The Two-Way
5:05 am
Fri August 1, 2014

Big Data Firm Says It Can Link Snowden Data To Changed Terrorist Behavior

Originally published on Mon August 18, 2014 4:28 am

Editor's note on Aug. 17 at 11:25 a.m. ET: A clarification and links to the ombudsman's critique of this post have been added.

For nearly a year, U.S. government officials have said revelations from former NSA contract worker Edward Snowden harmed national security and allowed terrorists to develop their own countermeasures. Those officials haven't publicly given specific examples — but a tech firm based in Cambridge, Mass., says it has tangible evidence of the changes.

According to a new report to be released Friday by big data firm Recorded Future, a direct connection can be drawn: Just months after the Snowden documents were released, al-Qaida dramatically changed the way its operatives interacted online.

"We saw at least three major product releases coming out with different organizations with al-Qaida and associated organizations fairly quickly after the Snowden disclosures," said Recorded Future's CEO and co-founder Christopher Ahlberg. "But we wanted to go deeper and see how big those changes were."

By "product releases," Ahlberg means new software. And for the first time, Recorded Future says, it can now codify just how big a change it was.

The company brought in a cyber expert, Mario Vuksan, the CEO of Reversing Labs, to investigate the technical aspects of the new software. Vuksan essentially reverse-engineered the 2013 encryption updates and found not only more sophisticated software but also newly available downloads that allowed encryption on cellphones, Android products and Macs.

To put that change into context, for years, al-Qaida has used an encryption program written by its own coders called Mujahideen Secrets. It was a Windows-based program that groups like al-Qaida's arm in Yemen and al-Shabab in Somalia used to scramble their communications. American-born radical imam Anwar al-Awlaki used it, too. Since Mujahideen Secret's introduction in 2007, there had been some minor updates to the program, but no big upgrades.

Ahlberg thought the fact that the group changed the program months after Snowden's revelations provided good circumstantial evidence that the former contractor had had an impact — but he wanted to see how much.

As it turns out, Recorded Future and Reversing Labs discovered that al-Qaida didn't just tinker at the edges of its seven-year-old encryption software; it overhauled it. The new programs no longer use much of what's known as "homebrew," or homemade algorithms. Instead, al-Qaida has started incorporating more sophisticated open-source code to help disguise its communications.

"This is as close to proof that you can get that these have changed and improved their communications structure post the Snowden leaks," Ahlberg said.

Others are less sure that you can draw a straight line from Snowden to the changes in al-Qaida's encryption program. Bruce Schneier, a technologist and fellow at the Berkman Center at Harvard, said it's hard to tell.

"Certainly they have made changes," Schneier said, "but is that because of the normal costs of software development or because they thought rightly or wrongly that they were being targeted?"

Whatever the reason, Schneier says, al-Qaida's new encryption program won't necessarily keep communications secret, and the only way to ensure that nothing gets picked up is to not send anything electronically. Osama bin Laden understood that. That's why he ended up resorting to couriers.

Upgrading encryption software might mask communications for al-Qaida temporarily, but probably not for long, Schneier said.

"It is relatively easy to find vulnerabilities in software," he added. "This is why cybercriminals do so well stealing our credit cards. And it is also going to be why intelligence agencies are going to be able to break whatever software these al-Qaida operatives are using."

The NSA, for its part, declined to comment.


Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

RENEE MONTAGNE, HOST:

For months now, U.S. officials have said that leaks from former NSA contractor Edward Snowden changed the way terrorists communicate. But they've stopped short of providing details. Now, a technology company in Cambridge, Massachusetts says it's found tangible evidence that terrorist groups are using sophisticated encryption programs.

NPR's Dina Temple-Raston reports.

DINA TEMPLE-RASTON, BYLINE: The CEO of big data company Recorded Future is a man named Christopher Ahlberg. He had heard the Obama administration say that terrorists had changed the way they behave because of the Snowden leaks. He wanted to see if it was really true.

CHRISTOPHER AHLBERG: So we dove into that, sort of, diving into forums and product platform releases and the like.

TEMPLE-RASTON: The company trolled the Internet for al-Qaida mentions of Snowden. It downloaded versions of al-Qaida's encryption software and it discovered signs that al-Qaida had changed, specifically, it upgraded its encryption systems. For years, al-Qaida had used an encryption program written by its own coders. They called it Mujahideen Secrets. And most al-Qaida affiliates used it to scramble their communications. Since its introduction in 2007 there had been some minor updates. Then, in late 2013 after the Snowden leaks, the program got a major overhaul. Three different groups with links to al-Qaida introduced three new encryption products. It was like jumping from Windows 2.0 to Windows XP. Ahlberg says, that wasn't a coincidence.

AHLBERG: Three major product releases coming from three different organizations on the al-Qaida and associated organizations, fairly quickly after the Snowden disclosures.

TEMPLE-RASTON: Ahlberg believed this amounted to good circumstantial evidence that Snowden had had an impact. But he wanted to see how much so he called in a cyber expert.

MARIO VUKSAN: My name is Mario Vuksan and I'm the CEO and the founder of Reversing Labs.

TEMPLE-RASTON: Reversing Labs is a cyber analysis company. And Vuksan took the new al-Qaida encryption program apart to see what it was made of. As a general matter, he says, encryption is fairly straightforward.

VUKSAN: So multiple mathematical algorithms have been developed to scramble this content into a random set of letters and numbers so that only the target receiver would be able to read it.

TEMPLE-RASTON: In other words, someone might type a message in Arabic, then the encryption program turns it into random numbers and letters. The recipient on the other side can unscramble the message with a key.

Vuksan said the new version of Mujahideen Secrets is much better. The old program was built on code that al-Qaida created for itself. The new version incorporates more sophisticated open source code, which means it's probably harder to break.

VUKSAN: This is not the work of somebody who has learned the programming yesterday and is now trying to do their first, you know, hello world application. I cannot imagine that this is being developed in some cave in Afghanistan.

TEMPLE-RASTON: Ahlberg says, wherever it was developed, the complexity and timing of the software upgrade is important.

AHLBERG: This is as close to proof you can get to these guys have changed and improved their communications infrastructure post the Snowden leaks.

TEMPLE-RASTON: Others are less sure that you can draw a straight line from Snowden's documents to the changes in al-Qaida's encryption program. Bruce Schneier is a technologist and a fellow at the Berkman Center at Harvard.

BRUCE SCHNEIER: It's hard to tell. Certainly they've made changes. Is that because of the normal cost of software development or because they thought, rightly or wrongly, that they were being targeted?

TEMPLE-RASTON: Whatever the reason, Schneier says al-Qaida's new encryption program won't necessarily keep communication secret.

SCHNEIER: It is relatively easy to find vulnerabilities in software. I mean, this is why cyber criminals do so well stealing our credit cards. And it's also going to be why intelligence agencies are going to be able to break whatever software these al-Qaida operatives are using.

TEMPLE-RASTON: The NSA declined to comment.

Dina Temple-Raston. NPR News, New York. Transcript provided by NPR, Copyright NPR.