The Internet Haganah "Top Ten" list of jihadi forums, 03 August 2009

Ah, the pleasure of waking up in the morning to discover that...

...you'd spent two years running interference for the Saudis and the CIA:

Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies

There is no functional difference between a "real" jihadi forum and a "fake" jihadi forum, assuming the latter is accepted as legitimate by the community of activists. That means such a site will contribute in a meaningful way to the perpetuation of the terrorist threat globally. Nice people need to stay out of the spy business, and spies need oversight. The obvious ethical dilemmas presented by such a situation require constant reassessment of the costs versus the benefits. Left to their own devices intelligence officers and analysts will tend to focus on the latter. This is not to say that they are wrong, just that their bias needs to be understood and balanced by other considerations.

In general terms, we need to move away from this/that right/wrong arguments when it comes to the issue of keeping sites online or taking them down, and I see no sign of such movement in this article. What I see are people in entrenched positions defending their parochial interests, while simultaneously denying the obvious consequences of their actions. Perhaps they are just too nice and need to find another line of work. As for the rest of us, life goes on, as does the global war on terror, and our adversaries learn and alter their behaviors constantly. As a result of the last point, this whole debate is of limited value, as it doesn't address what al-Qaida operatives are doing online today, and where they are doing it. The caravan has moved on, folks.

Posted on 19 March 2010 @ 17:05
A model for combating jihadi networks online

If one is looking for a model of how to variously attack, degrade, and undermine the effectiveness of jihadi networks online, a good place to start is the campaign being waged against botnets and the criminal networks that operate them. With that in mind, check out the following:

TROYAK-AS: the cybercrime-friendly ISP that just won't go away

Disrupting the ISP’s activities doesn’t mean that the remaining and currently active Zeus campaigns would be somehow disrupted. This common misunderstanding stems from the Zeus crimeware wrongly perceived as a botnet similar to, for instance, the Conficker botnet. In comparison, Zeus is a DIY crimeware — also available as a managed crimeware service since 2008, perhaps even earlier — with an unknown number of cybercriminals operating their own Zeus botnets.

Taking it down means undermining the effectiveness of a huge percentage of their campaigns launched during the first quarter of the year. Not only does this mean disruption of their operations, but most importantly, loss of confidence on behalf of their customers in TROYAK-AS’s ability to stay online.

READ THE REST...

See also

Cybercrime's bulletproof hosting exposed
Researchers Map Multi-Network Cybercrime Infrastructure
AS-Troyak Exposes a Large Cybercrime Infrastructure

Posted on 19 March 2010 @ 17:03
U.S. Cyber Command Preparations Under Way, General Says

WASHINGTON, March 16, 2010

Preparations for the formal establishment of U.S. Cyber Command are under way, a senior military officer reported to Congress today.

The formal launch of the new organization is awaiting congressional approval of its commander, Air Force Gen. Kevin P. Chilton, the commander of U.S. Strategic Command, said in a written statement submitted to the House Armed Services Committee’s subcommittee on strategic forces.

Army Lt. Gen. Keith B. Alexander, currently the director of the National Security Agency at Fort Meade, Md., has been nominated to command U.S. Cyber Command, pending Congressional approval. Alexander would, if confirmed, command both the NSA and Cyber Command and be promoted to full general.

“We look forward to continuing to work with Congress and our agency partners as we move forward to establish U.S. CYBERCOM,” Chilton said.

In June 2009, Defense Secretary Robert M. Gates approved the establishment of cyber command to assume responsibility for operating and defending the Defense Department’s information networks as a unified sub-division of strategic command.

Gates charged U.S. Strategic Command -- that’s based at Offutt Air Force Base near Omaha, Neb., and responsible for the United States’ nuclear arsenal and global deterrence, as well as space and information operations -- to stand up the new sub-command. Cyber Command will be constituted by adjoining strategic command’s joint task force for global network operations under the operational control of the joint functional component command for network warfare, which had previously separated offensive and defensive cyberspace activities.

“This segregation detracts from natural synergies and ignores our experience in organizing to operate in the air, land, sea, and space domains,” Chilton said. “The establishment of U.S. CYBERCOM will remedy this problem in the cyber domain.”

On a not unrelated note: U.S. Joint Forces Command releases Joint Operating Environment 2010 – a strategic framework that forecasts possible threats and opportunities that will challenge the future joint force.

Posted on 19 March 2010 @ 17:01
Facebook traps Italian fugitive mafia suspect

BBC:

Pasquale Manfredi, accused of being one of the top figures in the 'Ndrangheta mafia, was found in Calabria.

The 33-year-old, who faces charges of murder, mafia association and drugs trafficking, was traced via his network of Facebook contacts.

