
The Islamic State’s Propaganda Network and the Forty-Nine Dollar Challenge

Posted by on November 4, 2014.

A couple of weeks ago, this happened, in Iceland:

ISNIC – Internet á Íslandi hf., which manages the registry for the .is country code, was forced to shut down a website on grounds of its content for the first time in the company’s history last night because terrorist organization Islamic State (IS) was using the domain .is.

“The majority of ISNIC’s board made this decision … on the grounds of Article 9 of ISNIC’s Rules on Domain Registration, which states: ‘The registrant is responsible for ensuring that the use of the domain is within the limits of Icelandic law as current at any time,’” ISNIC said in a statement.

There was an immediate echo on the other side of the planet. There turned out to be two Islamic State websites with the country code .is, and New Zealand registration details:

An international security expert says the terrorist website fiasco shows New Zealand is not checking website details registered here closely enough.

Two websites sympathetic to Isis (Islamic State) extremists, including one still online last evening, were registered to an Auckland address.

Icelandic authorities traced the khilafa.is site’s registration to Private Box, a mail forwarding company in Auckland.

Another extremist website called qa.af was registered to the same address, 3News reported. That site was still online last night.

…and there was some impressively energetic buck-passing in New Zealand:

Government agencies referred media inquiries to other agencies, including to police, Internal Affairs, the Department of Prime Minister and the Cabinet, the Ministry of Foreign Affairs and Trade, and Chris Finlayson, the Minister for the Security Intelligence Services (SIS) and the Government Security Communications Bureau (GCSB).

The New Zealand Intelligence Community, which is responsible for the SIS and GCSB, said: “We are aware of the story, but would not comment on what may or may not be operational matters.”

Another New Zealander, less agile than the politicians and bureaucrats, and more talkative than the spooks, blinked nervously in the limelight:

The website, which was shut down by Iceland authorities, was registered to Private Box, a mail forwarding company in Auckland.

Gareth Foster, managing director of Private Box, said the website domain was registered to Suite 4551, 17b Farnham Street, Parnell and to Azym Abdullah.

Mr Foster said the person was not a customer of Private Box, however the company does provide a mail drop service to that address.

“We will be working with authorities to identify what relationship this account has with the person/website in question (if any). We will be fully co-operative any enquiry from the appropriate government officials.”

Mr Foster said Private Box was a reporting entity under the Anti-Money Laundering (AML) and Counter Funding of Terrorism Act.

Evidently 17B Farnham Street is more interesting than it looks.

The Washington Post chimed in, at second hand:

The site’s purpose was unambiguous: “This is the news publishing website of the Islamic State,” the homepage reportedly read, featuring visual material showing the murder of hostages and other gruesome propaganda videos.

By the 16th the story (criminal Islamic terror web site detected, duly clobbered, shamefaced New Zealander, renewed vigilance) had pretty much run its course.

The news behind the news is more complicated and ambiguous. Let’s dig a little deeper.

The Washington Post guy thinks that the .is suffix is terribly significant:

Iceland’s general Web site domains, which end with ‘.is,’ are likely to have drawn a special interest by the Islamic State, which is often abbreviated to IS as well.

Back when the Washington Post did actual investigations, this might have been a persuasive speculation that could be accepted without much question. However, when one does look a little harder, it turns out that the Washington Post, apparently now running on investigative brand fumes, didn’t dig very deep at all. The context provided by a quick teaser scan of the web sites registered to Azym Abdullah, who has an encrypted email service from the Canadian company Hushmail, suggests that the WaPo’s speculation about the special significance of the suffix could be bunkum:

[Screenshot: all Abdullah domain names]

We can see that there’s nothing very special about “.is”. Azym’s sites also have suffix “.com” (usually American), “.cc” (Cocos and Keeling, beloved of email spammers), “.re” (Réunion), and, in a flurry of recent registrations since the news broke on the 12th, which has also gone unremarked in the press, “.link” (preferred for sites that just redirect the user to another site). In that context, the “.is” suffix isn’t quite so striking. Perhaps Mr Abdullah just likes small islands in out of the way places, and redirections.

It does look as if 3News in New Zealand got a tiny bit further: they managed to get from “q_.af” to “qa.af”; possibly, simply by looking at the list, trying the letter “a” first, and lucking out straight away.

