Dakota, my bipartisan bill with Sen. Collins would help provide the critical tools medical professionals need to recognize and protect victims of human trafficking. Today’s introduction of our bill in the U.S. House of Representatives is a critical step toward putting an end to human trafficking by identifying victims and getting them the support they need.”

“Sex trafficking is a heinous crime that tragically affects every corner of America. Human traffickers prey upon the most vulnerable, often homeless or runaway children,” said Senator Collins. “Identification is a crucial, and frequently missed, step in helping victims and stopping these atrocities. This bipartisan legislation would expand a successful pilot program at the U.S. Department of Health and Human Services to ensure that more health care providers have the training to identify, report, and treat these cases, which will help us shine a light on some of the darkest stories imaginable and protect victims of these detestable crimes.”

The Stop, Observe, Ask and Respond (SOAR) to Health and Wellness Act supports efforts underway at the Department of Health and Human Services (HHS) to combat human trafficking by directing the Secretary to establish a pilot program to be known as ‘Stop, Observe, Ask and Respond to Health and Wellness Training.’ While human trafficking victims are often difficult to identify, a reported 68 percent of trafficking victims end up in a health care setting at some point while being exploited, including in clinics, emergency rooms and doctor’s offices. Despite this, out of more than 5,680 hospitals in the country, only 60 have been identified as having a plan for treating patients who are victims of trafficking and 95 percent of emergency room personnel are not trained to treat trafficking victims. The SOAR Act will help close the gap in health care settings without plans for treating human trafficking victims.

**** How bad is it?

BBC: Dubbed “the General”, Mered Medhanie is alleged to have led a multi-billion dollar empire which specialised in people-smuggling.

Mered Medhanie styled himself on the late Libyan leader Col Muammar Gaddafi

A 35-year-old Eritrean, he came to public attention after being linked to the worst migrant disaster at sea – the deaths of 359 migrants in October 2013 after their boat sank near the Italian island of Lampedusa.

Canada-based barrister Christine Duhaime, who specialises in money-laundering legislation, said Mr Mered was suspected to be a ringleader of the people-smuggling network which stretched across Africa and Europe.

“He is notorious just for the fact that he controlled a lot of money and a lot of people,” she told the BBC’s Newsday programme.

“As kingpin, the amount of money that went through him is apparently in the billions.” More to the story here.

Tech, One Extreme to Another

Posted on May 26, 2016May 26, 2016 by Denise Simon

Does anyone remember the floppy disk? How about Windows Me or COBOL?

Sheesh….

Gov’t report: Feds spend billions to run ancient technology

In a report to be released Wednesday, nonpartisan congressional investigators say the increasing cost of maintaining museum-ready equipment devours money better spent on modernization.

Despite a White House push to replace aging workhorse systems, the budget for modernization has fallen, and will be $7 billion less in 2017 than in 2010, said the Government Accountability Office. The report was provided to The Associated Press ahead of a House oversight committee hearing.

GAO said it found problems across the government, not just in a few agencies. Among those highlighted in the report:

— The Defense Department’s Strategic Automated Command and Control System, which is used to send and receive emergency action messages to U.S. nuclear forces. The system is running on a 1970s IBM computing platform, and still uses 8-inch floppy disks to store data. “Replacement parts for the system are difficult to find because they are now obsolete,” GAO said. The Pentagon is initiating a full replacement and says the floppy disks should be gone by the end of next year. The entire upgrade will take longer.

— Treasury’s individual and business master files, the authoritative data sources for taxpayer information. The systems are about 56 years old, and use an outdated computer language that is difficult to write and maintain. Treasury plans to replace the systems, but has no firm dates.

— Social Security systems that are used to determine eligibility and estimate benefits, about 31 years old. Some use a programming language called COBOL, dating to the late 1950s and early 1960s. “Most of the employees who developed these systems are ready to retire and the agency will lose their collective knowledge,” the report said. “Training new employees to maintain the older systems takes a lot of time.” Social Security has no plans to replace the entire system, but is eliminating and upgrading older and costlier components. It is also rehiring retirees who know the technology.

— Medicare’s Appeals System, which is only 11 years old, but facing challenges keeping up with a growing number of appeals, as well as questions from congressional offices following up on constituent concerns. The report says the agency has general plans to keep updating the system, depending on the availability of funds.

— The Transportation Department’s Hazardous Materials Information System, used to track incidents and keep information relied on by regulators. The system is about 41 years old, and some of its software is no longer supported by vendors, which can create security risks. The department plans to complete its modernization program in 2018.

GAO estimates that the government spent at least $80 billion on information technology, or IT, in 2015. However, the total could be significantly higher. Not counted in the report are certain Pentagon systems, as well as those run by independent agencies, among them the CIA. Major systems are known as “IT investments” in government jargon. More here from WashingtonPost.

*****

Smarter than Google?

This new search engine could be way smarter than Google

Search engines that aren’t Google rarely have much that’s interesting to offer to the average consumer. But Omnity, a new search engine aimed at researchers — or even just students doing their homework — offers some glimmers of something new that make it worth taking notice.

Search, as we know it, is ripe for some sort of change, after all. Google is certainly working to bake search more fully into our cars, phones and other devices. Specialized search engines — for flights, places to stay, even .gifs — are going strong. And then there are those AI bots being promised by Google, Facebook, Microsoft and others. What are they but high-powered, repackaged search engines?

Omnity stands out by offering results that best match for any given search term and also how those results relate to each other. So if you’re about to start a research project on a topic you know little about, you can quickly see who is getting cited the most, whose research is the most influential or which university is leading the pack on that subject. It draws from a number of data sets, including SEC filings, public news organization reports, scientific journals, financial reports and legal histories.

You can also drag and drop documents into the search engine to get an analysis of the “rare words” in it — Omnity obviously strips out the little words like “he,” “she,” “it” and “but,” yet also looks for words that are more unique to any given document to get a better idea of what it’s about. For example, I dragged in a legal filing from a case I’m researching for another article. Omnity turned up links to other cases that were relevant but not directly cited in the filing, as well as the names of some experts that I may now end up calling. More from WashingtonPost.