Some Jihadists Are Really Bad At Recommending Encryption

The new issue of Al Risalah includes a section that takes into account very recent developments in cybersecurity.
Image: Al Risalah via pietervanostaeyen

The FBI and other law enforcement agencies continue to complain of "going dark" as terrorists use message and hard drive encryption. But it turns out that one Al Qaeda-linked magazine is giving out really bad advice on what specific encryption programmes to use.

On Sunday, "anti-IS fighters in Syria," according to SITE Intel Group, released the second issue of their English language magazine Al Risalah, which includes a section that takes into account very recent developments in cybersecurity.

Overall, the jihadis make a poor assessment of what software vulnerabilities should be taken into account when deciding what programmes to use, and instead of recommending established, already-vetted software, they opt for their own homemade versions.

Earlier this month, researchers discovered a critical vulnerability in TrueCrypt, a popular but officially discontinued hard drive encryption programme. The flaw allowed an attacker to gain escalated privileges on the target machine, meaning they had the same powers over the computer as an administrator.

"Therefore, any ansar or muhajir that uses these two applications must be very careful and avoid them," the authors of Al Risalah write, referring to both TrueCrypt and its open-source version VeraCrypt.

The vulnerabilities, however, did not affect the actual encryption provided by TrueCrypt itself, which had already been audited months earlier, with no critical issues being found. So, it appears Al Risalah is suggesting jihadis stop using a product because of a bug that likely doesn't have any real impact on what they are using it for: namely, encrypting data.

Next, the authors recommend that their readers make use of various custom-made message and file encryption programmes. "These software packages—Asrar al-Mujahideen, Asrar al-Dardashah, Mobile Encryption, and Amn al-Mujahid—are the arrows in your quiver to pierce the eyes of the spies," the magazine reads.

Asrar al-Mujahideen works in much the same way as PGP encryption, and became better known after it was featured in Inspire, the English language magazine of Al Qaeda in the Arabian Peninsula (AQAP).

But, using these pieces of software would be a truly terrible idea for anyone trying to keep information secure. First, they have not suffered the scrutiny of the broader cybersecurity community, unlike widespread, open source encryption software, meaning that the programmes may not have been sufficiently swept for bugs and vulnerabilities. That, and every message sent with Asrar al-Mujahideen is branded with the name of the software, making it an easy target for intelligence agencies to pick out.

Possibly the only half decent advice from a security perspective is the use of messaging apps Telegram and Surespot to contact GIMF representatives, as both of these apps offer end-to-end encryption, and are generally considered to be fairly secure. GIMF is the "Global Islamic Media Front," the organisation that greenlights any officially branded Al Qaeda encryption software.

But other than that, instead of recommending that jihadis use established, well-tested and reliable methods of encryption, perhaps those provided by Apple iOS devices, Al Risalah urges against it.

"It is of utmost importance to exercise caution when using any application not developed by or promoted by your brothers in the jihadi media," the magazine reads. ISIS also banned Apple devices in towns under its control last year.

If jihadis really are following this array of terrible security advice, maybe the authorities will have a much easier time catching them.