[ISN] Al-Qaida supporters hack into student's Web site

From: InfoSec News (isnat_private)
Date: Wed Apr 02 2003 - 01:01:47 PST

    Forwarded from: William Knowles <wkat_private>
    
    http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1049201902166680.xml
    
    By Jeffrey Kosseff
    jeffkosseffat_private 
    04/01/03
    
    The Web site of a Portland State University graduate student has been
    targeted in a wave of Internet hackings supporting al-Qaida,
    attracting federal authorities and terrorism experts who worry the
    break-in may be more than a prank.
    
    Files planted in Conrado Salas Cano's personal Web site housed threats
    against the United States, tributes to the Sept. 11 attacks and
    purported messages from Osama bin Laden. The physics student said the
    files were added without his knowledge or consent.
    
    The FBI reportedly launched an investigation, and some cyberterrorism
    followers said it resembled attacks by the online propaganda unit of
    al-Qaida, the Islamic group led by bin Laden. But it is unclear
    whether the cyber-intruders represent a terrorist threat or are
    playing a joke on Cano, whose site explores theories about science and
    space.
    
    Liquid Web, a Lansing, Mich., Internet service provider that stores
    Cano's site, said it contacted the FBI when it discovered the hacking
    about a month ago. The FBI began investigating the site and took
    control of the al-Qaida pages, removing them more than a week ago,
    said Jack Flintz, Liquid Web's security administrator.
    
    Flintz said that according to Liquid Web's records, intruders used
    computers in Saudi Arabia to bust into his servers.
    
    "We consider it more than just a prankster bit," Flintz said.
    
    Bill Murray, a spokesman for the FBI's cyberdivision, early Monday
    could not confirm the FBI's investigation.
    
    "Generally, Web site defacements have to achieve a certain level of
    damage for us to be involved" because thousands of pages are defaced
    every day, Murray said.
    
    Cano was stunned last month to receive e-mail messages from groups
    opposed to al-Qaida alerting him to the pages, buried within a folder
    in his personal Web site.
    
    "I'm so happy to have it off my back," said Cano, who maintains
    www.conrado.net. "It is abhorrent."
    
    Hacking in support of al-Qaida has been seen on two other sites hosted
    by Liquid Web.
    
    After the pages were pulled from Cano's site, hackers placed them on a
    visitor's information portal for Homer, Alaska, operated by a high
    school student. Those pages were removed last week. And last year, a
    Dutch soccer fan site hosted by Liquid Web was home to the al-Qaida
    pages.
    
    Flintz said he doesn't know why the hackers have repeatedly chosen
    sites hosted by his provider. Liquid Web, he said, has thoroughly
    investigated its servers and has not found holes that would allow
    hackers into its members' sites.
    
    "Clearly, they busted into Liquid Web's servers, and they found an
    easy back door," said Josh Devon, an analyst at the Search for
    International Terrorist Entities Institute, which tracks
    cyberterrorism.
    
    More than coincidence
    
    George Heuston, a retired FBI agent who specialized in high-tech
    crimes, said that as with all counterintelligence, investigators
    should worry when a crime is committed more than once.
    
    "If you see them once, that's just chance," said Heuston, who works on
    high-tech crime cases at the Hillsboro Police Department. "If you see
    them twice, it's an interesting coincidence. If you see them three
    times, it's no coincidence. You're being followed."
    
    In many cases of Web defacement, the entire site is changed to make a
    political statement. But the Liquid Web sites appeared unchanged. The
    al-Qaida files were hidden, leading Heuston to think the hackers were
    using the sites to communicate.
    
    "They're not trying to create a huge statement," he said. "It's more
    subtle than that."
    
    The pages on Cano's site, posted by the Center for Islamic Studies and
    Research, urged Muslims to "destroy and divide the US" and praised
    Sept. 11 and the attacks on U.S. embassies and the USS Cole.
    
    "The US went mad because of panic, terror and astonishment at what it
    sees and hears," the pages on Cano's site said. "It could not bear
    such humiliating acts, thus it forced the whole world to come under
    its banner and join its camp."
    
    Many of the hacked pages are in Arabic, including those with the most
    updated information, said Devon, whose Washington, D.C., group tracks
    Al Neda, the alleged online arm of al-Qaida.
    
    Propaganda outlet
    
    Based on his research of previous al-Qaida sites, Devon thinks the
    messages on Cano's pages and the other Liquid Web sites come from
    officials within al-Qaida.
    
    "It's definitely a propaganda outlet," Devon said. "That's one of the
    fronts al-Qaida realizes they have to wage. They're trying to appeal
    to Web-savvy young men."
    
    Some of the Al Neda pages, Devon said, contain pictures of guns and
    bomb-making manuals in Arabic. Specific plans of future attacks aren't
    on the site, although Devon said it's possible they use code words to
    communicate attacks.
    
    Until last summer, similar content from the Center for Islamic Studies
    and Research was found on alneda.com. But a Maryland operator of
    pornography Web sites took the domain name when it expired. The
    porn-site operator claimed the domain name using Snapnames, a Portland
    company that places people on waiting lists for Web addresses.
    
    Since then, Devon said, Al Neda has been hacking into various sites
    around the globe to spread its message. Once the sites are discovered
    and shut down, a new Al Neda site pops up within 48 hours. News of the
    Web sites, he said, spreads by word of mouth and in Arabic newspapers.
    
    "The Web site they're putting up is literally how al-Qaida
    disseminates new information," Devon said.
    
    Cano said he thinks the Web site defacement wasn't in response to the
    statements on his site about science and the late Carl Sagan. He
    hasn't received an e-mail about his site for about two years, he said.
    
    "I was just an unlucky target," Cano said. "I completely abhor, detest
    and want nothing to do with the entity or people who put that in my
    domain."
    
    
     
    



    This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 03:20:43 PST