Posted on 19 March 2010 @ 17:00
SOCA warns over untraceable websites
Posted on 19 March 2010 @ 16:59
Flash: the Internet is an integral part of the jihad

You're shocked, I know. The title of the following is actually better than the content of the story, but FWIW:

Taliban Internet recruiting through the eyes of a detainee

Posted on 16 March 2010 @ 15:59
The Internet is not France...

...and there are no "no-go" zones. If the bad guys are somewhere, using some service, the good guys will follow. See

Break the law and your new 'friend' may be the FBI

It's interesting how a private organization operating without any meaningful government oversight - the Electronic Freedom Foundation - believes it has a right to 'police' government agencies who are bound to the US Constitution and have to answer to executive, congressional, and judicial overseers. And the EFF does so, and their efforts are reported on, without the slightest trace of irony.

The author of the above linked news story reveals his true colors when he equates a real woman who created a fictional online identity in order to bully a child until the latter committed suicide, with the actions of hypothetical government agents conducting criminal investigations, describing these as "effectively the same activity... although for different purposes." Right. For the benefit of those who "report" on legal matters, we call those "purposes" intent, and it is commonly the presence or absence of criminal intent that determines what is or is not a crime. For example, if I break down your door to drag you out of a burning house, that is "effectively the same activity" as if I break down your door in order to shoot you once in the neck and once in the head. That the "purpose" is different is - I hope - obvious, yet in both cases I do in fact make a mess out of your door. Sorry about that...

The reality of Internet use by criminals is inadvertently captured by the article in the following:

Undercover operations aren't necessary if the suspect is reckless. Federal authorities nabbed a man wanted on bank fraud charges after he started posting Facebook updates about the fun he was having in Mexico.

Maxi Sopo, a native of Cameroon living in the Seattle area, apparently slipped across the border into Mexico in a rented car last year after learning that federal agents were investigating the alleged scheme. The agents initially could find no trace of him on social media sites, and they were unable to pin down his exact location in Mexico. But they kept checking and eventually found Sopo on Facebook.

While Sopo's online profile was private, his list of friends was not. Assistant U.S. Attorney Michael Scoville began going through the list and was able to learn where Sopo was living. Mexican authorities arrested Sopo in September. He is awaiting extradition to the U.S.


In the end, privacy advocates are really idiot defenders. The evidence is lying out there in plain view, and it was left there by the criminals themselves.

Posted on 16 March 2010 @ 15:59
12 March 2010

New Entries
Posted on 12 March 2010 @ 20:05
In praise of Jawas...

...and YouTube Smackdown crews, and everyone else involved in tracking, investigating, and reporting the activities of Jihad Jane.[1] I was going to title this post "In defense of..." but there's nothing here to be even a little defensive about. Having had a ring-side seat throughout the entire campaign, if there was something here that concerned me or that I thought in any way might harm law enforcement or intelligence collection activities, I would have said something.


The astute viewer will note that the headline does *not* read
"cyber vigilantes charged with interfering in a lawful investigation"

The work of removing individual videos from YouTube, while tedious, is of enormous value. The global jihad is all about the videos, and the videos don't keep themselves in circulation, al-Qaida activists do. Every once in a while a video may come along that actually has some redeeming educational or intelligence value, but those times are rare. As for the YouTube accounts of these activists, the harder the bastards have to work, the better it is for the rest of us, because all these people are doing is building a case against themselves - they are demonstrating publicly the degree to which they are committed to the cause. For investigative purposes, and to make the most of available resources, we need to know who the most dedicated activists are. Once they are on the radar, smacking down their videos and YouTube accounts does no harm - the investigators are already reading their email and know damn well what they are doing online.

Such efforts are part of what I call a supply-side approach to dealing with jihadi media. For a host of reasons it is a much better approach than trying to track and investigate every person who happens to watch one of these videos. Over time such efforts will likely result in the more risk-averse jihadis dropping out, while the risk-tolerant will remain active. The result of that selection process over time is that people who we can see active online in support of al-Qaida will be increasingly likely to be involved in real-world terrorist activity as well: risk is risk, and those who have learned they can tolerate it have this way of seeking out more of it. In case the investigative opportunities this represents are not clear, just remember that at the end of the day the Internet is a public place - we can see what people are doing on YouTube, but not what they are cooking up in their kitchen.

My best wishes to all concerned: job well done. That's one Little Blue AK for Jihad Jane, and one for each of her co-conspirators arrested in Ireland.

[1] I'm not going to link to any mainstream media reports about Jihad Jane's takedown - go here for more information: http://mypetjawa.mu.nu/

Posted on 12 March 2010 @ 20:02
02 March 2010

The great jihadi website meltdown of late Winter 2010

Update: 03 March 2010, 13:18 Z
Well, that was fun. All the core sites (Faloja, Ma'ark, and Ansar) are back online. Was it a diversion? A message to the forum operators that they are not in charge of their own sites? A fit of pique by an intelligence service or two or three? No one knows - and anyone who says they do know is probably being less than truthful or more than a little imaginative. The jihadi site admins in particular are an unreliable source in such matters - witness the complete denial on the part of the Ansar forum admins regarding the compromise of their site's database. In more general terms, the jihadi site admins can either cut their own lines of communication and truly compartmentalize their operations, or they can suffer having those lines of communication cut by their adversaries more-or-less at will. Either way we win, they lose.

