from the I-study-bitcoin-and-violence,-I-love-my-hashes... dept
So much for "going dark." The FBI's narrative of a terrorist-filled world enshrouded in encryption continues to be disproven. For one, it appears the NSA has made tremendous strides towards cracking commonly-used encryption, thanks to its computing power and the fact that a great many servers reuse the same Diffie-Hellman primes. For another, the super secret world of terrorism doesn't seem to be all that secret. FBI director James Comey has repeatedly pointed out that terrorism suspects are vanishing behind encrypted communication platforms, but when pointedly asked how often this is actually happening, he could only claim "dozens of times."
Operational security may be improving over time, but as of this point, suspected terrorists are still leaving themselves exposed through easily-accessed channels. Marcy Wheeler of emptywheel took a look at the latest terrorism suspect busted by the FBI and sees nothing in the criminal complaint that suggests the agency had much trouble hunting him down.
Given Jim Comey’s repeated warnings of how the FBI is going dark on ISIS organizing, I thought I’d look at how FBI found this guy.

Facebook, Hotmail, Twitter… these aren't exactly the tools of the "going dark" trade. It could be that Ferizi is an anomaly -- a terrorist who thinks OPSEC is for losers who want to stay out of prison. But it also suggests commonly-used communications continue to be commonly used, even by people performing unlawful actions.
Ardit Ferizi, the suspect’s real name, was connected to the @Th3Dir3ctorY account on Twitter. On that account Ferizi linked to an article about the Kosova Hacker’s Security group (KHS) for which he had been interviewed. He also identified himself as the owner of KHS.
Ferizi registered the Twitter identity to a hotmail account tied to an IP address in Kosovo.
@Th3Dir3ctorY subsequently logged into Twitter from various ISPs in Malaysia, including 184.108.40.206.
The hacker who first broke into “Victim Company” on June 13, 2015 and ultimately stole the data of 100,000 people created an account with the identity KHS. On August 19, 2015 — after the company had removed the malware used to exfiltrate the data — someone identifying himself as “Albanian Hacker” and using the email “email@example.com” contacted the company and asked them to stop taking down their files (which the FBI interpreted to mean the malware left on the server). The IP address tied to the SQL injection used by the hacker was 220.127.116.11.
A Facebook account tied to the name “ardit.ferizi01” also used that IP address. Ferizi sent himself a spreadsheet via that Facebook account with the stolen PII.
As Wheeler points out, the FBI calls Ferizi a hacker… and yet, for all of his alleged skills, he deployed less secretive measures than many people who have no connection to illicit deeds or today's Public Enemy No. 1: ISIS/ISIL.
Even if Ferizi had been more careful, it's likely the FBI would not have run into an encrypted dead end. While apps like WhatsApp may offer encrypted communications, their creators are often willing to hand over whatever identifying information they do have on suspected criminals. This can then be tied to more open communications platforms. It's highly unlikely that every single bit of communication between terrorism suspects happens on secured channels. And once a suspect is in custody, work can begin on forcing the person to cough up login info.
Nothing about this suggests backdoored encryption is the only way to successfully fight terrorism (and the drug war, etc.). What Comey's complaints suggest is that the FBI would definitely prefer an easier way to do this, one that doesn't involve approaching the NSA for anything it has collected or seeking court orders/warrants to collect information from third parties. What it would like is for as many communication platforms as possible to be open books, where all investigators have to do is a small amount of Googling -- or simply have full access to any account where the agency suspects discussions of illegal acts might be taking place.