Qaeda Internet Claim Could Be Impossible to Trail

Reuters ^ | Dec. 3, 2002 | Adam Tanner

[JohnathanRGalt]

"Impossible to Trail"?    It looks like Al-Qaeda is broadcasting from Texas.

http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=1843191

Qaeda Internet Claim Could Be Impossible to Trail

Tue December 3, 2002 10:19 AM ET
By Adam Tanner

BERLIN (Reuters) - An Internet message purportedly from al Qaeda claiming responsibility for last week's Kenya attack presents investigators with major difficulties in tracking the claim's origin, computer experts said Tuesday.

"If you know what you are doing, you can hide your tracks in the Internet so well that you will be untraceable," said Mikko Hypponen, manager of anti-virus security at Helsinki-based F-Secure.

In the statement posted Monday at an Islamist Web site, a group claiming to be the "Political Office of Qaeda al-Jihad" said it had carried out last week's attacks on an Israeli hotel and airliner in Kenya.

"The fighters of al Qaeda return to the same place where the Crusader-Jewish coalition was hit four years ago," said the statement, referring to the 1998 bloody attacks on U.S. embassies in Nairobi and Dar es Salaam.

The previously unheard of "Army of Palestine" had also claimed responsibility for Thursday's attacks in a faxed statement via a Lebanese media organization.

The supposed al Qaeda message was posted in Arabic on the site www.azfalrasas.com, which roughly means "melody of gunfire," and shows an AK-47 automatic rifle and a tank.

The site calls itself the first jihad-related chatroom on the Internet, and the author of the message on Kenya is registered as "Bin Laden the Islamic Fighter." A second Web site posting the message was accompanied by pictures of bin Laden.

"There are two ways to do it. One way is that they have legal access to post on this Web Site," said Yoni Malachi, an Israeli Internet expert.

"The other option is they actually broke into this Web Site, that they didn't get legal permission to post."

Both options would be available to either a real al Qaeda member or a hoaxer, although how much information the user leaves behind depends on their computer sophistication.

"Anyone who sends e-mail or surfs the Internet leaves clues that can be followed," said Christian Brockert, spokesman for the German Federal Police, which conducted an extensive investigation into the German roots of the September 11 attacks.

MIXED SUCCESSES

E-mails helped Pakistani police make a series of arrests following the murder of U.S. reporter Daniel Pearl earlier this year. Officials have made arrests on child pornography and other cases by following Internet leads, in some instances helped by hackers who know the ins and outs of the Internet best.

A number of September 11 hijackers and alleged co-plotters used the Internet. Mohamed Atta, the ringleader who flew the first plane into the World Trade Center even had his own web page with a short description of his studies in the northern German city of Hamburg.

"I'm an Egyptian student. Now I'm studying urban planning in Germany," Atta wrote in 1997 on his Internet page. "I'm now preparing my graduation project about the old city of Aleppo."

Another suspected co-plotter from Hamburg, Said Bahaji, has been linked to militant Islamic web sites. But he apparently did not leave behind enough clues for investigators and is at large.

Computer experts say even if police with subpoena powers trace an e-mail or web page to the computer that sent it, the sender may remain elusive.

"Even though you might be able to trace it back to the original machine where the information was posted from, it might not help us so much," said Hypponen.

"Most likely the trails will go back to a cybercafe, or public library, or public university computer, which most likely won't give us any information," he said.

"Then again, there might be a surveillance camera in the cyber cafe, or the street next to it, which would show who was there at the time it was posted."

[JohnathanRGalt]

http://www.azfalrasas.com/  redirects to   http://216.97.79.152/nuke/index.php

This is interesting -- The top of the page says in English:

  "Interior Contracting   *   Joinery
   Architectural Aluminum Systems"

But when you look a the page source, there are all kinds of links to terrorist websites such as Azzam (many more).

