Terror's Confounding Online Trail

R. A. Hettinga rah at shipwright.com
Thu Mar 28 08:17:45 EST 2002


http://www.nytimes.com/2002/03/28/technology/circuits/28TERR.html?tntemail0=&pagewanted=print

March 28, 2002

Terror's Confounding Online Trail

By SUSAN STELLIN

FOR all the sophisticated electronic tools the United States government has
at its investigative disposal, tracking the activities of suspected
terrorist groups online has proved to be not unlike the search for Osama
bin Laden and his operatives on the ground.

In essence, even against a superior arsenal of technology, there are still
plenty of ways for terrorists to avoid detection.

Although digital forensics has undoubtedly been useful in piecing together
events since Sept. 11 - leading, for example, to the arrests of three of
the suspects in the abduction and murder of an American reporter in
Pakistan - information technology has significant limits in monitoring a
widely dispersed terrorist network.

Moreover, terrorist groups are taking advantage of their own knowledge of
technology to evade surveillance through simple tactics, like moving from
one Internet cafe to the next, and more sophisticated ones, like encryption.

"The Internet presents two main challenges," said David Lang, director of
the computer forensics department at the Veridian Corporation, a company
based in Arlington, Va., that provides systems for the Pentagon and United
States intelligence. "One is it's ubiquitous - you can access it from just
about anywhere in the world. The other thing is you can be easily hidden."

Despite growing concerns about invasions of Internet users' privacy, it is
still relatively simple to communicate anonymously online. Many services
enable users to send e-mail or browse the Web without leaving a digital
trail - generally by disguising the unique number, known as an I.P.
address, that links a specific computer to e-mail messages sent or Web
sites visited.

Some of those services have taken measures to prevent their technology from
being put to ill use. Anonymizer.com, for instance, rejects subscribers
from countries known for harboring terrorists, including Afghanistan and
Pakistan. But individuals linked to terrorist groups appear to be relying
on more low-tech methods to avoid detection.

"The interesting thing is there's no evidence that any of these people have
ever used Anonymizer or any other privacy service," said Lance Cottrell,
the company's president. "What you see them doing is using Internet cafes
and Yahoo and Hotmail and moving from cafe to cafe."

In one of the few known cases in which suspected terrorists have been
traced through e-mail, the kidnapping and slaying of Daniel Pearl, a Wall
Street Journal reporter working in Pakistan, the abductors used Hotmail,
Microsoft's Web-based e-mail service, to announce their deed
to news organizations. Although the sender seemingly remains anonymous,
Hotmail attaches the I.P. address of the sending computer to messages
transmitted through its service, which left investigators with at least the
beginning of a trail.
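The "beginning of a trail" the article describes is the address a webmail provider stamps into the message headers; the following parser, an added example and not code from the article or from any of the companies it quotes, pulls that stamp and the relay chain out of a constructed message. It assumes the `X-Originating-IP` header Hotmail used at the time (the article does not name the header) and uses made-up addresses from the RFC 5737 documentation ranges.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample (not one of the Pearl-case messages). A webmail provider stamps the
# sending browser's address in X-Originating-IP, and every relay on the way prepends a
# Received line. Addresses are RFC 5737 documentation ranges and resolve to nothing.
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [198.51.100.9])
\tby mx.newsroom.example (Postfix) with ESMTP id 4F2A1
\tfor <desk@newsroom.example>; Wed, 30 Jan 2002 10:12:44 -0500
Received: from webmail.example.com ([203.0.113.27])
\tby mail.example.net with SMTP; Wed, 30 Jan 2002 15:12:40 +0000
X-Originating-IP: [192.0.2.45]
From: anonymous@webmail.example.com
To: desk@newsroom.example
Subject: constructed sample

body text
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg: Message):
    """Address the webmail provider recorded for the sender, or None if absent."""
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = IP_IN_BRACKETS.search(value)
    return m.group(1) if m else value.strip()

def received_chain(msg: Message):
    """Relay addresses in transit order (first hop first). Relays prepend Received
    lines, so the header nearest the top is the last hop. Only the line written by
    the receiving organisation's own server is trustworthy; everything beneath it,
    X-Originating-IP included, arrived with the message and could have been forged."""
    hops = []
    for value in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(value)
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))

def trace(raw: str):
    """Starting points for a look-up: the stamped origin, then each hop to the destination."""
    msg = message_from_string(raw)
    return {"origin": originating_ip(msg), "hops": received_chain(msg)}
```

Each address returned is only a lead: the next step, as the article notes, is a look-up of who holds the block and a request to that provider for its own assignment logs.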

With the use of public look-up services on the Web, the I.P. address from a
message received from the kidnappers on Jan. 30 could be traced to Cyber
Internet Services, an Internet service provider in Pakistan. The I.P.
address from an earlier message reached a dead end farther upstream at New
Skies, a Netherlands-based company that provides Internet access by
satellite to many countries, including Pakistan.

From there, investigators are likely to have relied on cooperation from
those companies to trace the computer that was assigned that I.P. address
when the message was sent. (A spokeswoman for New Skies confirmed that
investigators had been in contact with the company. Although she declined
to discuss details, the company's Web site indicates that Cyber Internet
Services is a client.)

One challenge for investigators is that many people in developing countries
like Pakistan get Internet access through public places like cybercafes,
which do not necessarily ask customers for identification or keep the logs
of Internet activity that service providers in the United States typically
do. With help from the F.B.I., Pakistani officials ultimately recovered
copies of the e-mail on a computer belonging to a suspect arrested with two
others in the case. It is not clear whether the messages were sent through
a dial-up account or from an Internet cafe.

Getting cooperation from Internet service providers in other countries can
also be a hurdle, although operating outside the reach of American laws
regulating how Internet communications may be monitored presents some
advantages. "If it comes down to it, we would do a black-bag job on an
I.S.P. - literally, kick in the door in the middle of the night," said Mark
Rasch, an expert on cyberlaw in Reston, Va., who formerly headed the
Justice Department's computer crime unit and is now a vice president at
Predictive Systems, a security firm.

Mr. Rasch noted that within the United States, wiretaps for intelligence
purposes face a lower threshold for approval, the assent of a secret
three-judge panel. Wiretaps in criminal investigations, on the other hand,
are approved in the regular courts and require a showing of "probable
cause."

But even with relaxed laws, gathering intelligence, particularly without a
suspect or lead, involves collecting and analyzing mountains of data. And
government monitoring systems may not be quite as developed as some have
speculated.

One of those tools, DCS-1000, generally referred to as Carnivore, can be
installed at Internet service providers to monitor e-mail traffic - the
digital version, essentially, of a wiretap. On a worldwide level, the
National Security Agency operates a satellite network called Echelon
in cooperation with Britain, Canada, Australia and New Zealand
that monitors voice and data communications. Privacy groups have raised
concerns about its use, but there is debate about whether in practice
Echelon is very effective.

"Echelon as described doesn't exist," Mr. Rasch said. "The idea that the
N.S.A. has a program that captures every international phone call and
analyzes every word and phrase isn't true. One of the biggest problems is
there's just so much noise and so much traffic."

Such monitoring systems can in principle be programmed to look for certain
keywords, like bomb or target, within messages they capture. But given
recent international events, such language is probably not uncommon,
leaving investigators to determine which communications may represent
serious threats.

"Is it that everybody in the country hates the U.S., or is it directed
terrorist activity?" said Mark Seiden, a computer security consultant based
in Silicon Valley. "I don't know if we have the resources to make that
distinction."

There is some indication that plotters are aware of such keyword sniffers:
Mr. Seiden, who reviewed the e-mail from Mr. Pearl's kidnappers, is among
those who suggest that the suspects in that case deliberately misspelled
words to avoid detection - for example, using "Amreeka," "terrarism" and
"Pakstan."

Those messages were written in English, but foreign languages present
another challenge. Mr. Lang of Veridian acknowledged that digital forensics
teams accustomed to tracking down criminal suspects in the United States
had undergone a "crash course" in foreign language analysis since Sept. 11,
with help from companies that have re-engineered forensics tools to work
with Arabic and other languages not based on the Roman alphabet.

As an example, Mr. Lang described data-mining software that relies on
link-analysis techniques to determine relationships between messages. "Say
you want to see everything in these e-mails that has 'Washington D.C.' and
'terrorist' or 'bomb' within 10 spaces of each other," Mr. Lang said. "It
will show you all the e-mail content that has that relationship and where
it came from and where it went to."
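The proximity query Mr. Lang describes, and the misspelling problem Mr. Seiden raises a few paragraphs earlier, are both illustrated by the following added example (not code from the article, from Veridian or from any product it mentions): it reports sender and recipient for every message in which a term occurs within a window of the anchor phrase, and an optional fuzzy mode tolerates spellings like "terrarism". The messages are constructed, and the edit budgets per term length are an assumption of this example.

```python
import re

# Constructed sample traffic (not real intercepts): (sender, recipient, text).
SAMPLE_MESSAGES = [
    ("a@example.com", "b@example.net",
     "The Washington D.C. conference on terrorist financing runs all week."),
    ("c@example.org", "d@example.net",
     "Landed in Washington D.C.; the terrarism coverage on TV is nonstop here."),
    ("e@example.com", "f@example.org",
     "Washington D.C. was sunny, the museums were open, the food was fine, the hotel "
     "was quiet and cheap, and only on the last day did a bomb scare close the metro."),
]

def tokenize(text):
    """Lower-cased word tokens; dots and apostrophes stay so 'D.C.' is one token."""
    return re.findall(r"[a-z][a-z.']*", text.lower())

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def term_matches(token, term, fuzzy):
    """Exact match, or (if fuzzy) a misspelling within a length-scaled edit budget.
    Budgets are an assumption: short words get none, so 'bomb' never fuzzy-matches."""
    if token == term:
        return True
    budget = 2 if len(term) >= 8 else 1 if len(term) >= 5 else 0
    return fuzzy and edit_distance(token, term) <= budget

def proximity_hits(messages, anchor, terms, window=10, fuzzy=False):
    """(sender, recipient, matched_word) for each message where one of `terms`
    occurs within `window` tokens of the multi-word `anchor` phrase."""
    anchor_toks = tokenize(anchor)
    n = len(anchor_toks)
    hits = []
    for sender, recipient, text in messages:
        toks = tokenize(text)
        anchor_pos = [i for i in range(len(toks) - n + 1) if toks[i:i + n] == anchor_toks]
        for j, tok in enumerate(toks):
            if any(term_matches(tok, t, fuzzy) for t in terms) and \
               any(abs(j - p) <= window for p in anchor_pos):
                hits.append((sender, recipient, tok))
                break
    return hits
```

With exact matching only the first message is reported; the second, which spells the term "terrarism", is reported only in fuzzy mode, and the third is never reported because "bomb" sits well outside the ten-token window.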

Of course, deciphering coded messages is another matter. Although some
reports have suggested that members of Al Qaeda may be using steganography
- hiding communications within seemingly harmless information like an image
or audio file - security experts said they knew of no evidence of its use,
pointing out that there are much easier ways to disguise communications.

It is clear that the terrorist network is using encryption: The Wall Street
Journal has said that two computers purchased by one of its reporters in
Kabul, Afghanistan, were apparently looted from a former Al Qaeda office
and contained files protected by encryption. One document provided
instructions for encrypting files, The Journal reported, while others
contained evidence that seemed to link Al Qaeda to Richard C. Reid, the man
accused of trying to ignite a shoe bomb on a flight from Paris to Miami in
December.

The Journal was able to decipher the files because they relied on an older
version of encryption. Stronger encryption is much more difficult to crack.

Both the e-mail in the Pearl case and the computers containing Al Qaeda
documents came to investigators' attention by way of news organizations.
Far less is known about other evidence collected by military and
intelligence personnel. In recent weeks government officials have
acknowledged intercepting e-mail communications among Al Qaeda members that
apparently originated in Pakistan and have cited at least three Web sites
they were monitoring, but few details have been made public.

One of the three Web sites cited, www.newjihad.com, is registered to an
address in Lahore, Pakistan, but is no longer online. Another,
www.azzam.com, is registered to an address in London but uses a New York
company's host computers. The third, alemarh.com, is registered to an
address in Pakistan and has a Nevada company as host.

Locating Web sites that terrorists may be using to communicate is in some
ways more difficult than monitoring e-mail traffic, which can be
intercepted. Although software tools can be programmed to search the Web
for pages with certain characteristics, they are by no means foolproof. And
even if a particular site raises a red flag, finding out who runs it is not
always simple. The contact information provided when a person registers a
Web address can easily be faked, and the host of the site may not even know
who is publishing the pages.

Often a host company will take a site offline after being contacted by
investigators. Such a response highlights the delicate balance that
intelligence agencies face in trying to root out terrorists who may be
communicating by the Web.

"If we shut down sites we don't agree with, we're really subverting the
values that we're fighting for," said Mr. Cottrell of Anonymizer.com. He
and many other security experts say they doubt that even the most
sophisticated surveillance system can catch everyone trying to slip through
the cracks.

"That's kind of the irony in this," he said. "For the honest good citizen,
privacy is extremely endangered and tracking is ubiquitous. But I don't see
a sign that we've ever been able to build a system that criminals with
serious intent haven't been able to circumvent."

Copyright 2002 The New York Times Company
-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA

The IBUC Symposium on Geodesic Capital
April 3-4, 2002, The Downtown Harvard Club, Boston
<mailto: rah at ibuc.com> for details...

"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com