Forwarded From: phreak moi <hackereliteat_private>

http://www.wired.com/news/news/politics/story/15812.html

Do Terrorists Troll the Net?
Part I of IV
by Niall McKay
10:15 a.m. 4.Nov.98.PST

Over the last six months, a self-proclaimed terrorist has attempted to purchase sensitive information about US military computer networks from teenagers cracking sites on the Internet, according to crackers and security experts.

Khalid Ibrahim, who identifies himself as an Indian national, may have obtained classified and unclassified US government software and information, as well as data from India's Bhabha Atomic Research Center, from teenagers who say they routinely break into such Web servers for fun.

"I was on [Internet Relay Chat] one night when this guy said he wanted the DEM software," said an 18-year-old cracker from Irvine, California, calling himself Chameleon. "I didn't have it and I was just messing about with the guy."

Internet Relay Chat is a worldwide, text-based network where real-world identities can be concealed or forged. Conversations are logged, but those transcripts are easily tampered with and therefore unreliable.

DEM, or the Defense Information Systems Network Equipment Manager, is a nonclassified military-networking program. A cracker organization called Masters of Downloading stole the software from an unsecured server in June. According to several of the group's members, Ibrahim tried to purchase that software from them.

In conversations taken from IRC logs, Ibrahim claimed to be a member of Harkat-ul-Ansar, a militant Indian separatist group. "We fight for our independence," he said during one June conversation.

Harkat-ul-Ansar is on the State Department's list of the 30 most dangerous terrorist organizations in the world.

Establishing Ibrahim's true identity is difficult. The most compelling evidence that he was acting on behalf of Harkat-ul-Ansar is a US$1,000 money order that he sent to Chameleon in an attempt to buy stolen military software.
"If this man is who he says he is, then he is extremely dangerous," said Nalani Alexander, senior Asia consultant with Pinkerton's Global Intelligence Service.

Harkat-ul-Ansar declared war on the United States following the Pentagon's 20 August cruise-missile attack on a suspected terrorist training camp in Afghanistan run by Islamic militant Osama bin Laden. Harkat-ul-Ansar claimed that nine of its members were killed in the attack.

But even before the missile strikes Ibrahim was trolling the Internet, looking for information mercenaries.

Although he used several anonymous Hotmail accounts to send his email, Ibrahim always accessed the Net from an Internet service provider in New Delhi, according to John Vranesevich, a security expert and founder of AntiOnline.

"I and others have traced Ibrahim's Internet connection," said Vranesevich. "It always came from d637.pppdel.vsnl.net.in -- [the IP address of] an Internet service provider in India."

The ISP, Videsh Sanchar Nigam Limited, declined comment.

Wired News obtained transcripts of IRC conversations from five of the crackers who said that Ibrahim had tried to cut deals with them.

Using the online aliases RahulB and Rama3456, Ibrahim began frequenting online cracker hangouts in June. He approached members of various cracking teams, including the Masters of Downloading, the Noid, and Milw0rm, looking for sensitive information.

An FBI source who asked not to be named said that the agency was familiar with Ibrahim, but declined to discuss what, if anything, was being done about him.

The crackers interviewed by Wired News were less reticent. Members of the cracking group Noid said that Ibrahim asked them for help gaining access to the SIPRNET, the Pentagon's secure Internet protocol network used for the exchange of classified information and email by the military and intelligence communities.
One member of the now-defunct group Milw0rm said Ibrahim also tried to purchase information obtained from the computer systems of India's Bhabha Atomic Research Center.

Though almost all of Ibrahim's efforts to buy information were rebuffed, Chameleon attracted the attention of authorities by cashing a check that he said was sent to him by Ibrahim.

In June, a few days after being solicited for military-networking hardware, Chameleon received a money order for US$1,000 and a pager number to call in Boston. He cashed the check, he said, to buy a gift for his sister.

Two weeks later, the FBI raided Chameleon's home and confiscated his equipment. He was not charged with any crime and has since begun a career in computer programming.

Apparently frustrated by his lack of progress, Ibrahim began raising the stakes. In one transcript of an Internet chat conversation between Ibrahim and crackers, Ibrahim threatens to have the youths killed if they reported him to the FBI.

"I want to know: Did they tell the Feds about me?" Ibrahim asks the crackers. "Tell them [if they did that], they are dead meat. I will have snipers set on them."

Until the death threats, Chameleon and Savec0re believed that Ibrahim was an undercover FBI agent trying to entrap them.

According to Vranesevich, Ibrahim approached many crackers, on one occasion impersonating an FBI agent to try and obtain information from Savec0re.

In June, Savec0re was chatting online with someone he thought was another Milw0rm member. The individual said that he had an uncle in the FBI who could offer the Milw0rm immunity in exchange for information obtained from the group's raid on the Indian labs.

"I thought that this would send a message to the FBI that we weren't hostile," said Savec0re in an email interview. "So I gave him my phone number."
Savec0re said he also emailed the individual an encrypted file of information from the Indian atomic research center, including diagrams of reactors and trajectory calculations, and an analysis of five Indian nuclear tests.

"The next day I got a call from the so-called FBI agent but he had an amazingly strong Pakistani accent," said Savec0re. "He said his name was Michael Gordon and that he was with the FBI in Washington, DC. I realized then that it had been Ibrahim all along."

Another time, Ibrahim tried to hire a 17-year-old former cracker named mercs, who claimed to have accessed many military sites as a security consultant.

"He said that he wanted to employ me as a security consultant, legally testing servers for weaknesses," said mercs. "But that was before I knew who he was."

Ibrahim revealed his identity to mercs when he tried to purchase information about the US Defense Information Infrastructure, mercs said.

Despite his high failure rate, Ibrahim may have succeeded in collecting some potentially dangerous information, Vranesevich said.

"I believe that he obtained the DEM software, SIPRNET network topology maps, and data from BARC. It may not be dangerous but it would be a very useful first step for breaking into US military networks."

How Ibrahim actually obtained the information is unclear. He may have found a cracker who was prepared to pass along information, or he could have received it under false pretenses, as he did with Savec0re.

At least one security expert believes that even if Ibrahim did obtain information, it is unlikely to pose a threat to national security.

"It wouldn't be the first time that somebody bought useless information from a hacker," said Gene Spafford, director of the Computer Operations Audit and Security Technology laboratory at Purdue University. "Network topology maps are useless if the network is secure.
You can go to the Library of Congress for a blueprint of the Pentagon, but that doesn't mean you can walk in there."

However, Ibrahim's tactics are not uncommon, according to many hackers.

"It's been a while since we have received a political or military request to hack," said Space Rogue, a member of The L0pht, a Boston hacking group turned network-security specialists. "People know that it is futile. We don't do it."