Another terror site from C.I. Host in Texas  -- the same ISP that's hosting a Muslim website called "Jewish Converts to Islam," which calls Rabbi Tovia Singer "a Jew liar," a "predator rabbi" and urges followers to visit the rabbi's "home and teach him all about Islam." The site includes Singer's home phone number, address and a map to his home.

Jeremy Reynalds contacted C I Host and they refused to take the site down because it might interfere with Yousef al Khattab's freedom of expression.  

Note to Constitutional scholars: it's the Government that is prohibited from passing laws abridging freedom of speech. Citizens have a right, and a duty, to speak out against this kind of evil to our elected representatives, the media, or the ISPs hosting it.
____________________________________

Whois Information from "whois.enom.com" about azfalrasas.com

Domain:       azfalrasas.com
IP Address: 216.97.79.152
OrgName:   C I Host 
Address:     1851 Central Drive Suite 110, Bedford TX 76021
Contact:    nancys@cihost.com

Administrative, Billing, Technical, Registrant Contact:

   WebMaster
   Unkown One   (abuuud@yahoo.com)
   +1.9665555555
   FAX: none
   Jeddah, NA 64645 SA

(This registration looks fake. If so, this is a violation of new InterNic rules which require valid domain registration information or the site will be taken down within 15 days).
____________________________________

Yet another CI Host terror site:

Domain:       jewstoislam.com
IP-address:  66.34.54.69
OrgName:    C I Host 
Address:     1851 Central Drive Suite 110, Bedford TX 76021
Contact:      nancys@cihost.com

Administrative, Registrant, Billing, Technical Contact-
  
   Nasser alWohaibi   (azooz@post.com)
   +96655202288
   PO Box 3002
   Riyadh,  11471 SA
____________________________________

Yet another CI Host terror site:

Domain:      alsalafyoon.com
IP address:  66.34.237.73
OrgName:    C I Host 
Address:     1851 Central Drive Suite 110, Bedford TX 76021
Contact:      nancys@cihost.com
____________________________________

After 9-11, the U.S. Government gave millions of dollars to the Middle East Studies Association (MESA)  for Arabic translators. But, MESA is not translating this and hundreds of other Arabic websites planning death and destruction. We might see something worse than Kenya or even the WTC.  Americans, your tax dollars were flushed down the toilet. Ask your Senator to fix this problem.
 

[Kay Soze]

Thanks/bump

[Desecrated]

Both from Arabia. I'm shocked!!!

[JohnathanRGalt]

Jehadi website ping: (let me know if you want on or off)

[thatdewd]

...the author of the message on Kenya is registered as "Bin Laden the Islamic Fighter."

I find it hard to believe intelligence communities would take this message seriously given the poster's screen-name. The 'Army of Palestine' claim seems much more realistic. The AOP is probably a just a name that specific group of al-Qaeda operatives came up with after putting the Kenya mission together, in order to help inspire the 'uprising'.

These webhosters are really starting to make me sick. Posting someone's name, address, phone number and a map to their house along with a suggestion they be paid a visit is not freedom of expression. It's incitement to violence. The CI Host people must think their clients have the right to scream FIRE in crowded theaters whenever they feel like it too. They don't. Legal is legal and that ain't.

[JohnathanRGalt]

I find it hard to believe intelligence communities would take this message seriously given the poster's screen-name.

Actually, the posters to these chat rooms all have 'jehadi' type names. Of course, I'm Johnathanrgalt and you're thatdewd. How many take us seriously?

These webhosters are really starting to make me sick.

Me too. I'm all for capitalism and making an honest buck but the ISPs seem to be overstepping some boundary of common decency here.

[JohnathanRGalt]

Jehadis Better Not Mess With Texas Ping!  Al-Qaeda claims responsibility for Kenya Attack from Bedford Hamas owned ISP is justifying Human Slavery from Richardson Hezbullah is broadcasting from San Antonio Laskar Jehad is broadcasting from Houston Senators: Gramm,  Hutchison, and your Texas representative, respond to Texas residents. Let them know what you think of terrorists broadcasting, recruiting, fund raising, propagandizing, and inciting to murder from U.S. ISPs. Your local law enforcement and news media might also be interested in this story.

