Archive for the ‘Counter-Insurgency’ Category
Handwringing, Moralizing, Anonymous, Paedophilia, and Digital Vigilantism
Preamble:
I recently posted about the Hidden Wiki and its prevalence in hosting paedophilia content. This post may or may not have left an impression on some of the anonymous collective to take action and perhaps sow good will for their group by hacking into the “Lolita City” site within the DarkNet and releasing thousands of users email addresses and personal data (such as it is on such a site) for the Internet to feast upon. The Anon’s are doing this for their own reasons, but the upshot of it all is that they are causing the paedophiles pain in making it hard for them to get their content as well as potentially outing them online as purveyors and consumers of this wretched content.
Since my post applauding them and giving them some direction as to how to become more of an intelligence gathering apparatus for the LEO community, some in the infosec world have come forward and voiced concerns about this line of thought. All of the talk about the morals, legalities, and philosophical aspects of Anonymous undertaking such actions has gotten me thinking quite a bit.It all raises some interesting questions and philosophical challenges.
Anonymous and Digital Vigilantism:
What I think that most people with reservations about Anonymous taking up such operations as the DarkNet op have are that these people are for the most part kids without training and without any kind of oversight. Oversight in that they could get too big for their britches (one could say that many already have) and think that they are invulnerable to attack never mind the respective laws of our society. That said, it would seem that Anonymous, Antisec, and LulzSec have already decided to take up the mantle of vigilante’s already. However, the targets have been, for the most part, varied parties that could be seen as hapless victims or as malefactors, it all depends on the point of view really.
In the case of Scientology, well, aside from religious freedoms (trust me, they are not a religion) generally the Scientologists have been pretty much seen as getting what they deserved. Today though, years later, Anonymous has begun to take on the governments of the world as well as the likes of Paedophiles online. Once again, generally, people see what they want to concerning whether governments are good or bad. Paedophiles though, pretty much are outlawed universally. So, when Anonymous decided to attack, I could not fault them one bit. However, I could perhaps fault their methods.. Only in that they were bound to only let the paedo’s get away in the end.
I have said it before and I will say it again.. “One man’s freedom fighter is another man’s terrorist” It all depends upon your perspective really. While I do not think all of their targets have been chosen wisely, I cannot fault the true believers out th4ere that they are doing something out of conscience and good. This is not to say that a certain element of the movement is in fact just in it for the lulz (i.e. Antisec and LulzSec) There certainly are factions at play who just want to see the world burn as well as garner themselves digital street cred.
Overall though, the term Vigilante denotes a person or persons (committee’s) who dole out justice summarily when the law is seen as ineffective by them. In this case, the Anon’s have taken up the mantle of vigilante in order to rid the DarkNet of paedophile content because law enforcement seems unable to effectively. Now this is also the crux of the issue in another way, as the police generally are not allowed to hack into sites and dump the dirt so to speak.. The Anon’s are unhindered here. Just as they have felt the same way about other operations where they have denied service to corporations (likening it to a digital sit in) they have crossed the line of the law, but, their methods and motivations are free of it… Until they get caught that is.
The essence of the thing is this.. “Don’t do the crime unless you can do the time” If they believe in it strongly and act upon it, then they must accept the risks of being caught and incarcerated. So far, much of the motivation I have seen by a good deal of anon’s has been motivated by convictions and beliefs. All others have been for Lulz, which is what made LulzSec even more of a problem as they just did not care. The current Antisec movement that LulzSec begat also seems to lack the conviction of their beliefs and seems more driven by ego than anything else by their writings.
And this is the difference between the chaotic Joker like actors and the Batman types.
Anonymous vs. PLA, vs. Patriot Hackers:
Pulling back a bit now, I would like to look at the macroscopic view of Vigilante behaviour versus nation state sanctioned or perhaps, a better word for it would be “condoned” actions and groups. I have written in the past about groups like the Honker Union in China as well as the colourful character known as th3j35t3r. both of these entities have had an effect on the collective consciousness concerning digital vigilante justice and I think it important that they form the contextual base for Anonymous’ actions in Operation DarkNet.
First off, ALL of these entities have been doing what they do (Jester DDOS of Jihadi sites and Anonymous, Honker, hacking against the enemies of China, and Anonymous, attacking sceintology, the gov, and paedo’s) with a mind toward doing “good” In the case of Jester, he thinks DDoS-ing jihadi sites out of a patriotic bent that will stop them from communicating. In the case of the Honker Union, they are patriots to their homeland and attack others who would do their country slight or harm. Anonymous though, started out of /b/ … Which really is a band of miscreants for the most part. However, a core group decided to take on the mantle of doing right somewhere down the line and we find swaths of them today supporting Occupy Wall Street and other political agenda’s.
The basic idea here is that they are all motivated by a belief in some greater good.. Mostly. I am sure there are on individual levels, many more motives (ego, greed, ego… the list goes on) but I will just put it to a gross generality that these people want to effect some kind of change.
At least I hope that this is the case…
What is really different though is that in the case of Jester and the Honker Union, they both are condoned if not outright supported efforts by the countries they reside in. In the case of the PLA and the Honker, there is clear connection between the state and their actions. In the case of Jester, there are allegations (made by him) that his is state sponsored.. But, I think more to the point he is condoned. Either way, the Anon’s may indeed be getting some support (moral or other) from state sponsors and not even know it. In the case of Anon, they could just become the tool of another nation state and not know any better.
Which is pretty scary.
All of these entities though, have had a greater or less effect upon the internet these last few years through their online shenanigans via hacking. The secret is this, they are just the first. There will be others to be sure.. The genie is out of the bottle on this one.
Anonymous vs. LulzSec & Antisec:
Conversely, we have LulzSec and Antisec, who both wreaked havoc on the corporations and the police of the world lately. Their reasons for doing so pretty much have been stated as “because we are bored” At the core though, there seems to be a couple of motives here from postings online. One is the afore mentioned Lulz, the other, seems to be a kind of abject hatred of authority and police. In recent hacks on the police though, there seems to be a bent toward supporting the Occupy movement as the police have had some transgressions against them. So.. They hacked the police and dumped all their data to spite them. Frankly, I see no value to this and once again, even if motivated by supporting the movement, it has no real effect on the police other than to make them more angry and reactive against the protesters.
Anonymous on the other hand has had its lulz, but seems to be growing up a bit and maturing. The social conscience of anon has begun to take shape and within it (movement wise) may well be the lasting component that will be its Raison d’être in the end. Time will tell though, and I hope that this is the case more so than just a bunch of malcontent’s seeking attention and excitement.
The Hand Wringing by The Infosec Community At Large:
Alright, back to the hand wringing and the moralizing post the Op DarkNet…
Certain people in the community wrote that while the empathised with what Anon was trying to do with Op DarkNet, they felt that these people were not the folks they would have doing this to start. Most of this comes from the fact that many of the players are not trained investigators and not LEO’s. I can agree with this from the perspective of legal proceedings later on. If Anonymous hacks a server and then dumps data, it could have an effect on the court case from a few perspectives;
- Contamination: The defense could claim that the server was hacked and the data planted
- The data could have indeed been tampered with by anon’s
- The backend of the server/dbase could in fact be shared and all those who share could be swept up in the legalities/implications
- The hack is enough to raise reasonable doubt
So, yes, it could be counter productive to have a vigilante force actually hack a system and report it to law enforcement. However, I would advocate that in the case of Anonymous and the paedo’s at the least, they not just hack and dump data, but instead give that data to law enforcement to start an investigation. For that matter, if Anonymous just located the servers and authenticated (sans hacking) that the content was there, they could in fact just tip off the police.
And this is at least part of what they did with Lolita City in the DarkNet. They tried to locate the server location and this alone could be a great boon for the authorities.
On the other hand, there are moral/ethical objections on the parts of some who think that perhaps letting Anonymous do this type of thing, or even encourage it is setting a bad precedent. To them, Vigilante’s are outside the scope of good behaviour and the law.. They cannot be tolerated. Personally, I think that that is a sanctimonious load of crap, but, that’s just me.
Sometimes when the system cannot function other means need to be taken to effect change. In this case, within a network that is anonymized and the authorities have had little success in catching anyone trading in paedophilia, I see no harm in Anonymous outing them.. Though, I would rather they just passed the intelligence to the LEO’s instead. It is my opinion, that if done correctly, intelligence gathering of this type with a tip off to the police has a better chance at actual arrests and convictions than to just let them go on about their peddling of child pornography.
Just one man’s opinion…
Philosophical and Ethical Stands On Being The Digital Batman:
This is the philosophical and ethical standpoint I take in being the digital Batman. Strict utilitarianism dictates that maximizing overall good is key. In this case and perhaps others, the taking down of the paedophile’s content and capturing their login credentials is enough “good” to allow for the action to be seen as acceptable. This is really the basis of The Batman’s ethics in the comics and ideally, for me on this particular incident with Anonymous.
Now, this does not mean I agree with all of their operations as well as certainly not agreeing with the bulk of the actions carried out by the Antisec movement. However, the perspective is the key I suppose. It’s a slippery slope I admit, but, in this case of OpDarkNet, I agree with the greater good being served in this case.
Here we have the Deontologists like Sam Bowne. Deontology is a nice thing to cling to the ethical rules of a governing system of laws. However, it seems to me, and others here, that this system of laws is not working against these offenders in the hidden wiki. Sure, you could say that the LEO’s have ongoing investigations, but, just how many busts have there been as opposed to the massive amount of content located on the hidden wiki and within i2p, Freenet, and TOR?
So far, I have not seen law enforcement really winning this battle.
Oh well, the Deontologists have their point of view and others have theirs. The key here is that Sammy and others like Packetknife are entitled to their point of view. They are right for themselves, and that is the issue with all philosophy and ethics arguments. Like I said, it’s all about your world view. However, I do not ascribe to a moral absolute unlike someone like Sammy.
There are no right answers. There is only what you are willing to accept for yourself.
Legal Aspects of Digital Vigilantism:
Now, on to the legal aspects here.
The US code on activities related to sexual exploitation of minors alludes to the fact that one has to “knowingly” access such content and to have more than 3 pieces of “content” to be considered guilty of child exploitation/pornography. This of course also alludes to the trafficking thereof etc etc in legalese. Where this is important for the digital Batman is where there are caveats.
(c) Affirmative Defense. - It shall be an affirmative defense to a charge of violating paragraph (4) of subsection (a) that the defendant - (1) possessed less than three matters containing any visual depiction proscribed by that paragraph; and (2) promptly and in good faith, and without retaining or allowing any person, other than a law enforcement agency, to access any visual depiction or copy thereof - (A) took reasonable steps to destroy each such visual depiction; or (B) reported the matter to a law enforcement agency and afforded that agency access to each such visual depiction.
So, as I said before, if you are trying to take one of these sites down, then do turn off your browser’s images capabilities.. Hell, why not just use Lynx for that matter so as to negate the issue. However, there is a key point here that you all should take into account. It’s the bit about making the LEO’s aware of the content. This is what I was trying to get at before. If Anonymous or anyone is going to go after this content, then it would be best if you tipped off the LEO’s to the site and the content. Now, the above statement implies that if you make the tip, then you are going to let the police have your system to look at… And we all know Anonymous is not going to do that. So, just be judicious about your tip off’s to the authorities. Do your homework and dump the data to them directly, not on Pastebin.
