Tuesday, March 29, 2016

Some other comments on the ISIS dead-drop system

So, by the time I finished this, this New York Times article had more details. Apparently, it really is just TrueCrypt. What's still missing is how the messages are created. Presumably, it's just Notepad. It's also missing the protocol used. Is it HTTP/FTP file upload? Or do they log on via SMB? Or is it a service like Dropbox?

Anyway, I think the way of sending messages that I describe below is better:

Old post:

CNN is reporting on how the Euro-ISIS terrorists are using encryption. The details are garbled, because neither the terrorists, the police, nor the reporters understand what's going on. @thegrugq tries to untangle this nonsense in his post, but I have a different theory. It's pure guesswork, trying to create something that is plausibly useful and that somehow fits the garbled story.

I assume what's really going on is this.

The terrorist is given a USB drive with the TrueCrypt software and an encrypted partition/file. The first thing the terrorist does is put the USB drive into a computer, run the TrueCrypt program, then mount the file/partition, entering a password. In other words, all you see on the USB drive is the directory "TrueCrypt" and a large file that is the encrypted "container", as you can see in the picture of the "F:" drive.

Once the terrorist mounts the container, she then opens that new folder. It'll contain a copy of a PGP program, like gpg4win. The terrorist runs that GUI. You see that on the right with the "G:" drive, with a 'portable' version of GPG installed in the encrypted container.

The terrorist types in the message, then encrypts it. The terrorist chooses one of the many public keys that have been stored inside this encrypted container (G:) within the USB flash drive (F:).

Then the terrorist runs a 'portable' web browser from the G: drive. These are browsers based on Chrome or Firefox that run completely self-contained from a directory, leaving no other trace on the system. In this example, I'm using "Iron Portable", which is based on Chrome. All the settings, like which website to log into, and possibly saved passwords, are stored in this directory. Likewise, any logs will be stored here.

The terrorist then logs onto a forum, such as a typical phpBB one using SSL. The terrorist then creates a new message and copies/pastes the encrypted text from the clipboard. In this example, I'm showing the "Gentoo" forums, which are well known to be visited by various ne'er-do-wells and sympathizers.

This system works because it's completely contained on the USB drive. The terrorist can walk up to any Windows PC at a cyber-cafe and make this work. All the evidence is on the USB drive, so there's nothing left on the Windows computer that law enforcement can track down. Likewise, the forum is likely to be something that the NSA is less likely to be monitoring. But if they are, they'll get some metadata, but still won't be able to break the PGP encryption.

This is all guesswork. I built this USB drive in the last hour and installed all the portable versions of the software (TrueCrypt, gpg4win, and Iron Portable) on it to create these screenshots. It's a plausibly useful way of doing things, such that stupid terrorists can't mess things up (leave unencrypted messages or metadata around). And it matches (kinda) the garbled news account.

The moral of the story is that news stories ought to talk to experts. We can't figure out what's really going on from the inaccurate accounts, and can only make guesses like I have here.
