[ISN] Web used to lure terror suspects

From: InfoSec News (isn@private)
Date: Mon Jun 19 2006 - 00:44:43 PDT


Forwarded from: William Knowles <wk@private>

http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1150494610771&call_pageid=968332188492

By SANDRO CONTENTA
EUROPEAN BUREAU
June 17, 2006

LONDON - On a cold night last October, police stormed a West London
apartment and found Younis Tsouli at his computer, allegedly building
a Web page with the title "You Bomb It."

Initially, the raid seemed relatively routine, one of about 1,000
arrests made under Britain's terrorism act during the last five years.

The more eye-popping evidence was allegedly found in the London-area
homes of two accused co-conspirators: a DVD manual on making suicide
bomb vests, a note with the heading "Welcome to Jihad," material on
beheadings, a recipe for rocket fuel, and a note with the formula
"hospital = attack."

But as investigators sifted through computer disk information the
picture that emerged was dramatic. Police had apparently stumbled on
the man suspected of being the most hunted cyber-extremist in the
world.

Tsouli, a 22-year-old Moroccan, is being widely named as a central
figure in a cyber-terrorist network that has inspired suspected
homegrown extremists in Europe and North America, including the 17
people recently arrested in the Toronto area.

The massive, 750 gigabytes of confiscated computer and disk
information - an average DVD movie is 4.7 gigabytes - found on
Tsouli's computer files is an Internet trail believed to link some of
the 39 terror suspects arrested in Canada, Britain, the United States,
Sweden, Denmark and Bosnia over the past eight months.

A source with close knowledge of the Tsouli case has told the Toronto
Star of evidence that he used the Web address Irhabi007 — the
cyber-persona of the most notorious extremist hacker on the World Wide
Web.

"Irhabi007 was like the Godfather of cyber-terrorism for Al Qaeda,"  
says Evan Kohlmann, an Internet terrorism consultant and determined
Irhabi tracker. Since coming on the cyber-extremist scene in late
2003, Irhabi's Internet exploits have become the stuff of legend for
the scores of militants reading and chatting on Al Qaeda-inspired
sites.

He almost single-handedly brought the hardcore network into the modern
computer age, solving its most pressing propaganda challenge - how to
distribute heavy multi-media files, such as videos of beheadings, to
the growing ranks of jihadis.

A self-starter believed to have worked mainly from his home, he hacked
and linked his way to become the administrator of the
password-protected forum, Muntada al-Ansar al-Islami, the main
Internet mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's leader in Iraq
until he was killed last week by a U.S. aerial attack.

But his downfall has been as dramatic as his rise.

Says Aaron Weisburd, another Irhabi tracker: "While he was at large,
he was a leader, an opinion-shaper, a solver of problems, and an
inspiration to his friends and associates. Now that the authorities
have him and his hard disk drive, he has become a major liability."

The London-area raid resulted in terrorism-related charges against
Tsouli, Waseem Mughal, 22, and Tariq Al-Daour, 19.

Their trial is expected to begin in January.

Among the items allegedly found in Tsouli's computer is a video slide
film on how to make a bomb and another showing sites in Washington,
D.C. The images of the American capital were reportedly filmed by two
Georgia men arrested by the FBI in March and accused in U.S. court
documents of having travelled to Toronto to meet "like-minded
Islamists."

Tsouli immigrated to London four years ago. At the time of his arrest,
his father said Tsouli spoke often of the West waging a war against
Islam. Bachir Tsouli, then deputy head of Morocco's tourism office in
London, said his son had few friends and spent most of his time at his
computer.

"What can you do on the computer?" Bachir, 60, told the Daily Mail
newspaper. "He hasn't been to Iraq or to training camps in
Afghanistan. Tomorrow they will be saying he is a friend of Osama bin
Laden."

No one has accused him of that, but experts who tracked Irhabi007
believe he had links to al-Zarqawi, credited with having turned the
Web into a powerful tool for global jihad.

During the past two years, al-Zarqawi's followers produced scores of
videos on suicide bombings, attacks against U.S. forces in Iraq,
beheadings of hostages, propaganda tracts and terrorist "how to"  
manuals.

The problem was distribution - how to post and move heavy files on the
Internet without sites crashing or being shut down. Irhabi007 met the
challenge.

In May 2004, he helped distribute the video of al-Zarqawi's beheading
of American contractor Nicholas Berg. It was quickly copied on
Internet sites and downloaded half a million times within 24 hours.

"He got his name on the map with the Nicholas Berg beheading video,"
says Ned Moran, intelligence analyst with the Virginia-based
Terrorism Research Center.

Irhabi007's distribution technique became clear two months later, when
he hacked into an FTP computer site used to transfer big files by the
Arkansas Highway and Transportation Department.

