Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘COMINT’ Category

Inspire 6: Operational Methods Changes

with 2 comments

Inspire vol 6 came out yesterday and for the most part, it was more of the same ol same ol. Long diatribes on AQ doctrine, the usual shahidi laments and exhortations, a bomb making cook recipe for Acetone Peroxide (I can see more than a few jihobbyist fingers getting taken off accidentally) and then the little section below screen captured titled “Jihadi Experiences”

Jihadi Experiences:

After OBL was sent to his pineapple under the sea, I had written a post titled “Al Qaeda: The Case of A More Diffuse and Autonomous Organisationin which I made the observation that AQ might be re-thinking its C&C structure as well as its organizational groups. This part of the Inspire magazine is saying that very thing.

  • Point one on the list is the fact that they need to re-tool their operations to have more diffused and compartmented cells. They want to have cells that operate in a way that if one of their members gets caught, they will not know the whole picture and be able to give away the rest of the team.
  • Point two notes that they need younger recruits but those recruits seem to not want to commit themselves fully to the cause. They are observing that perhaps they could get the youth involved by contributions but not having them commit fully. This seems to be the essence of the jihobbyist to me. Looks like they want to use this.
  • Point three re-iterates the need for more diffused, mobile, and agile units because the battle space is not longer driven by discreet front lines.
  • Point four makes a key statement that the drone strikes are causing problems for them and backs up point three in that wherever they are meeting or hiding, even underground, we are using technology to find them and strike them.
The summation though from these points is rather telling however;
  • Firstly, they have renamed jihad to “resistance” its a bit more Western friendly term for those jihobbyists who do not speak Arabi well and it is a paradigm change. You are fighting a battle of resistance against the oppressor instead of being mandated by Allah and the Koran to do so. It goes to the whole idea of using the youth as a movement without the absolute commitment to Jihad.
  • The second statement re-iterates the need for a new youth movement that will ease them all into the ideology of jihad. Once again, using the key word of “resistance”
  • The third and fourth statements have key changes but ones that has been building. They are aiming for more lone wolf jihadi acts. They say this though, with the intent of directing those lone wolves to key targets. I believe that they want to deploy the command and control over the propaganda wing’s postings online. This would make sense, just dangle targets out there and exhort the ‘youth ummah’ to go forth and commit jihad.
  • The fifth statement concerns their ongoing efforts online to spread jihadi ‘sciences’ as well as political doctrine. Of late, the forums have been under attack by differing factions. Mostly though, the actors taking down the sites seem to be non state actors (patriot hackers) egged on by the recent spate of Anonymous hacks and attacks. However, there have been other issues the jihobbyists have been facing. Their Facebook jihad has been failing because Facebook keeps taking their pages down. It has been suggested that they create front pages with links to harder content that is hidden to prevent this. All of this though is tempered with the fact that they do not want to be caught, like said Anonymous actors who lately have been scooped up by the authorities.
  • Statements six and seven are interesting. They speak of creating cells of resistance and re-naming them systems of action “Nizam Al-Amal” and not as secret organizations for action “Tandim Lil-Amal” Once again, the movement is looking to have secure cells that will have a C&C but not so much that if any of their members are caught, the cell will not be taken down nor will that effect the upper echelons security.
This section of the magazine is the most interesting to me. It shows just how much harder is has become for the jihad to function with our intelligence apparatus and drone strikes going on. Obviously AQAP has been feeling the bite of counterintelligence operations as well as counter insurgency efforts. The problems they face though are pretty tough. Just how do you go on to inspire the ummah with no way to really have a command and control apparatus to guide them?
Even with all the subtle changes to language here (neuro-linguistic programming) I don’t see that any organization like theirs can have what they seek. After all, the basic premise that AQ and other radical orgs have used to to indoctrinate the youth in places like the madrassa’s of Afghanistan. They only teach them the Koran and they only teach them barely what they need to function, all the while controlling very carefully, the youth’s doctrinal belief. Without this, and seeking a Western cache of jihadi troops to fill their ranks, they are seeking a new way not only to bring them to the ‘resistance’ but also to control them.
Guess what AQ, it will fail. No matter what method you finally try to use.
Look at this from the anonymous perspective of command and control. They claim to be headless but in fact they have always had an underlying structure. There will always be need for command and control over any operational force that goes into battle.
And with that C&C structure, there will always be a method to get inside it and tear it apart…  As the Anonykids are discovering now (see yesterday’s arrests of 14 more anons)
So, we can see that AQAP is grappling with the issue and perhaps their base is eroding even further. I am glad to see that they are having problems and trying to work them out in a public forum for me to watch. I am sure others in the community are as well…
Keep giving us all your ideas AQAP. The more you give, the sooner we will have you all wrapped up.
K.

