Do terrorists use spam to shroud their secrets?

Michael Wertheimer is a mathematician.

And not just any old mathematician.

He describes himself an NSA mathematician, no less, and he doesn’t see any reason to be ashamed of that. (Probably because there isn’t one.)

Wertheimer has published a well-worth-reading article in the latest Notices of the American Mathematical Society.

In it, he discusses the brouhaha of the past few years surrounding a random number generator called Dual_EC_DRBG.

Learn more about the Dual_EC_DRBG controversy...

Conspiracy theory says that the NSA deliberately subverted official standards documents and promoted Dual_EC_DRBG because they had a secret way to “derandomise” it.

Wertheimer argues that, as far adding a working backdoor to the standard was concerned, what actually happened would have been a peculiar way for the NSA to go about it.

→ We know that conspiracy theory is often considered a pejorative term, but conspiracies can be real and they often involve codes and code-breaking.

But Wertheimer agrees that the NSA ought to have abandoned the algorithm much sooner, once the possibility of a backdoor in the algorithm was clear, for the greater good of trust in the cryptographic community.

For this alone, I’d suggest you read the paper.

Especially if you don’t really understand elliptic curves yourself, yet have felt inclined to accept the oft-repeated argument that Dual_EC_DRBG not only potentially, but actually, worked against our general online security.

One strange claim

There is one strange claim in the paper, though.

Almost as a throw-away remark towards the end, while commenting on intelligence gathering in the face of contemporary traffic volumes, Wertheimer drifts into steganography.

Unlike cryptography, which is the study of secret writing, steganography is the study of hidden writing.

Cryptography enables you to encode your secrets so you can publish them openly without anyone else being able to read them.

Steganography publishes your secrets openly but in a way that no-one else knows where to look, so that they are effectively hidden by another innocent message.

Think of spy novel stuff: invisible ink written on top of a letter to a friend; a deliberate announcer’s error in a radio headline; or a telegram where the third letter of every fourth word is the actual information you are trying to convey.

Spam as cover

Anyway, Wertheimer mentions the possibility of terrorists and other Bad Actors using spam as a cover.

Not because spam is often so weirdly written that it makes an ideal hiding place for otherwise suspicious words, but because spam is usually overlooked.

In other words, to reduce the number of messages you need to wade through to look for obviously suspicious stuff, you probably filter out the spam first.

After all, even if you’re the NSA, you don’t have an infinite amount of time, CPU power or RAM.

So if you could insert a real message into a drivellous-looking spam, your enemy might throw the spam away first, assuming that it was irrelevant garbage

As part of the anecdote, Wertheimer recalls an analysis of messages recovered from Taliban combatants in Afghanistan, shortly after 11 September 2001:

In one case we were able to retrieve an email listing in the customary to/​from/​subject/​date format. There was only one English language email listed. The "to" and "from" addresses were nondescript (later confirmed to be combatants) and the subject line read: CONSOLIDATE YOUR DEBT. It is surely the case that the sender and receiver attempted to avoid Allied collection of this operational message by triggering presumed spam filters.

Online business publication Quartz has already picked up this observation and exaggerated it into a “security truth”, using the headline:

To avoid detection, terrorists purposely sent emails with spammy subject lines

Actually, in Wertheimer’s story, there was exactly one email, so Quartz’s use of the plural adds a disingenuous depth to the headline.

And without reliable evidence of what was in the CONSOLIDATE YOUR DEBT message, we shall never know whether it really did contain any hidden information, or whether, as now seems much more plausible, it was exactly what it looked like: a spam.

A spam, with the sender spoofed so it seemed to come from someone the recipient knew. (Spammers sometimes go over the top: like me, you probably receive the occasional spam apparently from yourself!)

On the other hand, Wertheimer could be right, because spam does make a good hiding place, and if you are a security researcher, you do indeed ignore it to your possible disadvantage.

The bottom line

We’ll leave you with a pithy sentence from Wertheimer’s article which summarises the job that we all face in trying to stay ahead of cybercrime and other abuses of the internet.

He reminds us of the cat-and-mouse game that we unavoidably need to play:

Indeed, this is exactly how intelligence and counter­intelligence work: an escalating series of moves to discover and avoid discovery of information.

Remember that the next time someone tries to sell you a computer security product that “never needs updating.”

Cybercriminals are constantly trying to aim for places where they think you won’t look, so even the most proactive security product needs to be able to react when new tricks appear.