He posted 70 jihadi propaganda files on the site, including videos
featuring Osama bin Laden. He then posted links to the files on the
Muntada site and urged jihadis to download quickly. Arkansas
authorities didn't catch on until 24 hours later. By then, the
material had replicated exponentially, with those who downloaded it
passing it on to others in an almost endless chain.

Irhabi (the word means "terrorist" in Arabic) was using skills largely
unknown in the cyber-jihadi world. And he spread them around, posting
his own hacking manuals for a new generation of more computer-savvy
jihadis increasingly using the Internet as a tool to recruit and plot
attacks.

Irhabi wannabes suddenly began appearing on chat forums, tagging 007
at the end of their Web personas. In October 2004, his status in their
eyes reached heroic proportions. He provided almost immediate links to
a suicide bombing video posted by Abu Maysara al-Iraqi, widely
considered one of al-Zarqawi's closest aides. The initiative led
Maysara to break silence for the first time and post praise for
Irhabi007's work, Kohlmann says.

"Bless the terrorist, Irhabi007," said the message, translated by
Kohlmann, founder of globalterroralert.com. "In the name of Allah, I
am pleased with your presence my beloved brother. May Allah protect
you."

Says Kohlmann: "It's kind of like Bruce Springsteen picking someone
out in a concert and saying, `I love this guy.' That's what the effect
was - people went crazy."

In September 2005, a Terrorism Research Center report described
Irhabi007 as "heavily involved in maintaining Al Qaeda's on-line
presence."

It found evidence on al-Zarqawi's Al-Ansar site listing Irhabi as its
"administrator." The speed with which Irhabi posted links to videos
from al-Zarqawi's Iraqi cell led observers to speculate he was getting
a heads up from al-Zarqawi's people.

He's suspected of stealing identities to register his websites. His
http://www.irhabi007.org domain name was registered to the name,
telephone number and Pennsylvania home address of a first lieutenant
deployed in Iraq, according to the centre's report. He also registered
a Canada-based domain name, http://www.irhaby007.ca.

By the end of 2005, Irhabi007 had a whole army of cyber-terrorism
trackers on his tail. Few were as persistent as Aaron Weisburd,
director of Internet Haganah, dedicated to making on-line life
miserable for cyber-jihadis.

In 2004, Weisburd turned in Irhabi to his service provider and got him
cut off. An incensed Irhabi posted Weisburd's home address in Illinois
on the Internet and took part in chat-room discussions on slicing
Weisburd like a salami.

"I get to keep a finger or an ear," Irhabi wrote, "a little souvenir."

Weisburd reported the threat to the FBI and stepped up his efforts. "I
take all threats seriously," he said in an email exchange with the
Toronto Star. "And like any American `good ole boy' I have more than
one loaded gun nearby."

In July that year, Irhabi made his first mistake, leaving his IP
(Internet Protocol) address — which can be used to track a user's
location - on a site he was setting up to post a threat against Italy.

Weisburd examined another Irhabi Web page and found a second IP
address. He then posted a message on the Haganah site warning that
Irhabi's files were infected.

Irhabi responded by posting a graphic to prove they were not. His IP
number was blotted out, but not well enough. Weisburd's associate made
it out.

The three IP addresses all pointed to London's Ealing area — the place
where Tsouli would be arrested 15 months later. Weisburd passed the
information on to U.S. and British police but heard nothing back.

In September 2005, a month before Tsouli's arrest, a frustrated
Weisburd posted this message on his site: "Irhabi007 is in Ealing. Or
at least that's where the bastard was when we located him (18 months
ago)."

Since Tsouli's arrest, Weisburd says police have asked him to resubmit
the information he passed on months before.

The events that led to the arrest of the presumed Irhabi began with
police forcing their way into an apartment in Sarajevo on Oct. 19,
arresting 18-year-old Swedish citizen Mirsad Bektasevic and Abdul
Kadir Cesur, a 20-year-old Danish-born Turk.

Almost 20 kilograms of explosives were in the apartment, according to
the indictment filed in a Sarajevo court. A Sony VHS tape also found
gives instructions on how to make a bomb.

Says a voice on the tape, believed to be that of Bektasevic: "These 
brothers are ready to attack and, God willing, they will attack the 
infidels who are killing our brothers and Muslims in Iraq, 
Afghanistan. This weapon will be used against Europe, against those 
whose forces are in Iraq and Afghanistan."

Their arrests sparked back-to-back raids in London and Denmark, where 
a total of nine men were arrested, including Tsouli. The last number 
dialled on his cellular phone was Bektasevic's Bosnian number three 
days earlier, according to the Star's source. Since then, arrests have 
also been made in the U.S., Canada, Britain and Sweden.

Postings on the Internet by Irhabi007 stopped with Tsouli's arrest.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*