Of course, then there are the issues of hacking a system in the first place… Well, in the DarkNet, the only thing as I see it that is key would be not leaving a trace that you were there. You know, kinda like the whole hiking ethos of only leaving footprints.. But in this case I would suggest not even a footprint should be left behind. It seems to me, that if you hack a paedo site, even with good intentions, you could get the double whammy from the authorities of hacking as well as accessing child porn…
And that could really be problematic.
So, in the end, I circle back to recommending that you become intelligence gatherers and locate the sources to report. If you locate them, and you get some good details for the authorities without having to SQLi them, all the better. You will be doing a good thing AND you will be satisfying the Deontologists in the room.
Keep your wits about you kids.
K.
The Psychology of “Neo Jihad” Radicalization
The Paradigm Pivot:
Soon after the attacks on 9/11 the US and other countries began a “War On Terror” that attempted to disrupt and destroy the Al Qaeda networks. The military and intelligence wars on AQ have been very successful in that they have splintered the group, cut its main lines of C&C, and forced them to scatter into the hills of Waziristan and other places. The intelligence war began with stepped up surveillance technically as well as, after much spin up, getting physical assets on the ground and inserted into the intelligence gathering apparatus. Once the networks were set up, and the AQ infrastructure fractured, it became apparent to the leaders of AQ that they needed to proselytize in a different way to get more “recruits” for the global jihad that they wanted.
Once the realization set in, the AQ leadership began to move online to communicate, radicalize, and recruit new jihadi’s to the cause. As time went by and more of the networks were broken, the ranks of jihad began to thin out. This became a real problem for Al Qaeda and it realized that it needed a new paradigm to reach the “Western” ummah that they could try to sway to jihad. With the creation of GIMF, and AQAP later on, the footprint of jihadi propaganda and radicalization took shape online. Since 2001, we have seen AQ and affiliates grapple with how to get their message across as well as create channels for those who are not in the 2 lands, to radicalize, and then come to jihad.
This post is about not only the means that AQ, AQAP, and others have come up with as a response to the problem, but also a profile of the GEN2 jihadi’s online that are being radicalized and who have acted in the past as well as those who may in the future.
Online Jihad: 10 Years of Internet Jihad
A plethora of sites on the internet have been set up over the years by AQ and its affiliates to propagandize and communicate. many of these sites at first were just simple file upload areas and small bulletin boards. Today we have many mass media style sites including videos, tutorials, online chat areas, and private messaging. The PHP bulletin boards set up on domain named sites or on servers (stealth) that have been hacked, have been the most popular of all. With these sites, the jihad radicalization goes on with postings within pass-worded group sites like Shamukh (AQ) or Ansar.com.
For the most part, these sites have only been partially successful in being a command and control mechanism for AQ. They have failed to gather the swelling support that they would have liked on the part of the Western ummah and it is this lack of fervor that has them vexed. I have personally seen this vexation in AQAP’s “Inspire Magazine” as they have been trying to become more “Hip and Western” to get a new audience. All of their efforts though, have had lackluster returns. This lack of response on the part of the young westernized groups that they are targeting is likely to a few factors;
- The radicalization process is not in person
- The western mindset of the targets is more secular in nature and separate from the core AQ groups experiences
- These youths are not living in lands where war is ongoing
The Psychology of Radicalization:
Radicalization: The process in which an individual changes from passiveness or activism to become more revolutionary, militant or extremist. Radicalization is often associated with youth, adversity, alienation, social exclusion, poverty, or the perception of injustice to self or others.
Much of the classic radicalizing that happens within movements such as Al Qaeda happens when the like minded get together under the penumbra of a stronger personality that leads them. In the case of Islamic Jihad, there have been many Imam’s and leaders who preach this type of thought within their right wing versions of Islam. This is the core of the idea behind raising the ummah army to fight a jihad, the radicalization of the parishioners through direct proselytizing. Since 9/11 though, much of the Muslim community has come under scrutiny from intelligence gathering groups seeking to find the next cell of terrorists being exhorted to jihad by an imam or another leader.
In other cases secular leaders may arise, this may take shape in the form of someone like Mohammad Atta, or the like who are within a circle of like minded people (What Dr. Marc Sageman calls “a group of guys” theory) who “self radicalize” and either make contact with core AQ, or, they decide to act on their own, using the internet as their guide to jihad techniques and ideals. This may happen with two or more individuals seeking like minded people, or, a leader may inculcate them into their particular brand of thought.
A third and seemingly rising type of radicalization seems to be the Lone Wolf or Loner. This is a person either seeking to belong to something greater than they are, or, someone mentally unbalanced and moving along the lines of their own particular mental illness. The Lone Wolves and the Loner’s are dangerous in that they are now one of the primary targets of AQ and their propaganda/radicalization drive other than the “group of guys” The reason for this is that all of these groups can “self radicalize” without having to step into a mosque by reading online and digitally relating with other like minded jihadi’s online. The major difference being that there is no direct contact and, for most, this method of contact and radicalizing lacks the added social element of being in person as a part of a group.
This is a key feature of radicalization that needs to be understood. Since we are social animals, we need to feel that kinship and the only real way to do this primarily is to be within a social dynamic structure that includes physically being there. Online it seems, just does not cut it for most. However, there are others, the mentally ill, and those who are so socially awkward, that online seems to be the only way that they can relate, that have become the next generation of jihobbyists. This in tandem with the fact that now it is rather hard to make contact with, and access the core AQ group physically (i.e. going to a training camp in Waziristan) has made the online radicalization process the pre-eminent way for the jihadi process to carry on.
Jihad GEN 2.0: Lone Wolves, Wolf Packs, & Loners
- Lone Wolves: Single actors who radicalize either by self or online groups but act alone
- Wolf Packs: “The Group of Guys” Who radicalize together as a unit and attempt jihad
- Loners: The single player who radicalizes online and may have contacts with some but is not a team player
Lone Wolves, or the “Lone Wolf” The most likely candidate for the lone wolf is a second generation immigrant who feels some sort of synergy with their parents homeland. There have been a spate of cases where Al Shebaab had converts sneak off from the US to Somalia to train with them. The majority of these lone wolves in this case, were kids in their teens or early twenties that took off to join the jihad there. The premise though, is that these are people who are not necessarily part of any one group but seek out the jihad on their own. They often connect with the core jihadi groups in some way (Malik Hassan and Anwar Al Awlaki) and then act on their own in a more constructed and supported way from the core AQ groups.
Wolf Packs are groups of like minded individuals who have either come together and then radicalized, or, have formed due to a strong leader. These are the most dangerous of the groups because they tend to be groomed by core AQ and, as a group, not only self radicalize, but they re-enforce their belief and action as a social dynamic. Wolf packs have been seen as the more organized and thus more dangerous element in this behavior model. An example of the wolf pack would be the Lackawana 6 or others who banded together and eventually went to an AQ training camp. Though, in the case of the Lackawanna 6, it seems as though they came back from the trip decidedly lacking the motivation to carry out a mission. This is likely because of their Westernized mind set. They did however provide material support to the jihad, and were convicted of this.
Loners are the last type of jihadi that the AQ core are seeking to incite. The loner tends to be an individual who is socially inept to the degree that some have actually been diagnosed with Aspergers Syndrome. Still others have proven to be mentally ill individuals who latch onto the jihad for whatever reasons are driving their psyche. On average, the loner can be seen as the spree killer of the group that feeds the need of the jihad in that they sow fear and confusion while potentially taking out numbers of people. An example of a loner would be Nidal Malik Hassan (Ft. Hood Shooter) who clearly was mentally unstable and went on a shooting rampage injuring 30 and killing 13.
Loners tend to be more the spree killers with guns than they are bomb makers. Another loner type would be Faisal Shahzad, who attempted to make a propane bomb alone. His training was incomplete or he was inept, because the device failed to go off. In the case of Shahzad, he also spent time in Pakistan (from where he emigrated to the US) with the Pakistani Taliban. His radicalization went on unseen by others around him and his actions became more erratic as time went on. I have not seen a psych evaluation of him, but from all that I have seen, it may well be that he too is mentally unstable.
Another couple of reasons to worry more about the “loner” type of jihadi are these:
- They are loners, thus unless someone in the family see’s whats going on, it will likely go unseen until its too late
- They are often here in the US and with guns easily available, make their spree killing scenarios most likely to work
Online Radicalization: Propaganda, Congregation, Synergy & The Online Shadow War
As mentioned above, the radicalization process online has mainly consisted of websites that cater to the newbie to the jihad up to the hard core members. Primarily though, these sites have been a means to gain new recruits for the holy war. These sites had been for a long time, rather blatantly operating online because the governments had not caught up with the technology. Recently though, there has been a change going on within the online jihad. Due to many factors including actions on the part of the hacker community, the propaganda machine that has been the jihadi bulletin board system online has begun to go underground as well as redouble its propaganda efforts.
AQAP’s “Inspire Magazine” releases also have been slowed down and the core’s processes for distribution tightened because of tampering with the files in the past and the worries that they have been compromised as a network online. Spooks and hackers have been infiltrating their networks and websites for a while now and they have caught on. Of course in some ways, the assumption should always have been so. However, attacks on the AQ propaganda sites have increased over the last couple of years to include complete take downs of certain sites through DD0S as well as compromise and destruction of their back ends. Since these occurrences, the smarter of the group have decided that it was time to create a new propaganda jihad.
Abu Hafs al–Sunni al–Sunni, is an exemplar of this mindset. He espouses that the propaganda jihad needs to be more layered and secret. His proposal is to hide the online jihad in plain sight, by making pages that have stealth links (gateway sites) that will lead the knowing, to the real sites where content can be obtained and ideas shared. His ideas were a bit ahead of the curve for most on the boards, but now, post 2011, the administrators and the core AQ I think, are taking a closer look at this model. As online sites that are non secret become more and more targeted, it is only natural that they jihad would eventually have to go underground to continue and flourish from a command and control as well as radicalization standpoint. By locking down the content with gateways to it, those who are serious could congregate behind the digital curtain and carry on, while the digital bill boards call to all those thinking about joining the fray.
As the online jihad progresses technically, so too will their followers and this is a concern. With technologies such as TOR (The Onion Router) and their “Hidden Services” one can now easily hide all content behind a network that cannot be tracked or traced. Online chats can be had in total anonymity as well as files can be left within the confines of such networks for only those who have the right address to get them (net/net meet the new digital anonymous dead drops) and it is here that once again the pivot happens within the dynamic of online jihad. Once the technological skills of the jihadi’s come online, so too will the types of attacks online that could be carried out by them as well as the success rates of kinetic attacks because they are using solid methods to transmit and connect with each other to plan operations.
Already we have seen this movement happening on the forums and it really is only a matter of time until some of these guys read the man page on how to configure their own TOR node with hidden services turned on. It is clear that the technologies are making it easier for them to hide in plain site as well as behind the technical curtain, so, it is my proposition that the next iteration of the GWOT have a component of psychological operations more involved. Just as I have said about the Anonymous situation ongoing, the greater successes are likely to come about because we better understand the players motivations and psyche’s.