Written by Krypt3ia

2011/07/20 at 10:36

Internet Jihad vs. Internet Propaganda Jihad: When The Media Gives Me Tourrettes

with 2 comments

From dnaindia.com

I followed a link today off of esecurityintelligence.net and after reading the first graph of the piece I pretty much had a bad case of Tourrettes syndrome. This is some of the WORST reporting I have seen where it concerns the state of internet jihad. Now, I know why these places all do this, they just want a lead story and headline that will draw people in and make them click into the site. I get it… But.. It’s just wrong. The internet jihad is more a propaganda campaign than anything else and as you can see from the piece below from of all places, “The Sun” did a bit of a better job on the facts than dnaindia did!

Now that is surprising.

From thesun.co.uk

So, as I was saying, a ‘bit’ of a better job.. Then they too go off the rails. Look, the cyber jihad or Internet jihad is comprised mostly of jihobbyists, guys who want to get in on the action but are too clueless to actually go to the battlefield in some cases. In others, they are deluded individuals with mental health issues that need to be medicated and taken care of. In either case, the needed skills to really cause greater issues other than setting up php bulletin boards to throw propaganda on are lacking on the part of the general jihobbyist populace. Just how many of the attacks by LulzSec were attributed to the likes of Al Qaeda?

hint: NONE

Yet the media persists in perpetuating this idea the there are some 31337 jihadi’s out there who are going to pwn the grid. Really guys, get your shit straight when reporting on things ok? I have seen some strives in the Jihadi hacking scene these last few years, but NOTHING like what you are talking about. Hell, their real hacker went to jail years ago (Irhabi007) What is worse it seems, is that likes of Home Secretary May, may in fact be spinning half truths about Internet jihad for whatever political expediency she needs. I have reported in the past about the Facebook Jihad (notice 2010) and pretty much sum it up to propaganda and thats it. Sure, there may be some illicit comms channels here, but, its Facebook for God’s sake! They are on top of this shit, TRUST ME! The jihadi’s have been complaining that as soon as they set up a Facebook page it gets taken down by Zucky and company! So really, there is no threat there.

So, lets take another look at it from the post LulzSec perspective.

Lulz have been wreaking digital havoc with some pretty low level hacks. They carried out DD0S, they hacked low hanging fruit and stole data which they then published. LULZ did it, NOT Al Qaeda. Now, don’t you think that if AQ was adroit at hacking and wanted to cause pandemonium they would have beaten LulzSec to it all? Don’t you further think that perhaps when and if they hacked the servers with the low hanging fruit hacks (SQLi) that instead of just publishing the data, they would have say RM’d the whole databases?

Think about it;

  • Economic targets like the stock market
  • Military targets like the recent Anon attacks on Booz Allen
  • Attacks on grid and other key infrastructure targets

ALL of these things likely already harbor vulnerabilities that the likes of Anonymous could already have access to! The difference? The LULZ don’t want to be thrown in a hole forever and know their limits I suspect. Now, if you were AQ though, what’s to lose?

NADA

AQ, if they had the capabilities would already have used it! They haven’t, which means to me they lack the critical skills in their jihobbyist base to be a threat in this arena. It is as simple as that. So please Media, fucking buy a clue and stop just trying to use the “If it bleeds it leads” mentality to get clicks. Do your JOB’s and get subject matter experts with credentials to talk about this stuff instead of just trying to scare the straights with false reports.

I have often written on this topic in the past and from what I have seen here is the overall picture of the state of Jihadi hacking tech.

  • They are using OLD malware packages to infect machines to steal data/money (mostly money)
  • They are using OLD hacking exploits for the most part just as they are with the malware packages
  • SOME jihadi hackers (TNT_ON) are clued in and know what they are doing technically, but yet are inept enough to leave their real IP addresses in their tutorial videos (I see you!)
  • They are learning.. Slowly.. but their sites still keep getting popped and their super sekret rooms online have been penetrated
  • Their crypto program (Mujahid Secrets) has been cracked/Reverse Engineered

Finally, let me leave you with this little bit of wisdom post the demise of OBL:

  • They got him because his lackeys were tracked by their electronic comms
  • Even though they were using sneakernet  and email Dead Drops we managed to catch on (these techniques are not hacking)

Were OBL and his crew using high tech hacking techniques or crypto (aka steg) as their main means of communications, judiciously, it would have been even harder to get a line on what they were up to, where they were, and moving forward, determine future plans from OBL’s hard drives etc. Instead, they were using old spy tactics with minor digital twists to evade the US and other countries. This says a lot about their abilities and ours to detect them. They decided it was better to go old school because we cornered the digital market.

