Re: [ISN] Terrorist group claims responsibility for Slammer

From: InfoSec News (isnat_private)
Date: Mon Feb 10 2003 - 00:33:54 PST


    Forwarded from: security curmudgeon <jerichoat_private>
    cc: Brian McWilliams <>,
        Dan Verton <Dan_Vertonat_private>
    Several points are not clear after this hoax unfolded. I invite both
    Verton and McWilliams to reply to any part of this. There are several
    times where I quote McWilliams regarding this event. These quotes are
    taken from: which was posted to
    explain why he perpetuated this hoax. I encourage everyone to read
    this at some point.
    > Forwarded from: Dan Verton <Dan_Vertonat_private>
    > Here's the story of how I got screwed. I was duped, I was had --
    > call it what you will. Despite calls to the FBI and security firms
    > and other journalists around the world, I didn't turn up the hidden
    > ownership of the domain in question. I let myself get burned.
    > By DAN VERTON 
    > FEBRUARY 06, 2003
    > In an elaborate scheme to dupe security companies and journalists,
    > McWilliams acknowledged last night that he purchased the domain name
    > last March and registered it under the name of "Abu-Mujahid of
    > Karachi." He also left a legitimate mirror site in place on a server
    According to McWilliams, he snatched up the lapsed domain for other
      It certainly was a big departure from my original reason for
      registering the domain: to gain some insight into how the Internet 
      was being used for terrorist recruitment, and to report my findings.
    Your response above is cleverly worded to make it sound like
    McWilliams' intentions were solely to dupe journalists and security
    > McWilliams' hoax, which he described as an effort to surreptitiously
    > obtain information that he might be able to turn into a good news
    > story, came to my attention after I reported being contacted by Abu
    > Mujahid. In a series of e-mails spanning several weeks, McWilliams,
    Once again, your wording is very poor. When asked, McWilliams said
    that YOU contacted him (as Abu-Mujahid), which contradicts your
    statement above.
    > a.k.a. "Mujahid," claimed responsibility for the Slammer Internet
    > worm late last month. Although my story noted that claims of
    > responsibility for Slammer couldn't be verified, I, along with
    > journalists in India, several computer security firms and even law
    > enforcement experts, didn't see through McWilliams' hoax.
    Which is nothing short of pathetic. Not only was the claim far-fetched
    to begin with, the proof supplied went well beyond bogus. On top of
    absurd 'math' and glaring contradictions in the claim, iDefense went
    so far as to tell Computerworld "HUM's claim of injecting a
    fingerprint into the code 'does not hold water'". Despite a security
    company telling you their claim had no foundation, and despite you
    having no other validation of anything, you still went with the story
    without properly disclaiming yourself.
    > "I worked hard to make the illusion look real," he said in an e-mail
    > to me last night, after the hoax had been exposed. McWilliams also
    > expressed regret for having allowed the hoax to go so far. "But the
    > Internet gives those who want to spread misinformation a big
    > advantage. It's so easy to conceal ... the ownership of a domain."
    Yes, it is. Despite that, you apparently did not take note of a few
    facts before believing the hoax. The fact that
    appears to be located in the US, the domain contact info provides no
    information or validation of who owns it, and that a simple Google
    search would have revealed an American company took ownership of the
    domain during the Pearl incident should not have escaped you. All of
    these facts didn't register in your mind as warnings that it may be a
    hoax, because you didn't bother to do what a journalist is supposed
    to.. a little research. Let's also not forget that you are the
    "Computerworld Security Expert" according to your press releases. How
    is it that a "security expert" can not figure out e-mail headers and
    Had you done the research and discovered all of the above, I have a
    feeling that would not have stopped you from running those same
    stories. As several people have stated, you WANTED to believe.
    > "I've been secretly receiving lots of interesting e-mails apparently
    > intended for HUM," said McWilliams. "I was hoping I might get a
    > story out of some of the stuff that came in to the site. Most of the
    > messages have been from people in the Middle East who wanted to join
    > jihad. I've forwarded some to the FBI."
    This was a clever thing to include in your story. Consider that
    incredible lead for information dead from here on out. I'm sure the
    FBI are loving that since they were benefiting by a US Citizen
    receiving that mail and forwarding relevant mail on to the proper
    authorities. Later in this article you speak of McWilliams "[damaging]
    the effectiveness of the defensive action." Yet here you are damaging
    an important lead that was likely producing good intel on potential
    terrorists and their actions. I'm glad you see fit to trade this for a
    little news fodder, the whole while pointing fingers at McWilliams for
    using the domain for possible story leads.
    > As part of this scam, McWilliams contacted a journalist in India and