Countering The Threat:
In conclusion, I see a two pronged method of attack to fight the online jihad:
- Psyops: The idea that psychological operations has always been a part of the counter insurgency effort. However, in the digital world this has been more the spooks territory than the digital warfighter. Of course the digital war is new as is the online jihad so it is a natural progression to see this type of warfare as well as detective process being implemented.
- Technical Counter-Insurgency Operations: As the technological adroitness grows on the part of the jihadi’s so should the capabilities on the counter insurgency online. It is understood that the US has quite a bit of technical know how online so it is an easier supposition to make that we will be able to step up quickly. However, it is the melding of the two (psyops/pscyhology and technical ops) that must happen to wage this battle well.
APPENDIX A:US Cases of Terrorism since 9/11
2002
• José Padilla. José Padilla (32), a native U.S. citizen, convert to Islam, and al Qaeda
operative, was arrested upon his return from the Middle East to the United States.
Although there is no question of his al Qaeda connection, his mission remains unclear.
He was convicted for providing material support to al Qaeda and sentenced in 2008.
A co-defendant, Kifah Wael Jayyousi (40), a naturalized U.S. citizen from Jordan, was
also convicted.
• The Lackawanna Six. Six Yemeni-Americans—Sahim Alwar (26), Yahya Goba (25),
Yasein Taher (24), Faysal Galab (25), Shafal Mosed (23), all born in the United States,
and Muktar al-Bakri (21), a naturalized citizen—were arrested for training at an
al Qaeda camp in Afghanistan.
• The Portland Seven. Seven individuals—Patrice Lumumba Ford (31), Jeffrey Leon
Battle (31), October Martinique Laris (25), Muhammad Ibrahim Bilal (22), Ahmed
Ibrahim Bilal (24), all native U.S. citizens; Habis Abdulla al Saoub (37), a U.S. perma-
nent resident from Jordan; and Maher Hawash (38), a naturalized U.S. citizen from
Jordan—were arrested for attempting to join al Qaeda and the Taliban.
• Earnest James Ujaama. Earnest James Ujaama (36), a native U.S. citizen, was arrested
for providing support to the Taliban.
• Imran Mandhai. Imran Mandhai (20), a U.S. permanent resident from Pakistan, told
an FBI informant that he wanted to wage war against the United States. He planned
to assemble an al Qaeda cell and attack various targets in Florida, including electrical
substations, Jewish businesses, a National Guard armory, and also, improbably, Mount
Rushmore. Under surveillance for a long time, Mandhai was arrested and subsequently
convicted of conspiracy to destroy property.
• Anwar al-Awlaki. Anwar al-Awlaki (31), a U.S. citizen born in New Mexico, studied
engineering in college and motivation in graduate school, then became an increasingly
radical imam. After being questioned by the FBI several times, he left the United States
in 2002 and went to Yemen, where he is now a leading spokesperson for al Qaeda.
2003
• Adnan Gulshair el Shukrijumah. A provisional arrest warrant was issued for Adnan
Gulshair el Shukrijumah (27), a Saudi national and legal permanent resident, who grew
up and worked in the United States. Shukrijumah was suspected of involvement in a
number of terrorist plots. In 2010, he was indicted for his involvement in the 2009 Zazi
plot to blow up New York subways.
• Iyman Faris. Iyman Faris (34), a naturalized U.S. citizen from Pakistan, was arrested
for reconnoitering the Brooklyn Bridge for a possible al Qaeda attack.
• The Northern Virginia Cluster. Eleven men were arrested in June 2003 for training
at a jihadist training camp abroad, intending to join Lashkar-e-Toiba, and planning
terrorist attacks: Caliph Basha Ibn Abdur Raheem (28), a native U.S. citizen; Sabri
Benkhala (27), a native U.S. citizen; Randoll Todd Royer (39), a native U.S. citizen;
Ibrahim al-Hamdi (25), a Yemeni national; Khwaja Mahmood Hasan (27), a natural-
ized U.S. citizen from Pakistan; Muhammed Aatique (30), a legal permanent resident
from Pakistan; Donald T. Surratt (30), a native U.S. citizen; Masoud Ahmad Khan
(33), a naturalized U.S. citizen from Pakistan; Seifullah Chapman (31), a native U.S.
citizen; Hammad Abdur-Raheem (34), a U.S.-born citizen and Army veteran of the
first Gulf War; and Yong Ki Kwon (27), a naturalized U.S. citizen from Korea. Two
other individuals were also arrested in connection with the group: Ali al-Timimi (40), a
U.S.-born citizen, and Ali Asad Chandia (26), a citizen of Pakistan. Six of the accused
pleaded guilty, and another three were convicted. Benkhala was acquitted but was later
charged and convicted of making false statements to the FBI. Al-Timimi was convicted
in 2005. The case against Caliph Basha Ibn Abdur Raheem was dismissed.
• Uzair Paracha. Uzair Paracha (23), a legal permanent resident from Pakistan, was
indicted for attempting to help an al Qaeda operative enter the United States in order
to attack gas stations. He was convicted in 2005.
• Abdurahman Alamoudi. Abdurahman Alamoudi (51), a naturalized U.S. citizen from
Eritrea, was indicted in the United States for plotting to assassinate Saudi Arabia’s
Prince Abdullah.
• Ahmed Omar Abu Ali. Ahmed Omar Abu Ali (22), a native U.S. citizen, was arrested
by Saudi authorities and later extradited to the United States for providing support to
a terrorist organization and plotting to assassinate the president of the United States.
2004
• Mohammed Abdullah Warsame. Mohammed Abdullah Warsame (31), a legal perma-
nent resident from Somalia, was arrested for conspiring to support al Qaeda. He was
found guilty and sentenced in 2009.
Chronology of the Cases
• Ilyas Ali. Ilyas Ali (55), a naturalized U.S. citizen from India, pleaded guilty to provid-
ing material support to the Taliban and al Qaeda. He attempted to sell hashish and
heroin in return for Stinger missiles, which he then planned to sell to the Taliban. Two
other defendants, Muhammed Abid Afridi and Syed Mustajab Shah, both Pakistani
nationals, were also convicted in the case.
• Amir Abdul Rashid. Ryan Gibson Anderson (26)—a native U.S. citizen and convert to
Islam who called himself Amir Abdul Rashid—was a soldier in the U.S. Army at Fort
Lewis, Washington, when he was arrested in February 2004 for contacting Islamic
websites related to al Qaeda and offering information about the U.S. Army.
• Mark Robert Walker. A Wyoming Technical Institute student, Mark Robert Walker
(19), a native U.S. citizen who, according to reports, became obsessed with jihad, was
charged with attempting to assist the Somali-based group, Al-Ittihad al Islami. He
planned to provide the group with night-vision devices and bulletproof vests.
• Mohammed Junaid Babar. Mohammed Junaid Babar (31), a naturalized U.S. citizen
from Pakistan, was arrested in New York for providing material support to al Qaeda.
• The Herald Square Plotters. Shahawar Martin Siraj (22), a Pakistani national, and
James Elshafy (19), a U.S.-born citizen, were arrested for plotting to carry out a terrorist
attack on New York City’s Herald Square subway station.
• The Albany Plotters. Yassin Aref (34), an Iraqi refugee in the United States, and
Mohammad Hossain (49), a naturalized U.S. citizen from Bangladesh, two leaders of a
mosque in Albany, New York, were arrested for attempting to acquire weapons in order
to assassinate a Pakistani diplomat.
• Adam Yahiye Gadahn. Adam Yahiye Gadahn (26), a native U.S. citizen and convert to
Islam, moved to Pakistan in 1998. By 2004, he was identified as a member of al Qaeda
planning terrorist attacks in the United States, and he subsequently became one of
al Qaeda’s principal spokesmen. He was formally indicted in 2006.
• The Abdi Case. Nuradin Abdi (32), a Somali national granted asylum in the United
States, was indicted in June 2004 for plotting with Iyman Faris to blow up a Colum-
bus, Ohio, shopping mall. (He was arrested in November 2003.)
• Gale Nettles. Gale Nettles (66), a native U.S. citizen and ex-convict, was arrested in
August in an FBI sting for plotting to bomb the Dirksen Federal Building in Chi-
cago and for attempting to provide al Qaeda with explosive material. His motive was
revenge for his conviction as a counterfeiter, but he wanted to connect with al Qaeda,
which he figured would pay him for his excess explosive materials. He was convicted
on the terrorist charge in 2005.
• Carpenter and Ransom. Two New Orleans men, Cedric Carpenter (31), a convicted
felon, and Lamont Ransom (31), both native U.S. citizens, intended to sell fraudulent
identity documents to the Philippine jihadist terrorist group Abu Sayyaf in return for
cash and heroin. Ransom, who had previously served in the U.S. Navy, was familiar
with the group. Both were convicted and sentenced in 2005.
2005
• The New York Defendants. Three defendants—Mahmud Faruq Brent (32), a U.S.-
born citizen who had attended a training camp in Pakistan run by Lashkar-e-Toiba;
Rafiq Abdus Sabir (50), a U.S.-born citizen and medical doctor who volunteered to pro-
vide medical treatment to al Qaeda terrorists; and Abdulrahman Farhane (52), a natu-
ralized U.S. citizen from Morocco who agreed to assist in fundraising for the purchase
of weapons for insurgents in Chechnya and Afghanistan—were linked to defendant-
turned-informant Tarik Shah (42), a U.S.-born citizen who was arrested in May 2005
for offering to provide training to insurgents in Iraq. Shah identified his co-defendants,
and all four were convicted.
• The Lodi Case. Hamid Hayat (22), a native-born U.S. citizen, and his father, Umar
Hayat, a naturalized U.S. citizen from Pakistan, were arrested in June 2005 for secretly
attending a terrorist training camp in Pakistan. Umar Hayat ultimately pleaded guilty
of lying to federal authorities.
• The Torrance Plotters. Kevin James (29), Levar Washington (21), and Gregory
Patterson (25), all native U.S. citizens and converts to Islam, and Hammad Riaz Samana
(21), a permanent resident from Pakistan, were charged in August 2005 with planning
to carry out terrorist attacks on National Guard armories, a U.S. military recruiting
center, the Israeli consulate, and Los Angeles International airport. (This case is some-
times referred to as the Sacramento Plot.)
• Michael Reynolds. Michael Reynolds (47), a native U.S. citizen, acquired explosives
and offered them to an informant whom he believed was an al Qaeda official to blow
up the Alaska Pipeline in return for $40,000.
• Ronald Grecula. Ronald Grecula (70), a native U.S. citizen, was arrested in Texas in
May 2005 for offering to build an explosive device for informants he believed to be
al Qaeda agents. He pleaded guilty to the charge in 2006.
2006
• The Liberty City Seven. Seven men—Narseal Batiste (32), a native U.S. citizen;
Patrick Abraham (39), a Haitian national illegally in the United States after over-
staying his visa; Stanley Grunt Phanor (31), a naturalized U.S. citizen; Naudimar
Herrera (22), a native U.S. citizen; Burson Augustin (21), a native U.S. citizen; Rothschild
Augustin (26), a native U.S. citizen; and Lyglenson Lemorin (31), a legal permanent resi-
dent from Haiti—were charged in June 2006 with plotting to blow up the FBI build-
ing in Miami and the Sears Tower in Chicago. Herrera and Lemorin were acquitted.
