[ISN] Do Terrorists Troll the Net?

From: mea culpa (jerichoat_private)
Date: Thu Nov 12 1998 - 04:44:12 PST


    Forwarded From: phreak moi <hackereliteat_private>
    Do Terrorists Troll the Net? Part I of IV
    by Niall McKay
    10:15 a.m.  4.Nov.98.PST
    Over the last six months, a self-proclaimed terrorist has attempted to
    purchase sensitive information about US military computer networks from
    teenagers cracking sites on the Internet, according to crackers and
    security experts. 
    Khalid Ibrahim, who identifies himself as an Indian national, may have
    obtained classified and unclassified US government software and
    information, as well as data from India's Bhabha Atomic Research Center,
    from teenagers who say they routinely break into such Web servers for fun. 
    "I was on [Internet Relay Chat] one night when this guy said he wanted the
    DEM software," said an 18-year-old cracker from Irvine, California,
    calling himself Chameleon. "I didn't have it and I was just messing about
    with the guy." 
    Internet Relay Chat is a worldwide, text-based network where real-world
    identities can be concealed or forged.  Conversations are logged, but
    those transcripts are easily tampered with and therefore unreliable. 
    DEM, or the Defense Information Systems Network Equipment Manager, is a
    nonclassified military-networking program.  A cracker organization called
    Masters of Downloading stole the software from an unsecured server in
    June. According to several of the group's members, Ibrahim tried to
    purchase that software from them. 
    In conversations taken from IRC logs, Ibrahim claimed to be a member of
    Harkat-ul-Ansar, a militant Indian separatist group. "We fight for our
    independence," he said during one June conversation. 
    Harkat-ul-Ansar is on the State Department's list of the 30 most dangerous
    terrorist organizations in the world. 
    Establishing Ibrahim's true identity is difficult. The most compelling
    evidence that he was acting on behalf of Harkat-ul-Ansar is a US$1,000
    money order that he sent to Chameleon in an attempt to buy stolen military
    "If this man is who he says he is, then he is extremely dangerous," said
    Nalani Alexander, senior Asia consultant with Pinkerton's Global
    Intelligence Service. 
    Harkat-ul-Ansar declared war on the United States following the Pentagon's
    20 August cruise-missile attack on a suspected terrorist training camp in
    Afghanistan run by Islamic militant Osama bin Laden. Harkat-ul-Ansar
    claimed that nine of its members were killed in the attack. 
    But even before the missile strikes, Ibrahim was trolling the Internet,
    looking for information mercenaries. 
    Although he used several anonymous Hotmail accounts to send his email,
    Ibrahim always accessed the Net from an Internet service provider in New
    Delhi, according to John Vranesevich, a security expert and founder of
    "I and others have traced Ibrahim's Internet connection," said
    Vranesevich.  "It always came from d637.pppdel.vsnl.net.in -- [the IP
    address of] an Internet service provider in India."  The ISP, Videsh
    Sanchar Nigam Limited, declined comment. 
    Wired News obtained transcripts of IRC conversations from five of the
    crackers who said that Ibrahim had tried to cut deals with them. 
    Using the online aliases RahulB and Rama3456, Ibrahim began frequenting
    online cracker hangouts in June. He approached members of various cracking
    teams, including the Masters of Downloading, the Noid, and Milw0rm,
    looking for sensitive information. 
    An FBI source who asked not to be named said that the agency was familiar
    with Ibrahim, but declined to discuss what, if anything, was being done
    about him. 
    The crackers interviewed by Wired News were less reticent. 
    Members of the cracking group Noid said that Ibrahim asked them for help
    gaining access to the SIPRNET, the Pentagon's secure Internet protocol
    network used for the exchange of classified information and email by the
    military and intelligence communities. 
    One member of the now-defunct group Milw0rm said Ibrahim also tried to
    purchase information obtained from the computer systems of India's Bhabha
    Atomic Research Center. 
    Though almost all of Ibrahim's efforts to buy information were rebuffed,
    Chameleon attracted the attention of authorities by cashing a check that
    he said was sent to him by Ibrahim. 
    In June, a few days after being solicited for military-networking
    hardware, Chameleon received a money order for US$1,000 and a pager number
    to call in Boston. He cashed the check, he said, to buy a gift for his
    Two weeks later, the FBI raided Chameleon's home and confiscated his
    equipment. He was not charged with any crime and has since begun a career
    in computer programming. 
    Apparently frustrated by his lack of progress, Ibrahim began raising the
    stakes. In one transcript of an Internet chat conversation between Ibrahim
    and crackers, Ibrahim threatens to have the youths killed if they report
    him to the FBI. 
    "I want to know: Did they tell the Feds about me?" Ibrahim asks the
    crackers.  "Tell them [if they did that], they are dead meat. I will have
    snipers set on them." 
    Until the death threats, Chameleon and Savec0re believed that Ibrahim was
    an undercover FBI agent trying to entrap them. 
    According to Vranesevich, Ibrahim approached many crackers, on one
    occasion impersonating an FBI agent to try and obtain information from
    In June, Savec0re was chatting online with someone he thought was another
    Milw0rm member. The individual said that he had an uncle in the FBI who
    could offer Milw0rm immunity in exchange for information obtained from
    the group's raid on the Indian labs. 
    "I thought that this would send a message to the FBI that we weren't
    hostile," said Savec0re in an email interview. "So I gave him my phone
    Savec0re said he also emailed the individual an encrypted file of
    information from the Indian atomic research center, including diagrams of
    reactors and trajectory calculations, and an analysis of five Indian
    nuclear tests. 
    "The next day I got a call from the so-called FBI agent but he had an
    amazingly strong Pakistani accent," said Savec0re. "He said his name was
    Michael Gordon and that he was with the FBI in Washington, DC. I realized
    then that it had been Ibrahim all along." 
    Another time, Ibrahim tried to hire a 17-year-old former cracker named
    mercs, who claimed to have accessed many military sites as a security
    "He said that he wanted to employ me as a security consultant, legally
    testing servers for weaknesses," said mercs. "But that was before I knew
    who he was." 
    Ibrahim revealed his identity to mercs when he tried to purchase
    information about the US Defense Information Infrastructure, mercs said. 
    Despite his high failure rate, Ibrahim may have succeeded in collecting
    some potentially dangerous information, Vranesevich said. "I believe that
    he obtained the DEM software, SIPRNET network topology maps, and data from
    BARC. It may not be dangerous but it would be a very useful first step for
    breaking into US military networks." 
    How Ibrahim actually obtained the information is unclear. He may have
    found a cracker who was prepared to pass along information, or he could
    have received it under false pretenses, as he did with Savec0re. 
    At least one security expert believes that even if Ibrahim did obtain
    information, it is unlikely to pose a threat to national security. 
    "It wouldn't be the first time that somebody bought useless information
    from a hacker," said Gene Spafford, director of the Computer Operations
    Audit and Security Technology laboratory at Purdue University. 
    "Network topology maps are useless if the network is secure. You can go to
    the Library of Congress for a blueprint of the Pentagon, but that doesn't
    mean you can walk in there." 
    However, Ibrahim's tactics are not uncommon, according to many hackers. 
    "It's been a while since we have received a political or military request
    to hack,"  said Space Rogue, a member of The L0pht, a Boston hacking group
    turned network-security specialists. 
    "People know that it is futile. We don't do it." 