Information Security News mailing list archives

Re: Terrorist group claims responsibility for Slammer
From: InfoSec News <isn () c4i org>
Date: Mon, 10 Feb 2003 02:33:54 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>
cc: Brian McWilliams <brian () pc-radio com>,
    Dan Verton <Dan_Verton () computerworld com>

Several points are not clear after this hoax unfolded. I invite both
Verton and McWilliams to reply to any part of this. There are several
times where I quote McWilliams regarding this event. These quotes are
taken from: http://www.pc-radio.com/why.html which was posted to
explain why he perpetuated this hoax. I encourage everyone to read
this at some point.

Forwarded from: Dan Verton <Dan_Verton () computerworld com>

Here's the story of how I got screwed. I was duped, I was had --
call it what you will. Despite calls to the FBI and security firms
and other journalists around the world, I didn't turn up the hidden
ownership of the domain in question. I let myself get burned.


FEBRUARY 06, 2003

In an elaborate scheme to dupe security companies and journalists,
McWilliams acknowledged last night that he purchased the domain name
last March and registered it under the name of "Abu-Mujahid of
Karachi." He also left a legitimate mirror site in place on a server

According to McWilliams, he snatched up the lapsed domain for other

  It certainly was a big departure from my original reason for
  registering the domain: to gain some insight into how the Internet 
  was being used for terrorist recruitment, and to report my findings.

Your response above is cleverly worded to make it sound like
McWilliams' intentions were solely to dupe journalists and security

McWilliams' hoax, which he described as an effort to surreptitiously
obtain information that he might be able to turn into a good news
story, came to my attention after I reported being contacted by Abu
Mujahid. In a series of e-mails spanning several weeks, McWilliams,

Once again, your wording is very poor. When asked, McWilliams said
that YOU contacted him (as Abu-Mujahid), which contradicts your
statement above.

a.k.a. "Mujahid," claimed responsibility for the Slammer Internet
worm late last month. Although my story noted that claims of
responsibility for Slammer couldn't be verified, I, along with
journalists in India, several computer security firms and even law
enforcement experts, didn't see through McWilliams' hoax.

Which is nothing short of pathetic. Not only was the claim far-fetched
to begin with, the proof supplied went well beyond bogus. On top of
absurd 'math' and glaring contradictions in the claim, iDefense went
so far as to tell Computerworld "HUM's claim of injecting a
fingerprint into the code 'does not hold water'". Despite a security
company telling you their claim had no foundation, and despite you
having no other validation of anything, you still went with the story
without properly disclaiming yourself.

"I worked hard to make the illusion look real," he said in an e-mail
to me last night, after the hoax had been exposed. McWilliams also
expressed regret for having allowed the hoax to go so far. "But the
Internet gives those who want to spread misinformation a big
advantage. It's so easy to conceal ... the ownership of a domain."

Yes, it is. Despite that, you apparently did not take note of a few
facts before believing the hoax. The fact that harkatulmujahideen.org
appears to be located in the US, the domain contact info provides no
information or validation of who owns it, and that a simple Google
search would have revealed an American company took ownership of the
domain during the Pearl incident should not have escaped you. All of
these facts didn't register in your mind as warnings that it may be a
hoax, because you didn't bother to do what a journalist is supposed
to.. a little research. Let's also not forget that you are the
"Computerworld Security Expert" according to your press releases. How
is it that a "security expert" cannot figure out e-mail headers and

Had you done the research and discovered all of the above, I have a
feeling that would not have stopped you from running those same
stories. As several people have stated, you WANTED to believe.

"I've been secretly receiving lots of interesting e-mails apparently
intended for HUM," said McWilliams. "I was hoping I might get a
story out of some of the stuff that came in to the site. Most of the
messages have been from people in the Middle East who wanted to join
jihad. I've forwarded some to the FBI."

This was a clever thing to include in your story. Consider that
incredible lead for information dead from here on out. I'm sure the
FBI are loving that since they were benefiting by a US Citizen
receiving that mail and forwarding relevant mail on to the proper
authorities. Later in this article you speak of McWilliams "[damaging]
the effectiveness of the defensive action." Yet here you are damaging
an important lead that was likely producing good intel on potential
terrorists and their actions. I'm glad you see fit to trade this for a
little news fodder, the whole while pointing fingers at McWilliams for
using the domain for possible story leads.

