Forwarded From: phreak moi <hackerelite@deathsdoor.com>
http://www.wired.com/news/news/politics/story/15812.html
Do Terrorists Troll the Net? Part I of IV
by Niall McKay
10:15 a.m. 4.Nov.98.PST
Over the last six months, a self-proclaimed terrorist has attempted to
purchase sensitive information about US military computer networks from
teenagers cracking sites on the Internet, according to crackers and
security experts.
Khalid Ibrahim, who identifies himself as an Indian national, may have
obtained classified and unclassified US government software and
information, as well as data from India's Bhabha Atomic Research Center,
from teenagers who say they routinely break into such Web servers for fun.
"I was on [Internet Relay Chat] one night when this guy said he wanted the
DEM software," said an 18-year-old cracker from Irvine, California,
calling himself Chameleon. "I didn't have it and I was just messing about
with the guy."
Internet Relay Chat is a worldwide, text-based network where real-world
identities can be concealed or forged. Conversations are logged, but
those transcripts are easily tampered with and therefore unreliable.
DEM, or the Defense Information Systems Network Equipment Manager, is a
nonclassified military-networking program. A cracker organization called
Masters of Downloading stole the software from an unsecured server in
June. According to several of the group's members, Ibrahim tried to
purchase that software from them.
In conversations taken from IRC logs, Ibrahim claimed to be a member of
Harkat-ul-Ansar, a militant Indian separatist group. "We fight for our
independence," he said during one June conversation.
Harkat-ul-Ansar is on the State Department's list of the 30 most dangerous
terrorist organizations in the world.
Establishing Ibrahim's true identity is difficult. The most compelling
evidence that he was acting on behalf of Harkat-ul-Ansar is a US$1,000
money order that he sent to Chameleon in an attempt to buy stolen military
software.
"If this man is who he says he is, then he is extremely dangerous," said
Nalani Alexander, senior Asia consultant with Pinkerton's Global
Intelligence Service.
Harkat-ul-Ansar declared war on the United States following the Pentagon's
20 August cruise-missile attack on a suspected terrorist training camp in
Afghanistan run by Islamic militant Osama bin Laden. Harkat-ul-Ansar
claimed that nine of its members were killed in the attack.
But even before the missile strikes Ibrahim was trolling the Internet,
looking for information mercenaries.
Although he used several anonymous Hotmail accounts to send his email,
Ibrahim always accessed the Net from an Internet service provider in New
Delhi, according to John Vranesevich, a security expert and founder of
AntiOnline.
"I and others have traced Ibrahim's Internet connection," said
Vranesevich. "It always came from d637.pppdel.vsnl.net.in -- [the IP
address of] an Internet service provider in India." The ISP, Videsh
Sanchar Nigam Limited, declined comment.
Wired News obtained transcripts of IRC conversations from five of the
crackers who said that Ibrahim had tried to cut deals with them.
Using the online aliases RahulB and Rama3456, Ibrahim began frequenting
online cracker hangouts in June. He approached members of various cracking
teams, including the Masters of Downloading, the Noid, and Milw0rm,
looking for sensitive information.
An FBI source who asked not to be named said that the agency was familiar
with Ibrahim, but declined to discuss what, if anything, was being done
about him.
The crackers interviewed by Wired News were less reticent.
Members of the cracking group Noid said that Ibrahim asked them for help
gaining access to the SIPRNET, the Pentagon's secure Internet protocol
network used for the exchange of classified information and email by the
military and intelligence communities.
One member of the now-defunct group Milw0rm said Ibrahim also tried to
purchase information obtained from the computer systems of India's Bhabha
Atomic Research Center.
Though almost all of Ibrahim's efforts to buy information were rebuffed,
Chameleon attracted the attention of authorities by cashing a check that
he said was sent to him by Ibrahim.
In June, a few days after being solicited for military-networking
hardware, Chameleon received a money order for US$1,000 and a pager number
to call in Boston. He cashed the check, he said, to buy a gift for his
sister.
Two weeks later, the FBI raided Chameleon's home and confiscated his
equipment. He was not charged with any crime and has since begun a career
in computer programming.
Apparently frustrated by his lack of progress, Ibrahim began raising the
stakes. In one transcript of an Internet chat conversation between Ibrahim
and crackers, Ibrahim threatens to have the youths killed if they report
him to the FBI.
"I want to know: Did they tell the Feds about me?" Ibrahim asks the
crackers. "Tell them [if they did that], they are dead meat. I will have
snipers set on them."
Until the death threats, Chameleon and Savec0re believed that Ibrahim was
an undercover FBI agent trying to entrap them.
According to Vranesevich, Ibrahim approached many crackers, on one
occasion impersonating an FBI agent to try and obtain information from
Savec0re.
In June, Savec0re was chatting online with someone he thought was another
Milw0rm member. The individual said that he had an uncle in the FBI who
could offer the Milw0rm immunity in exchange for information obtained from
the group's raid on the Indian labs.
"I thought that this would send a message to the FBI that we weren't
hostile," said Savec0re in an email interview. "So I gave him my phone
number."
Savec0re said he also emailed the individual an encrypted file of
information from the Indian atomic research center, including diagrams of
reactors and trajectory calculations, and an analysis of five Indian
nuclear tests.
"The next day I got a call from the so-called FBI agent but he had an
amazingly strong Pakistani accent," said Savec0re. "He said his name was
Michael Gordon and that he was with the FBI in Washington, DC. I realized
then that it had been Ibrahim all along."
Another time, Ibrahim tried to hire a 17-year-old former cracker named
mercs, who claimed to have accessed many military sites as a security
consultant.
"He said that he wanted to employ me as a security consultant, legally
testing servers for weaknesses," said mercs. "But that was before I knew
who he was."
Ibrahim revealed his identity to mercs when he tried to purchase
information about the US Defense Information Infrastructure, mercs said.
Despite his high failure rate, Ibrahim may have succeeded in collecting
some potentially dangerous information, Vranesevich said. "I believe that
he obtained the DEM software, SIPRNET network topology maps, and data from
BARC. It may not be dangerous but it would be a very useful first step for
breaking into US military networks."
How Ibrahim actually obtained the information is unclear. He may have
found a cracker who was prepared to pass along information, or he could
have received it under false pretenses, as he did with Savec0re.
At least one security expert believes that even if Ibrahim did obtain
information, it is unlikely to pose a threat to national security.
"It wouldn't be the first time that somebody bought useless information
from a hacker," said Gene Spafford, director of the Computer Operations
Audit and Security Technology laboratory at Purdue University.
"Network topology maps are useless if the network is secure. You can go to
the Library of Congress for a blueprint of the Pentagon, but that doesn't
mean you can walk in there."
However, Ibrahim's tactics are not uncommon, according to many hackers.
"It's been a while since we have received a political or military request
to hack," said Space Rogue, a member of The L0pht, a Boston hacking group
turned network-security specialists.
"People know that it is futile. We don't do it."
-o-
Received on Thu Nov 12 17:59:18 1998