Terrorists brandish tech sword, too

Five years after the 2001 terrorist attacks, law enforcement and terrorist groups bring new levels of sophistication to the ongoing game of digital cat and mouse.

Imam Samudra is notorious for his technology evangelism. From death row in Indonesia, the architect of bomb blasts that killed 202 people at a Bali nightclub in 2002 wrote an autobiography that encourages would-be terrorists to use technology against the United States and offers a primer on credit card fraud for financing the operations.

“It’s really a very powerful guide to becoming an effective cyber thief,” said Alan Paller, director of research at the SANS Institute, a security watchdog.

Samudra is a chilling reminder that the FBI, the CIA, England’s MI5 and other intelligence and law enforcement agencies worldwide aren’t the only ones turning to modern computer and communications technology to help their cause.

Like the recently foiled plot to use easily obtained chemicals to produce bombs aboard airplanes, another branch of modern terrorism tradecraft is “taking advantage of technology we use everyday, but for subversive uses,” said Kim Taipale, executive director of the Center for Advanced Studies in Science and Technology Policy, a think tank.

According to security experts, al Qaeda and loosely organized units inspired by it approach technology differently from state-sponsored spies who have tried to hack into classified U.S. government computer systems to gather intelligence and disrupt operations.

Stateless terrorist groups often use the Internet for communications and recruiting. They also use it to spread bots, stealth software programs that load onto the PCs of unsuspecting people and then steal credit card numbers and banking passwords or use the infected machine to launch cyberattacks.

Others worry about the potential for even more sophisticated technology applications by terrorists. “The next frontier is their ability to potentially attack our infrastructure from a cave in Afghanistan to shut down the northeastern power grid,” said Bruce Brody, vice president for information security at Input, a consulting firm for the public sector.

Fortunately, law enforcement agencies, aided by security experts in government and private industry, don’t only react to threats. New security techniques and technologies are helping crack the top technology challenges created by international terrorist techno-geeks and proactively diminish their effectiveness.

Terrorist Tech Challenge #1: The Internet
Similar to its multifaceted personality for law-abiding uses, the Internet presents many opportunities to terrorists:

Command and control. The Internet’s fluid organizational structure provides a communications foundation for command and control activities within centralized terrorist groups, such as al Qaeda, and more loosely organized cells worldwide. It quickly conveys communications via e-mail messages and secure Web sites to operatives.

“They can open up Web sites and close them down within minutes, which [shows] that the intended audience had a separate message indicating what to look for and when to look for it,” said Brian Jenkins, senior adviser to the president of Rand Corp., a public policy think tank. “As you go chasing it, it disappears by the time you get there.”

Reconnaissance and surveillance. Laptop PCs captured by suspected terrorist leaders and operatives often contain schematics of government buildings, power plants and other potential physical targets — plans likely obtained and distributed via the Internet.

“A terrorist organization today has available to it as much [surveillance technology] as the Soviets had during the Cold War,” Taipale said. Terrorists “don’t need a satellite; they can just go to Google Earth.”

Tradecraft development. “The information revolution means that information is now widely available at the same time,” said Peter Singer, a senior fellow and national security expert at the Brookings Institution. Instant communications means that the latest tactics for making improvised bombs, obtaining stolen credit card numbers or evading authorities while using cellular phones quickly become available worldwide.

Media and propaganda. The Internet removes editor and reporter intermediaries that may alter messages terrorists seek to communicate to their perceived constituents. Terrorists “are able to put some of these horrific videotapes of actual attacks or hostages being beheaded directly on the Internet,” Jenkins said. As of Sept. 11, 2001, “there were probably only a handful of sites devoted to the jihadist cause. Now there are hundreds and hundreds of these sites.”

Community development and recruitment. In the past, Islamic terrorist recruiting counted on the “jihadi trail,” a chain of radical outposts that stretched across the Middle East to Afghanistan, to unite new recruits with organizers. Today, like-minded communities organized in Internet chat rooms or on MySpace perform similar roles electronically.