As part of this scam, McWilliams contacted a journalist in India and
then defaced his own phony Web site, posting one of my earlier
e-mails as part of the defacement by a bogus hacker group. That
"hacking" was one reason that at least one security vendor,
Mi2g.com, initially considered the Web site to be genuine.

First, McWilliams makes no mention of contacting a journalist in India
when explaining his actions. I invite him to clarify this or for you
to provide more information.

Second, this is *exactly* what McWilliams proved with this hoax. A web
site that has no real visible ties to anything outside the US other
than random e-mail claims gets 'defaced', and mi2g is saying "this is
the first significant attempt at anti-Islamic cyberwar." Even worse,
mi2g continues on saying the following:

  In early 2003, however, the anti-Islamic backlash predicted by the
  mi2g Intelligence Unit is beginning to materialize. This is a 
  significant development and we will continue to monitor the 
  situation closely.

If this doesn't define FUD, I don't know what does.

According to Computerworld's Feb 05 article about the defacement, you
have yourself validating the site as legitimate, and you have mi2g
validating it was defaced and referencing you. Excuse me, may I remind
you that you were a former "intelligence officer" and mi2g is an
"information intelligence" company. Where the hell do you guys get off
using these self granted titles? Neither of you had any real
validation of anything, yet both ran with this as legitimate news. The
fact that mi2g still has no retraction or explanation on their website
should warn off anyone using their service that they are charlatans
and pushing whatever crap hits their inbox as 'news'. Two charlatans
validating each other is a very common practice in many industries,
and one that the security industry has seen many times before
(Jones/Murphy, Meinel/Vranesevich, et al). Next time I reference this
activity, I can include "Verton/mi2g" I guess.

been to uncover. He did not, however, acknowledge then that he had
registered the domain using a fictitious name. After the hoax was
revealed, the story was removed from Computerworld's Web site. By
then it had been picked up by other Web sites.

Who deserve what they got. The inbreeding that goes on between
supposedly reputable news sources is disgusting. The fact that they
push unverified stories out the door themselves, and then turn around
and swallow other outlets' stories without a question speaks wonders
about the current state of industry reporting.

That authenticity unraveled late yesterday, after my story had been
posted, when members of an e-mail list that focuses on security
topics contacted Computerworld and informed me that McWilliams had
been bragging about the success of his hoax and how simple it would
have been to uncover.

According to McWilliams:

  Contrary to some reports, I did not brag about this fact on a
  security mailing list. On the contrary, I find it troubling.

So.. is your source questionable or are you misstating facts to try to
convince your readers that you were not at fault?

This isn't the first time McWilliams has relied on questionable
reporting procedures to obtain information for a story, according to
government intelligence and industry sources, who requested

Of course they requested anonymity. This isn't the first time your
sources have been called into question either, and I'm not just
talking about the one above.

These sources confirmed that in September 2001, at the height of the
Nimda worm, McWilliams obtained the telephone number for conference
calls held by the National Security Council, the National Security
Agency and private companies, and listened in surreptitiously to the
conversations. He then used the information from the conference
calls in news reports he filed.

Once again, I invite McWilliams to respond to these claims. While
waiting for his reply, I'd love to know why he wasn't charged with
various criminal law infractions if this was the case. Or were the
conference calls not nearly as important as made to sound?

McWilliams confirmed today that he did listen in to the conference

But did not confirm he did so in an unethical manner?

Although the hoax this week taught me a valuable lesson about the
nature of information on the Internet, it's less clear that
McWilliams' scheme has done anything to advance the understanding of
cyberterrorism -- one of his stated reasons for conducting the hoax
in the first place.

Sure it has. It has proven that you, Computerworld and companies like
mi2g will do anything to perpetuate the idea/myth/desire for
"cyberterrorism" despite the lack of documented cases proving it even

I'll close with the following quote from McWilliams' explanation:

  As my bungled experiment proved, even Verton -- whose book about
  teenage hackers claims he is "one of the leading technology 
  journalists in the country" -- can apparently be fooled by fake 
  e-mails, phony web sites, and wild claims, in a desire to get a big 
  scoop on a hot topic.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
