[ISN] Al Qaeda Messages Posted on U.S. Server

From: William Knowles (wk@private)
Date: Thu Jul 15 2004 - 01:09:54 PDT


http://www.washingtonpost.com/wp-dyn/articles/A47681-2004Jul13.html

By David McGuire
washingtonpost.com Staff Writer
July 13, 2004

An Internet computer server operated by an Arkansas government agency
was transformed last weekend into the online home of dozens of videos
featuring Osama bin Laden, Islamic jihadist anthems and terrorist
speeches.

State government officials removed the files from a computer operated
by the Arkansas Highway and Transportation Department shortly after
they were discovered, a government spokesman said. The case highlights
an increasing trend of hackers hijacking vulnerable Web servers for
the purpose of advocating radical political and terrorist ideologies.

Links to the files were posted to a message board of a group called al
Ansar. The Web site features photos of bin Laden, leader of the al
Qaeda terrorist network, and the Sept. 11, 2001, hijackers, as well as
basic facts about the tenets of Islam and links to chatrooms and other
Islamic Web sites. The person who posted the links identified himself
as "Irhabi 007"-- or "Terrorist 007" -- said Laura Mansfield, who
tracks pro-al Qaeda Web sites for Northeast Intelligence Network, an
Erie, Pa.-based private group of analysts that monitors the Internet
for terrorist activity.

Arkansas Transportation Department spokesman Randy Ort confirmed that
approximately 70 unauthorized files were posted on Sunday to a "File
Transfer Protocol" (FTP) site that the agency operates for
contractors. FTP sites are widely used throughout the Internet as a
way to transfer large files quickly.

Ort would not describe the files, except to say that they were labeled
"in a foreign language." He said the department shut the site down on
Monday morning after a CNN reporter called to ask what the materials
were doing there.

Ort said that the FBI has confiscated the server where the files were
located.

FBI spokesman Joe Parris confirmed that the agency took the computers,
but would not say whether it was investigating the incident.

Mansfield said hijacking unsecured FTP sites is standard procedure for
al Qaeda sympathizers, but it was unusual for them to take over a
government site.

"Basically, what they do is they go out, they find a Web site, and
they borrow the bandwidth until they get caught and somebody kicks
them off," Mansfield said. "Companies and organizations would do well
to shut down their anonymous FTP servers nowadays, because they are
being misused."

According to a 23-year CIA veteran who has anonymously criticized U.S.  
counterterrorism policy in a recently published book, "Al Qaeda's most
important growth since the 11 September attacks has not been physical
but has been, rather, its expansion into the Internet." In his book,
"Imperial Hubris: Why the West is Losing the War on Terror," [1] the
author says the United States and its allies have staged "information
warfare attacks" on some Internet sites, "thereby forcing them
off-line and making their producers hunt for new host servers."

However, it was not clear whether the person who hijacked the Arkansas
server was an actual al Qaeda terrorist or someone with other
motivations.

Ken Dunham, malicious code manager for iDefense Inc., an Internet
security firm based in Reston, said a growing number of computer
crimes are being committed in the name of political causes, with some
hackers seeking to identify themselves with terrorism in a bid to
boost their importance in the hacker subculture.

Mansfield, who said she speaks fluent Arabic and has tracked Terrorist
007's activities since February, said the poster admitted online that
he does not speak Arabic. His postings in Arabic bear signs of being
run though an electronic translator, she said. She said the person has
posted at least 900 items on the al Ansar Web site.

In a statement posted on the Northeast Intelligence Network's Web site
yesterday, Mansfield described the poster as "a self-proclaimed
U.S.-based terrorist."

In addition to the links to the Arkansas computer server, the al Ansar
site featured downloadable copies of video depicting the beheading of
American businessman Nicholas Berg, an al Qaeda-produced video called
"Wills of Martyrs" and video of a deadly car bomb attack on a housing
complex in Riyadh, the Saudi Arabian capital, Mansfield said.

The al Ansar site is a popular destination for al Qaeda sympathizers
and is often one of the first places where videos of terrorist attacks
and ultimatums are posted, Mansfield said.

James Lewis, a senior fellow at the Center for Strategic and
International Studies, said that sites run by al Qaeda and its
sympathizers change addresses often and rely on word of mouth for
publicity.

He added that the practice of taking advantage of unsecured computer
space to host information is a common tactic of al Qaeda backers.

Terrorist 007 apparently moved the same material to other locations on
the Internet, Mansfield said. Earlier this year, a person identifying
himself as Terrorist 007 posted similar material to an FTP server run
by The George Washington University in Washington, D.C., Mansfield
said.

University spokesman Matt Nehmer said security officials at the
university had no knowledge of any such intrusion, and had not been
contacted by law enforcement officials.

[1] http://www.amazon.com/exec/obidos/ASIN/1574888498/c4iorg



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation:   http://www.c4i.org/donation.html
*==============================================================*



_________________________________________
Help InfoSec News with a donation: http://www.c4i.org/donation.html



This archive was generated by hypermail 2.1.3 : Thu Jul 15 2004 - 02:11:49 PDT