Chronology of the Cases
• Syed Hashmi. Syed “Fahad” Hashmi (30), a Pakistani-born U.S. citizen, was arrested
in London on charges of providing material support to al Qaeda.
• Derrick Shareef. Derrick Shareef (22), a native U.S. citizen and convert to Islam, was
arrested for planning a suicide attack on an Illinois shopping mall. He intended to
place hand grenades in garbage cans, but the plot also involved handguns.
• The Fort Dix Plotters. Six men—Mohammad Ibrahim Shnewer (22), a naturalized
U.S. citizen from Jordan; Serdar Tatar (23), a legal permanent resident from Turkey;
Agron Abdullahu (24), a U.S. permanent resident from Kosovo; and Dritan Duka (28),
Shain Duka (26), and Elljvir Duka (23), three brothers from Albania living in the
United States illegally—were charged with plotting to carry out an armed attack on
soldiers at Fort Dix, New Jersey.
• The Toledo Cluster. Mohammad Zaki Amawi (26) and Marwan El-Hindi (43), both
naturalized U.S. citizens from Jordan, and Wassim Mazloum (25), a legal permanent
resident from Lebanon, were arrested in Toledo, Ohio, for plotting to build bombs to
use against American forces in Iraq. Two additional persons were also charged in this
case: Zubair Ahmed (26), a U.S.-born citizen, and his cousin Khaleel Ahmed (25), a
naturalized U.S. citizen from India.
• The Georgia Plotters. Syed Harris Ahmed (21), a naturalized U.S. citizen, and Ehsanul
Islam Sadequee (20), a U.S.-born citizen from Atlanta, Georgia, were arrested in April
2006 for discussing potential targets with terrorist organizations and receiving instruc-
tion in reconnaissance.
• Daniel Maldonado. Daniel Maldonado (27), a native U.S. citizen and convert to
Islam, was arrested for joining a jihadist training camp in Somalia. He was captured
by the Kenyan armed forces and returned to the United States.
• Williams and Mirza. Federal authorities charged two students at Houston Commu-
nity College—Kobie Diallo Williams (33), a native U.S. citizen and convert to Islam,
and Adnan Babar Mirza (29), a Pakistani national who had overstayed his student
visa—with aiding the Taliban. According to the indictment, the two planned to join
and train with the Taliban in order to fight U.S. forces in the Middle East.
• Ruben Shumpert. Ruben Shumpert (26), also known as Amir Abdul Muhaimin, a
native U.S. citizen who had been convicted for drug trafficking, converted to Islam
shortly after his release from prison. When the FBI came looking for him in 2006, he
fled to Somalia and joined al-Shabaab. He was reportedly killed in Somalia in Decem-
ber 2008.
2007
• Hassan Abujihaad. Hassan Abujihaad (31), formerly known as Paul R. Hall, a native
U.S. citizen and convert to Islam who had served in the U.S. Navy, was arrested in
April 2007 for giving the locations of U.S. naval vessels to an organization accused of
supporting terrorists.
• The JFK Airport Plotters. Russell Defreitas (63), a naturalized U.S. citizen from
Guyana; Abdul Kadir (55) a Guyanese citizen; Kareem Ibrahim (56), a Trinidadian;
and Abdal Nur (57), another Guyanese citizen, were charged in June 2007 with plot-
ting to blow up aviation fuel tanks at John F. Kennedy Airport in New York. Defreitas
was arrested in Brooklyn. The other three plotters were arrested in Trinidad and extra-
dited to the United States.
• Ahmed Abdellatif Sherif Mohamed. Ahmed Abdellatif Sherif Mohamed (26), a U.S.
permanent resident from Egypt, was arrested for providing material support to terror-
ists by disseminating bomb-making instructions on YouTube. He pleaded guilty to the
charge.
• Omar Hammami. Now known as Abu Mansour al-Amriki, Omar Hammami
(23), a native-born U.S. citizen, left Alabama some time not later than 2007 to join
al-Shabaab in Somalia. He later appeared in the group’s recruiting videos. Hammami
was indicted in 2010 for providing support to al-Shabaab.
• Jaber Elbaneh. Jaber Elbaneh (41), a naturalized U.S. citizen from Yemen, was con-
victed in absentia by a Yemeni court for plotting to attack oil and gas installations in
Yemen. He had previously been charged in the United States with conspiring with the
Lackawanna Six. He was one of a number of al Qaeda suspects who escaped from a
Yemeni prison in 2006. He subsequently turned himself in to Yemeni authorities.
• The Hamza Case. Federal authorities charged the owner and several officials of Hamza,
Inc., a financial institution, for money laundering and secretly providing money to
al Qaeda. Those charged included Saifullah Anjum Ranjha (43), a legal permanent U.S.
resident from Pakistan; Imdad Ullah Ranjha (32), also a legal permanent resident from
Pakistan; and Muhammed Riaz Saqi, a Pakistani national living in Washington, D.C.
Also charged in the case were three Pakistani nationals living in Canada and Spain.
2008
• Christopher Paul. Christopher “Kenyatta” Paul (43), a native U.S. citizen and convert
to Islam living overseas, was arrested upon his return to the United States in April 2008
for having plotted terrorist attacks on various U.S. targets. He later pleaded guilty.
• Bryant Vinas. Bryant Vinas (26), a native U.S. citizen and convert to Islam, was
arrested in Pakistan and extradited to the United States for having joined al Qaeda in
Pakistan. He also provided al Qaeda with information to help plan a bombing attack
on the Long Island Rail Road.
• Somali Recruiting Case I. As many as a dozen Somalis may have been recruited in
the Minneapolis, Minnesota, area by Shirwa Ahmed (26), a naturalized U.S. citizen
Chronology of the Cases from Somalia, to fight in Somalia. Ahmed subsequently was
killed in a suicide bomb- ing in Somalia.
• Sharif Mobley. Sharif Mobley (26), a native U.S. citizen of Somali descent, moved
to Yemen in 2008, ostensibly to study Arabic and religion, but in reality, authorities
believe, to join a terrorist organization. He was later arrested by Yemeni authorities in
a roundup of al Qaeda and al-Shabaab militants. In March 2010, he killed one guard
and wounded another in an attempt to escape.
2009
• The Riverdale Synagogue Plot. Native U.S. citizens James Cromite (55), David
Williams (28), Onta Williams (32), and Laguerre Payen (27), a Haitian national, all con-
verts to Islam, were arrested in an FBI sting in New York in May 2009 for planning to
blow up synagogues.
• Abdulhakim Mujahid Muhammad. In June 2009, Abdulhakim Mujahid
Muhammad (23), also known as Carlos Bledsoe, a native U.S. citizen and Muslim con-
vert, killed one soldier and wounded another at an Army recruiting station in Arkansas.
• The North Carolina Cluster. Daniel Boyd (39), a native U.S. citizen and convert to
Islam who fought against the Soviets in Afghanistan in the late 1980s, was arrested
in July 2009 along with his two sons, Zakarlya Boyd (20) and Dylan Boyd (22), also
converts to Islam, and four others, including three U.S. citizens—Anes Subasic (33), a
naturalized U.S. citizen from Bosnia; Mohammad Omar Aly Hassan (22), a U.S.-born
citizen; and Ziyad Yaghi (21), a naturalized U.S. citizen—and Hysen Sherifi (24), a
legal U.S. resident from Kosovo, for plotting terrorist attacks in the United States and
abroad. Jude Kenan Mohammad (20), a U.S.-born citizen, was also a member of the
group. He was arrested by Pakistani authorities in 2008. Boyd reportedly reconnoi-
tered the Marine Corps base at Quantico, Virginia.
• Betim Kaziu. Betim Kaziu (21), a native U.S. citizen, was arrested in September
2009 for traveling overseas to join al-Shabaab or to attend a terrorist training camp in
Somalia.
• Ali Saleh Kahlah al-Marri. Ali Saleh Kahlah al-Marri (38), a U.S. permanent resi-
dent and dual national of Qatar and Saudi Arabia, was charged with attending an
al Qaeda training camp in Pakistan. He pleaded guilty to providing material support
to a terrorist group.
• Michael Finton. Michael Finton (29), a native U.S. citizen and convert to Islam, was
arrested in September 2009 in an FBI sting for planning to blow up a federal court-
house in Springfield, Illinois.
• Hosam Maher Smadi. Hosam Maher Smadi (19), a Jordanian citizen living in the
United States, was arrested in September 2009 in an FBI sting for planning to blow up
an office building in Dallas, Texas.
• Najibullah Zazi. Najibullah Zazi (25), a permanent U.S. resident from Afghanistan,
was arrested in September 2009 for receiving training in explosives at a terrorist train-
ing camp in Pakistan and buying ingredients for explosives in preparation for a ter-
rorist attack in the United States. Indicted with Zazi were his father, Mohammed Zazi
(53), a naturalized U.S. citizen from Afghanistan, and Ahmad Afzali (38), a U.S. per-
manent resident from Afghanistan, both for making false statements to federal inves-
tigators; neither was involved in the terrorist plot. In January 2010, authorities arrested
Adis Medunjanin (24), a naturalized U.S. citizen from Bosnia, and Zarein Ahmedzay
(25), a naturalized U.S. citizen from Afghanistan, and charged them with participat-
ing in the plot.
• Tarek Mehana. In October 2009, federal authorities in Massachusetts arrested Tarek
Mehana (27), a dual citizen of the United States and Egypt, for conspiring over a seven-
year period to kill U.S. politicians, attack American troops in Iraq, and target shopping
malls in the United States. Two other individuals, including Ahmad Abousamra (27), a
U.S. citizen, were allegedly part of the conspiracy. Abousamra remains at large.
• David Headley. In an increasingly complicated case, David Headley (49), a U.S.-born
citizen of Pakistani descent and resident of Chicago, was arrested in October 2009
along with Tahawar Rana (48), a native of Pakistan and a Canadian citizen, for plan-
ning terrorist attacks abroad. Headley was subsequently discovered to have partici-
pated in the reconnaissance of Mumbai prior to the November 2008 attack by the ter-
rorist group Lashkar-e-Toiba. He pleaded guilty in March 2010.
• Colleen Renee LaRose. Calling herself “Jihad Jane” on the Internet, Colleen Renee
LaRose (46), a native U.S. citizen and convert to Islam, was arrested in October 2009
for plotting to kill a Swedish artist whose drawings of Muhammad had enraged Mus-
lims and for attempting to recruit others to terrorism. Her arrest was concealed until
March 2010. LaRose pleaded guilty to the charges.
• Nidal Hasan. In November 2009, Nidal Hasan (38), a native U.S. citizen and Army
major, opened fire on fellow soldiers at Fort Hood, Texas, killing 13 and wounding 31.
• The Pakistan Five. In November 2009, five Muslim Americans from Virginia—
Umar Farooq (25), a naturalized U.S. citizen from Pakistan; Ramy Zamzam (22), who
was born in Egypt, immigrated to the United States at the age of two, and became a
citizen by virtue of his parents becoming citizens; Waqar Hassan Khan (22), a natu-
ralized U.S. citizen from Pakistan; Ahmad Abdullah Mimi (20), a naturalized U.S.
citizen from Eritrea; and Aman Hassan Yemer (18), a naturalized U.S. citizen from
Ethiopia—were arrested in Pakistan for attempting to obtain training as jihadist guer-
rillas. Khalid Farooq, Umar Farooq’s father, was also taken into custody but was later
released. The five were charged by Pakistani authorities with planning terrorist attacks.