Evidently 3News didn’t have the budget required (a modest $49) to get the full names of this small constellation of Islamic State propaganda web sites either, but then, nor did any of the other worldwide news sites behind the hundreds of Google hits that this story yields.

Our first conclusion is therefore this: the global press’s consolidated budget, 12th October to date, for investigating web sites of that bruited threat to world peace, the Islamic State, is less than $49.

Our second conclusion is that the press weren’t particularly quick to check even the facts that they had got hold of. Before it disappeared, around the 13th October, the khilafa.is web site redirected to a Russian-language Islamic site, not on the Azym Abdullah list, that is still very much alive, and carefully documents the other side’s atrocities in Chechnya, Syria and so on. Forgive me: I didn’t check for hostage murder videos. The site has a privacy domain registration in Panama, so it might stick around for a bit, especially if the Panamanian government’s current ebullient non-compliance with international norms extends from anonymous shell companies to anonymous Islamic State web sites.

Associated with that site is a Russian language Twitter account that tweets Islamic State video links, sporadically, and has about 150 followers, including some serious-looking journalists and researchers who specialize in the conflicts in Syria and Chechnya.

Miss the Russian Islamic site, as the press did, and you miss, not only a chance to beat Wikileaks to the punch by a couple of weeks, but also an interesting angle: in the eyes of Islamic State adherents, the Russian state and its proxies are antagonists, just like the “West” lately, in Ukraine and elsewhere. Putin’s media moan about being encircled by hostile forces: you can begin to see how they can sell that line.

Another connected Twitter account, in English, but basically the same sort of fare, has fewer than 50 followers, but again they include serious researchers and journalists, including one highly-regarded beat journalist at a heavyweight US newspaper.

Next up, we have a microblogging site, which is in English, and greets its visitors with the cheery messages “Virtues of Martyrs” and “Die by the Sword”, and brands itself “Media releases from the Islamic State”. The all-American firm Tumblr (now owned by Yahoo!) hosts the site and its IP address is located in New York. It also has a YouTube channel. YouTube is owned by the American company, Google.

I think those extensive American connections are enough to warrant a certain scepticism about the Washington Post’s concluding words:

American companies have been particularly harsh in dealing with Islamic State affiliated users: Both Twitter and Facebook have cracked down on online propaganda distributed via their social networks, forcing Islamic State militants to search for less popular alternatives or to face the possibility of having their accounts suspended.

Well, to me, I must admit, it really doesn’t look as if any of Twitter, Google, Yahoo! (not forgetting the Canadian Hushmail) mind all that much about web sites that display Islamic State affiliations; otherwise those accounts, which aren’t at all shy about what they are doing, would have been closed long ago. Furthermore, the very researchers with a track record of ongoing commitment to covering this stuff think that those are the sites and feeds one should keep an eye on. Perhaps, despite the “crackdowns”, there is a consensus, behind the scenes, that the sites should stay up.

We haven’t dragged Bitcoin into this saga yet, so let’s repair that omission. That English language Twitter feed had this to say, on Oct 30:

In’shaa’Allah, if you’re able, send a contribution towards server costs to the Bitcoin address here:

>>>fiabillillah.khilafah.link<<<

There are 8 servers, apparently, serving up a terabyte of data per day. The Bitcoin donation required to keep that little farm going rather pales into insignificance compared with the Islamic State’s estimated $2Million/day revenues. If those numbers and proportions are right, Bitcoin has about the same uptake in the Islamic State as it does anywhere else: negligible.

Let’s conclude our disobligingly unevidenced tour, incomplete. It’s only $49, if anyone wants to challenge me on the details, or add more!

We’ll go back to where we started, with qa.af, still live, once registered at the unprepossessing 17B Farnham Street in Auckland, as reported by 3 News in mid-October, but no longer. That web site is now registered at Suite D7559, 68 Tanners Drive, Blakelands, Milton Keynes, MK14 5BP, UK; also not a beauty spot, though at least there are some hedges and a little tree. Perhaps there are connections to follow up there, too. Is anyone on the case, apart from this blogger? If so, they don’t want the site shut down, just yet.

