Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘Digital Forensics’ Category

Abo Yahya and Metadata Cleaning


I recently came across the site above through some searches and I have to say that it kind of surprised me as to the content's sophistication in the hacking/security area. This Abo Yahya is adept at understanding the security intricacies needed to prevent easy detection online (using TOR) and seems quite plugged into the hacker community, with videos from a European hacker conference to boot. What really struck me though is the above picture, where Abo talks about the metadata problem and how it was used to capture Dennis Rader.

Abo goes on to talk about a script to remove the data from Word docs as well, which I guess has been on the minds of some and has been used in tracking the files that the jihadis are making. One wonders if the doc files are the only ones he (Abo) has worked out, or have they done so with, say, PDF files? All I know is that there are many more files than just doc files out there that can be used to track you all. However, there is much more to learn, isn't there? Now it seems that Abo and Song of Terror have plans to teach the ways of hacking and information security.

The site goes on to show tutorials in the Linux command line as well as the flavors of Linux, including video tutorials. It would seem that they have been paying attention quite well to the security community's posts and chatter about how to be secure online. Abo also brings out the old jihadi crypto program (Mujahideen Secrets 2.0) and does a little how-to on encrypting all their transmissions. All of these files and programs, including a tutorial suite by GIMF, are available for download in various places.. All of which, I assume, will give us all the chance to check the metadata and see what they might offer in leads as to who made them.
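The metadata leads the post refers to can be pulled straight out of the .docx container. As an added example (not from the post, and not the script Abo describes), the following Python reads docProps/core.xml and docProps/app.xml from a constructed sample file and reports which parts are absent, which is what a "cleaned" file looks like to an examiner; the author, company and timestamps in the sample are made-up placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used by the two metadata parts of a .docx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# The fields an investigator looks at first: who made the file, on what, and when.
CORE_FIELDS = {
    "creator": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "revision": "cp:revision",
}
APP_FIELDS = {
    "application": "ep:Application",
    "app_version": "ep:AppVersion",
    "company": "ep:Company",
}


def _fields(xml_bytes, wanted):
    """Pull the named child elements out of one metadata part."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for key, path in wanted.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            out[key] = el.text.strip()
    return out


def extract_docx_metadata(docx_bytes):
    """Return the identifying metadata stored inside a .docx container.

    A .docx is a zip: author/editor/timestamps live in docProps/core.xml and
    the producing application in docProps/app.xml. A file that has been
    stripped usually lacks these parts or carries empty elements, which is
    itself worth noting, so missing parts are reported rather than fatal.
    """
    meta = {"missing_parts": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            meta.update(_fields(z.read("docProps/core.xml"), CORE_FIELDS))
        else:
            meta["missing_parts"].append("docProps/core.xml")
        if "docProps/app.xml" in names:
            meta.update(_fields(z.read("docProps/app.xml"), APP_FIELDS))
        else:
            meta["missing_parts"].append("docProps/app.xml")
    return meta


def build_sample_docx(creator="CONSTRUCTED_AUTHOR", company="CONSTRUCTED_ORG",
                      include_props=True):
    """Build a minimal CONSTRUCTED .docx in memory so the example runs offline.

    Only the parts the extractor reads are populated; the body is a stub.
    With include_props=False the metadata parts are omitted, mimicking a
    file that has been run through a metadata-stripping script.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>%s</dc:creator>"
        "<cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<cp:revision>3</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2010-01-02T03:04:05Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2010-01-03T06:07:08Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], creator, creator)
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        "<Application>Microsoft Office Word</Application>"
        "<AppVersion>12.0000</AppVersion>"
        "<Company>%s</Company>"
        "</Properties>"
    ) % (NS["ep"], company)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # stub, not parsed here
        z.writestr("word/document.xml", "<w:document/>")  # stub body
        if include_props:
            z.writestr("docProps/core.xml", core)
            z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("original", build_sample_docx()),
                        ("cleaned", build_sample_docx(include_props=False))):
        print(label, extract_docx_metadata(blob))
```

Point the extractor at real files by passing `open(path, "rb").read()`; the same two parts exist in .xlsx and .pptx containers.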

Meanwhile, there was an interesting little passage below Song of Terror’s video on Linux basics…

Peace be upon you and God’s mercy and blessings be upon you

After reading the topic to Brother, “the grandson of bin Laden,” may God preserve him for a script Rapidleech
The fact was the subject of a great and a quantum leap in the world of Jihad in the era of fighting jihad
In squares, in particular the field of media jihad there is no secret to you delete thousands of links to movies jihadist pretext of combatting terrorism. Here, a modest contribution to me for how to publish links rapidly and participation comes after reading the topic to Brother, “the grandson of Bin Laden,” more than once since the beginning has not sunk in but please God I understand that after you apply some examples so I would recommend reading the first issue of the brother by watching this video

So, Bin Laden’s grandson called all of this a quantum leap in jihad, huh? Well, in a sense it really is.. They are learning…. However, just how much can they learn, and does anyone really think that they can be as “secure” as they need to be to not get popped? I mean, with all the warning and hand-wringing that we in the security community do about the lack of security in the general populace, just how much actually works? All too often the security is lacking in all quarters, and I am sure that these guys too will fail when it comes right down to it.

… And in the case of Abo.. I already know who he is in real life I think… And where he lives… How you ask?

Metadata.

So, what I have learned from this site is that there are certain factions that are more learned about hacking and security. They are now making inroads into the jihadi forums and in fact, this site is directly linked to the alfaloja boys, the very same site that was hacked and brought down by CAUI efforts on the part of certain governments. I guess they took from the incident a certain fear of being popped and recruited more people, with the help of Song Of Terror I assume. Of course, just as the security community posts things or creates software/hacks and releases them, these only serve to allow for follow-up and obfuscation, due to it all being in the open. In the case of this site and others that are showing how to hack, we too now know exactly what they are up to and how we can turn that around on them.

Additionally, one of the nice tasty bits that Abo left for me was a hash for mujahideen secrets:

15738D22AC6EACF1F54CC155BDE72D368F81AB2525DD2F64733A36E31D8B137E

Which I put into Maltego and began some searches…

I have to do some more tweaks to searches with Maltego here, but you can see where this program is being mentioned, served out, and talked about. All of these sites make nice launch points with Maltego and some Googling to further explore who is using it… If I can’t read what you’re saying, kids, I can at least know WHO YOU ARE. Funny how those little features that make something more secure can be used against you, huh?

Anyway, for those interested.. here is the data using Maltego on the site and its connections. Maktoobblog is a Yahoo site and this particular one is out of the UK. Perhaps soon Yahoo will get wise to the site…

I see you Abo…

inetnum:        77.238.160.0 - 77.238.191.255
org:            ORG-YE1-RIPE
netname:        UK-YAHOO-20070216
descr:          Yahoo! Europe
country:        GB
admin-c:        KW3969-RIPE
tech-c:         KW3969-RIPE
status:         ALLOCATED PA
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      YAHOO-MNT
mnt-routes:     YAHOO-MNT
mnt-domains:    YAHOO-MNT
source:         RIPE # Filtered

organisation:   ORG-YE1-RIPE
org-name:       Yahoo! Europe
org-type:       LIR
address:        Yahoo! UK Ltd 125 Shaftesbury Avenue London WC2H 8AD London United Kingdom
phone:          +44 207 131 1495
fax-no:         +44 207 131 1213
e-mail:         kwoods@uk.yahoo-inc.com
admin-c:        DR2790-RIPE
admin-c:        IG1154-RIPE
admin-c:        NA1231-RIPE
mnt-ref:        YAHOO-MNT
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
source:         RIPE # Filtered

person:         Kerry Woods
address:        125 Shaftesbury Avenue
address:        London
address:        WC2H 8AD
phone:          +44 020 7131 1000
fax-no:         +44 020 7131 1213
e-mail:         kwoods@uk.yahoo-inc.com
nic-hdl:        KW3969-RIPE
mnt-by:         YAHOO-MNT
source:         RIPE # Filtered

Служба Внешней Разведки: Russian Espionage “The Illegals 1990-2010”


Служба Внешней Разведки

“Christ, I miss the Cold War”

M from Casino Royale

The dramatic events unfolding within the last day or so over the “illegals” program caught by the FBI are really the stuff of le Carré and other writers of espionage fiction. Yet, this is all real….

The reports started coming out yesterday afternoon, and having seen a blurb on CNN I went out and got hold of the complaint by the Federal government against the 10 conspirators and had a sit-down. In the end I found myself alternately laughing at the story that unfolded and waxing historical about yesteryear during the Cold War days. It seems though that one thing has changed a bit since the old days.

Millennial Spies?

It seems the SVR had to remind their operatives that they were in fact here for a reason and being taken care of for that reason, i.e. being spies.

This communiqué pretty much alludes to the fact that perhaps the “illegals” had been here too long and had begun feeling entitled, as opposed to being servants of the state. This is a bit of a difference from the old Cold War days. Yes, of course some deep-cover operatives might have become “comfortable” in the West, but they pretty much lived under the fear of reprisals to themselves and family in the old country if they misbehaved. This message and some of the handling that can be seen from the surveillance bespeak a more millennial attitude by these illegals than old-school Sov operatives. In one case an officer remarks that he is glad not to be one of the illegals' handlers, as the illegal is bitching about money… Kinda comical…

It also seems to me that some of these operatives were in fact quite young when they started and, even as things progressed, were not as well trained as they could have been. In one case there is a remark of only about 2 weeks of training at the SVR center, and this is not quite like the old days when the spooks got some serious training before going out in the field. Of course today, post the 1990s break-up of the Soviet Union, I suspect that in some of the minds at “C” we (FBI) have become lax at detection and operations just because we were very Sov-oriented back in the Cold War period.

However, this group of illegals seems to have been in play since the late 90s and over time, have become more American than true-blood Russian ideologues. With the amounts of money being passed to them over the years, these folks were rather well taken care of. This is something a bit different from the old days and bespeaks a paradigm shift in the SVR’s handling of them and approaches to getting good INTEL out of them. These folks were monetarily motivated, which is usually how spies get brought in from other nation states, not the ones being sent to foreign posts by the motherland.

Times are a changing though… Guess you have to roll with it or lose assets.

Technology and OPSEC

The times have changed and with them the technologies of spy-craft do too. In the case of the illegals, not only did they engage in “AD HOC” wireless networks between laptops in open spaces (ballsy really, given the nature of WiFi 802.11 standards and vulnerabilities) but also with the addition of things like the use of “Steganography

For some time now I have been randomly hoovering sites looking for stegged images and so far, I have come up with potential hits (Jihadist sites) but as yet, I haven’t been able to decrypt anything that is alleged to be hidden. In the case of the illegals, they had special software installed on laptops given to them by Moscow Centre. It turns out that these laptops and the schemes that they were using didn’t always work for the agents but, in many cases, had it not been for the surveillance by the FBI, this particular method of data passing might not have been seen.

Overall, the technology today is neat but, as in the case of the AD HOC networking over WiFi, I have to wonder about their choice here. I mean it wasn’t all that long ago that the CIA had a fiasco with a “WiFi” enabled faux rock in a park in Moscow. The rock was supposed to be able to transfer data onto a CF-type card from a PDA or phone that the asset would pass by. As the technology failed, the KGB noticed that there were people wandering around looking to connect to this rock. When they did a search they got the rock and later the asset trying to connect to the faulty device. So much for the technological approach.

When it works it works great.. When it fails, you end up in Lubyanka…

Tradecraft: Tried and True

Meanwhile, some of the illegals seem to have perfected the tradecraft side of the work by performing brush passes with operatives from the Russian consulate as well as infiltrating and exfiltrating from other countries using bogus passports etc. It seems, though, that the FBI caught on to the group and exploited poor tradecraft practices to catch onto the whole of the operation. In one case the handler from the consulate took 3 hours of evasion practices to elude any possible surveillance, only to be compromised by the fact that the “illegal” was already under surveillance… OOPS.

The meetings that are mentioned in the complaint, though, show how much tradecraft the group was using to perform their meetings. These included marking, dead drops, and of course the brush passes with pass phrases like “Didn’t I meet you in Bangkok in 1990?” So for those of you who think that it's just cliché, it's not really… Even in today's technological world these practices are kept up BECAUSE the technology is so easily watched from remote, à la the NSA. Of course it was that technological FAIL along with the poor practices of basic information security that caught them in the end.

Kinda funny really.. I mean, how often do I moan and wail about all of this, huh? And here it is that very thing that pops a group of spies for Russia.

Funny…

Meanwhile some of the “old school” techniques still pervade…

Numbers Stations and Rapid Burst Transmissions Making a Comeback

When some of the houses/apartments were black-bagged, the operatives found that the illegals were not only using “rapid burst” radio technology, but also the old, old-school technique of “Numbers Stations” to get their orders as well as report their data to Moscow Centre. I imagine that in the case of the rapid burst technology, they were in close proximity of either other operatives that they did not know about, or they were in fact close enough to the consulates that they could burst their data to the arrays on the roof.

This stuff is really old school, and I have mentioned before that the number of “numbers” stations has increased over time since the internet age took over, because this technology, properly implemented, is sure-fire and hard to detect. After all, how many of us have short-wave radios in our homes, huh? The burst technology though is a little more circumspect and can be detected, but since it has not been in vogue for some time, I doubt many agencies are looking for it. Perhaps a HAM radio operator in the area might have picked up on it, but it was the surveillance team that mentions “noise” that seems to be radio transmissions.

It just goes to show that sometimes the new tech just doesn’t cut it. You need to go old school.

Espionage 2010, Pooty Poot, The Bear Never Left

In the end, I expect to be hearing more about this story in the news. There will likely be the expulsions of diplomats from the Russian consulates in the US as well as the ongoing coverage of the trials. What I am wondering about, though, is that the FBI charged these guys with smaller charges rather than official “espionage.”

This makes me think that there is much more to this tale behind the scenes that we will eventually get in dribs and drabs. I personally think that the illegals that we caught really made a dent in the security of the nation. The complaint does not mention any high-level connections that would be bad enough to consider this operation as a whole to be damaging. However, if the group is in fact bigger or, as we know, there are others out there, just who have they compromised? Remember that in the complaint you can see Moscow Center asking about compromisable assets. What they really wanted was to go old school and get the dirt on someone juicy and turn them… and given Washington’s habit of nasty behavior with pages or toe-tapping in airport men's rooms, I can see they had a rich target environment.

All of this also makes it so ironic that the operation had been ongoing since at least the Clinton administration. When “W” looked into the soul of Pooty Poot, he wasn’t in fact seeing anything there. George, he was PWN-ing you as you gave him the reach around.. and liked it. The Bear never left my friends and anyone who thought we were all friends with rainbows and puppies where Russia was concerned is seriously deluded.

The only thing that has changed is that the American consciousness became… unconscious to conspicuous wealth and reality TV.

I too pine for the Cold War… Looks like it's back on.

So in conclusion here are some questions that I have:

  • Why was this operation rolled up now?
  • How did the FBI catch on to these illegals?
  • Who is “FARMER”?
  • Who is “PARROT”?
  • Why the charges of not telling the AG that the illegals were.. well, illegal, and not actually charged with “espionage”?
  • Why did “C” want the operatives to buy ASUS Eee PCs?
  • What steg program did they have?
  • When will we be expelling the 3 consulate “secretaries” in NYC?

You can read the “almost full” complaint here

CoB

FBI’s “Investigative Kiosks” allow quick data extraction from cell phones = FAIL


It seems that every day, manufacturers add features to the garden-variety cell phone that make these mobile devices increasingly valuable as items of evidence. Text messages, call logs, e-mails, photographs, videos—all of this data and more can be found on many cell phones today.

To help local, state, and federal law enforcement deal with an increased demand in analyzing cell-phone data, the FBI has been launching Cell Phone Investigative Kiosks (CPIKs) in FBI Field Offices and Regional Computer Forensics Laboratory (RCFL) locations across the country. The CPIK allows users to extract data from a cell phone, put it into a report, and burn the report onto a CD or DVD in as little as 30 minutes.

Kiosk users only need to have some familiarity with computers and are required to take a one-time only, hour-long training course. Assistance with the kiosks is also available on site at CPIK locations.

Each CPIK has two components: 1) a cell phone examination system that contains software and the necessary cables to download data; and 2) a photographic system that enables a user to take pictures of a cell phone’s screen.

Users of the CPIK are able to:

  • Copy data from a cell phone to a computer hard drive
  • Examine data in a report format on the computer screen
  • Copy the report onto a portable device (such as a CD or DVD)
  • Copy the photographs onto a portable device (such as a CD or DVD)

While the CPIK is intended to be a preview tool—not equivalent to a full-scale cell-phone examination such as that performed by a certified examiner—any evidence produced using the tool is admissible in a court of law.

Non-FBI personnel may access the kiosks at their local RCFL. For CPIKs located at an FBI Field Office, non-FBI personnel must have an FBI escort at all times.
To locate a CPIK near you and to learn more about the program, go to: www.rcfl.gov

What this story fails to mention is that these “point and click” kiosks are just that.. point and click; there is no expertise being used to look forensically at the data. For that matter, this system can fail to “see” the data in the first place due to the many different types of phone OSes. Each OS has a different way of storing data: where they store it, how they store it, etc., so when the kiosk is used by an unskilled agent, they may in fact be missing much.

How do I know this? I know this from speaking with and listening to a forensics specialist who works for the FBI as a consultant. So, here we have another chink in the forensics chain due to point-and-click mentality and a deep lack of understanding of Digital Forensics. Of course if you ask any agent or even police officer, you will hear that right now, digital forensics cases are backed up about six months at the labs. There is, it seems, a deficit in qualified digital forensics examiners *hint hint, good time to look into the CHFI, kids* and a glut of cases, many many many of them now involving mobile phones and PDAs.

Think about it.. How many dealers out there are doing their deals by text messages or SMS, huh? How many bangers out there are making vids on their phones of beat-downs etc.? Yeah, there’s a lot of data out there and unless the feds and other LEOs are performing these initial searches right, they might not only miss data but, in many cases with phones, screw the pooch by altering data.

Yeah…

Time to get your phone forensics on kids…

CoB

Written by Krypt3ia

2010/06/05 at 11:33

MJAHDEN: Jihadi Crypto Program


While looking through one of the jihadi sites I came across this little missive in their super secret file area on hacking. This is a little program developed by “R3P” to encrypt data for jihadi use. I guess they aren’t too trusting of, say, “PGP” or any of the other programs they could grab on BitTorrent.

MJAHDEN is the tool and I have yet to decompile and poke at it. It will be interesting to see exactly how they are encrypting things and what kind of crypto hack this guy is.

*NOTE* (rar file is live and all precautions should be taken before executing the .exe kids)

I suspect that this program will not have an extensive crypto algorithm, so reverse engineering should be fairly easy. This is one of the first times I have actually run into the program, but I have heard that they have been developing programs like this and other iterations of perhaps the same one. The post here was a little older but still valid, as it was at the top and still being commented on by jihadis thanking R3P for his holy creation.

So, all you technofreaks out there who wanna play, be my guest.. Let me know if you find anything of note and I will post my findings after I mess around a bit with it.

MEANWHILE.. BACK AT THE RANCH….

I have been busy lately, so things have slowed on the posting and my forays into the jihadi world. However, with the onset of this new guy in Jamaica (Abdulla el-Faisal) I decided to do a little looking at his internet presence. Off of the Wiki site there is a link for his main page. I checked this out with the usual tools and came up with an interesting link to a 4shared site. This site belongs to a user named m.rahman007 and in it are a plethora of mp3 sermons by this guy el-Faisal. At present I am listening to the jihad speech, and this guy really needs to be picked up for incitement to violent jihad, considering he has been at the nexus of so many of the terrorist plots over the years and he is still thumbing his nose at everyone from his cozy Jamaican digs.

To top it off, in my searches of this site I have a direct email from Faisal Shahzad to el-Faisal. So, as you may have heard before on the news, he did have direct contact with him, and you can now see it in that link above. All of my work tonight was spurred by an article that I read that reported on the sudden light-bulb moment for the authorities that the internet has been used for online recruitment of not only foreign jihadis but now “home grown or naturalized” ones too… And we have no way to fight it..

Who’da thunk it?

Wakey wakey folks in government!

One only hopes that they think about it logically and not have knee jerk reactions… Oh, who am I kidding?

CoB

Weapons Of Mass Disruption: Cyberpocalypse-a-palooza


To avoid a digital doomsday, Clarke and co-author Robert Knake argue that America needs to treat cyberattack capabilities as nothing less than weapons of mass destruction that can “skip over the battlefield” to target civilian life. That sort of threat, like nuclear weapons, calls for a multi-tiered response: treaties, transparency, beefed-up defenses and a focused concern on rogue states.

Cyberwar treaties face a problem that traditional ones don’t. An enemy could easily hide the source of attacks by routing them through hijacked computers in another country or attributing them to independent criminals.

But Clarke contends that a government could be held accountable for helping to track down any cyberattack originating within its borders, just as the Taliban was held responsible for harboring Osama bin Laden. Although attribution on the Internet isn’t as simple as in traditional warfare, cyberattacks can be traced. Clarke says forensic hackers can follow the trail of bits when they’re given time and leave to breach enemy computers.

“The NSA can do that. And the NSA tells me that attribution isn’t actually a problem,” he says bluntly.

Full article HERE

Dick, Dick, Dick, I am with you in so many ways.. BUT, when you start talking about DPI of the WHOLE INTERNET, then you lose me pal.

Sorry *shrug*

I personally don’t want the whole of the internet being siphoned even MORE than it already is by DPI at every provider's NOC with a NARUS STA6400 system installed.

Nope, no thank you.

Now, on the other things, like accountability for nations with servers on their soil, I am with you. If a server is public/private and is on your soil, there should be “some” responsibility there. At least there should be enough to enforce that security practices be carried out to prevent it from becoming the botnet slave in the first place, no? Of course Obama wussed out on that one here, didn’t he? No rules will be created to enforce that type of accountability here in the private sector.. No sir! It would put an undue strain on the private sector!

*tap tap* Uhh sir, most of the infrastructure is in “private” hands… Umm without making them do some due diligence we are fucked mmmkay?

Yeah…

Meanwhile, let's talk to the italicized and BOLD text. Back in the days of yore, when pirates roamed the seas, there was a thing called a “Letter of Marque”: basically, the government would give a pirate hunter the letter and say “go git em.” This is what we need today, I think. Of course this is touchy, but this is pretty much what Dick is alluding to. He says that he “knows” that were the NSA given a letter of marque, they could not only penetrate the systems involved, but also run the forensics to attribute where the perp really is.

“Whoa” to quote Neo…

Yes, it’s quite true. Not only the NSA could do this, though. Go to BlackHat or Defcon and you would have a plethora of people to choose from, really. So this is no mysterious mojo here. It's just that this type of action could cause much more ire than the original attack, maybe, and lead us into that physical war with the nukes. Who knows.

I guess, though, that what has been seen as the model for the future “internet” with cyber-geographic demarcations might just be the real future state we need. At least that is what Dick’s advocating here, and I can sorta see that as a way to handle certain problems. If we break up cyberspace, so to speak, into regions (like the whole .XXX debacle) then we can have set rules of governance. At present the internet is just a giant wild west stage complete with digital tumbleweeds and an old whore house.

*pictures the dual swinging doors and spurs jangling*

The one thing that rings true, though, is that there needs to be some accountability.. Just what form that will take is anyone’s guess. For now, though, we will continue on with the lame government jabbering and frothing, with the lapdog that is the so-called “press” lapping it all up and parroting it back to the masses.

Smoke em if ya got em…

CoB

Security experts: Don’t blame Internet for JihadJane and other recent terror scares


By Michael Booth, The Denver Post
Published: Saturday, March 13, 2010 11:15 PM EST

It’s not the Internet. It’s the unstable surfer at the keyboard that constitutes the threat.

Internet terrorism and crime experts hedged their outrage when reacting to the arrest of Leadville’s Jamie Paulin-Ramirez, who was released Saturday without charges. Yes, they said, the Internet provides ample opportunity for disgruntled, lonely or violent people to meet up for criminal ends.

But social media, from chat rooms to Facebook, have become so widespread they are no more or less dangerous than society as a whole, these Internet observers said. And the technology cuts both ways: If alleged plotters like Paulin-Ramirez and “Jihad Jane” are using the Internet to plan crimes, rest assured law enforcement and watchdog groups successfully employ the same tools to foil them.

“Anyone who is trying to use the Internet for crime is falsely under the illusion that they are anonymous and won’t get busted,” said Steve Jones, author of “Virtual Culture” and a professor of communication and technology at the University of Illinois-Chicago. “Consider it an Internet-based ‘neighborhood watch.’ I’m not more concerned about the Internet than I am about the rest of the world.”

Internet connections can make for notorious nicknames and chilling chat-room transcripts, but the method of communication may not have that much impact on terrorism, said Jeremy Lipschultz, an expert in communications law and culture at the University of Nebraska-Omaha.

The rest HERE

Ummm yeah, Steve, you seem to be misunderstanding the problems faced here. Sure, there are people like me and others out there cruising the boards, but the “authorities” are kinda behind the curve on this stuff.

Believe me Steve, I know. I have had dealings with the authorities.

So, yes, if you are on the internet and looking to do bad things AND you don’t know how to be stealthy, sure, eventually you will be caught. However, if you are careful and you know what you are doing, then it may take some time to be caught, if at all.

Case in point, look at our whole APT and cyber security debacle ongoing in the US. The CyberShockwave CNN mess is just the tip of the digital iceberg when talking about how inept our government and its minions are in dealing with the problems in cyberspace.

Better yet, let's look at the 559 million dollar haul recently cited by the FBI taken by cyber criminals. Any clues? Suspects? Not like they can round up the usual crew, huh? It’s just not that easy with our current infrastructure to capture traffic and catch those who were committing the crime. Nor are the cops, even the Feds, up to the task of trying to capture these offenders.

Here’s a quote for you from a recent exchange I had with the FBI:

“I don’t know anything about this stuff.. I do drug cases”

This from a field agent tasked with looking into a cyber-oriented incident. What I am saying here is that there is a big gap, and the criminals and jihadis are using it to the utmost.

So Steve, you obviously don’t have a clue about cyber security issues. The real ones to worry about surely aren’t the guys and gals just using chat groups to talk to Jihadists, these “Jihobbyists,” but let me remind you, it was a group of guys who were NOT cops or feds that caught on to Jane and then reported her. Of course, all of this AFTER she had activated and tried to whack a cartoonist. An act in which she failed, mind you.

Oh, and Steve, did you know she was doing all this on YouTube? I mean really, just how friggin sooper sekret is that huh?

Duh.

Were Jane and others out there tech savvy or trained to be, they could be much more dangerous. In fact, the moniker “jihobbyist” has taken a turn in meaning. You see, the feds thought of Jane and others as “mostly harmless” but, as you can see they were wrong.

No, worry about the jihadis who are technically savvy and trained in computer skills, who know how to use a TOR router, encryption, email dead drops, etc. Those are the ones to worry about, because even if one of us non-cops is watching, we may not catch on. Never mind the cops/feds who are playing catch-up.

CoB

Al-Qaida Goes “Old School” With Tradecraft and Steganography


al-Qaida: Shifting into the spy shadows

12 March 2010 www.cicentre.net

When couriers get caught, so do key al-Qaida documents, plans and key communications. Shaffer says now al-Qaida is hiding their communications on the Internet. It’s not a new concept, but certainly one that’s gaining a lot of momentum since a growing number of critical commanders and operators have either been killed or arrested. How are these dead drops happening? “Steganography in photographs is a good example of a dead drop,” says Shaffer. In a nutshell, a dead drop in a photo involves embedding a message in a picture.

WTOP, 12 March 2010: A growing list of terror suspects nurtured by al-Qaida is emerging. Former military interrogator Dave Gabutz informed WTOP Radio of this notion in June 2009 after he had spent years tracking al-Qaida sleeper units and recruiters. “We came across the first one in Falls Church, Va.,” Gabutz says. This “first one” was controversial Imam Anwar al-Awlaki, who worked at a location watched by Gabutz and his team. . . .

. . . Gabutz says the recruiters are spreading out. “Michigan, Florida, Texas, Nashville, Richmond, Knoxville, and California,” are prime locations, according to Gabutz. There are indications terrorist recruiters are using every available opportunity and option to lure more people into their world and plan attacks against the United States.

Hezbollah sympathizer Mahmoud Kourani was doing just that before his arrest near Detroit in 2002. “Kourani’s specialties appeared to be weaponry, spycraft, counterintelligence,” according to Tom Diaz, a former Congressional Crime Subcommittee staffer. Diaz says Kourani was recruiting people for training. Recruits were to be trained “to make things go bang, to attack, military type training, terror type training,” Diaz says. . . . .

. . . .One question that is puzzling investigators is how al-Qaida communicates with its foot soldiers and recruiters, some of whom may be embedded in the fabric of the U.S. military. With the almost daily capture and killing of key handlers in Pakistan, it seems al-Qaida is being forced to communicate in a completely different way. Since so many couriers and foot soldiers are being rolled up, al-Qaida is relying on “electronic dead-drops,” says Army Reserve Lt. Col. Tony Shaffer, a former Defense Intelligence Agency officer.

I have been seeing some hits these last couple days on my “Leggo My Steggo” post from a while back. The post covered some of what I had been finding on jihadist sites with regard to alleged “Stegged Images” that I had been testing to see if they were indeed hiding data.

Thus far I have found images that seem to be stegged, but I have yet to actually crack an image open and see the data hidden within. So, it’s kind of up in the air if any of the images I have found are in fact stegged. Anyone who wants to give it a shot, feel free to copy the files out of the share in the link above.

Of course this whole article and the premise that the jihadis have had to change their methods of command and control is on the whole correct, I think. However, I believe that they have been using dead drops for some time and not only because of the roll-ups recently. This is just a good standard “tradecraft” practice that should be used when waging such campaigns. Hell, they probably learned it from us or the Brits in the first place… Well, maybe the KGB too.

Now that they have also made much more of their online persona, I am also sure that they have been maximizing this type of technique not only with steg, but also with dead drop email accounts. All one has to do is create an account, share the password, and then just talk amongst yourselves with draft emails. No need to hit the send button there huh. Add to that the use of TOR and you have a pretty safe way to communicate.

What’d be even more secure would be a one-time pad.. But I really don’t see them passing out OTPs to each jihadi cell.

This reminds me of “Hacking A Terror Network,” which has a story-line based approach talking about this very scenario of steg use. I have talked to the author online and shared my data. The problems of how to prove these methods of communication are myriad. So, it may be hard to prove this theory…

I guess I am gonna have to wash some more pictures, video, and audio through the steg detection software and see what I get…
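The "wash pictures through the steg detection software" step, as an added example that is not the post's own tooling: a pure-Python chi-square pairs-of-values test (the classic Westfeld and Pfitzmann LSB steganalysis) run over a constructed 8-bit sample stream rather than a real image. The cover and stego streams are synthetic test data, and the 3.0 ratio threshold is an assumed rule of thumb rather than a calibrated p-value; the profile function goes a step beyond a single verdict by estimating how much of the stream carries payload.

```python
import random


def pov_chi_square(pixels):
    """Chi-square 'pairs of values' statistic over 8-bit samples.

    Each pair (2k, 2k+1) is a two-cell goodness-of-fit test whose expected
    frequency is the pair's mean. LSB replacement with a roughly random
    message pushes every pair towards equality, so the statistic drops to
    about the number of non-empty pairs (its degrees of freedom); a natural
    cover keeps the pairs unequal and scores far higher.
    Returns (statistic, degrees_of_freedom).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p & 0xFF] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue  # an empty pair carries no evidence either way
        stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        dof += 1
    return stat, dof


def embedding_profile(pixels, steps=10):
    """Run the test over growing prefixes of the sample stream.

    Sequential LSB embedding fills the carrier from the start, so the ratio
    statistic/dof stays near 1 while the prefix lies inside the embedded
    region and climbs once untouched cover data is included. The profile
    therefore indicates roughly how much of the file carries payload.
    Returns a list of (fraction_of_pixels, ratio).
    """
    n = len(pixels)
    profile = []
    for s in range(1, steps + 1):
        end = n * s // steps
        stat, dof = pov_chi_square(pixels[:end])
        profile.append((s / steps, stat / dof if dof else float("inf")))
    return profile


def looks_lsb_embedded(pixels, max_ratio=3.0):
    """Coarse verdict: equalised pairs over the whole stream suggest LSB payload.
    max_ratio is an assumed rule of thumb, not a significance level."""
    stat, dof = pov_chi_square(pixels)
    return dof > 0 and stat / dof < max_ratio


def make_cover(n, seed=1234):
    """CONSTRUCTED cover: an 8-bit stream whose even values are favoured,
    mimicking the uneven pair histogram of real sensor data (not a real image)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = rng.randrange(256)
        if rng.random() < 0.8:
            v &= 0xFE
        out.append(v)
    return out


def make_stego(cover, fraction, seed=99):
    """CONSTRUCTED stego sample: overwrite the LSB of the first `fraction` of
    the cover with pseudo-random bits, the footprint sequential LSB tools leave."""
    rng = random.Random(seed)
    out = list(cover)
    for i in range(int(len(out) * fraction)):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return out


if __name__ == "__main__":
    cover = make_cover(10000)
    stego = make_stego(cover, 0.4)
    for name, px in (("cover", cover), ("stego (40% filled)", stego)):
        print(name, "embedded?", looks_lsb_embedded(px))
        print("  profile:", [(f, round(r, 1)) for f, r in embedding_profile(px)])
```

To run it over a real file, feed in the raw 8-bit sample values of one colour channel (for example from a decoded bitmap) in scan order; the test does not apply to JPEG coefficients without adaptation.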

CoB