• Somali Recruiting Case II. In November 2009, federal authorities indicted eight
men for recruiting at least 20 young men in Minnesota for jihad in Somalia and rais-
ing funds on behalf of al-Shabaab. By the end of 2009, a total of 14 indictments had
been handed down as a result of the ongoing investigation. Those indicted, all but
one of whom are Somalis, were Abdow Munye Abdow, a naturalized U.S. citizen from
Somalia; Khalid Abshir; Salah Osman Ahmad; Adarus Abdulle Ali; Cabdulaahi Ahmed
Faarax; Kamal Hassan; Mohamed Hassan; Abdifatah Yusef Isse; Abdiweli Yassin Isse;
Zakaria Maruf; Omer Abdi Mohamed, a legal permanent resident from Somalia; Ahmed
Ali Omar; Mahanud Said Omar; and Mustafa Salat. No age information is available.
• Abdul Tawala Ibn Ali Alishtari. Abdul Tawala Ibn Ali Alishtari (53), also known as
Michael Mixon, a native U.S. citizen, was indicted and pleaded guilty to attempting to
provide financing for terrorist training in Afghanistan.
2010
• Raja Lahrasib Khan. Raja Lahrasib Khan (57), a naturalized U.S. citizen from Paki-
stan, was charged with sending money to Ilyas Kashmiri, an al Qaeda operative in
Pakistan, and for discussing blowing up an unidentified stadium in the United States.
• Times Square Bomber. Faisal Shazad (30), a naturalized U.S. citizen from Pakistan,
had studied and worked in the United States since 1999. In 2009, he traveled to Paki-
stan and contacted the TTP (Pakistan Taliban), who gave him instruction in bomb-
building. Upon his return to the United States, he built a large incendiary device
in a sport utility vehicle (SUV) and attempted unsuccessfully to detonate it in New
York City’s Times Square. He was arrested in May 2010. Three other individuals were
arrested in the investigation but were never charged with criminal involvement in the
case.
• Jamie Paulin-Ramirez. The arrest of Colleen R. LaRose (“Jihad Jane”) in 2009 led to
further investigations and the indictment of Jamie Paulin-Ramirez (31), also known as
“Jihad Jamie.” Paulin-Ramirez, a native-born U.S. citizen and convert to Islam, alleg-
edly accepted an invitation from LaRose to join her in Europe in order to attend a
training camp there. According to the indictment, she flew to Europe with “the intent
to live and train with jihadists.” She was detained in Ireland and subsequently returned
to the United States, where she was arraigned in April 2010.
Wesam el-Hanafi and Sabirhan Hasanoff. Wesam el-Hanafi (33), also known
as “Khaled,” a native-born U.S. citizen, and Sabirhan Hasanoff (34), also known as
“Tareq,” a dual U.S.-Australian citizen, were indicted for allegedly providing material
In September 2010, Sami Samir Hassoun (22), was arrested in an FBI sting in Chicago
for attempting to carry out a ter-rorist bombing. Hassoun expressed anger at Chicago
Mayor Richard Daley. It is not clear that the case is jihadist-related.
In December 2010, Awais Younis (26), a naturalized U.S. citizen from Afghanistan, was
arrested for threatening to bomb the Washington, D.C., Metro system. He made the threat on
Facebook, and it was reported to the authorities. Neither of these cases is included in the chronology.
support to a terrorist group. The two men, one of whom traveled to Yemen in 2008,
provided al Qaeda with computer advice and assistance, along with other forms of aid.
• Khalid Ouazzani. Khalid Ouazzani (32) pleaded guilty in May to providing material
support to a terrorist group. Ouazzani, a Moroccan-born U.S. citizen, admitted to rais-
ing money for al Qaeda through fraudulent loans, as well as performing other tasks at
the request of the terrorist organization between 2007 and 2008.
• Mohamed Mahmood Alessa and Carlos Eduardo Almonte. Two New Jersey men,
Mohamed Mahmood Alessa (20), a native U.S. citizen, and Carlos Eduardo Almonte
(24), a naturalized citizen from the Dominican Republic and convert to Islam, were
arrested in June at New York’s JFK Airport for conspiring to kill persons outside the
United States. The two were on their way to join al-Shabaab in Somalia.
• Barry Walter Bujol, Jr. Barry Walter Bujol, Jr. (29), a native U.S. citizen and convert
to Islam, was arrested as he attempted to leave the United States to join al Qaeda in
Yemen. He had been under investigation for two years and was in contact with an
undercover agent he believed to be an al Qaeda operative.
• Samir Khan. In June 2010, the Yemen-based affiliate of al Qaeda began publishing
Inspire, a slick, English-language online magazine devoted to recruiting Western youth
to violent jihad. The man behind the new publication was Samir Khan (24), a Saudi-
born naturalized U.S. citizen who moved to the United States with his parents when
he was seven years old. He began his own journey to violent jihad when he was 15. He
reportedly left the United States in late 2009, resurfacing in Yemen in 2010.
• Rockwood’s Hitlist. Paul Rockwood (35), a U.S. citizen who served in the U.S. Navy
and converted to Islam while living in Alaska, was convicted in July 2010 for lying
to federal authorities about drawing up a list of 15 targets for assassination; they were
targeted because, in his view, they offended Islam. He was also accused of research-
ing how to build the explosive devices that would be used in the killings. His wife,
Nadia Rockwood (36), who has dual UK-U.S. citizenship, was convicted of lying to
authorities.
• Zachary Chesser. Zachary Chesser (20), a native U.S. citizen and convert to Islam, was
arrested for supporting a terrorist group in July as he attempted to board an airplane to
fly to Somalia and join al-Shabaab. Chesser had earlier threatened the creators of the
television show South Park for insulting Islam in one of its episodes.
• Shaker Masri. A U.S. citizen by birth, Shaker Masri (26) was arrested in August 2010,
allegedly just before he planned to depart for Afghanistan to join al Qaeda or Somalia
to join al-Shabaab.
• Somali Recruiting Case III. As part of a continuing investigation of recruiting and
funding for al Qaeda ally al-Shabaab, the U.S. Department of Justice announced four
indictments charging 14 persons with providing money, personnel, and services to the
terrorist organization. In Minnesota, 10 men were charged with terrorism offenses for
leaving the United States to join al-Shabaab: Ahmed Ali Omar (27), a legal permanent
resident; Khalid Mohamud Abshir (27); Zakaria Maruf (31), a legal permanent resident;
Mohamed Abdullahi Hassan (22), a legal permanent resident; Mustafa Ali Salat (20), a
legal permanent resident; Cabdulaahi Ahmed Faarax (33), a U.S. citizen; and Abdiweli
Yassin Isse (26). Three were new on the list and had been the subject of previous indict-
ments: Abdikadir Ali Abdi (19), a U.S. citizen; Abdisalan Hussein Ali (21), a U.S. citi-
zen; and Farah Mohamed Beledi (26). A separate indictment named Amina Farah Ali
(33) and Hawo Mohamed Hassan (63), both naturalized U.S. citizens, for fundraising
on behalf of al-Shabaab. A fourth indictment charged Omar Shafik Hammami (26),
a U.S. citizen from Alabama, and Jehad Sherwan Mostafa (28) of San Diego, Califor-
nia, with providing material support to al-Shabaab. (Hammami’s involvement is listed
in this chronology under the year 2007, when he first left the United States to join
al-Shabaab; Mostafa is listed separately in the next entry.)
• Jehad Serwan Mostafa. In August 2010, Jehad Serwan Mostafa (28), a native U.S.
citizen, was indicted for allegedly joining al-Shabaab in Somalia. He reportedly left
the United States in December 2005 and was with al-Shabaab between March 2008
and June 2009.
• Abdel Hameed Shehadeh. Abdel Hameed Shehadeh (21), a U.S.-born citizen of Pal-
estinian origin, was arrested in October for traveling to Pakistan to join the Taliban
or another group to wage jihad against U.S. forces. Denied entry to Pakistan, then
Jordan, Shehadeh returned to the United States and subsequently attempted to join
the U.S. Army. He allegedly hoped to deploy to Iraq, where he planned to desert and
join the insurgents. When that did not work out, he tried again to leave the country
to join the Taliban.
• Farooque Ahmed. Farooque Ahmed (34), a naturalized U.S. citizen from Pakistan, was
arrested in October for allegedly plotting to bomb Metro stations in Washington, D.C.
FBI undercover agents learned of Ahmed’s intentions by posing as al Qaeda operatives.
• Shabaab Support Network in San Diego. Saeed Moalin (33), a naturalized U.S. cit-
izen from Somalia, Mohamed Mohamed Mohamud (38), born in Somalia, and Issa
Doreh (54), a naturalized U.S. citizen from Somalia, all residents of San Diego, were
arrested for allegedly providing material support to al-Shabaab. The investigation of
this network is continuing, and a fourth man from Southern California, Ahmed Nasir
Taalil Mohamud (35), was subsequently indicted.
• Al-Shabaab Fundraising II. In November, federal authorities arrested Mohamud
Abdi Yusuf (24), a St. Louis resident, and Abdi Mahdi Hussein (35) of Minneapolis,
both immigrants from Somalia. The two are accused of sending money to al-Shabaab
in Somalia. A third person, Duane Mohamed Diriye, believed to be in Africa, was also
indicted.
• Nima Ali Yusuf. Nima Ali Yusuf (24), a legal permanent resident originally from Soma-
lia, was arrested in November for allegedly providing material support to a terrorist
group. She was accused of attempting to recruit fighters and raise funds for al-Shabaab.
• Mohamed Osman Mohamud. Mohamed Osman Mohamud (19), a naturalized U.S.
citizen originally from Somalia, was arrested in December for attempting to detonate
what he believed to be a truck bomb at an outdoor Christmas-tree-lighting ceremony
in Portland, Oregon. He reportedly had wanted to carry out some act of violent jihad
since the age of 15. His bomb was, in fact, an inert device given to him by the FBI,
which set up the sting after it became aware of his extremism through a tip and subse-
quent monitoring of his correspondence on the Internet.
• Antonio Martinez. Antonio Martinez (21), also known as Muhaamed Hussain, a nat-
uralized U.S. citizen and convert to Islam, was arrested in December for allegedly plot-
ting to blow up the Armed Forces Career Center in Catonsville, Maryland. The car
bomb he used to carry out the attack was a fake device provided to him by the FBI,
which had been communicating with him for two months.
APPENDIX B: Research Materials
1302002992ICSRPaper_ATypologyofLoneWolves_Pantucci
Wk 6-3 Terrorism background psychology Sageman
Yes Virginia, There Are Hackers and Spooks On Militant Boards…
A prominent poster on the elite password-protected jihadi web site Shumukh has told fellow forum members his account on the site has been hacked to send spyware to fellow forum participants.