One more tentative conclusion follows from that observed continuity: at least three Western intelligence services, in NZ, the US, and perhaps, the UK, too, don’t mind very much about any of these web sites.  After all, it is just as convenient for the intelligence services, as it is for serious researchers and journalists, to have the Islamic State’s deeds and thoughts where they can see them. I am assuming, of course, that the intelligence services are not too busy drowning in terabytes of Snowden’s metadata to follow the same old-fashioned leads that I am plucking at, erratically, here.

“Leave the sites up”: that’s pretty much what Wikileaks are saying, too; they just don’t want access to be controlled, or manipulated, by the intelligence elite:

We denounce Iceland’s shutdown of ‘Islamic State’ news. Everyone has the right to see and judge the arguments of IS.

Seeing and judging is certainly what’s been happening so far, as The Guardian reported recently:

A report by the UN security council, obtained by the Guardian, finds that 15,000 people have travelled to Syria and Iraq to fight alongside the Islamic State (Isis) and similar extremist groups. They come from more than 80 countries, the report states, “including a tail of countries that have not previously faced challenges relating to al-Qaida”.

Azym Abdullah’s sites don’t have that sort of reach, and are clearly part of a far larger picture, another aspect neglected in the reporting of the Iceland furore:

Leadership disputes between the organisations are reflected in the shape of their propaganda, the UN finds. A “cosmopolitan” embrace of social media platforms and internet culture by Isis (“as when extremists post kitten photographs”) has displaced the “long and turgid messaging” from al-Qaida. Zawahiri’s most recent video lasted 55 minutes, while Isis members incessantly use Twitter, Snapchat, Kik, Ask.fm, a communications apparatus “unhindered by organisational structures”.

A “lack of social media message discipline” in Isis points to a leadership “that recognizes the terror and recruitment value of multichannel, multi-language social and other media messaging,” reflecting a younger and “more international” membership than al-Qaida’s various affiliates.

The availability of these sites makes sense for both sides, in fact, and not just as a means to polarize opinion with well-timed PR. After all, if those perceived as hostile to ISIS put their conspicuous feet on the ground, they are quite likely to be kidnapped or decapitated. Journalism and intelligence gathering via Twitter and YouTube is much safer for the proponents than the away-from-the-couch alternatives, and arguably, because of the ransom risk, more responsible, too.

It’s interesting to see the Islamic State embracing Web 2.0 with such enthusiasm, is it not, even down to the kitten pictures? Clearly, the Web is a natural way for Islamic State enthusiasts worldwide to make a little contribution. A whole troop of Azym Abdullahs might be quite a bit harder to keep track of, and they’re on their way, or at work already, judging by the 15,000 migrant warriors that have been drummed up so far.

Two final observations undermine the official story (terrorism detected, thwarted, renewed vigilance) a little more.

First, ISNIC, which manages the registry for the .is country code, later announced that the site shutdown of the 12th, which kicked off the whole story, was more to do with reputation management than perceived illegality, after all.

Second, and so far unnoticed, a fairly classy-looking New Zealand domain name agent has apparently registered at least three of the ISIS domain names. Two of them were registered quite recently, in the days after the story hit the headlines, as the structure was reorganised in the wake of the Iceland publicity and the shutdowns.

By the time I blogged this, the agents had not responded to an emailed request for comment. I daresay they are looking into it, or simply bogged down in figuring out whether to contact the police, Internal Affairs, the Department of the Prime Minister and the Cabinet, the Ministry of Foreign Affairs and Trade, or the Ministry for the Security Intelligence Services (SIS) and the Government Security Communications Bureau (GCSB). I’d recommend scattergunning the lot with emails, having first shelled out $49, if necessary, for a reverse DNS lookup, to make sure of getting to the bottom of it.

Whether those agents are unapologetic free speech types, or merely oblivious, they probably will need to dream up some kind of public statement. After all, there might be some fleeting, under-budgeted press interest, worldwide, and a free ad for their services. Wing it and bluff it out, is my tip: that’s what everyone else in this story seems to be doing, including even Azym Abdullah, who’s not exactly been going to extravagant lengths to cover his traces, yet.

There is further new commentary from the director of GCHQ. His remarks deserve close and thoughtful scrutiny, particularly with the Washington Post’s story in mind, or Snowden’s revelations, or certain light industrial units in Milton Keynes, GB, come to that.



Submitted in: News_politics, News_privacy, News_surveillance, Richard Smith, Security |