Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘CAUI’ Category

Inspire Magazine Analysis: Going Green for College Age Recruits

with one comment

Now that the file has been around a while, I have gotten around to reading all 61 pages of it and have the following analysis to blog about. After thinking about it a bit and doing some research from data culled from the file and the prose I have to say that yes, this is a slick attempt at recruitment for the teen-twenty somethings in the West. However, when I say slick, I only mean that it has some interesting graphics and methods to get kids to join their cause. On the whole though, it is an uneven piece of propaganda that does harbor some serious portents about things that I have mentioned here before.

  • They are adopting espionage tradecraft
  • They are splintering further down, advocating small independent action cells
  • They are using encrypted communications and advocating for more secure operations online
  • They have begun marketing to the “youth culture”
  • That same “youth culture” that idealists inhabit includes the “green movement” arguments
  • They have begun to adopt the more mainstream propaganda tools of major governments

I have to say, these guys are learning, and I swear that they have begun to read psyops texts as well as Advertising Age to get to where they think they need to be to win. This is something different; however, it is not as much of a threat to the nation as “they” would have you think, going by their posts and chatter after its release and its subsequent hacking/infection by malware.

All they really need to do next is watch “Cool Hunters” on PBS and then apply some more of these tactics.. Then they could maybe sell.. Well, would any Western teen buy into the 72 virgins idea? I think not. So, they try to be slick and all Mad Men, but they fail because of what they are trying to sell…

Religious zealotry and a culture of loving death.

Which, I should think, is quite the opposite of the Western mindset. Of course they are trying to get the whole “It’s an adventure” thing going with all the talk of going on site and fighting the good fight, but it just will not ring true with the majority here in the US. Of course, there are always those who are willing to follow along. I think though, that most will have to be deranged or brainwashed by the local Imam and cell mosque in order to really buy a ticket and bring a friend along for the ride. These folks also more than likely will be originally from other countries that they feel ties to, which are reinforced by this type of rhetoric.

So, here are some observations:

The first article attempts to make a “green” argument for jihad and the removal of the US from the area. This is an alleged piece by OBL and claims that all of our problems with the world are oil based and this can be remedied by Jihad. In other words, Allah will be loving it if you get the khafir out of the Muslim lands. Once that happens it’s all good.

This was quite interesting to see OBL getting all green. Somehow I doubt it was actually him doing the writing here. I just don’t see OBL wearing a Greenpeace shirt and protecting a baby harp seal.. Do you?

The articles vacillate between saying that if you leave there will be peace and “all khafir must die.” There are some wild mood swings in this PDF. It’s almost like you were talking to someone in anger management therapy and you have to talk them off the ledge.

Mukhtar’s piece is oriented toward college age males with media board bandito imagery. He also advocates bringing a friend and learning the language. This is the very “college” looking piece and is aimed at the twenty somethings. I would hazard a guess too, that the handwritten look is not just a type font, but in fact someone’s actual handwriting. Let the graphologists loose!

Abu Musab Al Suri’s piece advocates small cell/single jihadi terrorism. There is a long section of history and philosophy on their war thus far. They have learned that the agile force is the one that is hard to catch, hard to destroy, and has the most bang for their buck. Thus they are advocating making small bombs at home that could kill 10 people as a step toward learning how to make bigger ones. All the while they are using guerrilla warfare tactics and philosophy to sell jihad everywhere. What it boils down to is this: do this at home and breed fear. This is a dangerous idea because inevitably there will be people who buy into this. The bomb making section has been removed from the document for your and my protection.

Technologically, they are getting more savvy. The writers have given the would-be jihadis pointers on internet security that include the use of encryption technologies (Al Majahden 2), which I have written about before and have a copy of that has been pulled apart. They even go as far as to show how to authenticate that the program is official with hash signatures. They also advocate the use of proxies as well as working from internet cafes. Another surprise was a section on cell phone safety too, AND the use of live distros on USB. It was inevitable, as all this is out there on the hacking sites anyway.
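The “authenticate the program with a hash” step mentioned above, as an added example (not code from the page or from the program it discusses): parse a sha256sum/md5sum-style list, verify a download against it, and flag digests that are weak. The file bytes and the published list are constructed for the demo. A digest posted next to the download by the same party only shows the copy matches what that poster intended; it says nothing about who the poster is.

```python
"""Check a download against a published hash list and flag weak digests.

Added example for this post; not code from the page or from the program it
discusses. Digest length selects the algorithm (sha256sum/md5sum-style lists).
The "file" bytes and the published list below are constructed for the demo.
"""
import hashlib
import hmac
import re

_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_WEAK = {"md5", "sha1"}  # collision-prone: a match here is weaker evidence
_LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{32,128})\s+\*?(\S+)\s*$")  # '*' = binary-mode marker


def parse_hash_list(text: str) -> dict:
    """'HEX  filename' lines -> {filename: (algorithm, lowercase hex digest)}."""
    published = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # prose, blank lines, or something that is not a digest
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo:
            published[name] = (algo, digest)
    return published


def verify(data: bytes, name: str, published: dict) -> dict:
    """Compare data against the published digest for name (constant-time compare)."""
    if name not in published:
        return {"match": False, "algo": None, "weak": False, "reason": "no published digest"}
    algo, expected = published[name]
    actual = hashlib.new(algo, data).hexdigest()
    ok = hmac.compare_digest(actual, expected)
    return {"match": ok, "algo": algo, "weak": algo in _WEAK,
            "reason": "ok" if ok else "digest mismatch: corrupted or altered copy"}


# Constructed sample: the bytes as the publisher released them, and a copy with
# one byte appended, which is how a damaged or tampered download typically differs.
GOOD_COPY = b"constructed sample: program as released\n"
ALTERED_COPY = GOOD_COPY + b"\x00"
PUBLISHED_TEXT = (
    f"{hashlib.sha256(GOOD_COPY).hexdigest()}  program.exe\n"
    f"{hashlib.md5(GOOD_COPY).hexdigest()}  legacy.exe\n"  # same bytes, older digest type
    "this line is not a digest\n"
)
PUBLISHED = parse_hash_list(PUBLISHED_TEXT)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_COPY), ("altered", ALTERED_COPY)):
        print(label, verify(blob, "program.exe", PUBLISHED))
    print("legacy", verify(GOOD_COPY, "legacy.exe", PUBLISHED))
```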

In the final analysis, they also put in their public key as well as a series of emails to contact them with. Ironically, the actual posting of the pubkey gave me something to use in Maltego and it turned up some very interesting results! I will be chasing those down in the near future, as well as more on the email addresses.

I wonder if there will be an issue #2….

I have to say though, that their market of young and impressionable individuals may be swayed by some of their arguments. They do lay them out logically (well their logic) and try to use the tools of the west on itself, but then you hit the sections of “kill all kafir!” and you have to go

“whoa, where was I?”

As a psy-op they have gotten off to an interesting start…

The full file sans bomb making plans can be downloaded HERE. The sections omitted have graven images of Muhammad, so YAY, fatwas on me! Take a long swig of something and sit down to read the drivel.

CoB

Al-Faloja, Inspire, and Internet Security

leave a comment »



On July 2, 2010, the administrators of the Al-Faloja web forum warned that “enemies of Allah have stolen the account information of one of the Al-Faloja Islamic Forums administrators, and…caused havoc in the forums.” They urged forum members “out of courtesy and out of caution and concern to change” their “personal passwords”, although they “insured the forums and especially the copy that will be brought back…” In a June 9, 2010 posting on the Al-Faloja web forum, administrator Abu al-Aina’a al-Khorasani had warned of an “infiltration operation” targeting “the website of the Islamic Emirate in Afghanistan and the website of al-Sumood Magazine, which belongs to the Emirate.”

Oh my.. Well, it seems that all those links back to my blog were because of this, huh? Or was it the other way round? I suppose the logs on the web server will tell me just how many of them had looked in there and seen all the data I had culled over time. Or could it have been the mention of CAUI there in the above screenshot translation of my blog entry?

Inquiring minds want to know.. Say, uhh Abu al‐Hawraa, care to enlighten me?

Heh.

Anyway, this is an interesting turn of events because the word on the street is that other sites have been attacked. Perhaps they have? Perhaps they haven’t.. All I do know is that if you put something out there it is liable to be attacked by hackers, bots, and malware in short order. I mean, what was it, like 20 minutes or less for an unpatched Windows system to survive without protections online, last I heard? I hate to tell ya Admin, you are going to be popped any way you do it. Especially if you are dropping sites on servers without really taking care to secure them properly.

Just sayin…

Meanwhile, it seems that the Inspire magazine debacle has been percolating in the background and was augmenting this feeling that they had been pwn3d.

In a July 11, 2010 online posting, an administrator of the Al‐Faloja forum asserted that Al‐Qaida’s “dangerous” English‐language “Inspire” magazine “provoked” recent cyberattacks on the forum: “that and nothing else.” He also asserted that “Inspire” magazine “is considered a unique transformation and a proactive hit in the history of the standing struggle between Kufr and faith; it even is a media martyrdom operation and I do not exaggerate in this description.” He promised impending “good news of an audio attack that will highly pain you, through one of the media establishments, so await the slap and turn the other cheek for another.”

Full text HERE

Now, their claim is that they were attacked further because of the magazine.. Even to the point that the mag was compromised by a trojan by someone out there looking to do them harm. Maybe…Maybe not. Maybe instead they infected the document themselves, huh? After all, the majority of the stuff I have found out there has been created on mostly Windows XP machines so, perhaps they got infected and just passed it on? Or maybe someone did get in the middle of the uploading process and propagated a new unclean version for all the little jihadi kiddies to download and pwn themselves, huh?

😉

Maybe we will never know…

However, on that contention that your product was so revolutionary, uhh yeah, it was slick looking for a cut and paste from a 20 something and a PC in Yemen, but revolutionary? Nah. It was pretty pedantic really and you should face facts Abu. I certainly did not see it as any kind of threat and I am sure that the government didn’t either really. The media, well, they need things to slather on about to get the ratings really, so if you got play from that ok.. you got play, but anyone with a frontal lobe thought it was crap.

So Abu, you are on the defensive now, huh? All this has your hackles up? Worrying that your sites, all mirrored, are compromised and your details are being harvested? Shucks, them’s the breaks. You want to have outlets like the php boards, you better be prepared to get compromised now and then. I mean, it’s the Internet, man! Everyone gets pwn3d…

Sometimes more than once…. See ya out there Abu

CoB

5 Reasons to Doubt Al-Qaeda Magazine’s Authenticity: Gives One Ideas, False Flag Anyone?

leave a comment »

The 5 reasons:

(1) Bin Laden and Zawahiri are extremely secretive and issue statements rarely and directly to the media. It would be unusual for them to write for a third-party publication, especially one put out by the Yemen-based AQAP, with which they have little or no direct ties. However, it is possible that the magazine’s producers simply copied old statements they had made.

(2) The language of the magazine, such as “Make a bomb in the kitchen of your mom,” reflects either a poor command of English or a light-hearted sense of self-parody. AQAP is not known for either. Awlaki, whose location in Yemen makes his participation very plausible, is a native, fluent, and very articulate English speaker. His fiery English-language sermons are not funny.

(3) The magazine includes an essay by Abu Mu’sab al-Suri. But Suri, whose connection to al-Qaeda is uncertain, has been locked up in Guantanamo–and possibly a CIA black site–since 2005. However, as with bin Laden, it is possible the magazine simply copied old statements.

(4) Analysts tell me that the magazine PDF file either does not load properly or carries a trojan virus. This is unusual because al-Qaeda and AQAP have produced and disseminated such PDF publications many times without such problems. If the report was produced by U.S. counterintelligence, or if the U.S. operatives attached the virus to the original file, would the trojan really be so easily detectable by simple, consumer-grade virus scanners? Surely U.S. counterintelligence has less detectable viruses at their disposal.

(5) The web-based “jihadi” community itself seems suspicious. The report has received little attention on web forums, especially given its apparent importance. A publication including such high-profile figures would normally receive far more attention than it has so far.

Full article HERE. Inspire AQAP Glossy HERE (CLEAN).

Exploit or Ineptitude?

When this file came out I too had some issues with it not downloading fully from the myriad of uploader sites that the Jihadis had “ostensibly” uploaded it to. I attributed it to a lack of understanding on their part: that the original had been corrupted somewhere along the line between sharing partners and propagated that way. However, given all of the data post release and some looking into, I think there are a couple of scenarios that might fit the bill:

1) The original was sent out to the trusted before going wide. Once sent wide, it was quickly infected with malware by persons unknown and propagated further on the internet.

2) The reason for the placement of the malware could be to sow distrust on the part of the jihadis trafficking in the data, by persons unknown. This makes it an untrusted channel and makes it more likely that people will not download it too quickly in the future. I say this because the malware was easily detectable by current AV products. Had this been a program of the intelligence agencies, they would have indeed used 0day that was not detectable. The same could be said for certain factions of the hacking community who may have an interest in helping the other “community”.

3) This was indeed some sort of poorly conceived exploit by some organization as the malware was easily detectable.. They screwed up.

I cannot say either way, and I have not as yet seen a copy of the “infected” file to prove out that it did indeed have malware embedded in it. The current version that I have on my server (linked above) is clean, but I believe that I have another dirty copy on another *nix box. I will check that later and amend this post once I have. All of this though does not lead me to believe that the magazine was part and parcel created by anyone else but a jihadist movement faction that offered it to AQAP.

You can go on the cues from above about the language and the other telltale clues that this is not a straight-out work of GIMF or As Sahab. The writer of the article is right on this account, in that the language would have been much better constructed by bilingual speakers of Arabic and English, as you have seen in the past. The Al-Awlaki connection too may be there, but he likely did not have direct oversight of this magazine. In fact, when I pulled the metadata on the PDF file that I got hold of today, there was NONE in it. So it is hard to say who made the file at present. I will check again once I find that dirty copy I downloaded when it came out, for metadata in situ.
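The two checks run on the magazine file above, pulling the PDF’s /Info metadata and looking for embedded active content, as one added example (not the author’s tooling, nor code from the page): it works over the raw bytes with the standard library only, so it still answers on a damaged copy that a full parser refuses to load, expands Flate streams, and resolves `#xx` name escapes so a hidden `/JS` does not dodge the scan. The three sample PDFs are constructed inline, including one with no metadata at all, the case the post describes.

```python
"""Triage a PDF: pull /Info metadata and flag active-content keys.

Added example for this post, not code from the page or any tool it mentions.
Regexes over raw bytes plus the standard library, so it gives answers on damaged
files a strict parser rejects. The sample PDFs at the bottom are constructed.
"""
import re
import zlib

# /Info keys worth recording: Creator and Producer usually name the authoring
# tool (and often the OS), which is what this kind of attribution looks for.
INFO_KEYS = ("Title", "Author", "Subject", "Creator", "Producer", "CreationDate", "ModDate")

# Names that let a document run, launch or fetch something when it is opened.
ACTIVE_KEYS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia", "/URI")

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every Flate stream (partial output is kept)."""
    inflated = []
    for m in _STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates trailing bytes and returns whatever a
            # truncated stream did yield, which suits half-downloaded files.
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate (image data etc.); the raw bytes are still scanned
    return data + b"\n" + b"\n".join(inflated)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names (/J#53 -> /JS) so they cannot dodge the scan."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def prepare(data: bytes) -> bytes:
    """Normalise a PDF for scanning: expand Flate streams, then resolve name escapes."""
    return _unescape_names(_inflate_streams(data))


def extract_info(scanned: bytes) -> dict:
    """Literal-string /Info values present in the file; {} when there is no metadata."""
    found = {}
    for key in INFO_KEYS:
        m = re.search(rb"/%s\s*\((.*?)(?<!\\)\)" % key.encode(), scanned, re.DOTALL)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def flag_active_content(scanned: bytes) -> list:
    """Active-content names present, in the order of ACTIVE_KEYS."""
    return [k for k in ACTIVE_KEYS
            if re.search(re.escape(k.encode()) + rb"(?![A-Za-z])", scanned)]


def triage(data: bytes) -> dict:
    """One-shot verdict for an analyst: header/EOF sanity, metadata, active keys."""
    scanned = prepare(data)
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "has_eof": b"%%EOF" in data[-1024:],  # missing marker: truncated or damaged copy
        "info": extract_info(scanned),
        "active": flag_active_content(scanned),
        "has_objstm": b"/ObjStm" in scanned,  # object streams may still hide dictionaries
    }


def _pdf(objects, trailer_extra=b""):
    """Assemble a minimal demo PDF (xref offsets omitted; the scanner does not need them)."""
    body = b"\n".join(b"%d 0 obj\n%s\nendobj" % (i, o) for i, o in enumerate(objects, 1))
    return b"%PDF-1.4\n" + body + b"\ntrailer\n<< /Root 1 0 R " + trailer_extra + b" >>\n%%EOF\n"


CATALOG = b"<< /Type /Catalog /Pages 2 0 R >>"
PAGES = b"<< /Type /Pages /Kids [] /Count 0 >>"

# Constructed sample 1: ordinary document with authoring-tool metadata.
CLEAN_PDF = _pdf([CATALOG, PAGES,
                  b"<< /Producer (Microsoft Office Word 2007) /CreationDate (D:20100701120000Z) >>"],
                 b"/Info 3 0 R")

# Constructed sample 2: metadata stripped entirely, the case the post describes.
NO_META_PDF = _pdf([CATALOG, PAGES])

# Constructed sample 3: /OpenAction pointing at a JavaScript action hidden in a
# Flate stream, with the /JS name written as /J#53 to dodge a naive grep.
_ACTION = zlib.compress(b"<< /S /JavaScript /J#53 (app.alert('constructed sample')) >>")
SUSPICIOUS_PDF = _pdf([b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>", PAGES,
                       b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
                       % (len(_ACTION), _ACTION)])

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("no-metadata", NO_META_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(name, triage(pdf))
```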

As for Giving One Ideas..

All of this has given me ideas on perhaps how the information war should be waged against AQ and other online Jihadist movements, if it already isn’t being done by the likes of the NSA. What if such PDF files were commonly compromised with 0day? The jihadists usually traffic pretty much only in PDF files nowadays. If you go to their sites you can’t even get a lock on the files there because they have uploaded them all to share sites all over the globe. So, who’s to say that there aren’t some governmental bodies out there with access to those .com .net sites and infecting the files soon after the uploads happen?

I’d be doing that…

Hell, I’d be loading the files with malware for all the major OSes out there, not just Windows variants… Which, we know a good percentage of these online jihadis are using Windows, as you may have seen in the posts I have made. The only problem then would be that if you are doing this to the downloaders, it leaves the creators still potentially unaffected.. How to get the creators’ boxes, I wonder….

I guess the question is… is this already being done? If not.. Why not? Seems to me that we could get a pretty nice haul if you compromised all those downloaders’ boxes and set up a nice back channel server somewhere to aggregate all the data as well as do some escalation….

Maybe the government just needs a good copy of Core Impact huh?

CoB

Jihadi Hacking Tutorials: Irhabi 007’s Text and More….

with 2 comments

I recently posted some preliminary findings on files found on Jihadist websites for hacking: actual full tutorials on how to hack that ended up with actually useful data and tools for the jihadis to hack in the name of Allah. In looking at those files I also ran across a section of .pdf files that included a text that, if I read correctly, is from Younis Tsouli aka “Irhabi 007” (Terrorist 007). Like the autorun/distro-like tutorials from earlier, these PDFs run the gamut of current hacking attacks that are the hack-du-jour: PHP hacking, SQL, Linux/*NIX hacking, database hacking of various kinds, etc. Much of this data has been taken from other sites like MILW0RM and others, translated into Arabic with notations and put into the PDF format for dissemination on jihadi sites and/or certain Arabic hacking group sites like XP10.

With each tutorial though, the hackers had to add their own personal emails on there, so I have about 10 or so addresses to put into Maltego and Google. So far, “metoovet”, who created the tutorial on hacking that I posted about last, seems to be rather open in using his hotmail address on other sites, including a business site for programming. The site is ostensibly his, and via a whois I was able to get another address of his. The sum of the data points toward his being not only a hacker/programmer, but he also claims to be a medical student.

Heh.

I will continue the poking about on this, but I thought these files would be interesting for you all to see. They were uploaded to the megashare a while back and I am sure have proliferated all over.

The Files

On the 007 text though, I need a good way to translate the pdf file. His stuff was pretty comprehensive too…

More soon.

CoB

MJAHDEN: Jihadi Crypto Program

with one comment

While looking through one of the jihadi sites I came across this little missive in their super secret file area on hacking. This is a little program developed by “R3P” to encrypt data for jihadi use. I guess they aren’t too trusting of, say, “PGP” or any of the other programs they could grab on bittorrent.

MJAHDEN is the tool and I have yet to decompile and poke at it. It will be interesting to see exactly how they are encrypting things and what kind of crypto hack this guy is.

*NOTE* (rar file is live and all precautions should be taken before executing the .exe kids)

I suspect that this program will not have an extensive crypto algorithm, so reverse engineering should be fairly easy. This is one of the first times I have actually run into the program, but I have heard that they have been developing programs like this and other iterations of perhaps the same one. The post here was a little older, but still valid, as it was at the top and still being commented on by jihadis thanking R3P for his holy creation.

So, all you technofreaks out there who wanna play, be my guest.. Let me know if you find anything of note and I will post my findings after I mess around a bit with it.

MEANWHILE.. BACK AT THE RANCH….

I have been busy lately so things have slowed on the posting and my forays into the jihadi world. However, with the onset of this new guy in Jamaica (Abdulla el-Faisal) I decided to do a little looking at his internet presence. Off of the Wiki site there is a link for his main page. I checked this out with the usual tools and came up with an interesting link to a 4shared site. This site belongs to a user named m.rahman007 and in it are a plethora of mp3 sermons by this guy el-Faisal. At present I am listening to the jihad speech now and this guy really needs to be picked up for incitement to violent jihad. Considering he has been at the nexus of so many of the terrorist plots over the years, he is still thumbing his nose at everyone from his cozy Jamaican digs.

To top it off, in my searches of this site I have a direct email from Faisal Shahzad to el-Faisal. So, as you may have heard before on the news, he did have direct contact with him and you now can see it in that link above. All of my work tonight was spurred by an article that I read that reported on the sudden light bulb moment for the authorities that the internet has been used for online recruitment of not only foreign jihadis but now “home grown or naturalized” ones too… And we have no way to fight it..

Who’da thunk it?

Wakey wakey folks in government!

One only hopes that they think about it logically and not have knee jerk reactions… Oh, who am I kidding?

CoB

Muwahideen.info: Ghulam Ali’s Web of Jihadist Propaganda

with 7 comments

A random Google search led me to the site: sitedossier.com which culls certain types of data from websites and domain scraping. The site originally did not impress me until I began to look at the external links from it as well as the links from other sites that pointed to the muwahideen.info site. What I found was that this was not just one site, but a myriad of sites hosted on different domains all over the globe.

Here are a few of them:

al-muwahideends4a.com
haque.110mb.com
tawhed.zxq.net
muwahideen.t35.com
muwahideen.info
forgottenobligation.wordpress.com
urduansaar.wordpress.com
muwahideen.tk

All of these sites are mirrors and all of them have links to the usual video, ebooks, etc. that comprise jihadist propaganda. You have the greatest hits, so to speak, even up to Anwar al-Awlaki’s posts on how Jihad is as American as apple pie now (yeah, he really said that).

Through the usual means, I began to track all the sites, make the connections between them and try to get a bead on who the owner/operator might be. It wasn’t until I located the actual .info site that I was able to get a decent lock on an owner’s name. All of the other sites lacked an owner name, but the .info I think was the first, and he used his real name when he set it up. The name of the person is Ali Ghulam… Or perhaps it is Ghulam Ali, I am not sure of the convention there.

At any rate, by using the data from that site’s whois call, I was able to get more of his personal data through a Google search of the email address given in the WHOIS (alipk3@hotmail.com).
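The pivot described here (and the e-mail-to-Maltego pivot in the Irhabi 007 post above), as an added example that is neither the author’s method nor any tool’s output: parse WHOIS text in the two layouts seen on this page (“Registrant Email:” / “Registrant Phone:” and the per-role “Email Address:” / “Phone:” blocks), normalise e-mails and phone numbers, and group domains that share a contact, transitively. The four records are constructed placeholders, not the real registrations.

```python
"""Pivot across WHOIS records on shared registrant contacts.

Added example for this post; not the author's method or any tool's output. It
parses the two record layouts seen in the post, normalises e-mail addresses and
phone numbers, and links domains that share a contact (transitively, so A-phone-B
and B-email-C land in one cluster). The records below are constructed.
"""
import re
from collections import defaultdict

_DOMAIN_RE = re.compile(r"^\s*Domain Name\s*:\s*(\S+)", re.I | re.M)
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# "Registrant Phone: ...", a bare "Phone: ..." or "tel: ..."; "Phone Ext.:" does not match.
_PHONE_RE = re.compile(r"^[^:\n]*(?:Phone|Tel)\s*:\s*([+()\d .-]{7,})\s*$", re.I | re.M)


def normalise_phone(raw: str) -> str:
    """Digits only, so '+00 123 4567' and '00.1234567' compare equal."""
    return re.sub(r"\D", "", raw)


def parse_record(text: str):
    """Domain, e-mail addresses and phone numbers from one WHOIS text (None if no domain)."""
    m = _DOMAIN_RE.search(text)
    if not m:
        return None  # no Domain Name line: nothing to attribute the contacts to
    return {
        "domain": m.group(1).lower().rstrip("."),
        "emails": {e.lower() for e in _EMAIL_RE.findall(text)},
        "phones": {normalise_phone(p) for p in _PHONE_RE.findall(text)},
    }


def build_index(records) -> dict:
    """Map each contact ('email:x' / 'phone:x') to the set of domains listing it."""
    index = defaultdict(set)
    for r in records:
        for e in r["emails"]:
            index["email:" + e].add(r["domain"])
        for p in r["phones"]:
            index["phone:" + p].add(r["domain"])
    return index


def shared_contacts(records) -> dict:
    """Contacts that appear on more than one domain: the pivot points."""
    return {c: sorted(d) for c, d in build_index(records).items() if len(d) > 1}


def cluster(records) -> list:
    """Groups of domains linked transitively through any shared contact (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domains in build_index(records).values():
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)
    groups = defaultdict(list)
    for d in parent:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


def pivot(whois_texts):
    """Parse raw WHOIS texts; return (shared contacts, clusters) for the analyst."""
    records = [r for r in map(parse_record, whois_texts) if r]
    return shared_contacts(records), cluster(records)


# Constructed sample records (placeholder values; layouts mirror the ones in the post).
SAMPLE_RECORDS = [
    "Domain Name: EXAMPLE-MIRROR.INFO\nCreated On: 09-May-2009 11:01:20 UTC\n"
    "Registrant Name: Registrant One\nRegistrant Phone: 00.1234567\n"
    "Registrant Phone Ext.:\nRegistrant Email: contact@example-host.test\n",
    "Domain Name: example-business.test\nRegistrar: Example Registrar\n"
    "REGISTRANT CONTACT INFO\nRegistrant One\nPhone: +00.009876543\n"
    "Email Address: personal@example-mail.test\nADMINISTRATIVE CONTACT INFO\n"
    "Registrant One\nPhone: +00.009876543\nEmail Address: personal@example-mail.test\n",
    "Domain Name: unrelated.test\nRegistrant Email: someone-else@example.test\n"
    "Registrant Phone: 00.7654321\n",
    "Domain Name: example-forum.test\nPhone: +00 123 4567\n"
    "Email Address: personal@example-mail.test\n",
]

if __name__ == "__main__":
    shared, clusters = pivot(SAMPLE_RECORDS)
    print(shared)
    print(clusters)
```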

But wait, there’s more! Ghulam Ali has been a busy boy online. He even has a consulting service that outsources code creation and other types of services to anyone in need.. All from Pakistan… His company softsolutions.com.pk isn’t the only one, either. He has a slew of companies and sites out there, all registered under the same Lahore contact details in their WHOIS records.

Oh yes, he has been a busy boy indeed. So, exactly when he turned to posting up Jihadist websites I am not too sure. However, he has quite a few of them including some new additions like a Facebook page.

Hey Zuckerberg, how about some security on that shit huh? Yeah, well, evidently Jihad has gone all “Facebook” now. I am going to have to go through that site and collect the “friends” to see just who is tuning in there. Note though, that they have the Al-Faloja site links there as well as other Urdu sites so this is a recent addition.

Along with this Facebook site our boy has set up two wordpress sites:

forgottenobligation.wordpress.com
urduansaar.wordpress.com

Each of these sites has even more current content and commentary in English and Urdu on Jihad’s precepts, and sings its praises from the likes of GIMF and a jihadist youth movement group, Al-Shebaab.

I am still doing the final work on collating all the data on these sites but I certainly hope that Facebook and WordPress both take the time to read their emails and lock the sites out as well as get the feds involved.

Meanwhile, Mr Ghulam Ali, I think you’re about to get some interesting internet traffic coming your way. And anyone who might be using his services to outsource their coding or whatever else should maybe not work with him any more… Or at the very least do some research….

CoB

Written by Krypt3ia

2010/05/18 at 23:54

McAfee: “Al-Qaeda Engaged in Online Military Training” You don’t say!….

leave a comment »

Thus along with real-world activities, the jihadists use the Internet to pursue a psychological war, communicate and coordinate, finalize their strategies, and obtain financing. With structures such as the GIMF, they also distribute the necessary tools to see the jihad through to the end. They wish to create a “jihad virtual university” with the creation of a worldwide caliphate as its ultimate objective. Through the Internet they attempt to indoctrinate and encourage people to commit themselves to violent activities against their enemies.

One activity the GIMF is working on is the Caliphate Voice Channel (CVC) for video distribution. Another is the development and distribution of their own VPN and encryption software. The jihadist movements are reluctant to use standard encryption software such as PGP because they fear a backdoor within the implementation.

Evidently, while not actually making sure that their product wasn’t going to hose the svchost.exe file, someone was attending a conference on Jihadist activities on the internet and their threat. Though I am glad that they are getting a rudimentary knowledge base on how the Jihadis are working online, I really wish McAfee would just stick to trying to not crash all our systems out there with a false positive on a known good file.

Anyway, the McAfee post does have some interest for me because I rarely see this kind of attention being given to the MO for these guys online. The only times I really see this is if you are at a conference or reading in specific LEO type journals as to how to find and combat “Internet Jihad”. This information though is not new; the jihadists have been doing this since about 2003, with more reliance on the internet because their lines of communication have been scattered locally.

With the onset of the war in Afghanistan and Iraq, the impetus to not only communicate via the internet but to also recruit by it has become more a necessity for the likes of Al Qaeda. By making their reach more global, with easy access from any point in the world that has an internet connection, they are able to proselytize, propagandize, and have a new form of C&C to pull the strings of jihad from anywhere, even that alleged cave in Tora Bora potentially.

Where the Jihadis have been doing new things is with the media. They have become very adept at creating not only phone cam videos of their shahid blowing up trucks etc., but now have full editing software packages and mobile editing rooms to create all kinds of propaganda videos like the recent Gadahn video dawa. They then propagate the videos to the internet via their own sites as well as stealth uploads to other legitimate sites, unbeknownst to their admins.

What is more interesting to me though is the talk of using their own home grown VPN software. This would make it rather hard for anyone on the opposing team to see their traffic on the wire unless they had some man-in-the-middle attack or had broken their particular version of crypto for a replay attack. If they set up something analogous to a TOR session, an encrypted tunnel, then this would make things a bit more difficult to track.

The only thing I had heard them talk about of late was PalTalk, which indeed may be somewhat the same thing. PalTalk is a chat/voip product that they use to talk to one another securely.. Well as secure as it is.. I have not looked into that as yet. However, imagine then if they had set up stealth servers on popped boxes and are only using SSH sessions to shell in and chat? Perhaps super stealth sites or bulletin boards that are web headless but would serve a purpose as a meeting place as well as dead drop?

… But that would be for the tech savvy… Have no doubt that there are more than a few who are… But it’s certainly not mainstream for them as yet.

No, for the jihadis’ purposes, they want to have some security but also great accessibility to their content. They want to get the word out and to lure in the weak minded to their cause. Just as the BVD bomber was posting on chat groups, these sites, like the ones I have been posting about, are advertised if you know where to look. Many of them are invite only and you have to know someone to get in anyway. This doesn’t stop them though from using YouTube and other sites to post videos of jihadi songs (nasheeds) to sing the praises of their comrades who have fallen, as well as dawas and other recruitment materials. Just take a surf through there and you can see all the videos that go up daily.

Oh well, I am sure now that McAfee is on the case we are all safe….

CoB

Al-Falluja Forums: The Survivor Is….

Well, post the little incident with Al-Falluja forums going boom, and then finding my site mirrored on their last “stealth” server, I just had to pay more attention to my pals at Al-Falluja! What with the Nmaps from Bangkok, threats via email/posts and all, I felt the need to check out the site and see just what was what. Well, they are still there, the sole outpost out of a mirror list of about 8 sites.

Poor bastards.. down to one mirror… heh.

Anywho, I managed to enumerate about 60 users who are native English speakers (they have English user names, so it’s an assumption on my part) and conducted a vulnerability assessment on the stealth site. All of the data has been collated into a report for Johnny Utah and the Dead Presidents and will be passed on next week. Some interesting tidbits are the following:

ibenfalastin http://myworld.ebay.nl/ibenfalastin

tholqarnain http://www.youtube.com/user/tholqarnain Also uploads on bittorrent

7amoood email address: king7amoood@hotmail.com

jund1986 email address: for@dl4all.com http://www.dl4all.com/index.php?do=lastcomments&userid=564387

al9a39a3 Email: schwert22@yahoo.de http://www.youtube.com/user/bourtoukali1234 could be same person Location UK http://www.muslimmatch.com/profile.php?user=al9a39a3

almojahid10 Location: Morocco

http://vip611.com/vb/member.php?u=4064

http://cars-club.maktoob.com/vb/member.php?u=689016

Khalidibnalwaled http://www.japanesesportcars.com/videos/watchthis/-EZNpVcpCZs/nasheed-o-who-blames-me—.html

Alnaheem007 http://www.youtube.com/user/alnaheem007

thelordofpc aka Amir monir hosni

The biggest potential find was the actual name that relates to thelordofpc… Amir Monir Hosni if that is his real name. I found this on a post with his user name on a programming site. The Maltego of this user name gives me some indication though that I am right with this one. I am just hoping that he did not use a false name when he wrote his little post on programming on another site.

All in all, not much more I can give up here. Johnny Utah gets the rest. Suffice to say though, I think the last Falluja site is about to go dark soon.. Oh, and you jihadis, if you see this post and get all in a lather, please feel free to hit up the server… I would love to audit all the traffic.

Ciao boys.

And The Nmap’s Begin…

with one comment

4    4/1/2010 6:14    SCAN nmap TCP    61.150.43.96
5    4/1/2010 6:14    SCAN nmap TCP    117.35.158.20
15    4/1/2010 3:45    SCAN nmap TCP    61.150.43.96
16    4/1/2010 3:45    SCAN nmap TCP    117.35.158.20
24    4/1/2010 1:46    SCAN nmap TCP    61.150.43.96
25    4/1/2010 1:46    SCAN nmap TCP    117.35.158.20
72    3/31/2010 17:45    SCAN nmap TCP    118.175.133.51
73    3/31/2010 17:44    SCAN nmap TCP    118.175.133.51
74    3/31/2010 17:43    SCAN nmap TCP    118.175.133.51
75    3/31/2010 17:42    SCAN nmap TCP    118.175.133.51
76    3/31/2010 17:39    SCAN nmap TCP    118.175.133.51
77    3/31/2010 17:38    SCAN nmap TCP    118.175.133.51
78    3/31/2010 17:37    SCAN nmap TCP    118.175.133.51
79    3/31/2010 17:36    SCAN nmap TCP    118.175.133.51
80    3/31/2010 17:19    SCAN nmap TCP    118.175.133.51
81    3/31/2010 17:18    SCAN nmap TCP    118.175.133.51
82    3/31/2010 17:17    SCAN nmap TCP    118.175.133.51
83    3/31/2010 17:15    SCAN nmap TCP    118.175.133.51
84    3/31/2010 16:55    SCAN nmap TCP    118.175.133.51
85    3/31/2010 16:54    SCAN nmap TCP    118.175.133.51
86    3/31/2010 16:53    SCAN nmap TCP    118.175.133.51
88    3/31/2010 16:52    SCAN nmap TCP    118.175.133.51
96    3/31/2010 16:51    SCAN nmap TCP    118.175.133.51
97    3/31/2010 16:50    SCAN nmap TCP    118.175.133.51
98    3/31/2010 16:49    SCAN nmap TCP    118.175.133.51
99    3/31/2010 16:48    SCAN nmap TCP    118.175.133.51
100    3/31/2010 16:47    SCAN nmap TCP    118.175.133.51
101    3/31/2010 16:46    SCAN nmap TCP    118.175.133.51
121    3/31/2010 15:45    SCAN nmap TCP    118.175.133.51
122    3/31/2010 15:43    SCAN nmap TCP    118.175.133.51
123    3/31/2010 15:42    SCAN nmap TCP    118.175.133.51
124    3/31/2010 15:41    SCAN nmap TCP    118.175.133.51
125    3/31/2010 15:40    SCAN nmap TCP    118.175.133.51
126    3/31/2010 15:39    SCAN nmap TCP    118.175.133.51
127    3/31/2010 15:38    SCAN nmap TCP    118.175.133.51
128    3/31/2010 15:37    SCAN nmap TCP    118.175.133.51
129    3/31/2010 15:36    SCAN nmap TCP    118.175.133.51
130    3/31/2010 15:35    SCAN nmap TCP    118.175.133.51
132    3/31/2010 14:20    SCAN nmap TCP    118.175.133.51
133    3/31/2010 14:19    SCAN nmap TCP    118.175.133.51
134    3/31/2010 14:18    SCAN nmap TCP    118.175.133.51
135    3/31/2010 14:17    SCAN nmap TCP    118.175.133.51
136    3/31/2010 14:16    SCAN nmap TCP    118.175.133.51
137    3/31/2010 14:15    SCAN nmap TCP    118.175.133.51
138    3/31/2010 14:14    SCAN nmap TCP    118.175.133.51
139    3/31/2010 14:13    SCAN nmap TCP    118.175.133.51
140    3/31/2010 14:12    SCAN nmap TCP    118.175.133.51
141    3/31/2010 14:11    SCAN nmap TCP    118.175.133.51
142    3/31/2010 14:06    SCAN nmap TCP    118.175.133.51
143    3/31/2010 14:05    SCAN nmap TCP    118.175.133.51
144    3/31/2010 14:04    SCAN nmap TCP    118.175.133.51
145    3/31/2010 14:03    SCAN nmap TCP    118.175.133.51
146    3/31/2010 14:02    SCAN nmap TCP    118.175.133.51
147    3/31/2010 14:01    SCAN nmap TCP    118.175.133.51
148    3/31/2010 14:00    SCAN nmap TCP    118.175.133.51
149    3/31/2010 13:59    SCAN nmap TCP    118.175.133.51
150    3/31/2010 13:58    SCAN nmap TCP    118.175.133.51
151    3/31/2010 13:57    SCAN nmap TCP    118.175.133.51
154    3/31/2010 12:59    SCAN nmap TCP    118.175.133.51
155    3/31/2010 12:00    SCAN nmap TCP    118.175.133.51
156    3/31/2010 11:59    SCAN nmap TCP    118.175.133.51
157    3/31/2010 11:58    SCAN nmap TCP    118.175.133.51
158    3/31/2010 11:57    SCAN nmap TCP    118.175.133.51
159    3/31/2010 11:55    SCAN nmap TCP    118.175.133.51
160    3/31/2010 11:54    SCAN nmap TCP    118.175.133.51
161    3/31/2010 11:54    SCAN nmap TCP    118.175.133.51
162    3/31/2010 11:53    SCAN nmap TCP    118.175.133.51
163    3/31/2010 11:52    SCAN nmap TCP    118.175.133.51
164    3/31/2010 11:36    SCAN nmap TCP    118.175.133.51
165    3/31/2010 10:46    SCAN nmap TCP    118.175.133.51
166    3/31/2010 10:42    SCAN nmap TCP    118.175.133.51
167    3/31/2010 10:04    SCAN nmap TCP    61.150.43.96
168    3/31/2010 10:04    SCAN nmap TCP    117.35.158.20
169    3/31/2010 10:04    SCAN nmap TCP    118.175.133.51
170    3/31/2010 10:02    SCAN nmap TCP    118.175.133.51
171    3/31/2010 10:02    SCAN nmap TCP    118.175.133.51
172    3/31/2010 10:01    SCAN nmap TCP    118.175.133.51
173    3/31/2010 10:01    SCAN nmap TCP    118.175.133.51
174    3/31/2010 10:00    SCAN nmap TCP    118.175.133.51
175    3/31/2010 9:59    SCAN nmap TCP    118.175.133.51
176    3/31/2010 9:59    SCAN nmap TCP    118.175.133.51
177    3/31/2010 9:58    SCAN nmap TCP    118.175.133.51
178    3/31/2010 9:58    SCAN nmap TCP    118.175.133.51
179    3/31/2010 9:57    SCAN nmap TCP    118.175.133.51
180    3/31/2010 9:57    SCAN nmap TCP    118.175.133.51
181    3/31/2010 9:56    SCAN nmap TCP    118.175.133.51
182    3/31/2010 9:55    SCAN nmap TCP    118.175.133.51
183    3/31/2010 9:55    SCAN nmap TCP    118.175.133.51
184    3/31/2010 9:54    SCAN nmap TCP    118.175.133.51
185    3/31/2010 9:53    SCAN nmap TCP    118.175.133.51
187    3/31/2010 9:09    SCAN nmap TCP    118.175.133.51
188    3/31/2010 9:08    SCAN nmap TCP    118.175.133.51
189    3/31/2010 9:07    SCAN nmap TCP    118.175.133.51
190    3/31/2010 9:06    SCAN nmap TCP    118.175.133.51
191    3/31/2010 9:05    SCAN nmap TCP    118.175.133.51
192    3/31/2010 9:03    SCAN nmap TCP    118.175.133.51
193    3/31/2010 9:02    SCAN nmap TCP    118.175.133.51
194    3/31/2010 9:01    SCAN nmap TCP    118.175.133.51
195    3/31/2010 9:00    SCAN nmap TCP    118.175.133.51
196    3/31/2010 8:59    SCAN nmap TCP    118.175.133.51
198    3/31/2010 8:22    SCAN nmap TCP    118.175.133.51
199    3/31/2010 8:21    SCAN nmap TCP    118.175.133.51
200    3/31/2010 8:20    SCAN nmap TCP    118.175.133.51
201    3/31/2010 8:19    SCAN nmap TCP    118.175.133.51
205    3/31/2010 6:48    SCAN nmap TCP    118.175.133.51
206    3/31/2010 6:47    SCAN nmap TCP    118.175.133.51
207    3/31/2010 6:46    SCAN nmap TCP    118.175.133.51
208    3/31/2010 6:45    SCAN nmap TCP    118.175.133.51
209    3/31/2010 6:44    SCAN nmap TCP    118.175.133.51
210    3/31/2010 6:43    SCAN nmap TCP    118.175.133.51
211    3/31/2010 6:42    SCAN nmap TCP    118.175.133.51
212    3/31/2010 6:41    SCAN nmap TCP    118.175.133.51
213    3/31/2010 6:40    SCAN nmap TCP    118.175.133.51
214    3/31/2010 6:39    SCAN nmap TCP    118.175.133.51
215    3/31/2010 6:37    SCAN nmap TCP    118.175.133.51
216    3/31/2010 6:35    SCAN nmap TCP    118.175.133.51
217    3/31/2010 6:34    SCAN nmap TCP    118.175.133.51
218    3/31/2010 6:33    SCAN nmap TCP    118.175.133.51
219    3/31/2010 6:32    SCAN nmap TCP    118.175.133.51
220    3/31/2010 6:31    SCAN nmap TCP    118.175.133.51
221    3/31/2010 6:29    SCAN nmap TCP    118.175.133.51
222    3/31/2010 6:28    SCAN nmap TCP    118.175.133.51
223    3/31/2010 6:27    SCAN nmap TCP    118.175.133.51
224    3/31/2010 6:26    SCAN nmap TCP    118.175.133.51
225    3/31/2010 6:25    SCAN nmap TCP    118.175.133.51
226    3/31/2010 6:13    SCAN nmap TCP    118.175.133.51
227    3/31/2010 6:07    SCAN nmap TCP    118.175.133.51
228    3/31/2010 6:06    SCAN nmap TCP    118.175.133.51
229    3/31/2010 6:05    SCAN nmap TCP    118.175.133.51
230    3/31/2010 6:04    SCAN nmap TCP    118.175.133.51
231    3/31/2010 6:03    SCAN nmap TCP    118.175.133.51
232    3/31/2010 6:02    SCAN nmap TCP    118.175.133.51
233    3/31/2010 6:01    SCAN nmap TCP    118.175.133.51
234    3/31/2010 6:00    SCAN nmap TCP    118.175.133.51
235    3/31/2010 5:59    SCAN nmap TCP    118.175.133.51
236    3/31/2010 5:58    SCAN nmap TCP    118.175.133.51
237    3/31/2010 5:30    SCAN nmap TCP    118.175.133.51
238    3/31/2010 5:29    SCAN nmap TCP    118.175.133.51
239    3/31/2010 5:28    SCAN nmap TCP    118.175.133.51
240    3/31/2010 5:27    SCAN nmap TCP    118.175.133.51
241    3/31/2010 5:26    SCAN nmap TCP    118.175.133.51
243    3/31/2010 5:03    SCAN nmap TCP    118.175.133.51
245    3/31/2010 4:55    SCAN nmap TCP    118.175.133.51
246    3/31/2010 4:54    SCAN nmap TCP    118.175.133.51
247    3/31/2010 4:53    SCAN nmap TCP    118.175.133.51
248    3/31/2010 4:52    SCAN nmap TCP    118.175.133.51
249    3/31/2010 4:51    SCAN nmap TCP    118.175.133.51
250    3/31/2010 4:50    SCAN nmap TCP    118.175.133.51
251    3/31/2010 4:36    SCAN nmap TCP    118.175.133.51
254    3/31/2010 3:15    SCAN nmap TCP    61.150.43.96
255    3/31/2010 3:15    SCAN nmap TCP    117.35.158.20
256    3/31/2010 2:39    SCAN nmap TCP    61.150.43.96
257    3/31/2010 2:38    SCAN nmap TCP    117.35.158.20
258    3/31/2010 1:51    SCAN nmap TCP    61.150.43.96
259    3/31/2010 1:50    SCAN nmap TCP    117.35.158.20
261    3/31/2010 1:06    SCAN nmap TCP    203.86.7.130
262    3/31/2010 1:06    SCAN nmap TCP    220.112.41.194
264    3/31/2010 0:40    SCAN nmap TCP    61.150.43.96
265    3/31/2010 0:40    SCAN nmap TCP    117.35.158.20
272    3/30/2010 23:24    SCAN nmap TCP    61.150.43.96
273    3/30/2010 23:23    SCAN nmap TCP    117.35.158.20
277    3/30/2010 22:17    SCAN nmap TCP    61.150.43.96
278    3/30/2010 22:17    SCAN nmap TCP    117.35.158.20
280    3/30/2010 22:09    SCAN nmap TCP    60.12.14.250
281    3/30/2010 22:05    SCAN nmap TCP    61.150.43.96
282    3/30/2010 22:05    SCAN nmap TCP    117.35.158.20
283    3/30/2010 21:48    SCAN nmap TCP    58.252.173.218
295    3/30/2010 19:50    SCAN nmap TCP    61.150.43.96
296    3/30/2010 19:50    SCAN nmap TCP    117.35.158.20
297    3/30/2010 19:46    SCAN nmap TCP    58.252.173.218
351    3/30/2010 19:04    SCAN nmap TCP    222.223.11.34
358    3/30/2010 19:04    SCAN nmap TCP    60.2.167.130
2347    3/28/2010 13:52    SCAN nmap TCP    124.42.41.2
2349    3/28/2010 12:38    SCAN nmap TCP    211.24.154.130
2350    3/28/2010 12:38    SCAN nmap TCP    210.19.140.130
2603    3/27/2010 19:34    SCAN nmap TCP    221.12.47.34
2604    3/27/2010 19:34    SCAN nmap TCP    60.190.59.194
3327    3/20/2010 16:51    SCAN nmap TCP    61.150.43.96
3328    3/20/2010 16:51    SCAN nmap TCP    117.35.158.20
3402    3/18/2010 20:03    SCAN nmap TCP    203.86.7.130
3403    3/18/2010 20:03    SCAN nmap TCP    220.112.41.194
3428    3/18/2010 16:32    SCAN nmap TCP    203.86.7.130
3429    3/18/2010 16:32    SCAN nmap TCP    220.112.41.194
3430    3/18/2010 16:03    SCAN nmap TCP    203.86.7.130
3431    3/18/2010 16:03    SCAN nmap TCP    220.112.41.194
3432    3/18/2010 15:31    SCAN nmap TCP    203.86.7.130
3433    3/18/2010 15:31    SCAN nmap TCP    220.112.41.194
3446    3/18/2010 12:03    SCAN nmap TCP    203.86.7.130
3447    3/18/2010 12:02    SCAN nmap TCP    220.112.41.194
3448    3/18/2010 11:34    SCAN nmap TCP    220.191.241.2
3449    3/18/2010 11:34    SCAN nmap TCP    60.12.6.238
3460    3/18/2010 10:01    SCAN nmap TCP    203.86.7.130
3462    3/18/2010 10:01    SCAN nmap TCP    220.112.41.194
3463    3/18/2010 9:41    SCAN nmap TCP    61.179.124.5
3464    3/18/2010 9:33    SCAN nmap TCP    203.86.7.130
3465    3/18/2010 9:33    SCAN nmap TCP    220.112.41.194
3467    3/18/2010 8:50    SCAN nmap TCP    218.246.65.21
3468    3/18/2010 8:50    SCAN nmap TCP    61.148.100.130
3469    3/18/2010 8:31    SCAN nmap TCP    203.86.7.130
3470    3/18/2010 8:30    SCAN nmap TCP    220.112.41.194
3520    3/17/2010 20:22    SCAN nmap TCP    61.150.43.96
3521    3/17/2010 20:22    SCAN nmap TCP    117.35.158.20
3556    3/17/2010 18:30    SCAN nmap TCP    220.242.75.2
3557    3/17/2010 18:30    SCAN nmap TCP    58.252.173.218

inetnum:      118.175.133.0 - 118.175.133.255
netname:      totnet
descr:        TOT Public Company Limited Bangkok
country:      th
tech-c:       tk56-ap
admin-c:      pa82-ap
status:       assigned non-portable
mnt-by:       maint-th-tot
changed:      hm-changed@apnic.net 20050922
changed:      ag100.ap@gmail.com
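Reading a listing like the one above by eye gets tedious once it runs to a few hundred rows, so here is an added example (my own illustration, not code from the blog or from the post's author) of the detection logic a defender would run over it: it parses a handful of alert rows copied from the listing, counts alerts per source address, finds the busiest one-hour window for each source, flags the persistent scanners, and checks a source against the inetnum range from the whois output. The four-column layout (row number, timestamp, signature, source IP), the one-hour window and the five-alerts-per-hour threshold are assumptions made for this illustration.

```python
"""Aggregate nmap-scan IDS alerts by source address (added example).

The sample rows below are copied from the alert listing in the post; the
column layout, window size and threshold are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Alert rows copied from the listing above: row number, timestamp, signature, source IP.
SAMPLE_ALERTS = """\
4    4/1/2010 6:14    SCAN nmap TCP    61.150.43.96
5    4/1/2010 6:14    SCAN nmap TCP    117.35.158.20
72    3/31/2010 17:45    SCAN nmap TCP    118.175.133.51
73    3/31/2010 17:44    SCAN nmap TCP    118.175.133.51
74    3/31/2010 17:43    SCAN nmap TCP    118.175.133.51
75    3/31/2010 17:42    SCAN nmap TCP    118.175.133.51
76    3/31/2010 17:39    SCAN nmap TCP    118.175.133.51
77    3/31/2010 17:38    SCAN nmap TCP    118.175.133.51
254    3/31/2010 3:15    SCAN nmap TCP    61.150.43.96
255    3/31/2010 3:15    SCAN nmap TCP    117.35.158.20
"""

# Assumed layout: whitespace-separated row id, M/D/YYYY H:MM timestamp, signature, IPv4 source.
LINE_RE = re.compile(
    r"^\s*(?P<row>\d+)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2})\s+"
    r"(?P<sig>SCAN nmap TCP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_alerts(text):
    """Return a list of (timestamp, signature, source_ip) tuples, skipping non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M")
        events.append((ts, m.group("sig"), m.group("src")))
    return events


def summarize_by_source(events, window=timedelta(hours=1)):
    """Per source IP: total alerts, first/last seen, and the most alerts seen inside one window."""
    by_src = defaultdict(list)
    for ts, _sig, src in events:
        by_src[src].append(ts)
    summary = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[i] - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        summary[src] = {
            "count": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "max_per_window": best,
        }
    return summary


def persistent_scanners(summary, min_per_window=5):
    """Sources that fire at least min_per_window scan alerts inside a single window."""
    return sorted(src for src, s in summary.items() if s["max_per_window"] >= min_per_window)


def in_inetnum(src, first, last):
    """True if src lies in the whois inetnum range first - last (inclusive)."""
    addr = ipaddress.ip_address(src)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


if __name__ == "__main__":
    summary = summarize_by_source(parse_alerts(SAMPLE_ALERTS))
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} alerts={s['count']:3} max/hour={s['max_per_window']:3} "
              f"{s['first_seen']:%Y-%m-%d %H:%M} .. {s['last_seen']:%Y-%m-%d %H:%M}")
    print("persistent scanners:", persistent_scanners(summary))
    print("in TOT netblock:", [src for src in summary
                               if in_inetnum(src, "118.175.133.0", "118.175.133.255")])
```

On the sample rows the Bangkok address is the only one that trips the threshold: six alerts inside eight minutes, versus a pair of alerts a day apart from each of the two other sources. The window-based count matters more than the raw total, because a source that probes once a day for a month looks very different from one that hammers a host every minute for an afternoon, even if the totals happen to match.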

So, someone is very interested in my server huh? Well Mr. Bangkok, I only have one thing to say to you…

One night in Bangkok makes a hard man humble
Not much between despair and ecstasy
One night in Bangkok and the tough guys tumble
Can’t be too careful with your company
I can feel the devil walking next to me

[THE AMERICAN]
Siam’s gonna be the witness
To the ultimate test of cerebral fitness
This grips me more than would a
Muddy old river or reclining Buddha

And thank God I’m only watching the game — controlling it —

I don’t see you guys rating
The kind of mate I’m contemplating
I’d let you watch, I would invite you
But the queens we use would not excite you

So you better go back to your bars, your temples, your massage
parlours —

Enjoy your scans.. and mine back at ya…

But seriously… really? Nmap scans all the time? Really? You think that is going to get you somewhere? I mean, hell, I understand the Chinese always hitting me.. and a ZILLION other people *Hi Xanui provinces! waves* but really Mr. Jihadi wanna be hacker..

Go back to your Windows ME and watch some more l33t YouTube vids on how to hack.

CoB

Al-Faloja Forums Fall Down… Go Boom…

It looks like Al-Falluja forums were part of the take down by the military/NSA last week. All of the mirrors are gone as well as the main site. This is one of the places I had been collecting on (previous post) and I am not sure if this was just collateral damage or if this was a main site of theirs. Interesting though, this site had some real good data, including a message that OBL would be making a statement soon, and there was one this week (OBL message).

This all brings up the issue of why they took this site down and perhaps others. The arrest of 100 jihadis this week that was announced by Saudi kinda tips the hand I think. I believe that they had a massive plan and that the data was being trafficked on this site and others that were either being run by or had been compromised by the intelligence agencies. Either that is the case or, as the site that was taken down had affiliations with Al-Faloja, they may have just taken Faloja down to prevent blowback on themselves.

So, now I am going through the sites I have been auditing to see what’s left on the internet and what’s been taken down this last week or so. Thus far though, Faloja is the big one that is missing. With that though, I am going to segue into talking about CAUI. It seems that these sites may have been a direct effect of the NSA CAUI program. This has ruffled feathers at the CIA and other intelligence agencies, but one has to look at the proportions of the arrests and the geopolitical/economic ramifications should the jihadists’ plans come to a successful conclusion. It would have been a nightmare with attacks on the main oil production facilities in Saudi being damaged or destroyed. The overall economic damage would have been immense, as well as the capital it would have given the jihadi propaganda machine.

In the end, I really wish that the NSA and others had been able to keep the site up and just pass the data/make the arrests. However, it seems that they had their reasons for doing what they did. It does however leave the jihadis now wondering just what site is theirs and/or has not been pwnd by some intelligence agency. This makes me wonder about their next steps. What is the likelihood that they are going to go underground with their comms, or will they just be more careful and start creating more stealth sites?

Time will tell…

It also has me wondering whether or not a certain jokey might also be feeling a little more worried for DoS’ing sites that may indeed be run by certain intelligence agencies. Piss off the wrong people and ya might just find them at your door soon enough…. It’s much easier to get router logs from ISPs these days ya know.

CoB