Home page logo

isn logo Information Security News mailing list archives

Re: Terrorist group claims responsibility for Slammer
From: InfoSec News <isn () c4i org>
Date: Fri, 7 Feb 2003 02:35:46 -0600 (CST)

Forwarded from: Dan Verton <Dan_Verton () computerworld com>


Here's the story of how I got screwed. I was duped, I was had -- call
it what you will. Despite calls to the FBI and security firms and
other journalists around the world, I didn't turn up the hidden
ownership of the domain in question. I let myself get burned.



FEBRUARY 06, 2003

Editor's note: An online story yesterday by Computerworld reporting on
terrorist claims of responsibility for having authored the Slammer
worm was based on a hoax. The security reporter who wrote the story,
Dan Verton, explains in this first-person account how he and others
were misled by a U.S. journalist who pretended to be someone named
"Abdul Mujahid." The original story has been removed from
Computerworld's Web site.

There's an old Italian proverb that says, "Those who sleep with dogs
will rise with fleas." That's the situation in which I now find

While catching a few fleas isn't unusual in the murky, dog-eat-dog
world of reporting on hackers and terrorists, this hoax is different.
Had it been a simple scam, I might be embarrassed. But in this case,
the scammer is Brian McWilliams, a former reporter for Newsbytes.com,
which is now owned by The Washington Post Co.

For the past 11 months, McWilliams has operated a Web site,
www.harkatulmujahideen.org, which once belonged to a real terrorist
organization based in Pakistan. It was during legitimate research into
pro-terrorist Web sites that I first came across the
Harkat-ul-Mujahideen site and McWilliams.

In an elaborate scheme to dupe security companies and journalists,
McWilliams acknowledged last night that he purchased the domain name
last March and registered it under the name of "Abu-Mujahid of
Karachi." He also left a legitimate mirror site in place on a server
in Pakistan and by his own admission has been receiving e-mails from
people looking to join the actual terrorist group. He then posed as
Abu Mujahid in his communications with people and the news media.

McWilliams' hoax, which he described as an effort to surreptitiously
obtain information that he might be able to turn into a good news
story, came to my attention after I reported being contacted by Abu
Mujahid. In a series of e-mails spanning several weeks, McWilliams,
a.k.a. "Mujahid," claimed responsibility for the Slammer Internet worm
late last month. Although my story noted that claims of responsibility
for Slammer couldn't be verified, I, along with journalists in India,
several computer security firms and even law enforcement experts,
didn't see through McWilliams' hoax.

"I worked hard to make the illusion look real," he said in an e-mail
to me last night, after the hoax had been exposed. McWilliams also
expressed regret for having allowed the hoax to go so far. "But the
Internet gives those who want to spread misinformation a big
advantage. It's so easy to conceal ... the ownership of a domain."

McWilliams' efforts misled journalists in a foreign country now living
with the real-world threat from a very real group,
Harkat-ul-Mujahideen (HUM), a group linked not only to Osama bin
Laden, but also to the abductors and murderers of Wall Street Journal
reporter Daniel Pearl.

The Web site still in place in Pakistan, www.ummah.net.pk/harkat/,
refers to a radical Islamic group on the State Department's list of
designated terrorist groups. Once known as Harkat-ul-Ansar, the group
changed its name to Harkat-ul-Mujahideen in an effort to avoid
problems stemming from the U.S. terrorist designation. Contact
information on that site goes to harkatulmujahideen.org, which is
McWilliams' domain.

"I've been secretly receiving lots of interesting e-mails apparently
intended for HUM," said McWilliams. "I was hoping I might get a story
out of some of the stuff that came in to the site. Most of the
messages have been from people in the Middle East who wanted to join
jihad. I've forwarded some to the FBI."

As part of this scam, McWilliams contacted a journalist in India and
then defaced his own phony Web site, posting one of my earlier e-mails
as part of the defacement by a bogus hacker group. That "hacking" was
one reason that at least one security vendor, Mi2g.com, initially
considered the Web site to be genuine.

That authenticity unraveled late yesterday, after my story had been
posted, when members of an e-mail list that focuses on security topics
contacted Computerworld and informed me that McWilliams had been
bragging about the success of his hoax and how simple it would have
been to uncover. He did not, however, acknowledge then that he had
registered the domain using a fictitious name. After the hoax was
revealed, the story was removed from Computerworld's Web site. By then
it had been picked up by other Web sites.

This isn't the first time McWilliams has relied on questionable
reporting procedures to obtain information for a story, according to
government intelligence and industry sources, who requested anonymity.
These sources confirmed that in September 2001, at the height of the
Nimda worm, McWilliams obtained the telephone number for conference
calls held by the National Security Council, the National Security
Agency and private companies, and listened in surreptitiously to the
conversations. He then used the information from the conference calls
in news reports he filed.

"Just as that group was hitting its stride, the trust relationship was
fractured," said a source who took part in the conference calls.
"Since we couldn't know which participant compromised the trust,
[McWilliams'] efforts actually damaged the effectiveness of the
defensive action."

McWilliams confirmed today that he did listen in to the conference

Although the hoax this week taught me a valuable lesson about the
nature of information on the Internet, it's less clear that
McWilliams' scheme has done anything to advance the understanding of
cyberterrorism -- one of his stated reasons for conducting the hoax in
the first place. The fact is that real terrorist organizations around
the world do run Web sites. The Palestinian terrorist group Hamas is a
prime example of a terrorist group on the Web. There are many others,
including, until last March, Harkat-ul-Mujahideen.

This experience has been a particularly difficult one for me. I feel
like I've been had, and that's never an easy thing to swallow. I got
burned. So, I'm left here scratching fleas as the price you sometimes
pay for sleeping with dogs.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]