This follows today to the hacking scene, where we have some muslim hacker groups out there defacing pages, but not doing much else in the way of Islamic Electronic Jihad. So, media, let me put it plainly again;

They don’t have the skills to be super scary like you want them to be in your exaggerated reports!

CUT IT OUT!

I will let you know when they have their shit together.. Trust me.

K.

Past posts on this subject:

Cyber Jihad: Malaysia

Great Likelihood of Cyber Attacks By Terrorists: You Don’t Say!

Inspire Magazine Analysis: Going Green for College Age Recruits

Abo Yahya and Metadata Cleaning

TNT_ON@hotmail.com —> zmm@hotmail.com = Sword Azzam?

Inspire vol II: Rationalization, Operational Directions, Open-Source Jihad, and Pivoting the Battle-Space

Jihadi Malware 2010, Al Mojahden’s User Acct Boo Boo, & The Jihadi Technical Forums

Jihadi Hacking Tutorials: Irhabi 007′s Text and More

Jihadi Penetration Tutorials: Metoovet

The Jihadist Repertoire Expands

MJAHDEN: Jihadi Crypto Progam

Al-Qaida Goes “Old School” With Tradecraft and Steganography

 

 

AQ’s New Digital Shingle: Al-Fidaa

leave a comment »

AQ’s New Propaganda Board:

Al-Fidaa, the newest site in the Al Qaeda webring to spread the usual propaganda. This site popped up last week and I am just getting round to checking it out fully. The site is undoubtedly a response to the takedown of Al-Shamukh a couple weeks back and this is their answer, to make even more redundant sites to pump out their agenda.

The difference so far with this site is that security wise (at first sniff) it has been upgraded. Google has been spidering the site, but even when you attempt to look at the content in the cache, you get nothing but the login page. This is a decidedly large change from their past sites that leaked data. A further examination of the site structure and back end servers will tell if there is more to work with on fidaa.

Domain Data:

Another major change is that these site domains have been set up as privacy protected. This is a newer thing to most of these sites and the domains were set up in May of this year, probably in case they needed them, like the Al-Shamikh1 site that popped up so quickly after the original domain was capped by Godaddy and allegedly “BlackKatSec”

I would love to see the government go to these domain registries and locate how, who, and where the funds were transferred to create these sites. I am willing to bet that they were set up using cutout companies or individuals, but, maybe they will get lucky and get a line on a real person or two to ask some questions concerning ownership and connection to AQ.

Server Locations:

While the site is registered in the US, the actual servers are all located in Malaysia. So, once again we see that Malaysia seems to be a hub where the Internet Jihad is concerned. I have to wonder just how well our government gets along with the Malay government. Could we in fact get some digital forensics love on those boxes out there? One also wonders just how many Malay jihadi’s there are out there and how many of them may in fact work for networks like Piradius. I ask this because many a server has been stealthed onto boxes run in those networks and I think from the looks of them, that they are being managed locally, not just hacked.

The Nature of AQ Sites:

Overall, it seems that this site is just another mirror like all the rest out there. They will have secret little rooms to chat amongst themselves, but the real Jihad goes on elsewhere. Primarily these sites are for the distribution of propaganda and to recruit the lone wolves in the West. I expect that it will just be the same thing with a different color scheme really… But, it will be something to watch.

If I find something tasty I’ll let you know.

K.

Written by Krypt3ia

2011/07/13 at 20:23

Team Inject0r: The Multinational Connection

with 6 comments

The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.

This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?

… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?

Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.

Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.

Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.

Teams and Members:

In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3” The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.

Team Inj3ct0r: http://77.120.120.218/team

Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…

Team Inj3ct0r

r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru

  • The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
  • The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
  • The domain inject0r.com was hosted in China  61.191.0.0 – 61.191.255.255 on China net
  • Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
  • Another alias seems to be the screen name str0ke
  • Also owned www.0xr00t.com

http://www.inj3ct0r.com domain details:

Registrant:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r        (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151                     
Sid3^effectsr
4dc0reSeeMe
XroGuE
gunslinger_

indoushka
KnocKout

  • knockout@e-mail.com.tr
  • knockoutr@msn.com
  • Alleged to be Turkish and located in Istanbul
  • Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011

ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3


DIS9.com:

DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.

A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 )  vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.

The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”

DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit – 
Kedans-Dz

: Team Exploit :

Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft

h4x0er.org aka DIS9 Team

Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.

Other Teams within the DIS9 umbrella:

In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.

More when I have it…

K.

BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda

leave a comment »

From GamerCrypt

Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DD0S of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admin’s at Shamikh1 had not fixed the problems.. Not that anyone was goint to tell them that their site was vulnerable.

