Updated encryption tool for al-Qaeda backers improves on first version, researcher says

Computerworld - A recently released tool that allegedly was designed to help al-Qaeda supporters encrypt their Internet-based communications is a well-written and easily portable piece of code, according to a security researcher who has analyzed the software.

However, messages that are encrypted using the tool, which is known as Mujahideen Secrets 2, should be relatively easy for law enforcement authorities to spot and track, said Paul Henry, vice president of technology evangelism at Secure Computing Corp. in San Jose.

Henry said that based on his analysis of the encryption tool, "it will not be a difficult matter for law enforcement to identify files created using this software," because it puts a unique fingerprint on them. "You may not be able to read the messages, but you will be able to figure out where it was sent from and to whom," he added.

Mujahideen Secrets 2 was released last month via an Arabic-language Web site set up by an Islamic forum called al-Ekhlaas. At the time, the password-protected Web site was running on a server that belonged to a Web hosting firm in Tampa, Fla., after previously being on a system owned by another company in Rochester, Minn. But the URL that the group was using on the server in Tampa is no longer working.

As of last week, the al-Ekhlaas site had been moved to a server owned by yet another hosting firm, this one based in Phoenix, Henry said. But the link to the site on that server also now appears to be broken.

The new encryption software is an updated version of an easier-to-crack tool that was released early last year by the same group. Henry said the copy of Mujahideen Secrets 2 that he evaluated was provided to him by J.M. Berger, a Cambridge, Mass.-based freelance journalist and documentary filmmaker who focuses on terrorism as well as science and business topics.

Mujahideen Secrets 2 is a very compelling piece of software, from an encryption perspective, according to Henry. He said the new tool is easy to use and provides 2,048-bit encryption, an improvement over the 256-bit AES encryption supported in the original version. What makes the update especially interesting, he noted, is the fact that it can be used to encrypt Yahoo and MSN chat messages in addition to e-mails.

Another interesting aspect of the tool is its ability to take a binary file and encrypt it in such a way that the file can be posted in a pure ASCII or text-only format, Henry added. As a result, individuals could use Mujahideen Secrets 2 to encrypt files and post them on sites that aren't even on the Internet -- for instance, on a telephone-accessed bulletin board system. "If you wanted to do something covert, that's one way of doing it," Henry said.

The new version of the tool also has a much better graphical user interface than the initial release did, he noted. And he thinks the tool's developers have done a better job of integrating bits and pieces of RSA Security Inc.'s encryption code in order to handle functions such as key generation and key management. Many of the mistakes they made in the first version seem to have been addressed in the new one, thereby making it harder to crack, he said.

In addition, the revamped tool is highly portable, Henry said. For instance, he explained, someone could put the software on a USB memory stick, go to an Internet cafe, plug in the USB device and run Mujahideen Secrets 2 to encrypt any communications from that cafe.

According to Berger, the new version of the tool sounds worrisome both because of its increased sophistication and the ease with which it can be used. The software appears to be designed for use by relatively low-level operators in the al-Qaeda hierarchy, he said.

The capabilities offered by Mujahideen Secrets 2 fit a pattern for al-Qaeda groups, Berger said, noting that the terrorist organization "has always been pretty current with what they use — cutting edge, but not bleeding edge."

Berger added that there is a "robust discussion" taking place within the counterterrorism community over the issue of online forums such as al-Ekhlaas being hosted on U.S.-based servers. Some people believe it is easier to monitor what's going on in the forums when they are hosted on U.S.-based servers, he said. Others, though, want the Web sites to be taken down immediately.