[John Jamieson]

What could a couple of terrorists do with a rented high wing plane and a couple of automatic guns over a major airport with 500 planes loaded with fuel and most with passengers? Airport strafing would be cheap and easy. Terrorists version of a C130 gunship. They'd probably get away too.

I first thought of DFW but George Bush IA (Houston) would make a more dramatic statement.

[Tall_Texan]

I figure Al Qaeda is behind the dreaded Orbitz Virus - you know, the one where every friggin' commercial website pops up an ad for Orbitz.com? Ever noticed that "Orbitz" is an anagram for "biz rot"? Al Qaeda plans to limit our productivity by forcing us to close thousands of windows with ads to Orbitz.com. They're dastardly. They should be stopped and stopped now.

[writmeister]

I don't think that they care about legality. If the CI Host owner is anything like his mother (who I knew from school), it is all about MONEY.

[Caliban]

Thx 4 the ping.

[unixfox]

I'm thinking a good ole fashioned hack job and D.O.S. might be in order for these web sites.

[Abcdefg]

DOS? I know how to send 'pings' to another computer. If I want to send a ping, on a Windows PC I would click "Start" then "Run" and type in "command" for Windows 98 or "cmd" for Windows 200. That would give a DOS window. Is that what you mean by DOS?
Once I have the DOS window I could type in "ping -t -l 4096 www.cihost.com" and hit enter. That would let me know that CI Host is up and running. I could leave the command going, so that I would always know that CI Host is online. That is because I want only the best for that champion of free speech CI Host, also known as "63.249.159.33".

[thatdewd]

Actually, the posters to these chat rooms all have 'jehadi' type names. Of course, I'm Johnathanrgalt and you're thatdewd. How many take us seriously?

True, my own in particular (blush), but I meant the poster directly calling himself "Bin Laden" in his screen name. If al-Qaeda posted a statement, I would expect them to use a group name. If it was a direct statement from OBL it would have gone to al-jazeera or a similar mouthpiece long before that site saw it. The way that statement was presented, it's either some prankish teen or the website itself trying to drum up publicity (and advertising revenues).

[thatdewd]

I don't think that they care about legality. If the CI Host owner is anything like his mother (who I knew from school), it is all about MONEY.

No doubt. If the guvment would just enforce its existing laws, the fines against these people should be substantial enough to cause them to appreciate the value of an honest dollar. I would hope so, anyway. There's substantial fines for everything else, supporting terrorists should be worth more than just a few bucks.

[facedown]

Bump

[unixfox]

Not DOS as in Disk Operating System, but D.O.S. as in a Denial Of Service attack. In other words flood the web site with so many hits that it completely shuts it down. A ping flood started by several people in different locations at the same time could accomplish this task very nicely.

[JohnathanRGalt]

Denial Of Service attack: In other words flood the web site with so many hits that it completely shuts it down. A ping flood started by several people in different locations at the same time could accomplish this task very nicely.

Hack jobs, DOS attacks, domain redirects,... etc. don't work. (at least for more than a few hours). Over the years, ISPs have experienced most everything hackers have been able to throw at them and, if the ISP was good, they have been able to beef up their security to minimize any damage and quickly recover when an attacker gets through.

Kavkaz.org was up for years and weathered many attacks from Russian hackers. In just the past month or so, the Jewish sites Haganah has withstood:

»Osama: alHckrz Called Upon to Wage Jihad Against the 'al Haganah'
»Denial of Service Attack from Houston
»Cyber Attack from Saudi Arabia
»Cyber Attack from Kuwait
»Cyber Attacks, weapon of Hamas

Ping floods can be traced back to their origin and stopped. Unless the hacker is very good computer forensic experts can trace them back to their home base.

Easiest and legal method to shut down web sites posting hateful things is to talk the ISP and have them do it. If the ISP refuses then talk to the media, law enforcement, and the ISPs customers.