Re: [ISN] Terrorist group claims responsibility for Slammer

From: InfoSec News (isnat_private)
Date: Fri Feb 07 2003 - 00:35:46 PST

  • Next message: InfoSec News: "[ISN] Former Viewsonic employee hit with hacking charge"

    Forwarded from: Dan Verton <Dan_Vertonat_private>
    Here's the story of how I got screwed. I was duped, I was had -- call
    it what you will. Despite calls to the FBI and security firms and
    other journalists around the world, I didn't turn up the hidden
    ownership of the domain in question. I let myself get burned.
    FEBRUARY 06, 2003
    Editor's note: An online story yesterday by Computerworld reporting on
    terrorist claims of responsibility for having authored the Slammer
    worm was based on a hoax. The security reporter who wrote the story,
    Dan Verton, explains in this first-person account how he and others
    were misled by a U.S. journalist who pretended to be someone named
    "Abdul Mujahid." The original story has been removed from
    Computerworld's Web site.
    There's an old Italian proverb that says, "Those who sleep with dogs
    will rise with fleas." That's the situation in which I now find
    While catching a few fleas isn't unusual in the murky, dog-eat-dog
    world of reporting on hackers and terrorists, this hoax is different.
    Had it been a simple scam, I might be embarrassed. But in this case,
    the scammer is Brian McWilliams, a former reporter for,
    which is now owned by The Washington Post Co.
    For the past 11 months, McWilliams has operated a Web site,, which once belonged to a real terrorist
    organization based in Pakistan. It was during legitimate research into
    pro-terrorist Web sites that I first came across the
    Harkat-ul-Mujahideen site and McWilliams.
    In an elaborate scheme to dupe security companies and journalists,
    McWilliams acknowledged last night that he purchased the domain name
    last March and registered it under the name of "Abu-Mujahid of
    Karachi." He also left a legitimate mirror site in place on a server
    in Pakistan and by his own admission has been receiving e-mails from
    people looking to join the actual terrorist group. He then posed as
    Abu Mujahid in his communications with people and the news media.
    McWilliams' hoax, which he described as an effort to surreptitiously
    obtain information that he might be able to turn into a good news
    story, came to my attention after I reported being contacted by Abu
    Mujahid. In a series of e-mails spanning several weeks, McWilliams,
    a.k.a. "Mujahid," claimed responsibility for the Slammer Internet worm
    late last month. Although my story noted that claims of responsibility
    for Slammer couldn't be verified, I, along with journalists in India,
    several computer security firms and even law enforcement experts,
    didn't see through McWilliams' hoax.
    "I worked hard to make the illusion look real," he said in an e-mail
    to me last night, after the hoax had been exposed. McWilliams also
    expressed regret for having allowed the hoax to go so far. "But the
    Internet gives those who want to spread misinformation a big
    advantage. It's so easy to conceal ... the ownership of a domain."
    McWilliams' efforts misled journalists in a foreign country now living
    with the real-world threat from a very real group,
    Harkat-ul-Mujahideen (HUM), a group linked not only to Osama bin
    Laden, but also to the abductors and murderers of Wall Street Journal
    reporter Daniel Pearl.
    The Web site still in place in Pakistan,,
    refers to a radical Islamic group on the State Department's list of
    designated terrorist groups. Once known as Harkat-ul-Ansar, the group
    changed its name to Harkat-ul-Mujahideen in an effort to avoid
    problems stemming from the U.S. terrorist designation. Contact
    information on that site goes to, which is
    McWilliams' domain.
    "I've been secretly receiving lots of interesting e-mails apparently
    intended for HUM," said McWilliams. "I was hoping I might get a story
    out of some of the stuff that came in to the site. Most of the
    messages have been from people in the Middle East who wanted to join
    jihad. I've forwarded some to the FBI."
    As part of this scam, McWilliams contacted a journalist in India and
    then defaced his own phony Web site, posting one of my earlier e-mails
    as part of the defacement by a bogus hacker group. That "hacking" was
    one reason that at least one security vendor,, initially
    considered the Web site to be genuine.
    That authenticity unraveled late yesterday, after my story had been
    posted, when members of an e-mail list that focuses on security topics
    contacted Computerworld and informed me that McWilliams had been
    bragging about the success of his hoax and how simple it would have
    been to uncover. He did not, however, acknowledge then that he had
    registered the domain using a fictitious name. After the hoax was
    revealed, the story was removed from Computerworld's Web site. By then
    it had been picked up by other Web sites.
    This isn't the first time McWilliams has relied on questionable
    reporting procedures to obtain information for a story, according to
    government intelligence and industry sources, who requested anonymity.
    These sources confirmed that in September 2001, at the height of the
    Nimda worm, McWilliams obtained the telephone number for conference
    calls held by the National Security Council, the National Security
    Agency and private companies, and listened in surreptitiously to the
    conversations. He then used the information from the conference calls
    in news reports he filed.
    "Just as that group was hitting its stride, the trust relationship was
    fractured," said a source who took part in the conference calls.
    "Since we couldn't know which participant compromised the trust,
    [McWilliams'] efforts actually damaged the effectiveness of the
    defensive action."
    McWilliams confirmed today that he did listen in to the conference
    Although the hoax this week taught me a valuable lesson about the
    nature of information on the Internet, it's less clear that
    McWilliams' scheme has done anything to advance the understanding of
    cyberterrorism -- one of his stated reasons for conducting the hoax in
    the first place. The fact is that real terrorist organizations around
    the world do run Web sites. The Palestinian terrorist group Hamas is a
    prime example of a terrorist group on the Web. There are many others,
    including, until last March, Harkat-ul-Mujahideen.
    This experience has been a particularly difficult one for me. I feel
    like I've been had, and that's never an easy thing to swallow. I got
    burned. So, I'm left here scratching fleas as the price you sometimes
    pay for sleeping with dogs.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 03:07:44 PST