SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Stop bullying Apple around and start doing some intelligence homework
Tue, 1st Mar 2016

It's no secret that terrorists almost always have two phones, one personal and one used to communicate with fellow terrorists and attack organisers. The San Bernardino shooters, Syed Rizwan Farook and Tashfeen Malik, apparently were no exception. They took the time to destroy two other phones in their possession prior to the attacks. The damaged phones were in such bad shape that reportedly nothing was recoverable from them.

Following the attack, the FBI confiscated Farook's personal/work-issued iPhone, and that seems to have become the centrepiece of its investigation. But surely there is a wealth of intelligence the FBI can go after instead of strong-arming Apple's employees into writing a piece of code that potentially harms the rest of us in significant ways.

The FBI does in fact know the phone number of the shooter's personal/work-issued iPhone, and its agents can obtain location and cellular records on other phones that travelled alongside that iPhone as the terrorists moved around. (It can reasonably be assumed that the San Bernardino terrorists carried both their personal and 'work' phones together most of the time, for the mere sake of convenience.)

Here's how one former intelligence officer explained to me the manner in which this data could be mined.

Imagine this scenario:

a) The San Bernardino terrorist attack takes place and investigators scan back through historical data to identify all the perpetrators, i.e. not just the shooters themselves but any other persons they may have collaborated or associated with.

b) The investigators assume that the attackers used dedicated communications devices (reasonable in this case, given they destroyed two other phones before the attack). Such a device can be recognised as an 'operational device' because its records would show an indicative pattern: very few communications, always to the same numbers, short communications, etc.

c) Investigators could also assume that the shooters visited the attack site at least once before they launched the attack, probably simulating the day and hour of the actual terror strike.

d) Finally, the investigators could assume that at some point before the attack, usually a few hours, the shooters turned off their operational devices and stopped communicating.

A good investigator could take the assumptions above and then scan cellular network records (which they already have the right to obtain) to try to find this assumed pattern of behaviour, starting with the shooter's iPhone as an anchor data element. Using data mining and various algorithms, they could pinpoint the attackers' communications and discover the network of individuals they communicated with, some of whom no doubt would be the collaborators the FBI and the rest of us are so eager to find. (For whatever it is worth, I doubt very much Farook left a trail of any collaborators on his work/personal iPhone when he went to the trouble to smash two other phones he possessed into smithereens before his attack.)
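To make the four assumptions concrete, here is an added example (not from the article or the officer it quotes) of the anchor-based analysis over constructed, placeholder cellular and call records: it ranks devices that repeatedly share a cell tower with the anchor handset, then profiles a candidate for the sparse, short, same-peer contact pattern and the pre-event silence described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tower sightings: (device, timestamp, cell tower). All ids are
# placeholders; "anchor" stands in for the known handset used as the anchor.
TOWER_LOG = [
    ("anchor", "2016-02-01T08:00", "T1"), ("anchor", "2016-02-01T12:05", "T2"),
    ("anchor", "2016-02-02T09:00", "T3"), ("anchor", "2016-02-03T18:00", "T4"),
    ("ops-1", "2016-02-01T08:03", "T1"), ("ops-1", "2016-02-01T12:00", "T2"),
    ("ops-1", "2016-02-02T09:10", "T3"), ("ops-1", "2016-02-03T18:02", "T4"),
    ("bystander", "2016-02-01T08:00", "T1"), ("bystander", "2016-02-05T10:00", "T7"),
]
# Constructed call records: (device, timestamp, peer number, duration in seconds).
CALL_LOG = [
    ("ops-1", "2016-02-01T20:00", "+000-0001", 40),
    ("ops-1", "2016-02-02T21:00", "+000-0001", 35),
    ("ops-1", "2016-02-03T07:00", "+000-0002", 20),
    ("bystander", "2016-02-03T19:00", "+000-0100", 600),
    ("bystander", "2016-02-03T20:00", "+000-0200", 300),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def co_travelers(log, anchor, window_min=15, min_hits=3):
    """Devices seen on the same tower as `anchor` within `window_min` minutes,
    on at least `min_hits` distinct anchor sightings (assumption b/c above)."""
    by_tower = defaultdict(list)
    for dev, ts, tower in log:
        if dev != anchor:
            by_tower[tower].append((dev, parse(ts)))
    hits = defaultdict(set)
    for dev, ts, tower in log:
        if dev != anchor:
            continue
        t0 = parse(ts)
        for other, t1 in by_tower[tower]:
            if abs(t1 - t0) <= timedelta(minutes=window_min):
                hits[other].add(ts)  # each anchor sighting counts once per device
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [(dev, len(s)) for dev, s in ranked if len(s) >= min_hits]

def operational_profile(calls, device, event, quiet_hours=3):
    """Indicators from the article: few distinct peers, short calls, and
    no activity for `quiet_hours` before the event time (assumption d)."""
    mine = [(parse(ts), peer, dur) for dev, ts, peer, dur in calls if dev == device]
    if not mine:
        return None
    last_seen = max(t for t, _, _ in mine)
    return {"peers": len({p for _, p, _ in mine}),
            "avg_seconds": sum(d for _, _, d in mine) / len(mine),
            "went_dark": parse(event) - last_seen >= timedelta(hours=quiet_hours)}
```

On the sample data only "ops-1" clears the co-travel threshold, and its profile shows two peers, sub-minute calls and silence for four hours before the constructed event time, whereas "bystander" matches none of these.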

There is in fact a lot of data available to the FBI even if it can't read the actual contents of the terrorists' communications, for example if they were encrypted or if some of them are on Farook's personal iPhone that Apple will not help unlock. In fact I've been told many times that reading lots of communications in the form of emails and chats, or listening to lots of phone calls, can be very time consuming for an investigation and is generally not worth the effort unless an investigator knows exactly which communications to read or listen to.

Instead, using the cellular network data, the FBI and its agents can discover the communications between Farook's and his wife's various phones, and the patterns of communication that indicate linkages with fellow terrorists and sympathisers. The law enforcement agents can also link the IP addresses or phone numbers/devices they discover to other information they can cull from other sources.

For example, by establishing these linkages, they could discover a chat room or forum where the terrorists meet to collaborate, and they could cull the logs from those forums to look for patterns and meaningful information that might indicate prominent actors involved in the actual attacks. The former intelligence officer who explained all this to me also told me many months ago that it's best to focus on and analyse network behaviour and not the actual content of communications, since the content is 'a waste of time with the volume of noise vs signals in them.'

Intelligence has become a data science job. Here's how my colleague summed it up: "the daily challenge of the modern intelligence officer is to link data coming from human intelligence, signal intelligence, visual intelligence, financial intelligence, cyber intelligence… in part to make up for gaps that encrypted data communications and lack of associated metadata create." This is predicated on the human ability to mine the data, and on the machines' ability to bring all kinds of data together with advanced algorithms and analytics running on top of it.

There's plenty of data out there for the FBI to work with. I wish they would stop bullying Apple and the technology industry around and spend their time and energy instead on figuring out how to rise to the challenge.