“You may be some angry teenager in Farmingham, England; Pensacola, Fla.; or Madrid, Spain, and meet other people just like you,” Singer said. “On the Internet, people tend to congregate with like-minded people. It’s self-reinforcing and helps to radicalize people.”

What's next in security technology?

Click here to enlarge chart (.pdf).

chart
How we fight back
The best way to foil Internet-based command and control activities may be the use of stealth operations rather than force. Intelligence agencies can disrupt terrorists’ communications by breaking network connections to keep information from getting through or delaying its arrival.

“The strategy is to create problems. Let the rest of the organization wonder about where the funds are going or make people think others are informers,” Taipale said, adding that destabilizing communications increases the chances that terrorists will make mistakes.

The Web’s natural anonymity aids those techniques. “The Internet is a masked ball,” Jenkins said. “If you establish the proper credentials, you can actually begin to participate in some of these online communities and chat rooms.”

But he warns that law enforcement authorities need to work harder at this type of digital espionage.

“Dealing with the radicalization and recruitment process is a part of the battlefield where we have not learned to operate effectively yet,” Jenkins said. “We have the most high-tech armed forces in the world, but we’re struggling to understand this new dimension of political warfare. It’s not just a matter of technology; it’s a matter of comprehension.”

Terrorist Tech Challenge #2: Drive-by computer infections
Antivirus software and admonitions against opening e-mail attachments from unknown senders are no longer enough to keep malicious programs off PCs. Careful computer users may unknowingly infect their computers with malicious programs that record keystrokes and send information to hackers anywhere worldwide.

Drive-by infections occur when unsuspecting Web surfers visit a booby-trapped Web site, often one associated with spam, pornography or gambling. Security holes in Web browsers allow such sites to secretly download keystroke-logging software to the visitor’s computer. The logging program then watches for a preset trigger, such as a bank’s Web address, and then records the next couple of hundred keystrokes, which may include an account number and password. With the financial information in hand, terrorist hackers “immediately transfer money to banks outside of the United States,” Paller said. “It’s the fastest, best way to convert cyberattacks into money.”

How we fight back
Paller said anti-spyware programs are becoming less effective at identifying and removing sophisticated keystroke loggers. One defense is to diligently update security patches that plug holes in Web browsers. Another defense is behavior analysis hardware and software, available from Cisco Systems, Finjan Software, Lancope and others. The security technology analyzes a new program’s code to understand what it does before it accesses a PC’s hard drive.

This approach asks a simple question. “‘Is this content legitimate or not?’” said Yuval Ben-Itzhak, chief technology officer at Finjan.

“The first time we see the code, we can understand whether it is malicious or not from its behavior,” he added.

Terrorist Tech Challenge #3: SCADA systems
Supervisory control and data acquisition (SCADA) systems are the brains behind large-scale infrastructures such as electrical power grids and nuclear power plants. Theoretically, regional power blackouts, economic disruptions and sabotage could occur if terrorist hackers penetrated a SCADA system.

“There certainly are vulnerabilities in our infrastructure — we have seen disruptions occur because of failures in reliability,” said Daniel Ryan, a professor at the Information Resources Management College of the National Defense University. “I suspect it might be possible for a terrorist to create those kinds of effects.”

How we fight back
A recent effort by the Idaho National Laboratory, the New York State Office of Cyber Security and Critical Infrastructure Coordination, and the SANS Institute addressed one of the biggest vulnerabilities in SCADA systems.

Many bundles of computers and software contain capabilities — unbeknownst to buyers — that may let terrorist hackers access computers to try to take over systems. Those internal capabilities include features such as an enterprise-class e-mail module in Sun Microsystems workstations and Web servers in Microsoft Windows-based servers.

Paller said those capabilities open unnecessary security risks. For example, he said vulnerabilities associated with Microsoft’s Internet Information Services Web server worsen when the software comes preloaded on a computer from a systems integrator or other third-party source. Worse still, many users, unaware of the software’s presence, don’t think of going to Microsoft for patch updates that would reduce vulnerabilities.

