Security Manual Reveals The OPSEC Advice ISIS Gives To Recruits
In the wake of the Paris attacks, US government officials have been vocal in their condemnation of encryption, suggesting that US companies like Apple and Google have blood on their hands for refusing to give intelligence and law enforcement agencies backdoors to unlock customer phones and decrypt protected communications. But news reports of the Paris attacks have revealed that at least some of the time, the terrorists behind the attacks didn’t bother to use encryption while communicating, allowing authorities to intercept and read their messages.
The guide was originally written about a year ago by a Kuwaiti security firm known as Cyberkov to advise journalists and political activists in Gaza on how to protect their identities, the identity of their sources and the integrity of information they report. But members of ISIS have since co-opted it for their own use as well.
The guide offers a handy compilation of advice on how to keep communications and location data private, as well as links to dozens of privacy and security applications and services, including the Tor browser, the Tails operating system; Cryptocat, Wickr, and Telegram encrypted chat tools; Hushmail and ProtonMail for email; and RedPhone and Signal for encrypted phone communications. Gmail, the guide notes, is only considered secure if the account is opened using false credentials and is used with Tor or a virtual private network. Android and iOS platforms are only secure when communications are routed through Tor.
The manual advises disabling the GPS tagging feature on mobile phones to avoid leaking location data when taking photos—a mistake a Vice reporter made in 2012 when interviewing murder suspect John McAfee, who was on the lam at the time. Alternatively, operatives and journalists can use the Mappr app to falsify location data and throw intelligence agencies off their trail.
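The leak the manual is warning about lives in the JPEG's Exif block: the camera app writes a GPS sub-IFD (latitude, longitude and their N/S and E/W references) into an APP1 segment that travels with the file wherever it is uploaded. The following is an added example, not code from the manual or from the article, showing how to check a JPEG for that GPS IFD and how to strip it before publishing. It uses only the Python standard library, and the JPEG it builds is a constructed stub (a real Exif/TIFF header with a GPS IFD, followed by placeholder scan data instead of a real image) so the whole thing runs offline; the helper names and the fixed IFD layout are this example's own.

```python
import struct

SOI, EOI, APP1, SOS = 0xFFD8, 0xFFD9, 0xFFE1, 0xFFDA
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                     # IFD0 entry that points at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms(decimal):
    """Decimal degrees -> (deg, min, hundredths of a second), integer math only."""
    total = round(abs(decimal) * 360000)
    deg, rem = divmod(total, 360000)
    minutes, sec_h = divmod(rem, 6000)
    return deg, minutes, sec_h


def build_exif_gps_jpeg(lat, lon):
    """Constructed sample: a stub JPEG whose APP1/Exif block carries a GPS IFD.
    Only the metadata is realistic; the scan data is a placeholder."""
    def entry(tag, typ, count, value4):          # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value4
    def rationals(deg, minutes, sec_h):          # 3 RATIONALs: d/1, m/1, s/100
        return struct.pack("<IIIIII", deg, 1, minutes, 1, sec_h, 100)
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104   # fixed layout (assumed)
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)        # little-endian TIFF header
    tiff += struct.pack("<H", 1)                           # IFD0: a single entry ...
    tiff += entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack("<I", gps_off))
    tiff += struct.pack("<I", 0)                           # ... and no next IFD
    assert len(tiff) == gps_off
    tiff += struct.pack("<H", 4)                           # GPS IFD: four entries
    tiff += entry(1, TYPE_ASCII, 2, lat_ref + b"\x00\x00\x00")
    tiff += entry(2, TYPE_RATIONAL, 3, struct.pack("<I", lat_off))
    tiff += entry(3, TYPE_ASCII, 2, lon_ref + b"\x00\x00\x00")
    tiff += entry(4, TYPE_RATIONAL, 3, struct.pack("<I", lon_off))
    tiff += struct.pack("<I", 0)
    assert len(tiff) == lat_off
    tiff += rationals(*_dms(lat)) + rationals(*_dms(lon))
    app1 = EXIF_HEADER + tiff
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", APP1, len(app1) + 2) + app1
            + struct.pack(">HH", SOS, 2) + b"\x00placeholder-scan-data"
            + struct.pack(">H", EOI))


def iter_segments(data):
    """Yield (marker, payload, (start, end)) for each marker segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == EOI:
            break
        yield marker, data[pos + 4:pos + 2 + length], (pos, pos + 2 + length)
        if marker == SOS:
            break                      # entropy-coded image data follows
        pos += 2 + length


def _gps_from_tiff(tiff):
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order from the TIFF header
    magic, ifd0 = struct.unpack(bo + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    def entries(off):
        (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
            yield tag, typ, cnt, tiff[e + 8:e + 12]
    gps_off = next((struct.unpack(bo + "I", v)[0] for t, _, _, v in entries(ifd0)
                    if t == TAG_GPS_IFD), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, cnt, val in entries(gps_off):
        if typ == TYPE_ASCII:                      # N/S or E/W reference, inline
            fields[tag] = val[:cnt].rstrip(b"\x00").decode("ascii")
        elif typ == TYPE_RATIONAL:                 # value field is an offset
            (off,) = struct.unpack(bo + "I", val)
            nums = struct.unpack(bo + "II" * cnt, tiff[off:off + 8 * cnt])
            fields[tag] = [nums[i] / nums[i + 1] if nums[i + 1] else 0.0
                           for i in range(0, 2 * cnt, 2)]
    if 2 not in fields or 4 not in fields:
        return None
    def decimal(dms, ref, negative):
        d, m, s = dms
        value = d + m / 60 + s / 3600
        return -value if ref == negative else value
    return (decimal(fields[2], fields.get(1, "N"), "S"),
            decimal(fields[4], fields.get(3, "E"), "W"))


def read_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the file carries no GPS IFD."""
    for marker, payload, _ in iter_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return _gps_from_tiff(payload[len(EXIF_HEADER):])
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment dropped; scan data untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, payload, (start, end) in iter_segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        last = end
    out += jpeg[last:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_exif_gps_jpeg(48.8584, 2.2945)        # constructed coordinates
    print("before:", read_gps(sample))
    print("after: ", read_gps(strip_exif(sample)))
```

Dropping the whole APP1/Exif segment is the conservative choice: it also removes the make/model, serial number and thumbnail that the manual's readers would not want attached to a photo, and the image data itself is not modified. A check like `read_gps` belongs in whatever publishing pipeline handles uploads, since turning the tagging toggle off on one phone does nothing for photos that arrive from sources.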
The OPSEC manual used by ISIS also advises against using Instagram because its parent company, Facebook, has a poor track record on privacy, and it warns that mobile communications can be intercepted, even though GSM networks are encrypted. It advises readers to use encrypted phones like Cryptophone or BlackPhone instead.
Dropbox is held up for special condemnation—because Edward Snowden advised against using it, and because President Bush’s former Secretary of State Condoleezza Rice sits on the company’s board.
There are no surprises among the documents. Most of the recommendations are the same ones that civil liberties and journalist groups around the world give human rights workers, political activists, whistleblowers and reporters to secure their communications and obscure their identity or hide their location. The appearance of this and other OPSEC documents in ISIS forums and social media accounts indicates that the jihadis have not only studied these guides closely, but also keep pace with the news to understand the latest privacy and security vulnerabilities uncovered in apps and software that could change their status on the jihadi greatest-hits list.
“This is about as good at OPSEC as you can get without being formally trained by a government,” Aaron Brantly, a cyber fellow with West Point’s Combating Terrorism Center, told WIRED. “This is roughly [the same advice] I give to human rights activists and journalists to avoid state surveillance in other countries. If they do it right, then they can become pretty secure. [But] there’s a difference between telling somebody how to do it and then [them] doing it right.”
Intelligence agencies, of course, are hoping that ISIS jihadis don’t get it right.
The documents warn that followers should use strong passwords and avoid clicking on suspicious links, to prevent intelligence agencies and everyday hackers from breaching their systems. And there’s advice for communicating even when repressive regimes block Internet and mobile networks to keep activists from organizing, as happened during the Arab Spring. It coaches readers, for example, on how to set up their own private Wi-Fi network or use apps like FireChat to share photos and text over short distances without needing internet access.
It advises users to always use a VPN online to encrypt data and prevent ISPs and spy agencies from reading their communication. But it cautions users to stay away from American providers of VPNs and encrypted chat tools and instead use ones like Telegram and Sicher, instant messaging apps made by companies based in Germany, or Freedome, a VPN from the Finnish computer security firm F-Secure. Apple’s iMessage, an end-to-end encryption service, also gets a thumbs-up for being impervious to both spying from government intelligence agencies and Apple itself.
Although US government officials have repeatedly cited WhatsApp as a tool ISIS uses to thwart surveillance, the Kuwaiti manual actually puts the chat application on a “banned” list. Although WhatsApp offers end-to-end encryption, a German security firm found problems with its implementation earlier this year.
Brantly says one thing he hasn’t seen in any documents or discussions found in ISIS forums and social media accounts is any mention of Sony’s PlayStation 4 for protected communication. Although a Belgian official told media last week, prior to the Paris attacks, that ISIS operatives in Belgium had been using Sony’s videogame system to communicate, Brantly says he’s seen no sign of that in their research. “I’ve never seen PlayStation come up in any document,” he says.
He also says they’ve seen no sign yet that ISIS is using home-brewed encryption programs that its members created themselves. “Al Qaeda developed their own encryption platform for a while. But ISIS right now is largely using Telegram [for encrypted communication],” he says.
Documents like the Kuwaiti OPSEC manual aren’t the only aid jihadis have to protect their communications. To help them master their OPSEC, ISIS also reportedly provides a 24-hour help desk.
Brantly says the jihadis they encounter in ISIS forums and chatrooms vary greatly in their technical savviness. He also says there are signs of increased interest not only in securing their own communication but in hacking other targets as an ISIS tactic. The so-called Cyber Caliphate, a hacking group that supports ISIS, claimed responsibility for hacking the US Central Command’s Twitter and YouTube accounts earlier this year. ISIS hackers have also taken credit for hacking a number of government ministries in Iran and stealing internal communications and login credentials, some of which they posted online.
“There’s a whole section on hacking [in the ISIS forums],” Brantly says. “They’re not super-talented hackers, but they’re reasonable.”
UPDATE 11/21/2015: This story has been updated to identify the original source of the document—a Kuwaiti security firm—and the original reason for its creation.