Hacking al Qaeda's Secrets
By Alex Salkever
You read it here first: Al Qaeda has been hacked. That's right. Hacked. Compromised. Cracked.
Why am I sure of this? No, I don't have any sources divulging top-secret intelligence. But the string of attacks that police and intelligence agencies have averted since September 11 tells a interesting tale. From seizing a bomb-materials cache in Belgium to uncovering a possible plot to gas the U.S. Embassy in Rome with deadly cyanide, the success in thwarting threats has been truly breathtaking. Considering the difficulties in getting agents on the ground inside small terrorist cells that function within tight-knit militant Islamic communities, the likely alternative is that al Qaeda has been hacked quite nicely.
Other signs point the same way. First, for all their vaunted organizational skills, the terrorists appear to be less than sophisticated in the art of concealing their cells and its members. Second, the technological intelligence-gathering capabilities of the National Security Agency and other state-sponsored hackers are probably better than they get credit for. Third, even small amounts of information can tell a huge amount about an organization's strategy and movements.
After the horror of September 11, pundits couldn't stop talking about how sophisticated the World Trade Center attack was -- Osama bin Laden turning jumbo passenger jets into weapons of mass destruction. While the al Qaeda terrorists pulled off an operation that was more complex than anyone could have imagined, they've also proven to be anything but technologically savvy.
BOND WOULD BLANCH.
The World Trade Center assailants thought they were anonymous when they used public Internet terminals. They sent clear-text messages when most e-mail services, such as Yahoo! and HotMail, offer free heavy-duty encryption of messages. One of the alleged terrorist organizers, caught in Milan last April, coughed up an address book full of cell-phone numbers and e-mail addresses -- not exactly text-book spycraft.
Bin Laden himself took a very long time to realize that not only are cell-phone communications easy to track but they're also simple to crack. "These are the same guys who only stopped using cell phones to coordinate their activities when CNN outed them on TV. Security experts these guys are not," says Marcus Ranum, chief technology officer at Network Flight Recorder, a maker of computer-intrusion detection systems. Ranum is a computer-security expert who has watched over networks for the White House.
Then, there's the underestimated technological prowess of spy organizations. Although it keeps by far the lowest profile of all the intelligence agencies in the U.S., if not the world, the NSA remains a potent force. Its key weapon is a system called Echelon, a shadowy network of so-called "sniffer" devices that sit astride the global Internet's handful of key choke points. Perhaps as much as 90% of all Internet traffic passes through these sniffers, some sources with knowledge of the system think. The devices are connected to computer systems that look through communications, seeking tip-offs such as word associations -- bomb and Bush in the same e-mail, for example.
AN IP STAKEOUT.
This might sound simplistic. But according to Ranum and others, the systems are far more potent than commercial programs that perform similar tasks. In part, that's because they can narrow down the type of data they're looking for by geography or location. In response to September 11, Internet security consultancy iDefense published a listing of all the IP address ranges for 80 countries around the globe. An IP address is a unique numerical identity -- a different one is attached to every device on the Internet.
So techno-spies could, theoretically, target IP addresses more likely associated with terrorists, and then zero in on those areas for intense snooping. That could mean IP addresses at a specific cybercafe in a neighborhood where suspected al Qaeda operatives live. Or it could mean even an entire country, if Internet penetration remains relatively low. "Pakistan, in the world of the Internet, only has 55 IP address ranges registered to itself. We are talking about an extremely small pond compared to the ocean of the Internet," explains Michael Cheek, iDefense's director of intelligence.
Finally, a little information can actually go a long way, thanks to an exotic intelligence discipline dubbed traffic analysis. This is the science of deciphering the structure and purpose of an organization without understanding anything that members of the organization say to each other. It's an art, really. NFR's Ranum explains that if an e-mail goes from one address to another and then 50 e-mail messages subsequently come out from the second e-mail, that means a leader has likely issued a command to a so-called reflector. Thus, watchers have ascertained a key piece of information about the organization.
Of course, traffic analysis is tough to execute if the organizational network isn't known or all that obvious. But that's no longer the case with al Qaeda. In the first week in March, U.S. intelligence officials warned that intercepted e-mail traffic indicated that al Qaeda was regrouping. Due to the inherent connectivity of the Net, identifying a single e-mail address belonging to a group member can quickly reveal large chunks of information about the terrorist network.
Tracing this information requires nothing more than cooperation from Internet service providers. At the very least, most ISPs log several months worth of e-mail traffic (though usually not the content). "The NSA is the worldwide god of traffic analysis. Just based on the fan-out of subsequent e-mail, you can make a guess at who is whom," says Ranum.
I'm not saying that hacking al Qaeda will be a slam dunk. Terrorists have plenty of ways to confuse authorities. While using strong encryption might raise a red flag with the NSA, that's not the only way to evade detection. A cell member in Pakistan might dial out to an ISP in India over the public phone network, explains Bill Stearns, a senior research engineer at Dartmouth's Institute for Security Technology Studies. And in many parts of the world where the U.S. government is not viewed as a friendly entity, the cooperation of ISPs and telecom companies isn't a given.
Yes, the war against terrorism may have just begun, even though it's now six months since the World Trade Center and Pentagon attacks. But just as on the battlefield, the U.S. government has technological superiority online, too. Like the attack on al Qaeda holdouts in the mountains of Afghanistan, the hack is on, and it appears to be making great strides at lifting the veil on al Qaeda.
Salkever covers computer security issues twice a month in his Security Net column, only on BusinessWeek Online
Edited by Douglas Harbrecht