Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘GWOT’ Category

Inspire 6: Operational Methods Changes

with 2 comments

Inspire vol 6 came out yesterday and for the most part, it was more of the same ol' same ol'. Long diatribes on AQ doctrine, the usual shahidi laments and exhortations, a bomb-making cookbook recipe for acetone peroxide (I can see more than a few jihobbyist fingers getting taken off accidentally) and then the little section screen-captured below, titled “Jihadi Experiences”.

Jihadi Experiences:

After OBL was sent to his pineapple under the sea, I had written a post titled “Al Qaeda: The Case of A More Diffuse and Autonomous Organisation” in which I made the observation that AQ might be re-thinking its C&C structure as well as its organizational groups. This part of the Inspire magazine is saying that very thing.

  • Point one on the list is the fact that they need to re-tool their operations to have more diffused and compartmented cells. They want to have cells that operate in a way that if one of their members gets caught, they will not know the whole picture and be able to give away the rest of the team.
  • Point two notes that they need younger recruits but those recruits seem to not want to commit themselves fully to the cause. They are observing that perhaps they could get the youth involved by contributions but not having them commit fully. This seems to be the essence of the jihobbyist to me. Looks like they want to use this.
  • Point three re-iterates the need for more diffused, mobile, and agile units because the battle space is no longer driven by discrete front lines.
  • Point four makes a key statement that the drone strikes are causing problems for them and backs up point three in that wherever they are meeting or hiding, even underground, we are using technology to find them and strike them.
The summary drawn from these points, though, is rather telling:
  • Firstly, they have renamed jihad to “resistance”; it's a more Western-friendly term for those jihobbyists who do not speak Arabic well, and it is a paradigm change. You are fighting a battle of resistance against the oppressor instead of being mandated by Allah and the Koran to do so. It goes to the whole idea of using the youth as a movement without the absolute commitment to Jihad.
  • The second statement re-iterates the need for a new youth movement that will ease them all into the ideology of jihad. Once again, the key word is “resistance”.
  • The third and fourth statements have key changes, but ones that have been building. They are aiming for more lone wolf jihadi acts. They say this, though, with the intent of directing those lone wolves to key targets. I believe that they want to exercise command and control through the propaganda wing's postings online. This would make sense: just dangle targets out there and exhort the ‘youth ummah’ to go forth and commit jihad.
  • The fifth statement concerns their ongoing efforts online to spread jihadi ‘sciences’ as well as political doctrine. Of late, the forums have been under attack by differing factions. Mostly though, the actors taking down the sites seem to be non-state actors (patriot hackers) egged on by the recent spate of Anonymous hacks and attacks. However, there have been other issues the jihobbyists have been facing. Their Facebook jihad has been failing because Facebook keeps taking their pages down. It has been suggested that they create front pages with links to harder content that is hidden to prevent this. All of this though is tempered with the fact that they do not want to be caught, like the Anonymous actors who have lately been scooped up by the authorities.
  • Statements six and seven are interesting. They speak of creating cells of resistance and re-naming them systems of action, “Nizam Al-Amal”, and not secret organizations for action, “Tandim Lil-Amal”. Once again, the movement is looking to have secure cells that have a C&C, but not so much that if any of their members are caught the whole cell is taken down or the upper echelons' security is affected.
This section of the magazine is the most interesting to me. It shows just how much harder it has become for the jihad to function with our intelligence apparatus and drone strikes going on. Obviously AQAP has been feeling the bite of counterintelligence operations as well as counter-insurgency efforts. The problems they face though are pretty tough. Just how do you go on to inspire the ummah with no way to really have a command and control apparatus to guide them?
Even with all the subtle changes to language here (neuro-linguistic programming) I don't see that any organization like theirs can have what they seek. After all, consider the basic premise that AQ and other radical orgs have used to indoctrinate the youth in places like the madrassas of Afghanistan: they only teach them the Koran and they only teach them barely what they need to function, all the while controlling very carefully the youth's doctrinal belief. Without this, and seeking a Western cadre of jihadi troops to fill their ranks, they are seeking a new way not only to bring them to the ‘resistance’ but also to control them.
Guess what AQ, it will fail. No matter what method you finally try to use.
Look at this from the Anonymous perspective of command and control. They claim to be headless but in fact they have always had an underlying structure. There will always be need for command and control over any operational force that goes into battle.
And with that C&C structure, there will always be a method to get inside it and tear it apart…  As the Anonykids are discovering now (see yesterday’s arrests of 14 more anons)
So, we can see that AQAP is grappling with the issue and perhaps their base is eroding even further. I am glad to see that they are having problems and trying to work them out in a public forum for me to watch. I am sure others in the community are as well…
Keep giving us all your ideas AQAP. The more you give, the sooner we will have you all wrapped up.
K.

Written by Krypt3ia

2011/07/20 at 10:36

Internet Jihad vs. Internet Propaganda Jihad: When The Media Gives Me Tourette's

with 2 comments

From dnaindia.com

I followed a link today off of esecurityintelligence.net and after reading the first graph of the piece I pretty much had a bad case of Tourette's syndrome. This is some of the WORST reporting I have seen where it concerns the state of internet jihad. Now, I know why these places all do this, they just want a lead story and headline that will draw people in and make them click into the site. I get it… But.. It's just wrong. The internet jihad is more a propaganda campaign than anything else and as you can see from the piece below, “The Sun”, of all places, did a bit of a better job on the facts than dnaindia did!

Now that is surprising.

From thesun.co.uk

So, as I was saying, a ‘bit’ of a better job.. Then they too go off the rails. Look, the cyber jihad or Internet jihad is comprised mostly of jihobbyists, guys who want to get in on the action but are too clueless to actually go to the battlefield in some cases. In others, they are deluded individuals with mental health issues that need to be medicated and taken care of. In either case, the skills needed to really cause greater issues, other than setting up PHP bulletin boards to throw propaganda on, are lacking on the part of the general jihobbyist populace. Just how many of the attacks by LulzSec were attributed to the likes of Al Qaeda?

hint: NONE

Yet the media persists in perpetuating this idea that there are some 31337 jihadis out there who are going to pwn the grid. Really guys, get your shit straight when reporting on things ok? I have seen some strides in the Jihadi hacking scene these last few years, but NOTHING like what you are talking about. Hell, their real hacker went to jail years ago (Irhabi007). What is worse, it seems, is that the likes of Home Secretary May may in fact be spinning half truths about Internet jihad for whatever political expediency she needs. I have reported in the past about the Facebook Jihad (notice 2010) and pretty much sum it up as propaganda and that's it. Sure, there may be some illicit comms channels here, but, it's Facebook for God's sake! They are on top of this shit, TRUST ME! The jihadis have been complaining that as soon as they set up a Facebook page it gets taken down by Zucky and company! So really, there is no threat there.

So, let's take another look at it from the post-LulzSec perspective.

Lulz have been wreaking digital havoc with some pretty low level hacks. They carried out DDoS, they hacked low hanging fruit and stole data which they then published. LULZ did it, NOT Al Qaeda. Now, don't you think that if AQ was adroit at hacking and wanted to cause pandemonium they would have beaten LulzSec to it all? Don't you further think that perhaps when and if they hacked the servers with the low hanging fruit hacks (SQLi) that instead of just publishing the data, they would have, say, rm'd the whole databases?

Think about it:

  • Economic targets like the stock market
  • Military targets like the recent Anon attacks on Booz Allen
  • Attacks on grid and other key infrastructure targets

ALL of these things likely already harbor vulnerabilities that the likes of Anonymous could already have access to! The difference? The LULZ don’t want to be thrown in a hole forever and know their limits I suspect. Now, if you were AQ though, what’s to lose?

NADA

AQ, if they had the capabilities, would already have used them! They haven't, which means to me they lack the critical skills in their jihobbyist base to be a threat in this arena. It is as simple as that. So please Media, fucking buy a clue and stop just trying to use the “If it bleeds it leads” mentality to get clicks. Do your jobs and get subject matter experts with credentials to talk about this stuff instead of just trying to scare the straights with false reports.

I have often written on this topic in the past and from what I have seen here is the overall picture of the state of Jihadi hacking tech.

  • They are using OLD malware packages to infect machines to steal data/money (mostly money)
  • They are using OLD hacking exploits for the most part just as they are with the malware packages
  • SOME jihadi hackers (TNT_ON) are clued in and know what they are doing technically, yet are inept enough to leave their real IP addresses in their tutorial videos (I see you!)
  • They are learning.. Slowly.. but their sites still keep getting popped and their super sekret rooms online have been penetrated
  • Their crypto program (Mujahid Secrets) has been cracked/Reverse Engineered

Finally, let me leave you with this little bit of wisdom post the demise of OBL:

  • They got him because his lackeys were tracked by their electronic comms
  • Even though they were using sneakernet and email dead drops we managed to catch on (these techniques are not hacking)

Were OBL and his crew using high tech hacking techniques or crypto (aka steg) as their main means of communications, judiciously, it would have been even harder to get a line on what they were up to, where they were, and moving forward, determine future plans from OBL’s hard drives etc. Instead, they were using old spy tactics with minor digital twists to evade the US and other countries. This says a lot about their abilities and ours to detect them. They decided it was better to go old school because we cornered the digital market.

This carries through to today's hacking scene, where we have some Muslim hacker groups out there defacing pages, but not doing much else in the way of Islamic Electronic Jihad. So, media, let me put it plainly again:

They don’t have the skills to be super scary like you want them to be in your exaggerated reports!

CUT IT OUT!

I will let you know when they have their shit together.. Trust me.

K.

Past posts on this subject:

Cyber Jihad: Malaysia

Great Likelihood of Cyber Attacks By Terrorists: You Don’t Say!

Inspire Magazine Analysis: Going Green for College Age Recruits

Abo Yahya and Metadata Cleaning

TNT_ON@hotmail.com —> zmm@hotmail.com = Sword Azzam?

Inspire vol II: Rationalization, Operational Directions, Open-Source Jihad, and Pivoting the Battle-Space

Jihadi Malware 2010, Al Mojahden’s User Acct Boo Boo, & The Jihadi Technical Forums

Jihadi Hacking Tutorials: Irhabi 007′s Text and More

Jihadi Penetration Tutorials: Metoovet

The Jihadist Repertoire Expands

MJAHDEN: Jihadi Crypto Program

Al-Qaida Goes “Old School” With Tradecraft and Steganography


AQ’s New Digital Shingle: Al-Fidaa

leave a comment »

AQ’s New Propaganda Board:

Al-Fidaa, the newest site in the Al Qaeda webring to spread the usual propaganda. This site popped up last week and I am just getting round to checking it out fully. The site is undoubtedly a response to the takedown of Al-Shamukh a couple weeks back and this is their answer, to make even more redundant sites to pump out their agenda.

The difference so far with this site is that security-wise (at first sniff) it has been upgraded. Google has been spidering the site, but even when you attempt to look at the content in the cache, you get nothing but the login page. This is a decidedly large change from their past sites that leaked data. A further examination of the site structure and back end servers will tell if there is more to work with on fidaa.

Domain Data:

Another major change is that these site domains have been set up as privacy protected. This is a newer thing for most of these sites, and the domains were set up in May of this year, probably in case they needed them, like the Al-Shamikh1 site that popped up so quickly after the original domain was capped by Godaddy and allegedly by “BlackKatSec”.

I would love to see the government go to these domain registries and locate how, who, and where the funds were transferred to create these sites. I am willing to bet that they were set up using cutout companies or individuals, but, maybe they will get lucky and get a line on a real person or two to ask some questions concerning ownership and connection to AQ.

Server Locations:

While the site is registered in the US, the actual servers are all located in Malaysia. So, once again we see that Malaysia seems to be a hub where the Internet Jihad is concerned. I have to wonder just how well our government gets along with the Malay government. Could we in fact get some digital forensics love on those boxes out there? One also wonders just how many Malay jihadis there are out there and how many of them may in fact work for networks like Piradius. I ask this because many a server has been stealthed onto boxes run in those networks and I think from the looks of them, that they are being managed locally, not just hacked.

The Nature of AQ Sites:

Overall, it seems that this site is just another mirror like all the rest out there. They will have secret little rooms to chat amongst themselves, but the real Jihad goes on elsewhere. Primarily these sites are for the distribution of propaganda and to recruit the lone wolves in the West. I expect that it will just be the same thing with a different color scheme really… But, it will be something to watch.

If I find something tasty I’ll let you know.

K.

Written by Krypt3ia

2011/07/13 at 20:23

BlackkatSec: The New Kids on the Block Who Allege They Took Down Al-Qaeda

leave a comment »

From GamerCrypt

Last week, the AQ site shamikh1.net was taken down by unknown persons and their domain suspended by Godaddy for abuse. Evan Kohlmann of Flashpoint Global was making the rounds on the media circuit pimping that it was in fact MI6 or the like that took the site down. However, Evan had little to no evidence to back this claim, and frankly, the media just ate it up, evidence be damned. I came to the party after hearing online the previous weekend that the site was under attack and going down from an unknown type of attack. However, I knew from past experience that the site was likely being attacked through some SQLi or a DDoS of some kind. The reasoning I have had is that the site was vulnerable to attack in the past and as far as I knew, the admins at Shamikh1 had not fixed the problems.. Not that anyone was going to tell them that their site was vulnerable.

As time passed and more stories circulated, Evan's tale changed slightly to include the fact that he thought there was a domain hijack that had happened. There is once again no evidence of a domain hijack at all, but, there still lingers the idea that the site was taken down by someone other than skiddies out for a good time. Once again, there was no evidence to back up any claims, but the media is.. well the media.. They will buy anything if it gets them attention. So on it went, and on Saturday the backup site that AQ had registered in May (as I surmised that it was the backup in my earlier post) was back up serving the main page. To date the page is not fully functional and once again Evan has made a claim on the news that they are back up for registration, another false claim as they are not taking submissions.

Either way, the site is online (mostly) and seems to be getting back into the swing while a new dark horse has entered the race as to who did it and perhaps why. @blackkatsec or BlackKatSec, is a new splinter group of LulzSec/AntiSec/Anonymous that has turned up quietly making claim to the hack on shamikh1. So far they have not said much on why, never mind how, but, it would be interesting to hear from them on the pastebin site as to what data they may want to release on their hack. If indeed they used SQLi attacks and in the end rm -rf * 'd the site, then I would LOVE to see what they got out of it before they did so. If on the other hand, they just attacked the site and the admins as well as Godaddy took it down, then I would like to know.

Speculation is.. Well it’s mental masturbation really. Good for the media, bad for those who really want to know something.

So, dear BlackKatSec, if you feel so moved, please do drop me some data.. I will make sure it's used to cause the boys from Shamikh1 more heartburn. Otherwise, please do keep us up on your attacks as I do not look forward to hearing all the damned speculation that comes out of the spinning media heads like a certain someone who I mentioned above. Of course you could just be trying to claim the hack for whatever reasons and not done it… But, the lack of trumpeting it to the world says to me that maybe you were involved…

Say.. You guys aren't MI6 are ya?

HA!

More when I have it.

K.

Shamikh1.info: The New Den of Scum and Villainy

leave a comment »

Well, that didn't take long, did it? At least Evan got one thing right, they'd be back up soon. So, here is the skinny on the new site and the core server that they have stood up. The site is still not fully back online, but this stage of things allows one to get a lot of intel on the server makeup and who is operating/hosting it because they had a direct link back to the SQL instance. The site is not fully operational yet, but they are setting it up rapidly as I surmised they would on the domain of shamikh1.info, which was registered in May as the backup domain.

I have begun the work of getting all of the pertinent details on the address owners/ops in Indonesia so soon all of their details will be available to those who want them. However, just with the short bit of work I have done here, I pretty much think you can all get a grasp of who’s where and what’s up huh? Sure, the server is in Indonesia, and, well, they are rather tepid on the whole GWOT thing so nothing much may happen…

But..

You intelligence agencies out there looking for a leg up.. Well here it is… Enjoy.

Now, back to the events that brought us to today. The take down of the original site may have been only because someone got into the server and wiped it out as Evan suggests (without any proof as yet, mind you) or, it may in fact be because the site was blocked at the domain level as I pointed out in my last post on this matter. Godaddy had suspended the domain and I am not sure if the mirrors on Piradius were working before the alleged attack happened or not. At this point, it is anyone's guess as to the attack's perpetrators, methods, and final outcome until someone from the AQ camp speaks up on exactly what happened.

Meanwhile, the media will continue to spin on about MI6 hacking them or perhaps it was those mysterious “Brit” hackers that so many articles mentioned.

“Bollocks”, as they say in England.

DATA:

Domain ID:D38010794-LRMS
Domain Name:SHAMIKH1.INFO
Created On:14-May-2011 00:22:30 UTC
Last Updated On:27-Jun-2011 07:43:57 UTC
Expiration Date:14-May-2012 00:22:30 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:fce7ae13f22aa29d
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:11400 W. Olympic Blvd. Suite 200
Registrant Street2:
Registrant Street3:
Registrant City:Los Angeles
Registrant State/Province:CA
Registrant Postal Code:90064
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:06b6ac7646b147ccb6aed6d1f0248d70.protect@whoisguard.com
Admin ID:fce7ae13f22aa29d
Admin Name:WhoisGuard  Protected
Admin Organization:WhoisGuard
Admin Street1:11400 W. Olympic Blvd. Suite 200

Core Server:

Ip address: 180.235.150.135

Location: Indonesia


Persons Attached: Daru Kuncoro & Yogie Nareswara

Names of Admins: Yogie Nareswara & Daru Kuncoro

Email Contacts: ahmad@koneksikita.com yogie@arhdglobal.com

Nmap Scan Report:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-02 07:39 EDT
Initiating Ping Scan at 07:39
Scanning 180.235.150.135 [2 ports]
Completed Ping Scan at 07:39, 0.32s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:39
Completed Parallel DNS resolution of 1 host. at 07:39, 0.53s elapsed
Initiating Connect Scan at 07:39
Scanning 180.235.150.135 [1000 ports]
Discovered open port 80/tcp on 180.235.150.135
Discovered open port 110/tcp on 180.235.150.135
Discovered open port 993/tcp on 180.235.150.135
Discovered open port 143/tcp on 180.235.150.135
Discovered open port 21/tcp on 180.235.150.135
Discovered open port 443/tcp on 180.235.150.135
Discovered open port 3306/tcp on 180.235.150.135
Discovered open port 995/tcp on 180.235.150.135
Completed Connect Scan at 07:39, 11.74s elapsed (1000 total ports)
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql

Tasty, they have a few ports open. Hey antisec skiddies, wanna play with some SQLi ?

Meh.
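What the scan above actually tells a defender is an exposure inventory: which of the open ports carry credentials in the clear and which are back-end services that should never face the Internet. The following script is an added example, not code from the original post; it parses Nmap's normal-output port table (the report shown above is embedded as the sample input) and groups the open ports into triage classes. The class membership is my own assumption for triage purposes, not anything Nmap reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the port table copied from the Nmap 5.21 report on this page.
SCAN_REPORT = """\
Nmap scan report for 180.235.150.135
Host is up (0.30s latency).
Not shown: 958 filtered ports, 34 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
"""

# One Nmap port-table line: "<port>/<proto>  <state>  <service>".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Triage classes (my assumption, not an Nmap classification):
# services whose logins travel in cleartext, and services that belong
# behind a firewall rather than on a public interface.
CLEARTEXT = {"ftp", "pop3", "imap", "http", "telnet"}
INTERNAL_ONLY = {"mysql", "ms-sql-s", "postgresql", "redis", "mongodb"}


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str


def host_of(report: str) -> Optional[str]:
    """Return the scanned host named in the 'Nmap scan report for' line."""
    m = re.search(r"Nmap scan report for (\S+)", report)
    return m.group(1) if m else None


def parse_open_ports(report: str) -> list[OpenPort]:
    """Return the open ports from an Nmap normal-output report.

    Only lines after the PORT/STATE/SERVICE header are read, so the
    'Discovered open port ...' progress lines of a full report are not
    counted twice.
    """
    ports: list[OpenPort] = []
    in_table = False
    for line in report.splitlines():
        if line.startswith("PORT"):
            in_table = True
            continue
        if not in_table:
            continue
        m = PORT_LINE.match(line)
        if not m:
            continue  # blank line or trailing text after the table
        port, proto, state, service = m.groups()
        if state == "open":
            ports.append(OpenPort(int(port), proto, service))
    return ports


def triage(ports: list[OpenPort]) -> dict[str, list[int]]:
    """Group open ports into the classes a defender would act on first."""
    findings: dict[str, list[int]] = {
        "internal_service_exposed": [],
        "cleartext_credentials": [],
        "other": [],
    }
    for p in ports:
        if p.service in INTERNAL_ONLY:
            findings["internal_service_exposed"].append(p.port)
        elif p.service in CLEARTEXT:
            findings["cleartext_credentials"].append(p.port)
        else:
            findings["other"].append(p.port)
    return findings


if __name__ == "__main__":
    open_ports = parse_open_ports(SCAN_REPORT)
    print(f"{host_of(SCAN_REPORT)}: {len(open_ports)} open ports")
    for category, plist in triage(open_ports).items():
        print(f"  {category}: {plist}")
```

On this report the database port lands in the first class and the FTP/POP3/IMAP/HTTP logins in the second, which is the order an administrator of such a host would close or wrap them in TLS.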

Site Contact Data:

Daru Kuncoro:

Yogie Nareswara:

Current State:

Guess they are still working on the server connections… I am sure as well, that soon they will have more stealth servers out there in Malaysia as well. So the mirroring will begin for the SQL instance to do the push from. Let's see how long it is before this one is taken down, shall we? Oh, and next time an attack happens, let's all get a lock on how it is happening as well as exactly what it is. I have had enough of the media hype with talking heads who have no idea what they are talking about when it comes to information warfare or network security.

More later.

K.

The Eternal Game of Whack-A-Mole Goes On: Was Al-Shamukh Hacked?

with 2 comments

The Eternal Game of Whack-A-Mole Goes On:

Al-Shamikh1, the Shamukh Al-Islam AQ site, is down, and has been allegedly under attack since this weekend. Its mirrors are down as well, according to the news media (here and here) citing Evan Kohlmann of Flashpoint Global. The problem I have with the stories that the media is ravening over now is that either Evan is not painting the full picture or the media, as usual, is not understanding what he is saying. As for my take on it, it's a little of both really. Evan has been around for a long time working as a consultant on terrorism, but as far as I know, he is not a network security specialist.

Over the weekend I had heard and re-tweeted reports that Shamikh was under an attack of some kind and the site was intermittently unavailable. As I had a whiskey in hand and no motivation, I let it be and figured it was maybe Jester doing his usual thing. Then today I see the barrage of bad media accounts with headlines like:

British Hackers Take Down Al-Qaeda Websites

and

NBC News: Hacker attack cripples al-Qaida Web communications

*Facepalm*

None of the articles cites any clear evidence of who did what never mind what actually happened to the site! Upon investigation this morning after being contacted by someone in the UK press, I found the following salient point:

From robtex.com: The domain and NS pointers have been suspended by GoDaddy

The domain and the name servers have been suspended by Godaddy. This is why it is offline now. Perhaps it was DDoS'd for a while and the traffic was the final straw for Godaddy on this site. You see, this site has been on Godaddy for some time and many have pointed this fact out before, to no avail.. Well, actually one might assume that the feds just wanted to know where it was and leave it be to monitor.. But, that's a bit too subtle for the media.

Whois data for shamikh1.net

Either way, the site is down now because they cannot route to it via the domain. Backups of the site hosted on boxes without domain names are down and the core server may have been compromised. It's all up in the air at the moment but the media is just trucking along with the story. It may in fact be that the core server was pulled by the jihadis themselves because they have been real twitchy since the 2010 roll up of al-faloja.

In the case of Shamikh, I had seen in the past that this site had some security issues to begin with. The implementation of the phpBB was weak and there were ways to get into the board and collect data. In one case, they had even re-set passwords and one could get them from the site itself for those users, as they had passed them in the clear in what they thought was a secure space. Others have been using these vulns for some time to audit what is going on in the boards and have in the past run operations that have kept the admins and the jihadis on edge. This is why today you see so many more discussion groups on computer security, but more so on how to configure and secure phpBB, on sites like As-Ansar.

Distributed Sites:

“Al-Qaida’s online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet,” said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group’s communications.

This one line really just grinds my gears here. I am sorry Evan, but this site is not the only one out there that has this type of content and even though the core is down, the content lives on in other sites. The Jihadis have created redundancy in the number of sites, not just put all their terrorist eggs in one digital basket. All of the sites link to one another as fraternal organisations do (i.e. As-Ansar has much the same content as Shamikh1). Remember, this is a group performing insurgency who know the power of cells and this is no different online. An example of this is the site in question, Shamikh, which has had many sites online at different times. Some get pulled down as they have issues with the hosts removing them. Others still have stealth sites on compromised systems, or in cases like the boxes in Malaysia, hosted secretly with complicity on the part of someone in the network (see Piradius).

In the case of Shamikh1 the following hosts are known to have hosted it or, as in the case of shamikh1.info, were scheduled to soon.

http://shamikh1.net

http://shamikh1.info

http://202.149.72.130/~shamikh/vb/

http://202.149.72.131/~shamikh/vb/

http://202.75.56.237/~shamikh/vb/

All of these systems are down, at least content-wise, for Shamikh; the .info though is online and untouched but hosts no content as yet. It seems to me that it was still being staged to host the content or maybe was set to be a backup.

shamikh1.info whois data

This has been the SOP for the jihadi sites for some time. In case one site is hit, the rest are online to keep the content available. In this case though, it seems that the “sophisticated and coordinated attack” really just means that they hit the core server for Shamikh so the content is not getting to the satellite sites. Of course once again, there is no data to say how this attack was carried out and how massive it may have been. Like I said, lately the e-jihadis have been twitchy about security for a while now because they have been compromised in the past.

So, all of this reporting that it was a huge state-run hack and a massive takedown is mostly media hype and, I am afraid, as you can see from the reporting, it all seems to be coming from Mr. Kohlmann, whose privately run consultancy is getting quite a bit of attention now.. Isn't it?

Cupcake Recipes Instead of IEDs Do Not A Hack Make:

Another thing that is sticking in my craw is this whole linking of this outage/hack to the “cupcake” incident with Inspire Magazine. These two things are NOT alike and the media needs to pay attention to the facts. Nor is there any evidence cited, or even hinted at in the real world, that MI6 or Five for that matter had anything to do with this. For all they know, it could have been Jester or someone with like technology that DoS'd them and got them yanked offline by their host.

Let me set the record straight here. The MI6 operation on Inspire was a PSYOP. They poisoned the well (i.e. Al-Malahem’s media apparatus) by intercepting the AQ file and replacing it with their own. Just where this happened no one is sure. Was it on some desktop somewhere before being put out? Or, was it replaced with the edited file on the megashare?

No one has said.

This operation though served two purposes. First off, it managed to stop AQ from getting the IED manual out to everyone, but secondly, and more importantly, it made AQ question its communications security. This was even more important and we can see the effects of that today in posts on the boards about security.

They are worried.

Oh dear media, pay attention and get the story straight. While the Cupcake operation had style and was claimed by MI6, this current claimed attack on Shamikh has no attribution by anyone and there is no proof that I have seen to say that anyone did anything… Save that their site is down.

Whodunnit:

This all leaves me wondering just who may have attacked Shamikh and why. Given that the sites are often taken down only to show up elsewhere makes me question why it was done at all. It would be simpler to monitor the site and capture data than to send them all scurrying into the woods would it not? This was my primary issue with the Jester’s campaign, it did no good. Even if you are driving them off the sites, they will only move toward less visible ones and use more covert means of communication. Why not let them feel fat, dumb, and happy while we watch their every move?

All I can think of, if this was state sanctioned, was that the Shamikh site was about to drop some content that someone did not want out there so they took the network down. If it wasn’t state sanctioned and some hacker or hackers decided to mess with them they did it for their own reasons. Either way, the sites got taken down..

But, they will be back again… Let the great game of whack a mole begin!

K.

IMPORTANT SECURITY TIPS: Security Tips for Jihobbyists At Majahden

with 5 comments

Security Tips for Majahden2 Users and Jihobbyists

Important Security Tips from Majahden:

The boys at Majahden have been learning lately about how psyops, hacking, disinformation, and being pwn3d works. I suppose since Osama went to live in a pineapple under the sea, they have been taking stock of just how much information they are leaking on the boards out there on the internets. There have been a spate of timely deaths in the AQ camp of late as well as a few arrests, but really, the intelligence coup of finding OBL and whacking him has all the jihobbyists worried that they will be next.

Of course they should be worried, but not only because OBL was popped. You see, we have been inside their shit for some time now and they just did not know it I guess. I have written in the past about sites that I have been poking at and digging through and I know in the case of Al-Faloja (may it rest un-peacefully) I was able to get quite a bit of data from them. Since Al-Faloja fell down and went boom, there have been many site re-vamps by many a phpBB admin, but they still seem, on the whole, to be lacking the skills to really secure their shit.

Oopsies!

So, from their sooper sekret squirrel lair we have the following text from the above screen shot on Majahden entitled “Important Security Tips”. From this post I can say that they have been learning, though. The tips are good and if followed will make it just a teensy bit harder to track them and eventually have them picked up. Here are some good ones:

  • Trust no one: See a new member asking all kinds of questions about going to jihad? Be wary of them; they may be spies
  • Use internet cafes to log in and post to the boards because they can track your IP address
  • DO NOT use just one internet cafe! Move around and make sure that you go outside your usual area (where you live)
  • Use a PROXY at the cafe!
  • Be careful though at the cafe because they are on the lookout for swarthy types like us!
  • NEVER give out your real information to ANY forum! (i.e. birthday, phone, etc.)
  • Beware of files published to the forums! They could be malware!
  • Beware of popup installs like Java on the boards, they are not proper and likely a means to compromise you!
  • Beware people asking you to email them from the forum (use the message program on the board)
  • DO NOT RE-USE PASSWORDS!
  • Be careful what information (personal) you put on the site
  • Be careful about posting anecdotes about seeing this or that imam speak (places you in a place and a time)

AND Finally, in the FUNNIEST note of the list;

  • This is not a dating site! You want to make friends do that separately from the jihadi forums.

*snort*

In all, these warnings are good solid rules of the road for anyone going anywhere on the internet, never mind on a jihadi board being audited by the likes of moi. Just from a privacy standpoint these types of suggestions are valid as well and should be the standard for anyone not wanting their identity stolen or their stuff hacked easily. This, however, is pretty new to all of these guys and these are the rudiments of SECOPS for them. Up till now they have not been following any of these precepts, and to have to say this is not a dating site? Well, that kinda says it all to me hehe.
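As an added example that is not from the post or from the forum it describes, here is a small static triage script in the spirit of the “beware of files published to the forums” tip: it flags a downloaded PDF for active content (JavaScript, open actions, launch actions, attachments) before anyone opens it, resolving `#xx` name escapes and looking inside FlateDecode streams so the keywords cannot simply be hidden. The sample PDFs are constructed inline for this example.

```python
"""Static triage of a PDF pulled from a file-sharing site, before opening it.

Added example, not code from the original post. Flags PDF features that a
reader acts on automatically (JavaScript, OpenAction, Launch, attachments),
resolves #xx name escapes (/J#61vaScript) and inflates FlateDecode streams
so keywords hidden in compressed objects are seen too. All sample PDFs
below are constructed for this example.
"""
import re
import zlib
from typing import Dict

# PDF name objects whose presence means the reader may run or fetch
# something as soon as the file is opened.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action on open",
    b"/AA": "automatic action",
    b"/Launch": "launch external program",
    b"/EmbeddedFile": "embedded file",
    b"/RichMedia": "rich media (Flash)",
}


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes in names (/J#61vaScript -> /JavaScript), a
    common trick for hiding keywords from naive keyword scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Return the inflated bodies of all FlateDecode streams, joined.
    Streams that are not zlib-compressed are skipped."""
    chunks = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            # decompressobj tolerates the trailing EOL before 'endstream'
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(chunks)


def triage_pdf(data: bytes) -> Dict[str, object]:
    """Count risky names in the visible file and inside inflated streams."""
    result = {"is_pdf": data.startswith(b"%PDF-"), "findings": {},
              "hidden_in_streams": False}
    if not result["is_pdf"]:
        result["verdict"] = "not a PDF"
        return result
    visible = _unescape_names(data)
    inflated = _unescape_names(_inflate_streams(data))
    for name, label in RISKY_NAMES.items():
        # lookahead stops /JS matching a longer name such as /JSON
        pat = re.escape(name) + rb"(?![A-Za-z0-9])"
        n_vis = len(re.findall(pat, visible))
        n_hid = len(re.findall(pat, inflated))
        if n_vis + n_hid:
            result["findings"][label] = n_vis + n_hid
        if n_hid:
            result["hidden_in_streams"] = True
    result["verdict"] = "suspicious" if result["findings"] else "no active content"
    return result


# Constructed samples: a plain catalog, one with an auto-run script, and one
# that hides an escaped /JavaScript name inside a compressed stream.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R "
                  b"/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")


def _with_flate_stream(payload: bytes) -> bytes:
    body = zlib.compress(payload)
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


HIDDEN_PDF = _with_flate_stream(b"<< /S /J#61vaScript /JS (this.exportDataObject()) >>")

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                        ("hidden", HIDDEN_PDF)]:
        print(label, triage_pdf(blob))
```

A hit is a reason to quarantine the file and look closer, not proof of malice; many legitimate PDFs carry form scripts or attachments, but none of them should be opened from a forum download without that look.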

Meanwhile another tasty tidbit came up from the same site and this one is a little more interesting. The above screen cap is for a posting called “Deceptive methods to extract information” and it covers primarily the idea of snitches being placed in cells at camps to elicit information from jihadis. Now, this is nothing new to anyone who has had a diet of movies or TV here in the US, but perhaps it is a new one for these guys. Informants, in the form of turncoat prisoners or actual agents from the likes of the CIA, have been standard practice for getting information without the enemy knowing it.

This post is written by someone though who has had first-hand experience with being detained. They go on to describe very specific scenarios and methods to evade giving up information to the “birds” as they are calling them (I think they mean stool pigeons). The writer gives suggestions on how to detect the turncoats and/or to deal with the interrogators’ methods in trying to cajole information from them. All in all, this is an interesting read that comes across as written by someone who has had direct experience and understands PSYOPS.

The Take Away:

These posts and others within the site have me thinking that they are starting to become a bit more sophisticated in their efforts online. There are numerous tutorials now on chaining Tor and proxying as well as the use of crypto and other security-oriented programs. TNT_ON has been busy posting more tutorials as well as lauding Younis Tsouli (aka irhabi007, now in jail) as the progenitor of the jihadi hacking scene. All I can really say is that it is maturing and we need to step up our efforts with regard to them.

With the new invigoration within the cyber-jihadi community since OBL’s great pineapple adventure, they have taken up the gauntlet not only to hack but to wage a cyber-propaganda campaign like never before. Presently, the jihadis on Majahden and other sites have been spinning up and creating numerous Facebook sites that conform to standards that will fly under the FB radar (FB has been pulling sites down just about as fast as they could put them up). This has become the new “stealth jihad”. They are making the effort now to have innocent front pages that lead to many other more hidden pages containing hardcore jihadi content. This is something that was being espoused last year on the boards and is now coming into acceptance as the main modus operandi. This way they can have their content and not get it 0wned or taken down by the likes of Facebook or Blogspot.

Since the advent of the LulzSec crew, it just seems that we all have been focused elsewhere.. Time to wake up and go back to working these fools. I say it is time to start a program of 0day infected dox that will be downloaded from all those sharing sites that these guys love. Remember the whole cupcake thing with Inspire? I say we do it en masse for as many sites as we can. Added to this, we should also be using many more approaches such as PSYOPS, Disinformation, and all out penetration of their servers… No matter where they sit.

But that’s just me… I also think that perhaps the NSA might have that already covered… One wonders…

At the very least, we should keep an eye on these sites.. If not for the lulz, then for taking them down once and for all.

K.

GCHQ/SIS AQ Media PSY-OP: Messin With Jihobbyists

with one comment

June 2010: AQAP’s Al Malahem Media debut jihadi magazine ‘Inspire’ came out to much ballyhoo on the jihadi boards online. It soon though became a feared file as members who were downloading it were saying that it was corrupted with malware. I personally had gotten a copy of the tinkered-with file as well as the full file after the jihadists had re-uploaded a clean copy. At the time, I figured that some state actor was messing with them and perhaps even had made an abortive effort to trojan the file with some 0day. I imagined that had it been carried off well, there could be an IP address somewhere alerting its owners on just how many compromised systems were reporting back as rooted.

… And I thought “Shit, now that would be great!”

Well, at the least it seems that GCHQ and MI6 may indeed have been the culprit but instead of sending out 0day, they opted for a PSYOP.. Or was it?…

Perhaps it was a little of both. As it happened, shortly before this a major jihadi site was yanked offline. In all, over 100 terrorists were rolled up in Saudi Arabia after the site, which was run by the CIA and others, had decided it was time to collect the jihadis that they had been baiting along. Just goes to show ya, Mr. Shahid wannabe, that you may in fact be canoodling online not with your pal the radical Imam, but instead you’re hanging with a Fed!

DOH!

After the roll-up of that site, another compromise happened to Al-Faloja. They too decided to shut down their site and re-tool after they learned that they had been spied on by certain individuals online. Of course their site was not so secure, as I had pointed out in past posts, and someone finally just popped em. They came back though, as have others like Ansar, with varying degrees of success in securing their sites. They have been, however, pretty cagey about certain things after these attacks.. But… Lately they have gotten lax again.

Ideally, I would like to see not only psyops carried out but also a full exploit series against the jihadis with 0day. Set up a server somewhere and let it receive all the traffic after setting out some nice pdf files for them to all “read”. All you really need is a little time gathering data to get a good idea of who and where they are, then roll em all up.

C’mon guys.. Lets start the 0day lulz.

K.

Al Qaeda: The Case of A More Diffuse and Autonomous Organisation

with one comment

Succession:

Speculation on the successor to OBL has been rife within the news-o-sphere and I too have waded in and made my case for who I think will be next. I have, however, come to some more conclusions since I wrote my post on succession after Osama. My current thinking is still aligned with my post from before, that Al-Awlaki will be the prominent figure in the AQ presence world wide. Where I would like to refine the statement is that I believe while Al-Awlaki will be the public face of AQ/AQAP/Jihad he may not be the operational leader. At least, not as one might think.

I think that AQ (The Base) has become such a disparate organisation that there really are leaders plural with a figurehead (aka OBL before his demise). It seems from the intelligence drips and drabs coming out in the news that OBL was in fact part of the plotting, at least aspirationally, of projects up until he got the face full of lead. This is not to say that any of the plans that he laid out actually made it to operational cells out in the world. Nor had OBL been on the media very much in the last years to give anyone ideas. So, who is coming up with the plans that are being tried out? Who is actuating plots? AQAP is.

The reason that AQAP has been more active is that they are in the country of Yemen where they have a base of support and a fledgling government that poses no real threat. Since AQAP has a bit of a free hand there and a younger crew of jihadis headed by several Americans, they seem to me to be the new jihadi zeitgeist. These are some of the reasons that I feel Al-Awlaki, who is charismatic and liked, would be a more logical choice to be the inspirational head of the global jihad, which happens to be primarily aimed at America. Who better to use as the face of this fight than a former citizen refuting the way of life in America and the West? Who better to reach out to those lone wolves in the states and radicalise them to the point of action?

The problem though in trying to lead AQ now is that the GWOT has indeed made it harder for there to be structured networks. As evidenced by the killing of OBL, the jihadists have learned, and have been learning over the years of strikes, that to have a ‘network’ with clear channels of command and control leads to their being picked off one at a time with Hellfire missiles shot from Reapers. It was the physical act of meeting with, as well as making calls to, OBL by his couriers that led to his demise. It is this fact that I think AQ will take to heart and collectively try to leverage not only the internet even more, but also create a more splintered organisational structure on purpose. The franchise model +1 will be the modus operandi of the day because they now fear to communicate a little bit more since we took out Osama.

It is this franchise idea with small autonomous cells that are to be inspired to action, even to the point of ‘Lone Wolf’ single-cell actors, that will be the new GWOT’s target. Thus, going back to the idea of whoever would ‘lead’ AQ: they would have to be like OBL in the areas of charisma, affability, piety, and leading by example… And that would not be Ayman Zawahiri, nor I think some of the other operators mentioned in the news and in papers I have seen come across my screen on the subject. I think it would make more sense that the operators stay in the shadows to lead and create operations. Ayman is not liked, is pedantic, and generally is not someone that would be universally followed by the jihadi masses.

This too I think, is why the IS has been immediately attempting to step up attacks on Yemen and Anwar because they too feel that he is a likely choice for taking up where OBL left off. If not officially, at least by proxy of AQAP being the new force in Jihad, the one group who has acted on grander plans like the old AQ did. Anwar I think, is about to replace OBL on the FBI’s wanted list slot…

Unless they actually hit him with one of those missiles.

Autonomous Cells:

Since the GWOT started, and now the JSOC and the Kill/Capture program, AQ has been learning that to fight the battle they need to pivot the attacks. Just as hackers learned that it was best to use internal attacks by tricking people into clicking links in emails (phishing), so too have the jihadis in this battle space. Thus we have the idea of lone wolves and small cells of one to three members within them. The smaller the cell, and the more autonomous, the higher the likelihood that they will be able to carry off a mission.

By leveraging the Internet, the propaganda machine that GIMF started has been replaced by Al-Malahem and AQAP’s Inspire magazine. This trend is somewhat scary in many ways as the lone wolves out there may have some communications with AQ central (AQAP) but they likely will not be many. Instead, as data has shown us, the lone wolves out there so far (Nidal Hassan, Emerson Begolly, and others) were radicalised by watching YouTube videos, chatting online with Paltalk, and reading jihadist writings on internet php boards. Rarely have these people had direct contact with the main players in AQ, though Hassan did in fact email with Al-Awlaki.

Overall, I think that the decentralising of AQ will continue from the GWOT, thus causing more splinter groups to pop up, see the model that AQAP has put together, and emulate it. They will be harder to stamp out and they will be more of a perceived threat because they could be just about anyone. Irhabi 007 was a single prolific propagandist who worked out of his parents’ house in the UK. All he needed was the internet and some hacking skills and he was able to create a new paradigm of online jihad. Imagine now all of the next gen kids who are just as computer literate and just as moved to radical thought.

Jihad GEN 3:

Which brings me to the next generation of Jihad. Or should I say the next few generations of it? In watching the trending I have seen more and more younger recruits online and in jihadist videos. It has always been known that the Jihad starts at the Madrassa, but it seems now that not only are the boys being trained from a young age, but so too the muslima. With the advent of the Chechen “Black Widows” and some of the rules being created by shura councils, the girls too are now being trained from a young age to become shahid.

In the West though, the rationalisation process is more led by what media the jihadi/takfiri/kuffr has been able to align with. Perhaps they are going to mosque and getting some of the content in some cases, but mostly, it comes from the net. Just how many of these people are Muslims by upbringing is unclear, as is how many come to Islam and then radicalise at some point. The one constant though in my mind is that they are likely mentally unbalanced or seeking attention in some way that is core to their being.

What form the next generation will take is still unclear. Perhaps the pivot toward trying to get Western recruits to become shahid will ultimately fail on the large scale. Though, I do expect there to be more unbalanced individuals attempting to carry out small attacks as mandated by AQ/AQAP for the cause. No matter how small the explosion or the number of people killed, they will have fulfilled the mandate of a thousand cuts set out by OBL.

Chatter:

Currently, the chatter on the internet has started to amp up since the death of OBL. After AQ put out its announcement that he was martyred, the boards began to fill with prayers and threats. None of the threats have been credible but we have seen a potential spike in action with at least one person attempting to get into the cockpit of a plane in flight last week. All of this chatter online and the reverberations from it are likely to set in motion GEN3 and GEN2 actors within the AQ universe. It is time to keep our eyes open on the operations in play.

Talk of WMDs and other key words has been seen on the boards and I fully expect that this will spin up even further as time goes by within the next few months toward September.

Time will tell.

K

Written by Krypt3ia

2011/05/12 at 18:40

Post Bin Laden: Don’t Get Cocky America

leave a comment »

It was a busy week last week on the internet. With the news that OBL was gone, the jihadi boards stayed silent for a couple days as the rank and file waited for AQ to post a response. It wasn’t too long though before at least one faction (Kavkaz) began posting that OBL was in fact alive and well and that the fire fight in Abbottabad actually took hours.

Of course this is a Russian/Maghreb source so they are quite used to propaganda blasts. This posting though did not seem to gather any traction with the masses on the other boards. The silence continued until AQ finally put out the official word on Thursday that OBL was indeed martyred and that OBL would ascend, leaving thousands of jihadis behind in his wake.

It was soon after AQ put out this statement that the boards began to spin up on traffic. The masses began to write prayers interspersed with threats to America and President Obama…

These are just a few from the last couple of days. The boards have been getting extensive posts from the masses.. I am still going through them all and it seems with every refresh, there is a new post of prayer and threats. What has been interesting though, is that they are re-grouping and trying to create extensive propaganda blitzes online. When the news of OBL’s death came out, the savvy jihadi’s started a Facebook page called “We are all OBL”

This site came down quickly as Facebook caught on, but you get the idea. Once this site was removed, I saw traffic that had a new idea. The jihadis compiled an uber list of sites to post propaganda on. They had created new OBL graphics, nasheeds, and documents to get the word out that their shaykh had been killed, but his jihad goes on. I have yet to see the propaganda propagate anywhere, but I am sure they are feverishly working toward making more videos to upload to YouTube and other places.

Slowly the boards have begun to have non-credible threats being made within their threads, including comments about bombings and shootings. So far the comments are not being seen as warranting any action other than being more vigilant (i.e. nothing saying today we are going to hit this place with a bomb), but time will tell if one of these guys decides to go all lone wolf and try something, and this is the real problem. The lone wolves out there in their bedrooms making bombs or plotting to shoot people oftentimes do not overtly post that they plan on doing such things. Instead you have to read between the lines on their postings to see who actually might act up.

It’s a crap shoot.

I have been taking stock of what has transpired this last week and here are some observations:

There seems to be another wave of “America FUCK YEAH!” fever going on since OBL’s demise:

While I agree we have some things to celebrate, I think that we also need to take into account that it’s not over. We should not feel as though we can dust off W’s “Mission Accomplished” banner and go back to swilling beer. I have read a few pieces in the news that covered the mentality of the youth who grew up post 9/11 and there seems to be a consensus that with OBL’s death, the “Boogeyman” has been removed from the collective unconscious. Given that I am older, I can’t really empathise with how they feel, and with what I know about AQ and the jihadi mentality, I cannot party down like many did that night.

I think that Obama has it right when he says we need not swagger. I also agree with him that releasing the photos would only incite more of the jihadis to work together and really do something as a whole; it would in effect re-energize them even more so than the killing of OBL itself has done. It would be the equivalent of drawing a picture of OBL and Muhammad together and then having Terry Jones burn it on camera for CNN.

What I really fear is that people collectively have this idea that since OBL is dead, AQ is too.. And that just isn’t the case. If anything they have been damaged (and the intel from the hard drives may give us much more data to keep them on the run or to kill them as well) but there are many more of them out there now saying they will follow in OBL’s footsteps because he was a righteous man.

To understand the war.. One must understand the enemy…. I think we are still lacking critical thinking and understanding by the masses on that enemy. I really would hate to see us slip into a 2001/2002 mentality again.

Whacknutty “Deathers” and other conspiracy theories abound:

Since the death of OBL was reported, there has been a spinning up of the conspiracists out there claiming that OBL had in fact been dead all along and that this was another COINTELPRO project or something of that ilk. The decision by Obama to not release the photos has only inflamed these conspiracy nuts even further. I actually took a listen to Alex Jones the other day and he was going on and on about how this was just another media-created manipulation by the one world government blah blah blah.

Hey Alex… You are insane btw… No, really, clinically insane. You need help.

But I digress.. So, yeah, the lack of physical data or other proofs that OBL is indeed dead would likely make no difference now anyway. You see, for the conspiracy folks, he would have just been on ice somewhere and this “killing” was used to boost the poll numbers for Obama. Frankly it’s all drivel and shows the insecurities in the average conspiracist’s mind. If you give them data, they will just say it’s forged. My evidence that OBL was in fact dead came from AQ themselves. They put out a pdf announcement, and the boards, like I said above, had been real quiet like… So something was up.

Ugh.. Well, no worries though.. Other whacknuts with 100-million-dollar radio ministries say that we are in the end times anyway. As of May 21st the game’s up!

And don’t you know I will be emailing them on the 22nd saying “Welcome to Hell bitches!”

Morons.

Oh, and back to the “deathers”: give it up. He’s dead. Let’s move on and work towards ending Jihad, huh?

Don’t get cocky America!:

Last weekend I read an article that is pertinent to the post-OBL world. The title of the article is “Don’t Get Cocky America” and it is by Daveed Gartenstein-Ross. The point of his argument is that the death of OBL, while damaging, is not the end of AQ nor Jihad. More specifically, the brand of jihad that OBL was espousing featured an economic bent. In the latter part of his jihadi life, OBL and AQ had been moving toward an even more diffuse organization that would be harder to track. Using couriers as he was to get data back and forth was his undoing, but it is this model, along with the idea of self-radicalization through jihadi media outlets, that makes this more dangerous.

OBL, from the start, stated that he wanted to bleed America dry with a death of a thousand cuts as the Mujahideen had in Afghanistan with the Soviet Union. By using this model OBL wanted to create cells all over that could self-actuate and, with every small attack, cause the American government to spend even more money on security and war. His economic warfare in fact worked… Look at where we are now as opposed to where we were 9/10/01. We have a multi-front war ongoing, a security behemoth called the DHS that can’t get out of its own way, and trillions of dollars in debt to show for it all.

Still, we are not truly safe and the sad fact is we never can really ensure that we will be. It is just the nature of the beast. There will always be a way for a determined aggressor to strike and we just have to understand this.

Meanwhile, as the article alludes, many now think that the war is over because one man, who was an active part but no longer the true aegis of the organisation, is dead. This is a fallacy and we have to come to grips here with the future.

OBL is dead.. The movement isn’t.

Which brings me back to the economic warfare thing.. Do we really need to spend as much on all of this? Would the intel that eventually killed OBL be just as obtainable without the trillions being spent on the wars in Afghanistan and Iraq? It’s a puzzle that needs to be looked at and I have to think about it some more…

Moving forward:

It’s not time to relax our security stance, but it is a good time to take stock of what we are doing and how. OBL’s demise will bring on interesting times I suspect and I for one will be quietly watching.

K.

Written by Krypt3ia

2011/05/09 at 16:29

Posted in AQAP, GWOT, jihad, Qaeda