As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the back up site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.

Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They so far, have not said much on why never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm –rf * ‘d the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.

Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.

So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure its used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…

Say.. You guy’s aren’t MI6 are ya?

HA!

More when I have it.

K.

Shamikh1.info: The New Den of Scum and Villainy

leave a comment »

Well, that didn’t take long did it. At least Evan got one thing right, they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it because they had a direct link back to the sql instance. The site is not fully operational yet, but they are setting it up rapidly as I surmised they would on the domain of shamikh1.info which was registered in May as the backup domain.

I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing so nothing much may happen…

But..

You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.

Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out as Evan suggests (without any proof as yet mind you) or, it may in fact be because the site was blocked at the domain level as I pointed out in my last post on this matter. Godaddy had suspended the domain and I am not sure if the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attacks perpatraitors, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.

Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.

“Bollocks” As they say in England.

DATA:

Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200

Core Server:

Ip address: 180.235.150.135

Location: Indonesia


Persons Attached: Daru Kuncoro & Yogie Nareswara

Names of Admins: Yogie Nareswara & Daru Kuncoro

Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com

Nmap Scan Report:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 180.235.150.135 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Discovered open port 110/tcp on 180.235.150.135
Discovered open port 993/tcp on 180.235.150.135
Discovered open port 143/tcp on 180.235.150.135
Discovered open port 21/tcp on 180.235.150.135
Discovered open port 443/tcp on 180.235.150.135
Discovered open port 3306/tcp on 180.235.150.135
Discovered open port 995/tcp on 180.235.150.135
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi ?

Meh.

Site Contact Data:

Daru Kuncoro:

Yogie Nareswara:

Current State:

Guess they are still working on the server connections… I am sure as well, that soon they will have more stealth servers out there in Malaysia as well. So the mirroring will begin for the sql instance to do the push from. Lets see how long it is before this one is taken down shall we? Oh, and next time an attack happens, lets all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.

More later.

K.

The Eternal Game of Whack-A-Mole Goes On: Was Al-Shamukh Hacked?

with 2 comments

The Eternal Game of Whack-A-Mole Goes On:

Al-Shamikh1, the Shamukh Al-Islam AQ site is down, and has been allegedly under attack since this weekend. It’s mirrors are down as well and according to the news media Here and Here citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is either that Evan is not painting the full picture or the media, as usually, is not understanding what he is saying. As for my take on it, it’s a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.

Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. as I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like;

British Hackers Take Down Al-Qaeda Websites

and

NBC News: Hacker attack cripples al-Qaida Web communications

*Facepalm*

None of the articles cites any clear evidence of who did what never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:

From: robtex.com The domain and NS pointers have been suspended by GoDaddy

The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DD0S’d for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on the Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that’s a bit too subtle for the media.

Whois data for shamikh1.net

Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on non domain named boxes are down and the core server may have been compromised. It’s all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the server was core was pulled by the jihadi’s themselves because they have been real twitchy since the 2010 roll up of al-faloja.

In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpbb was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admin’s and the jihadi’s on edge. This is why today you see so many more discussion groups on computer security, but more so how to configure and secure phpbb today on sites like As-Ansar.

Distributed Sites:

“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.

This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content and even though the core is down, the content lives on in other sites. The Jihadi’s have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is an group performing insurgency who know the power of cells and this is no different online. An example of this is the site in question of Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see paradius net)

In the case of Shamikh1 the following sites are known to have hosted or, as in the case of shamikh1.info, was scheduled to be soon.

http://shamikh1.net

http://shamikh1.info

http://202.149.72.130/~shamikh/vb/

http://202.149.72.131/~shamikh/vb/

http://202.75.56.237/~shamikh/vb/

All of these systems are down at least content wise for Shamikh, the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.

shamikh1.info whois data

This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content online. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, lately the e-jihadi’s have been twitchy about security for a while now because they have been compromised in the past.

So, all of this reporting that it was a huge state run hack and was massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann. Who’s privately run consultancy is getting quite a bit of attention now.. Isn’t it?

Cupcake Recipies Instead of IED’s Do Not A Hack Make:

Another thing that is sticking in my craw is this whole linking this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited or even hinted at in the real world that MI6 or Five for that matter had anything to do with this. For all they know, it could have been Jester or someone with like technology that dos’d them and got them yanked offline by their host.

Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?

No one has said.

This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it make AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.

They are worried.

Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.

Whodunnit:

This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere makes me question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods would it not? This was my primary issue with the Jester’s campaign, it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?

All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..

But, they will be back again… Let the great game of whack a mole begin!

K.