The user, who goes by the handle “Yaman Mukhadab,” posted on August 28 that “it seems that someone is using my account and is somehow sending messages with my name to the members,” according to Flashpoint Partners, which translated the discussion for Danger Room. Shumukh uses software from vBulletin, which allows members to send private messages to each other.
Mukhadab’s handiwork has attracted attention beyond the forum. He was one of the contributors to the site’s lame recent attempt at creating a fantasy target wishlist comprised of American security industry leaders, defense officials and other public figures.
From Wired
Yeah, yeah, yeah, once again Wired got a little tidbit from Evan Kohlmann to keep his Flashpoint company relevant and in the news. Blah blah blah. Look, Adam is it? Yeah, Adam, there is much more that goes on on this site and the myriad others that Evan isn’t telling you. Sure, this guy Yaman got a little twitchy and he is right to be so lately. There has been A LOT of other things going on on both sides of the fence lately that ol’ Evan hasn’t let you in on, or more likely, has no clue of.
- There are hackers, both at the behest of the government and those not avowed going at these sites. Some are just knocking them down for periods of time (Jester etc) Some who are auditing the sites and actually interacting at times with the players after owning them, and SOME who are just hacking the shit out of the sites and wreaking havoc. The latter was seen back a month or two ago with the take down of Ansar. They just RM’d that sucker, but, the jihadi’s had a backup and they were online within days. (which you mentioned.. good)
- Most of these sites have sections where the the newbies are being taught hacking skills. Some of these tutorials are low level (like the lulz types we saw not too long ago *protect your MACIP’s) Others are quite well versed in hacking and have tutorials on the level of something to worry about. In fact, some of these sites contain the works of friends of mine in the security community that they have posted as research. Within these sections we have areas where the jihadi’s have an assortment of upload/download sites for malware (mostly these are older packages) but some of the newer posts have malware and creation kits that are up to today’s standards (which you failed to mention)
- The version of AQAP’s “Inspire you talk about was tampered with *cupcakes* as well as one version did in fact have a trojan. (which you failed to mention)
- The list of targets wasn’t so much lame as it was a new call to the “lone wolves” on these boards to act on it. There is a change in the way these guys are waging jihad that is not really covered by Evan and you. Did you know for instance that there is a Facebook Jihad (propaganda war) that is ongoing? As well as guys like Abu Hafs Al Suni Al Suni are advocating for a ‘stealth jihad’ ? Yeah, they are, and they have been busy trying to propagandise and get the word out to those lone nutjobs that might in fact try something like say, pick a name off of that ‘lame’ list as you called it. It wouldn’t be so lame after they actually whacked someone would it?
Sure, a good deal of this and the other jihobbyist sites are full of dreck, but, there are pockets of true believers, and your little piece in Wired downplays it all.
For more:
GCHQ/SIS AQ Media PSY-OP: Messin With Jihobbyists
Also try this little Google Search for spyware posts on the board. They have been busy.
As a side note, the Jihadi’s also went further and opted to go after the MEMRI organization as well. In a later post by Yaman, they list out the leaders of the org as targets as well. What makes me wonder is which one of them has a log and pass for MEMRI (hint hint MEMRI check your logs)
All in all, another bang up job Wired… *sarcasm implied*
K.
DEFCON PANEL: Whoever Fights Monsters: Confronting Aaron Barr, Anonymous, and Ourselves Round Up
A week before this year’s DEFCON, I got a message that I was being considered to replace Aaron in the the “Confronting Aaron Barr” panel discussion. It was kind of a surprise in some ways, but seemed like a natural choice given my tet-e-tet with Anonymous, LulzSec, and even Mr. Barr. After coming to BlackHat and seeing the keynote from Cofer Black, it became apparent that this year, all of these conferences were about to see a change in the politics of the times with reference to the hacking/security community and the world of espionage and terrorism. Two things that I have been writing about for some time and actually seeing take place on the internet for more than a few years with APT attacks on Defense Base contractors and within Jihadist propaganda wars.
Going into the planning for the panel discussion, I was informed that I was hoped to be the stand in for Aaron in that I too see the world as very grey. Many of my posts on the Lulz and Anonymous as well as the state of affairs online have been from the grey perspective. The fact is, the world is grey. There is no black and white. We all have varying shades of grey within our personalities and our actions are dictated by the levels to which our moral compasses allow. I would suggest that the example best and most used is that of torture. Torture, may or may not actually gain the torturer real intelligence data and it has been the flavor of the day since 9/11 and the advent of Jack Bauer on “24” face it, we all watched the show and we all did a fist pump when Jack tortured the key info out of the bad guy to save the day. The realities of the issue are much more grey (complex) and involve many motivations as well as emotions. The question always comes down to this though;
If you had a terrorist before you who planted a dirty nuke in your city, would you ask him nicely for the data? Give him a cookie and try to bond with him to get the information?
Or, would you start using sharp implements to get him to talk in a more expedient fashion?
We all know in our darkest hearts that had we families and friends in that city we would most likely let things get bloody. Having once decided this, we would have to rationalize for ourselves what we are doing and the mental calculus would have to be played out in the equation of “The good of the one over the good of the many” If you are a person who could not perform the acts of torture, then you would have to alternatively resolve yourself to the fates as you forever on will likely be saying “I could have done something” Just as well, if you do torture the terrorist and you get nothing, you will also likely be saying “What more could I have done? I failed them all” should the bomb go off and mass casualties ensue.
I see both options as viable, but it depends on the person and their willingness to either be black and white or grey.
Within the security community, we now face a paradigm shift that has been coming for some time, but only recently has exploded onto the collective conscious. We are the new front line on the 5th battlespace. Terrorists, Spies, Nation States, Individuals, Corporations, and now ‘collectives’ are all now waging war online. This Black Hat and Defcon have played out in the shadow of Stuxnet, a worm that showed the potential for cyber warfare to break into the real world and cause kinetic attacks with large repurcussions physically and politically. Cofer Black made direct mention of this and there were two specific talks on SCADA (one being on the SYSTEM7’s that Iran’s attack was predicated on) so we all ‘know’ that this is a new and important change. It used to be all about the data, now its all about the data AND the potential for catastrophic consequences if the grid, or a gas pipeline are blown up or taken down.
We all will have choices to make and trials to overcome… Cofer was right.
“May you live in interesting times” the Chinese say…
Then we have the likes of Anonymous, Wikileaks, and the infamous ‘LulzSec’ Called a ‘Collective’ by themselves and others, it is alleged to be a loose afiliation of individuals seeking to effect change (or maybe just sew chaos) through online shenannigans. Theirs and now their love child ‘LulzSec’ ideas on moral codes and ethics really strike me more in line with what “The Plague” said in “Hackers” than anything else;
“The Plague: You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai… the Keyboard Cowboys… and all those other people who have no idea what’s going on are the cattle… Moooo.”
Frankly, the more I hear out of Anonymous’ mouthpieces as well as Lulzs’ I think they just all got together one night after drinking heavily, taking E, and watching “Hackers” over and over and over again and I feel like Curtis exclaiming the following;
“Curtis: If it isn’t Leopard Boy and the Decepticons.”
So, imagine my surprise to be involved in the panel and playing the grey hat so to speak. The panel went well and the Anon’s kept mostly quiet until the question and answer after, but once they got their mouths open it was a deluge. For those of you who did not see the panel discussion you can find the reporting below. My take on things though boils down to the following bulletized points:
- Anons and Lulz need to get better game on if they indeed do believe in making change happen. No more BS quick hits on low hanging fruit.
- Targets need recon and intelligence gathered has to be vetted before dumping
- Your structure (no matter how many times you cry you don’t have one) can be broken so take care in carrying out your actions and SECOPS
- Insiders have the best data… Maybe you should be more like Wikileaks or maybe an arm of them.
- Don’t be dicks! Dumping data that can get people killed (i.e. police) serves no purpose. Even Julian finally saw through is own ego enough on that one
- If you keep going the way you have been, you will see more arrests and more knee jerk reactions from the governments making all our lives more difficult
- Grow up
- The governments are going to be using the full weight of the law as well as their intelligence infrastructure to get you. Aaron was just one guy making assertions that he may or may not have been able to follow through on. The ideas are sound, the implementation was flawed. Pay attention.
- If you don’t do your homework and you FUBAR something and it all goes kinetically sideways, you are in some deep shit.
- You can now be blamed as well as used by state run entities for their own ends… Expect it. I believe it has already happened to you and no matter how many times you claim you didn’t do something it won’t matter any more. See, all that alleged security you have in anonymous-ness cuts both ways…
- Failure to pay attention will only result in fail.
There you have it, the short and sweet. I am sure there are a majority of you anonytards out there who might not comprehend what I am saying or care.. But, don’t cry later on when you are being oppressed because I warned you.
K.
http://www.darkreading.com/security/attacks-breaches/231300360/building-a-better-anonymous.html
http://www.pcworld.idg.com.au/article/396320/three_tips_better_anonymous
http://www.wired.com/threatlevel/2011/08/defcon-anonymous-panel/
http://venturebeat.com/2011/08/06/defcon-panel-anonymous-is-here-lulzsec-is-here-theyre-everywhere/
Not So 3R337 Kidz
Once again we find ourselves following the story of a new uber dump of data on a Friday (Fuck FBI Friday’s) as they have been dubbed by the skiddies. It seems that 4cid 8urn, C3r3al Kill3r, and Zer0C00l once again have failed to deliver the goods in their #antisec campaign with their ManTech dump. ManTech, for those who don’t know, is a company that handles defense and government security contracts for such things as secure networks etc. The skiddies decided to try and haxx0r the Gibson and get the goods on the bad bad men at ManTech.
Once again, they failed.
The files are mostly UNCLASS (kids, that means UN-CLASSIFIED mmkay?) with a few SBU (Sensitive but UNCLASSIFIED) as well. Many of the files are just documents of finances, bills, resume’s and email addresses that frankly you could get with a good Googling session. Again, we are not impressed by this crap Lulz skiddies. I have told you once, and now I till tell you again, you are failing to deliver anything of interest really.
Now, if you were real APT, then you would have used the data in the excel sheets to create some nice phishing exploits and then gone on to root some good shit. But no, you aren’t that advanced are you? You just want to do the quick hit and dump your ‘booty’ to collect the love from your adoring, albeit stupid, fans. I am sure some of them are at home now wanking off to the idea that you have really stuck it to ManTech and by proxy ‘the man’
Well, you haven’t.. Not so 3r337 as Raz0r and Bl4d3 say.
What you keep failing to understand are sever key things here:
- The good shit is in more protected systems, ya know, like the ones Manning had access to
- You have no idea what you are taking or what you are dumping! Bitch please, understand the classification markings!
- It’s only important to your ‘movement’ if the data actually uncovers bad behavior on the part of the government!
And it’s on that last point I want to harp a little more on. You guys say you are exposing fraud and devious behavior (other than your own subversive tendencies?) and yet, you keep missing the mark. There have been no cohesive plots outed by you other than Aaron and HB Gary’s little foray into creating 0day and programs for propaganda tools online.
Yay you!… ehhh… not so much.
You certainly did spank Aaron though, and for that my top hat and monocle are off to you. He rather deserved what he got for being so God damned stupid. However, you must all understand that these are the standard operating procedures in warfare (PSYOPS, INFOWAR, PROPAGANDA) every nation plays the game and its just the way of life. So, unless you get some real data of a plan to use this type of tech by the US on the US, (other than Rupert & Co.) Once again, I am not really so impressed.
