U.K. Case Reveals Terror Tactics

Eugen Leitl eugen at leitl.org
Mon Feb 28 15:24:02 PST 2011


LONDON -- A British Airways PLC employee named Rajib Karim allegedly exchanged
electronic messages with an al Qaeda cleric in Yemen for more than two years,
his activities cloaked by an encrypted fortress he created on a laptop
computer and an external hard drive, prosecutors say.

The sophisticated encryption tactics Mr. Karim allegedly used to shield his
communications with U.S.-born radical cleric Anwar al-Awlaki -- and the small
clue he left behind that enabled police forensics teams to defeat them -- are
center stage in a high-profile trial here in which Mr. Karim is accused of
preparing for terrorist acts related to his work at the airline and to his
alleged communications with Mr. Awlaki.

The case provides a rare and detailed look at how terror suspects may be able
to communicate surreptitiously -- and how difficult and laborious it is for law
enforcement to crack their codes.

Mr. Karim used layer upon layer of encryption and other techniques to prevent
others from being able to read the messages and access other data stored on
his computer equipment, prosecutors allege.

The encryption is so complex and layered that "I could give an analogy of
Russian dolls," Detective Constable Stephen Ball, the policeman in charge of
the computer forensics in Mr. Karim's case, said in court Thursday.

Mr. Karim, a 31-year-old Bangladeshi national, pleaded guilty in November to
fund-raising for the purposes of terrorism; possessing documents likely to be
of use to a person committing or preparing to commit an act of terrorism; and
engaging in conduct for the preparation of terrorist acts, all charges mainly
related to his association with a banned Bangladeshi terrorist group.

Mr. Karim, who is in custody, is being tried on four counts of engaging in
conduct in preparation of terrorist acts, including providing information
about his employer to others for terrorist purposes.

James Wood, a lawyer for Mr. Karim, told the court that while his client had
committed some offenses, "that which he has admitted is the limit of his
criminal actions." Mr. Wood didn't dispute that Mr. Karim had encrypted the

Lawyers for Mr. Karim didn't respond to requests to comment for this article.

The methods that terror suspects use to conceal their communications are "a
real problem" for police and intelligence authorities, says Lord Alan West,
who was security adviser to former Prime Minister Gordon Brown. Other experts
say such problems have been made worse by off-the-shelf software.

Keeping Secrets

Among the steps Rajib Karim allegedly used to encrypt messages:

* Messages were stored on an external hard drive in files that appeared to
  have been created in one kind of program, but in fact used a different type
  of program

* The program used enables each file to run as a separate, password-protected
  'virtual hard drive'

* Text contained in those files also was in scrambled form unless decrypted
  with the help of a custom-built software program

* Messages allegedly contained false names and other coded words

* Didn't exchange messages as emails, which can be intercepted; instead
  uploaded them to publicly available websites that host files

* Used software to erase some electronic fingerprints from laptop

WSJ research

The previous government had even looked into whether they should make it a
criminal offense for suspects to not hand over decryption codes, Lord West

The time needed to break such codes was one reason the previous British
government under Mr. Brown argued for holding terror suspects for as long as
28 days without charge, Lord West added. The current government of Prime
Minister David Cameron recently reduced this to 14 days.

Upon raiding Mr. Karim's apartment police recovered, among other things, a
laptop and an external hard drive able to store some 320 gigabytes of data,
according to prosecutors. The hard drive held some 35,000 files including
messages with Mr. Karim's brother, with Mr. Awlaki -- a leader of terror group
al Qaeda in the Arabian Peninsula -- and with other colleagues, prosecutors say.

Mr. Karim allegedly hid the messages and other data stored on the drive by
changing the suffix at the end of the name of key files, which would
typically tell a computer what program would be needed to open them up. That
included four files labeled "Quran DVD Collection," which appeared to be
compressed files because they took the suffix ".rar," which relates to a type
of software that reduces the size of a file, according to prosecutors.

Mr. Ball said he noted these files were unusually large, and discovered that
they were actually created in a different program, Pretty Good Privacy, which
enabled each file to run as a separate, encryption-protected "virtual hard
drive." Without the correct password, the files were completely

It's the equivalent of "a safe with a combination," Mr. Ball said in court.
He sent the files to British intelligence services, which returned them
decrypted, or unlocked. Once able to open the files, Mr. Ball testified, he
still wasn't able to read most of the messages contained within them: Mr. Karim
had enciphered the text, leaving it scrambled and unreadable.

Mr. Karim left police a clue, however. On the external hard drive was a
disguised file that looked like it was meant for viewing thumbnail-size
photographs -- but that actually consisted of text with instructions for using a
spreadsheet containing a purpose-built formula to decipher the message,
according to Mr. Ball. The spreadsheet also worked in reverse, enciphering
messages before sending to another member of the group, Mr. Ball said.

Those instructions helped Mr. Ball decrypt the messages and see
that -- according to prosecutors' account -- Mr. Karim was passing to Mr. Awlaki
information about British Airways' computer and security systems that could
be vitally important for those wishing to conduct a terrorist attack.

Still, it took many more months for the messages to fully come into focus.
There were many spreadsheets on the hard drive, and sometimes numerous
versions of each one. Even once unscrambled, prosecutors allege the messages
contained false names and other coded words, further obscuring their
contents. The names of countries and people, as well as their sex, were
changed, and their movements and activity were discussed as if involved in
business transactions, prosecutors allege.

As an additional layer of protection, prosecutors say, Mr. Karim and his
colleagues didn't exchange their messages as emails, which can be
intercepted. They instead uploaded them to public websites that host files,
where another member of the group could then download them to his or her own

In a further safeguard, prosecutors allege, Mr. Karim used software to erase
other electronic fingerprints from his laptop, including a program called
"Windows Washer" that effectively deletes traces of Internet browsing history
from the machine.

Write to Alistair MacDonald at alistair.macdonald at wsj.com and Cassell
Bryan-Low at cassell.bryan-low at wsj.com
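
The suffix trick described in the article (files named ".rar" that were in fact PGP virtual disks) is what forensic triage catches by comparing a file's name with its leading bytes. The sketch below is an added illustration, not part of the original article or the investigators' tooling; the function names, signature table and sample bytes are constructed, and the PGPdisk marker is taken from public file-signature tables.

```python
import math
from collections import Counter

# Leading-byte signatures per type. The RAR values are the published archive
# markers; the PGPdisk marker comes from public signature tables (assumption).
SIGNATURES = {
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "pgd": [b"PGPdMAIN"],
    "jpg": [b"\xff\xd8\xff"],
}

def identify(head: bytes):
    """Return the type whose signature matches the start of the data, else None."""
    for ftype, magics in SIGNATURES.items():
        if any(head.startswith(m) for m in magics):
            return ftype
    return None

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 look like ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name: str, data: bytes) -> str:
    """Compare the extension in the file name with what the content shows."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(data[:16])
    if ext in SIGNATURES and actual == ext:
        return "ok"
    if actual is not None:
        return f"mismatch: named .{ext}, content is {actual}"
    if ext in SIGNATURES:
        # Known extension, but no known header: headerless containers and
        # enciphered payloads show up here, usually with high entropy.
        kind = "high-entropy" if entropy(data) > 7.5 else "unrecognised"
        return f"mismatch: named .{ext}, {kind} content"
    return "unknown"

# Constructed sample inputs (not real evidence files).
SAMPLES = {
    "collection1.rar": b"PGPdMAIN" + bytes(range(256)) * 4,
    "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
    "archive.rar": bytes(range(256)) * 16,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname}: {triage(fname, blob)}")
```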
