Information Security News mailing list archives

Al-Qaida supporters hack into student's Web site


From: InfoSec News <isn () c4i org>
Date: Wed, 2 Apr 2003 03:01:47 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1049201902166680.xml

By Jeffrey Kosseff
jeffkosseff () news oregonian com 
04/01/03

The Web site of a Portland State University graduate student has been
targeted in a wave of Internet hackings supporting al-Qaida,
attracting federal authorities and terrorism experts who worry the
break-in may be more than a prank.

Files planted in Conrado Salas Cano's personal Web site housed threats
against the United States, tributes to the Sept. 11 attacks and
purported messages from Osama bin Laden. The physics student said the
files were added without his knowledge or consent.

The FBI reportedly launched an investigation, and some cyberterrorism
followers said it resembled attacks by the online propaganda unit of
al-Qaida, the Islamic group led by bin Laden. But it is unclear
whether the cyber-intruders represent a terrorist threat or are
playing a joke on Cano, whose site explores theories about science and
space.

Liquid Web, a Lansing, Mich., Internet service provider that stores
Cano's site, said it contacted the FBI when it discovered the hacking
about a month ago. The FBI began investigating the site and took
control of the al-Qaida pages, removing them more than a week ago,
said Jack Flintz, Liquid Web's security administrator.

Flintz said that according to Liquid Web's records, intruders used
computers in Saudi Arabia to bust into his servers.

"We consider it more than just a prankster bit," Flintz said.

Bill Murray, a spokesman for the FBI's cyberdivision, early Monday
could not confirm the FBI's investigation.

"Generally, Web site defacements have to achieve a certain level of
damage for us to be involved" because thousands of pages are defaced
every day, Murray said.

Cano was stunned last month to receive e-mail messages from groups
opposed to al-Qaida alerting him to the pages, buried within a folder
in his personal Web site.

"I'm so happy to have it off my back," said Cano, who maintains
www.conrado.net. "It is abhorrent."

Hacking in support of al-Qaida has been seen on two other sites hosted
by Liquid Web.

After the pages were pulled from Cano's site, hackers placed them on a
visitor's information portal for Homer, Alaska, operated by a high
school student. Those pages were removed last week. And last year, a
Dutch soccer fan site hosted by Liquid Web was home to the al-Qaida
pages.

Flintz said he doesn't know why the hackers have repeatedly chosen
sites hosted by his provider. Liquid Web, he said, has thoroughly
investigated its servers and has not found holes that would allow
hackers into its members' sites.

"Clearly, they busted into Liquid Web's servers, and they found an
easy back door," said Josh Devon, an analyst at the Search for
International Terrorist Entities Institute, which tracks
cyberterrorism.

More than coincidence

George Heuston, a retired FBI agent who specialized in high-tech
crimes, said that as with all counterintelligence, investigators
should worry when a crime is committed more than once.

"If you see them once, that's just chance," said Heuston, who works on
high-tech crime cases at the Hillsboro Police Department. "If you see
them twice, it's an interesting coincidence. If you see them three
times, it's no coincidence. You're being followed."

In many cases of Web defacement, the entire site is changed to make a
political statement. But the Liquid Web sites appeared unchanged. The
al-Qaida files were hidden, leading Heuston to think the hackers were
using the sites to communicate.

"They're not trying to create a huge statement," he said. "It's more
subtle than that."

The pages on Cano's site, posted by the Center for Islamic Studies and
Research, urged Muslims to "destroy and divide the US" and praised
Sept. 11 and the attacks on U.S. embassies and the USS Cole.

"The US went mad because of panic, terror and astonishment at what it
sees and hears," the pages on Cano's site said. "It could not bear
such humiliating acts, thus it forced the whole world to come under
its banner and join its camp."

Many of the hacked pages are in Arabic, including those with the most
updated information, said Devon, whose Washington, D.C., group tracks
Al Neda, the alleged online arm of al-Qaida.

Propaganda outlet

Based on his research of previous al-Qaida sites, Devon thinks the
messages on Cano's pages and the other Liquid Web sites come from
officials within al-Qaida.

"It's definitely a propaganda outlet," Devon said. "That's one of the
fronts al-Qaida realizes they have to wage. They're trying to appeal
to Web-savvy young men."

Some of the Al Neda pages, Devon said, contain pictures of guns and
bomb-making manuals in Arabic. Specific plans of future attacks aren't
on the site, although Devon said it's possible they use code words to
communicate attacks.

Until last summer, similar content from the Center for Islamic Studies
and Research was found on alneda.com. But a Maryland operator of
pornography Web sites took the domain name when it expired. The
porn-site operator claimed the domain name using Snapnames, a Portland
company that places people on waiting lists for Web addresses.

Since then, Devon said, Al Neda has been hacking into various sites
around the globe to spread its message. Once the sites are discovered
and shut down, a new Al Neda site pops up within 48 hours. News of the
Web sites, he said, spreads by word of mouth and in Arabic newspapers.

"The Web site they're putting up is literally how al-Qaida
disseminates new information," Devon said.

Cano said he thinks the Web site defacement wasn't in response to the
statements on his site about science and the late Carl Sagan. He
hasn't received an e-mail about his site for about two years, he said.

"I was just an unlucky target," Cano said. "I completely abhor, detest
and want nothing to do with the entity or people who put that in my
domain."


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