    > then defaced his own phony Web site, posting one of my earlier
    > e-mails as part of the defacement by a bogus hacker group. That
    > "hacking" was one reason that at least one security vendor,
    >, initially considered the Web site to be genuine.
    First, McWilliams makes no mention of contacting a journalist in India
    when explaining his actions. I invite him to clarify this or for you
    to provide more information.
    Second, this is *exactly* what McWilliams proved with this hoax. A web
    site that has no real visible ties to anything outside the US other
    than random e-mail claims gets 'defaced', and mi2g is saying "this is
    the first significant attempt at anti-Islamic cyberwar." Even worse,
    mi2g continues on saying the following:
      In early 2003, however, the anti-Islamic backlash predicted by the
      mi2g Intelligence Unit is beginning to materialize. This is a 
      significant development and we will continue to monitor the 
      situation closely.
    If this doesn't define FUD, I don't know what does.
    According to Computerworld's Feb 05 article about the defacement, you
    have yourself validating the site as legitimate, and you have mi2g
    validating it was defaced and referencing you. Excuse me, may I remind
    you that you were a former "intelligence officer" and mi2g is an
    "information intelligence" company. Where the hell do you guys get off
    using these self-granted titles? Neither of you had any real
    validation of anything, yet both ran with this as legitimate news. The
    fact that mi2g still has no retraction or explanation on their website
    should warn off anyone using their service that they are charlatans
    and pushing whatever crap hits their inbox as 'news'. Two charlatans
    validating each other is a very common practice in many industries,
    and one that the security industry has seen many times before
    (Jones/Murphy, Meinel/Vranesevich, et al). Next time I reference this
    activity, I can include "Verton/mi2g" I guess.
    > been to uncover. He did not, however, acknowledge then that he had
    > registered the domain using a fictitious name. After the hoax was
    > revealed, the story was removed from Computerworld's Web site. By
    > then it had been picked up by other Web sites.
    Who deserve what they got. The inbreeding that goes on between
    supposedly reputable news sources is disgusting. The fact that they
    push unverified stories out the door themselves, and then turn around
    and swallow other outlets' stories without a question speaks wonders
    about the current state of industry reporting.
    > That authenticity unraveled late yesterday, after my story had been
    > posted, when members of an e-mail list that focuses on security
    > topics contacted Computerworld and informed me that McWilliams had
    > been bragging about the success of his hoax and how simple it would
    > have been to uncover.
    According to McWilliams:
      Contrary to some reports, I did not brag about this fact on a
      security mailing list. On the contrary, I find it troubling.
    So.. is your source questionable or are you misstating facts to try to
    convince your readers that you were not at fault?
    > This isn't the first time McWilliams has relied on questionable
    > reporting procedures to obtain information for a story, according to
    > government intelligence and industry sources, who requested
    > anonymity.
    Of course they requested anonymity. This isn't the first time your
    sources have been called into question either, and I'm not just
    talking about the one above.
    > These sources confirmed that in September 2001, at the height of the
    > Nimda worm, McWilliams obtained the telephone number for conference
    > calls held by the National Security Council, the National Security
    > Agency and private companies, and listened in surreptitiously to the
    > conversations. He then used the information from the conference
    > calls in news reports he filed.
    Once again, I invite McWilliams to respond to these claims. While
    waiting for his reply, I'd love to know why he wasn't charged with
    various criminal law infractions if this was the case. Or were the
    conference calls not near as important as made to sound?
    > McWilliams confirmed today that he did listen in to the conference
    > call.
    But did not confirm he did so in an unethical manner?
    > Although the hoax this week taught me a valuable lesson about the
    > nature of information on the Internet, it's less clear that
    > McWilliams' scheme has done anything to advance the understanding of
    > cyberterrorism -- one of his stated reasons for conducting the hoax
    > in the first place.
    Sure it has. It has proven that you, Computerworld and companies like
    mi2g will do anything to perpetuate the idea/myth/desire for
    "cyberterrorism" despite the lack of documented cases proving it even
    I'll close with the following quote from McWilliams' explanation:
      As my bungled experiment proved, even Verton -- whose book about
      teenage hackers claims he is "one of the leading technology 
      journalists in the country" -- can apparently be fooled by fake 
      e-mails, phony web sites, and wild claims, in a desire to get a big 
      scoop on a hot topic.

    This archive was generated by hypermail 2b30 : Mon Feb 10 2003 - 03:05:21 PST