Of course, you have to know that you are now the target of all of those tools right? Not only by the US, but other nations as I have mentioned before. Do you really think that you have not opened the door for other nation states to attack using your name? No one mentioned yet that you are now considered domestic terrorists and could even be considered non domestic after you get caught? You have opened Pandora’s box and all the bad shit is coming.. And much of it is going to be aimed straight at you.
The ironic thing is this.. You have delivered shit. It’s the idea and the cover you have given other nation states or individuals that is key here. You say you can’t arrest an idea… I say certainly not! BUT They can arrest YOU and then make that IDEA not so appealing to the other skiddies once your prosecutions begin on national TV.
So keep it up.. That hornets nest won’t spew hundreds of angry wasps…
ウェブ忍者が失敗する : Dox-ing, Disinformation, and The Fifth Battlespace
Digital Ninja Fail: ウェブ忍者が失敗する
The recent arrests of alleged key members of LulzSec and Anonymous have been called into question by the ‘Web Ninja’s‘, a group of would be hackers who have been ‘DOX-ing” the anonymous hierarchy for some time now. Yesterday, they posted the following on their page concerning the arrest of a man from the Shetland Islands who is purported to be ‘Topiary‘ by the Met and SOCA.
Now, this is a bold statement for anyone who really knows what they are doing in the intelligence analysis field. So, it is my supposition that these guys have no clue about what they are doing by making bold assertions like this. The data they have is tenuous at best and by making such bold statements, I have to wonder if indeed the so called ‘Ninja’s” themselves might not be a tool of anonymous to in fact sow that disinformation.
Here are the facts as I see them;
- To date, the federal authorities have not questioned anyone who was DOX’d by the Ninja’s that I am aware of
- The individuals who were DOX’d that were investigated by the authorities were in fact outed by LulzSec/Anonymous themselves
- Adrian Chen has spoken to the person that the Ninja’s have fingered and claims that he (said person) went to the authorities himself. So far he is still not a suspect.
So, taking into account these facts, I would have to say that the Ninja’s have failed in their stated mission so far and I would suffice to say that if they are indeed a part of a disinformation campaign, then that too has failed. After all, the police seem to be ignoring the data put on the interent by the likes of the Ninja’s in favour of other tried and true tactics. The primary tactic as I see it, is grab one individual and then get them to roll over on their compatriots in the face of massive jail time.
This pretty much works all the time as we, as human beings, are most willing to sacrifice others for the self. In the case of the likes of LulzSec skiddies, I would have to say that the ages of the players, and their generational tendencies will allow them to cut deals pretty quickly. It’s my assessment that they are in it for the self gratification and lulz, not for the altruism that the LulzSec and Anonymous press releases have been trying to have one believe. My assumption is that if indeed the 19 year old guy they popped in Scotland is involved with LulzSec, and is in fact Topiary, he will roll over soon enough.
I also believe that these are all untrained operatives and they have made and will make more mistakes. I am pretty sure that the alleged “leaderless” group has leaders AND that unlike a true guerrilla warfare cell, will know the other players personal details. Essentially, they have had no compartmentalisation and they will all fall eventually though interrogation and deal making. As I said before, the insider threat to the organisation is key here, and it was this idea I think the Ninja’s had.. Well, at least that was the original idea of the Ninja Warrior. They were spies who infiltrated the ranks and destroyed from within.
So far with these guys.. Not so much.
Welcome To Spook World: Disinformation Campaigns and Intelligence Analysis
Now, on the whole disinformation thing, I know that the Lulz and Anonymous have said that they are using disinformation as well to try and create a smoke screen. Frankly, all of the intelligence out there that is open source is suspect. Maltego map’s of end user names as I have shown in the past can be useful in gathering intelligence… Sometimes. For the most part, if a user keeps using a screen name in many places and ties that name to real data, then they can be tracked, but, it takes a lot of analysis and data gathering to do it. Though, many of the foot soldiers within the Anon movement are young and foolish enough to just keep using the same screen names for everything so there is a higher likelihood that the data being pulled up on Maltego and with Google searches is solid enough to make some justified conclusions.
With the more experienced people though, there has been some forethought and they have protected their identities as best they could. What became their real downfall was that they could not rise above petty infighting and dox-ing each other. Thus you have the start of the potential domino effect on the core group as well as anyone who has any peripheral affiliation with the Lulz. Be assured, those who have been pinched are giving up as many names as possible as well as whatever is on their hard drives, Anon hacker manuals or not. All of these scenarios lead to the conclusion of more arrests by the authorities and even more skiddies getting into legal trouble around the globe. Meanwhile though, if the core group has been smart, then perhaps the leaders will skate for a time, using the masses as canon fodder.
Gee kids.. Did you know that you were all expendable?
On another tac, I would like to speak about the potential of the disinformation campaigns being perpetrated by the authorities as well. Consider that the trained professionals out there who are hunting these characters (Topiary, Sabu, et al.) are also adept at using not only the technologies of the fifth battlespace, but also the training afforded them in ‘spook world’ This means disinformation campaigns, mole hunts, and insurgencies of their own, getting to the inner core of Anonymous and Lulz. Now, that there were six (alleged) lulzer’s it would be more difficult to do, especially if those LulzSec folks really do know one another (as they claim they do not, which, I just don’t buy.. Remember the compartmentalisation issue) The agent provocateur’s are out there I am sure and with each rung of the ladder, they get closer to the core group.
That is unless the core group falls apart on their own and DOX’s each other out. In the end, I am going to suggest that the authorities will use all of the tricks of the trade on the Anon/Lulz folks to bag them… And with concerted effort by government resources, they will get their men/women.
Untrained, Unruly, and Unprofessional Operators:
“Discretion is the better part of valour” as they say, and in the case of the Lulz and Anon crews, they seem to not have a clue. Perhaps the Lulz think that by being unruly and unpredictable to a certain amount, will be just the cover they need, but, I think that their lack of discretion will be their undoing as well as their hubris. Had many of these folks had some real training, they might have just stood down for a while (not just a week or so) after setting sail into the sunset.
As I have said before, it was a bad idea to recruit and have comm’s out in the open on IRC servers even if they had ‘invite only’ channels. As is being seen now, someone (jester perhaps) has taken down their servers again after other outages due to Ryan Cleary’s attack and pressure from the government on those connection sources that the Anon’s were using. I am sure the idea was to have a movement that could also serve as diversion for the core users as well as to LOIC, but this all failed in the end didn’t it? The LOIC is what has given the FBI the 1,000 IP addresses as a hit list, so to speak, that they are now using to collect people and charge them for the DD0S attacks.
Had these people been trained or not been so compulsive, they might have had more of a chance to keep this up for a much much longer time. As I write, the Lulz do continue, but they have slowed quite a bit since the arrests started again. This I think is because the cages are starting to get rattled and people are finally coming to the conclusion that some discretion is needed to not end up Bubba’s play pal in prison. It’s a learning curve, and likely going to be a painful one for the kiddies.
Unprofessional actions within this area of battle will end up with your being put in jail kids.
To end this section I would also like to add this thought. My assessment of the Lulz core group is this;
- They were drunk on the power of their escapades
- The more followers they had and more attention, the less risk averse they became
- They seem to have compulsion disorders (don’t say it.. Aspergers!) that seem to not allow them to lay low (until now it seems)
- The ego has eaten their id altogether
- Base ages are within the teens with a couple over 20
Technical Issues Within The Fifth Battlespace:
Another BIG issue within this battlespace is the technology. The Anon’s and Lulz have been ascribing to the idea of “Proxies, we haz them! So we’re secure!” and to a certain extent they are right. There are always ways around that though and certainly leaks in data (such as the TOR leaks that have happened) that could lead someone to locate the end user behind the proxy, so they are not fool proof. Certainly not if the fool in question is some skiddie 12 year old using LOIC un-proxied and not obfuscated while they D0S Paypal.
The problem is that the technology could fail you as well as the untrained operative could make small and large mistakes that could lead authorities right back to their IP and home accts. On the other side of that equation is that when properly done, it is damn hard to prove a lot in hacking cases because of obfuscation, as well as mis-configured end systems that have been hit. I cannot tell you how many times I have seen incidents play out where the target systems had no logging on as well as being completely un-secured, thus leaving practically nothing for a forensics team to find and use.
Once again, this brings us back to the insider threat, whether they be the insider who decides to go turncoat, or, the agent provocateur (i.e. Jester and the Ninja’s as well as others from the authorities) who infiltrate the Lulz and then gut them from the inside. What it really boils all down to is that in the end, it will be the foibles of the Lulz core and the actions of spooks that will bring them down.. And I think they are learning that very fact now.
JIN; One Must Know The Enemies Mind To Be Victorious:
As a last note, I would like to say to the Ninja’s, you need to learn and practice your Kuji-in. It is obvious to me that you have failed on the ‘Jin’ (knowing the opponents mind) with your dox attempts. Until such time as I see people being hauled in that directly relate to your documents posted, then I am going to consider the following to be the case:
- DOX-ing is mostly useless and takes quite a bit of analysis before just releasing names
- The Feds are not taking your data as gospel, nor should the general public or media
- You yourselves may in fact be a tool of Anonymous/Lulz and as such, spewing disinformation
- You could be right, but by releasing it to the public at large, you are letting the Lulz know to destroy evidence and create obfuscation that will hinder arrests later.
Ninja’s got results.. Not so much for ‘Web’ Ninjas. At least Jester, if his claims are true, is breaking their C&C channels lately.. Which has its own problematic issues.. Just like his meddling in the Jihadi area, but, that’s a story for another time.
K.
Team Inject0r: The Multinational Connection
The recent compromise of a NATO server by “Team Inj3ct0r” has recently made the news, but, as the media usually do, they did not look any deeper than the website for Inj3ct0r and perhaps a little data as to what the team said in a text doc on the compromised server. A further examination of the group shows that Inj3ctor has been around since 2008, and has ties to Chinese hackers as well as Russia, Turkey and other countries.
This could change the paradigm on the “hacktivism” moniker that Team Inj3ctor has branded themselves with recently (post the goings on with Anonymous and LulzSec/Antisec movements) Before these movements, this site and the teams all were loosely linked and purveyors of 0day, and not so much in it for any political means. What has changed? Who might benefit here to use the hacktivism movement as a cover for hacking activities that could cause a stir?
… Maybe the PLA? Maybe the FSB?…Some other political orgs from Gaza? or Turkey?
Or, perhaps they are just a bunch of hackers who like the cause celebre of hacktivism? It’s hard to say really, but, when you get China into the mix, the lines blur very very fast.
Below I am outlining the data I collected on the main inj3ct0r site, its owner, and two of the players who are on both teams of hackers that span China and Russian hacking. This makes for a new wrinkle in the Anonymous/Lulz movement in that the NATO hack was claimed by someone using the name “Team Inj3ct0r” and this site seems to fit the bill as the source of the attack since it has been quoted by the hackers that they used 0day on the NATO server to crack it and keep access. If indeed there are connections to state sponsored hacking (as the China connection really does lead me to believe) then we have a new problem, or perhaps this has been the case all along that the state sponsored hackers have been within Anonymous, using them as cover.