“Right now, the people sell it to us with everything turned on, and they justify that by saying that it’s convenient to people,” Paller said.

Earlier this month, the three organizations released “Cyber Security Procurement Language for Control Systems,” a set of guidelines for utilities and their suppliers that define the types of features they should disable until users decide to activate them.

“Most security [strategies] have winners and losers,” Paller said. “This is one that seems to have people only saying that it makes sense.”

Terrorist Tech Challenge #4: Cell phones
Like many previous terrorist plots, the recent liquid-bomb plot apparently included one of the world’s most ubiquitous electronic devices: the cell phone. Cell phones can be detonators for improvised bombs used in Iraq, and investigators think they played a role in the 2002 Bali bombing and the commuter train explosions in Spain two years later.

“What’s scary is the exquisite ease with which a cell phone becomes a detonator,” said David Nelson, a security consultant at Input. “At the appropriate time, from anywhere in the world, you dial the cell phone number, and when the phone rings, the connection is made and the detonator goes off.”

Whether used as detonators or for on-the-fly communications, the rise of inexpensive cell phones that contain prepaid credit for calls rather than a link to a specific account provide a layer of throwaway anonymity for terrorists, Nelson said.

How we fight back
Intelligence agents can track cell phones via the built-in Global Positioning System capabilities in many devices if careless users don’t remove the battery in their phones. Savvier users may try to avoid this tracking tactic, but agents can still thwart the calls using military versions of communications jammers that block calls by sending alternative signals to collide with communications traffic originating several miles away.

“Cell phones allow terrorists to keep moving around and shift bases of communications, but they’re also a vulnerability because cell phone signals can be intercepted,” Ryan said.

Terrorist Tech Challenge # 5: Encryption
Although laptop and desktop PCs seized during raids of terrorist hideouts promise troves of intelligence, common technologies are keeping authorities from easily culling data from the machines. “PGP is just a download away,” Nelson said, referring to a widely used encryption program.

Sophisticated terrorist organizations routinely use encryption technology to scramble data stored on hard drives and in e-mail messages that law enforcement agencies might intercept in transit. Similarly, Web site creators use Internet security protocols such as Secure Sockets Layer to make traffic unreadable to outsiders.

How we fight back
If authorities identify a secured site potentially used by a terrorist organization, they may not be able to read individual messages but can still collect intelligence by analyzing the traffic that comes to the site.

“I may not know what you are saying, but I know who you are saying it to,” Nelson said.

For example, by intercepting SSL communications, authorities could determine the IP addresses of the communicators. The Whois network protocol can then help law enforcement agencies track the owners of specific IP addresses or domain names. Although not always geographically specific, a Whois search may pinpoint a message’s country or perhaps city of origin.

But like other countermeasures, technologically savvy terrorist organizations are finding ways around this one, too. They can cover their Internet tracks by communicating with intermediary computers that indirectly relay messages between primary senders and recipients.

“Authorities may know the guy in the middle, but they can’t get back to the originator,” Nelson said. “It’s the same cat-and-mouse game all over again.”

Joch is a business and technology writer based in New England. He can be reached at ajoch@worldpath.com.

Human touch still needed

Just as there are no silver bullets to cure business productivity ills with technology alone, anti-terrorism organizations need to balance their reliance on technology with “the more grungy aspects of spy tradecraft,” said David Nelson, a security consultant at Input.

Successful espionage requires agents who understand different cultures, speak the relevant languages and blend in with terrorist groups.

Combining agents like these with advanced technology creates a potent anti-terrorism force. “If we know who a bad guy is, then it’s a lot easier to search phone records for who he is connected to than to use phone records just as a black hole to search for a reputed bad guy,” Nelson said. This appears to be the approach the National Security Agency is using by gaining access to domestic phone records, he added. “They are looking for needles in a haystack.”

Instead, Nelson advocates a back-to-basics approach for the people part of the equation.

— Alan Joch