
How ISIS Communicates With Its Agents In Europe

The terrorist organization's methods are sophisticated but imperfect.


Just how ISIS encrypts and shares its internal communications — including instructions on making bombs — came to light recently, with none other than Edward Snowden saying that the terror group’s preferred method of encryption “underlines how little ISIS learns from news.”

A 29-year-old Parisian IT specialist named Reda Hame traveled to Syria last summer to join ISIS and fight Assad, but his personal ambitions were nixed by higher-ups, and he was, instead, sent through a rapid training course and then back to France with instructions to carry out a terrorist attack.

Hame’s story on terrorism in Europe was revealed by the New York Times correspondent Rukmini Callimachi, who writes that as he completed his weeklong training course, he was instructed on how to use the program TrueCrypt. In Syria, before returning to France, he was given a USB drive that held the encryption program.

TrueCrypt, he was told, would help mask his communications with ISIS in Syria. He was also given specific instructions on how to share these encrypted files, which in part illustrate how aware ISIS is of surveillance but also expose its ignorance: ISIS knew both to encrypt and to avoid email services, but did not know — as Snowden was quick to point out on Twitter — that uploading encrypted files to file-lockers, as ISIS was doing, “glows on the wire.”

We are privy to this insider information because Hame was captured and arrested in August 2015, before he could carry out his attacks.

The instructions, Callimachi reported, were as follows:

“After putting the USB key containing Truecrypt in the laptop, [Hame was told:] ‘You need to open the program. You need to create a folder inside, where you place your text. You choose the size you want to send & in ribbon unfurling at bottom. you choose the mode of encryption.’ Then once the message is in the folder and the folder is encrypted, the instructions he had was to upload the encrypted folder to a Turkish stocking website called http://www.dosya.co. Basically he was not to email it. Hame describes the Turkish website as ‘a dead inbox.’ He said his ISIS handler would then check website & download encrypted folder”

A 2008 screenshot of the TrueCrypt program.


Callimachi then speculates that “it seems ISIS was worried about metadata tracking, and for that reason was advising operatives not to email anything, only upload.”

And that’s where Snowden interrupted to clarify that a Canadian Communications Security Establishment program, “Leviathan,” surveils exactly these sorts of communications. And while the metadata would not show the contents of the encrypted files, the uploading of an encrypted file from a target would raise bright red flags.

With respect to Hame, whether these communications were intercepted thankfully proved irrelevant. After his capture, French investigators found his USB drive and a piece of paper with his TrueCrypt login information. Hame had been instructed to memorize this information and obliterate the evidence, but did not. On that drive were two encrypted files, which, it seems, France could not decrypt.

And France missed an opportunity: internal security agents could’ve used the TrueCrypt account to communicate with Hame’s handler in Syria, but, Callimachi reported, probably did not do so.

And, as to how this should inform current U.S. encryption debates?