Another interesting fact is the decision to attack NATO. Was it a hack of opportunity? Or was there a political motive here? As I have seen that these groups are multi-national, perhaps this attack had a overall political agenda in that NATO is supposed to be the worlds policeman. I am still unsure.
Teams and Members:
In looking at the sites and the members, it came to light that two members belong to each of the teams (inj3ct0r and DIS9) The two are “knockout” and “Kalashinkov3” The teams are tied together in the way they present their pages and the data they mirror so it is assumed that they have a greater connection underneath. In fact, more of them may be working together without being named in the teams listed below. Each of these people have particular skills and finding 0day and posting them to this site and others for others to use.
Team Inj3ct0r: http://77.120.120.218/team
Team Inj3ct0r’s site is located in Ukraine and is registered to a Matt Farrell (mr.r0073r@gmail.com) My assumption is that the name given as well as the address and phone numbers are just bogus as you can see they like to use the netspeak word “1337” quite a bit. A secondary tip on this is that the name “Matt Farrel” is the character name for the hacker in “Live Free or Die Hard” Someone’s a fan…
Team Inj3ct0r
r0073r – r0073r is the founder of inj3ct0r and I believe is Russian. The site r0073r.com owned by Mr. Czeslaw Borski according to whois. However, a whois of inj3ctor.com comes up with a Anatoly Burdenko of 43 Moskow Moskovskaya Oblast RU. Email: e-c-h-0@mail.ru
- The domain r0073r.com owned by a Mr. Czeslaw Borski out of Gdansk Poland (another red herring name) domain hosted in Germany with a .ru name server
- The domain inj3ct0r.com created in 2008 belongs to Anatoly Burdenko and has been suspended
- The domain inject0r.com was hosted in China 61.191.0.0 – 61.191.255.255 on China net
- Another site confirms that r0073r is the founder of team inj3ct0r aka l33tday
- Another alias seems to be the screen name str0ke
- Also owned www.0xr00t.com
http://www.inj3ct0r.com domain details:
Registrant:
Inj3ct0r LTD
r0073r (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
Creation Date: 13-Dec-2008
Expiration Date: 13-Dec-2013
Domain servers in listed order:
ns1.suspended-domain.com
ns2.suspended-domain.com
Administrative Contact:
Inj3ct0r LTD
r0073r (e-c-h-0@mail.ru)
Burdenko, 43
Moskow
Moskovskaya oblast,119501
RU
Tel. +7.4959494151
indoushka
KnocKout
- knockout@e-mail.com.tr
- knockoutr@msn.com
- Alleged to be Turkish and located in Istanbul
- Member of the Turkish cyber warrior site cyber-warrior.org last access July 4rth 2011
ZoRLu
anT!-Tr0J4n
eXeSoul
KedAns-Dz
^Xecuti0n3r
Kalashinkov3
- Claims to be from Algeria
- kalashinkov3[at]Hotmail[dot]Fr
- http://internetblog.pl/tag/kalashinkov3/
- He’s a member of GazaHackers
DIS9.com:
DIS9.com is a hacker group that is linked to and shares two members with Team Inj3ct0r (Kalashinkov3 and KnocKout) Both sites are very similar in design and content. DIS9.com resolves to an address in China and is registered to a YeAilin ostensibly out of Hunan Province in China. The owner/registrar of the site has a familiar email address of yeailin225@126.com also a domain registered and physically in China.
A Maltego of this data presents the following interesting bits: A connection to the site http://www.vi-xi.com a now defunct bbs which lists the yeailin225 account and other data like his QQ account. This site also lists another name attached to him: Daobanan ( 版主 ) vi-xi.com had hacking discussions that involved 0day as well. The domain of vi-xi.com was registered to jiang wen shuai with an email address of jwlslm@126.com and listed it out of Hunan Province.
The connections from DIS9 to other known hackers who are state actors was found within the Maltego maps and analogous Google searches. As yet, I am still collecting the data out there because there is so much of it. I have been inundated with links and user names, so once I have more detailed findings I will post them. Suffice to say though, that there is enough data here to infer that at the very least, hackers who work for the state in China are working with others on these two sites at the very least, sharing 0day and perhaps hacking together as newly branded “hactivists”
DIS9 Team:
Rizky Ariestiyansyah
Blackrootkit –
Kedans-Dz
: Team Exploit :
Nick
Kalashinkov3
KnocKout
K4pt3N
Liquid
Backdoor Draft
h4x0er.org aka DIS9 Team
Another interesting fact is that a link to the site h4x0er.org itself shows that the DIS9 team is the umbrella org for Inj3ct0r and other teams. This is a common practice I have found with the Chinese hacking groups to have interconnected sites and teams working together. This looks to be the case here too, and I say this because of the Chinese connections that keep turning up in the domains, sites, and team members.
Other Teams within the DIS9 umbrella:
In the end, it seems that there is more to the inj3ct0r team than just some random hackers and all of this data bears this out. I guess we will just have to wait and see what else they hit and determine what their agenda is.
More when I have it…
K.
BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda
From GamerCrypt
Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DD0S of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admin’s at Shamikh1 had not fixed the problems.. Not that anyone was goint to tell them that their site was vulnerable.
As time passed and more stories circulated, Evan’s tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the back up site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.
Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. They so far, have not said much on why never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm –rf * ‘d the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.
Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.
So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure its used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…
Say.. You guy’s aren’t MI6 are ya?
HA!
More when I have it.
K.
Shamikh1.info: The New Den of Scum and Villainy
Well, that didn’t take long did it. At least Evan got one thing right, they’d be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it because they had a direct link back to the sql instance. The site is not fully operational yet, but they are setting it up rapidly as I surmised they would on the domain of shamikh1.info which was registered in May as the backup domain.
I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing so nothing much may happen…
But..
You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.
Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out as Evan suggests (without any proof as yet mind you) or, it may in fact be because the site was blocked at the domain level as I pointed out in my last post on this matter. Godaddy had suspended the domain and I am not sure if the mirrors on piradius were working before the alleged attack happened or not. At this point, it is anyone’s guess as to the attacks perpatraitors, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.
Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.
“Bollocks” As they say in England.
DATA:
Domain ID:D38010794-LRMS Domain Name:SHAMIKH1.INFO Created On:14-May-2011 00:22:30 UTC Last Updated On:27-Jun-2011 07:43:57 UTC Expiration Date:14-May-2012 00:22:30 UTC Sponsoring Registrar:eNom, Inc. (R126-LRMS) Status:CLIENT TRANSFER PROHIBITED Status:TRANSFER PROHIBITED Registrant ID:fce7ae13f22aa29d Registrant Name:WhoisGuard Protected Registrant Organization:WhoisGuard Registrant Street1:11400 W. Olympic Blvd. Suite 200 Registrant Street2: Registrant Street3: Registrant City:Los Angeles Registrant State/Province:CA Registrant Postal Code:90064 Registrant Country:US Registrant Phone:+1.6613102107 Registrant Phone Ext.: Registrant FAX: Registrant FAX Ext.: Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com Admin ID:fce7ae13f22aa29d Admin Name:WhoisGuard Protected Admin Organization:WhoisGuard Admin Street1:11400 W. Olympic Blvd. Suite 200
Core Server:
Ip address: 180.235.150.135
Location: Indonesia
Persons Attached: Daru Kuncoro & Yogie Nareswara
Names of Admins: Yogie Nareswara & Daru Kuncoro
Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com
Nmap Scan Report:
Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT Initiating Ping Scan at 07:39 Scanning 180.235.150.135 [2 ports] Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 07:39 Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed Initiating Connect Scan at 07:39 Scanning 180.235.150.135 [1000 ports] Discovered open port 80/tcp on 180.235.150.135 Discovered open port 110/tcp on 180.235.150.135 Discovered open port 993/tcp on 180.235.150.135 Discovered open port 143/tcp on 180.235.150.135 Discovered open port 21/tcp on 180.235.150.135 Discovered open port 443/tcp on 180.235.150.135 Discovered open port 3306/tcp on 180.235.150.135 Discovered open port 995/tcp on 180.235.150.135 Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports) Nmap scan report for 180.235.150.135 Host is up (0.30s latency). Not shown: 958 filtered ports, 34 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 993/tcp open imaps 995/tcp open pop3s 3306/tcp open mysql
Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi ?
Meh.
Site Contact Data:
Daru Kuncoro:
Yogie Nareswara:
Current State:
Guess they are still working on the server connections… I am sure as well, that soon they will have more stealth servers out there in Malaysia as well. So the mirroring will begin for the sql instance to do the push from. Lets see how long it is before this one is taken down shall we? Oh, and next time an attack happens, lets all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.
More later.
K.
The Eternal Game of Whack-A-Mole Goes On: Was Al-Shamukh Hacked?
The Eternal Game of Whack-A-Mole Goes On:
Al-Shamikh1, the Shamukh Al-Islam AQ site is down, and has been allegedly under attack since this weekend. It’s mirrors are down as well and according to the news media Here and Here citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is either that Evan is not painting the full picture or the media, as usually, is not understanding what he is saying. As for my take on it, it’s a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.
Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. as I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like;
British Hackers Take Down Al-Qaeda Websites
and
NBC News: Hacker attack cripples al-Qaida Web communications
*Facepalm*
None of the articles cites any clear evidence of who did what never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:
From: robtex.com The domain and NS pointers have been suspended by GoDaddy
The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DD0S’d for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on the Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that’s a bit too subtle for the media.
Whois data for shamikh1.net
Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on non domain named boxes are down and the core server may have been compromised. It’s all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the server was core was pulled by the jihadi’s themselves because they have been real twitchy since the 2010 roll up of al-faloja.
In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpbb was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admin’s and the jihadi’s on edge. This is why today you see so many more discussion groups on computer security, but more so how to configure and secure phpbb today on sites like As-Ansar.
Distributed Sites:
“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.
This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content and even though the core is down, the content lives on in other sites. The Jihadi’s have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is an group performing insurgency who know the power of cells and this is no different online. An example of this is the site in question of Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see paradius net)
In the case of Shamikh1 the following sites are known to have hosted or, as in the case of shamikh1.info, was scheduled to be soon.
http://202.149.72.130/~shamikh/vb/
http://202.149.72.131/~shamikh/vb/
http://202.75.56.237/~shamikh/vb/
All of these systems are down at least content wise for Shamikh, the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.
shamikh1.info whois data
This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content online. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, lately the e-jihadi’s have been twitchy about security for a while now because they have been compromised in the past.
So, all of this reporting that it was a huge state run hack and was massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann. Who’s privately run consultancy is getting quite a bit of attention now.. Isn’t it?
Cupcake Recipies Instead of IED’s Do Not A Hack Make:
Another thing that is sticking in my craw is this whole linking this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited or even hinted at in the real world that MI6 or Five for that matter had anything to do with this. For all they know, it could have been Jester or someone with like technology that dos’d them and got them yanked offline by their host.
Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?
No one has said.
This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it make AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.
They are worried.
Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.
Whodunnit:
This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere makes me question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods would it not? This was my primary issue with the Jester’s campaign, it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?
All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..
But, they will be back again… Let the great game of whack a mole begin!
K.
Krypt3ia 