MORE...
Posted on 2 March 2010 @ 14:13
28 February 2010

New Entries

Internet
All your base are belong to us
Our finest hour?
More "last words" from The Shaheed Abu Dujana al-Khorasani


Note: it's not just you - of the sites in our current Top Ten list, 6 are down, and two (Hanein and Ana al-Muslm) should really be removed from the list. That leaves at-Tahaddi and Majahden as the only active jihadi forums as of 2010-02-28 20:15 Z.

PS: The al-Luyuth al-Islamiyyah forum is also available, but not very active - you'll find it here: http://www.leyoth.info/vb/

Posted on 28 February 2010 @ 16:01
All your base are belong to us

The Ansar al-Mujahideen forums are totally compromised, and have been for about a year and a half.

First the server was hacked, the database deleted, and the front page replaced with a page that attempted to infect each visitor with a virus. The attack appeared to have been aimed at the server, and all the sites on the server were treated similarly - in other words the jihadi site was just on the wrong server at the wrong time. What the Russian mafia did with the data *they* collected is anyone's guess.

Then the admins, in the process of attempting to restore the site, left not one, but a half-dozen copies of the database in plain view where the site's front page was supposed to be.

The rest, as they say, is history.

[Image: Location of the core membership of the Ansar al-Mujahideen forum (English section) - "would you like some salt with that password hash" - US location data obscured for reasons that should be obvious]

Evan Kohlmann has just written an exposé of the Ansar al-Mujahideen forum which features - among other things - extended quotes from "private messages" exchanged by the forum's administrators and leading activists. It will be published in the February 2010 edition of the CTC Sentinel.

Make your time.

MORE...
Posted on 28 February 2010 @ 15:59
Our finest hour?

Pretty darn close, for sure.

Thanks to a reader in Saudi Arabia for reminding me of the following incident - arguably one of the better examples of information operations Internet Haganah-style.

Keep in mind that the suicide bomber who struck the CIA base in Afghanistan late last year, Abu Dujanah al-Khorasani, was formerly an administrator of the al-Hesbah forum. It is likely that he was identified and captured by the Jordanians as a result of that activity.

The al-Hesbah forum, as far back as 2003-2004, was one of the most important, and certainly the most exclusive of jihadi sites. It survived the Montada al-Ansar forum (of Irhabi007 fame) and continued to operate until late fall/early winter of 2008. Actual cause of death has not been revealed, but likely was related to a kind of survivor guilt - all the other "top tier" jihadi sites having been scuttled earlier in the Fall of '08.

The administrators of the al-Hesbah forum were accused of colluding with the Enemies of Islam™ by the operators of the rival Tajdeed forum - the latter having suffered a near-terminal loss of members following an extended period of down-time as a consequence of the post 7/7 bombing backlash in the UK (Tajdeed was/is operated by individuals living in the UK). In particular the al-Hesbah admins were accused of assisting in the capture of Irhabi007 - a charge later proven to be without merit.

Enter Internet Haganah - stage right.

On 02 March 2006 I posted a report about the geographic distribution of the readership of the al-Hesbah forum - the administrators of that forum had, in fact, provided me with critical assistance in collecting the data (not that they were aware of it at the time).

Over at the Tajdeed forum, the brothers seized upon this as proof that al-Hesbah was in league with Satan:



A month later I posted the demographic data for the Tajdeed forum:


Note to jihadi website admins: when seeking agents of Satan,
I recommend first looking in the mirror

Posted on 28 February 2010 @ 15:46
More "last words" from The Shaheed Abu Dujana al-Khorasani

New video and transcripts have been released by as-Sahab, who are to be commended for making the most of this opportunity.

The focus is on the Jordanian intelligence services and provides al-Khorasani's self-serving account of how he first became an informant, and then turned on his handlers. As such, it has some redeeming intelligence value.

The .PDF version of this interview may be infected, so I have extracted the text and present it here. If you insist on exploring the PDF files on your own, I recommend at a minimum using a non-Adobe PDF reading application (e.g. the Preview.app on Mac OS X).

MORE...
Posted on 28 February 2010 @ 15:32
Three websites of Hamas known by Israel to be associated with Hamas operatives in the UK

The allegation of linkage to the UK is based on research conducted by and correspondence with the Intelligence and Terrorism Information Center.

The data about the location and service providers of the sites is based on my own studies.


Official English Hamas site: http://www.palestine-info.co.uk/en/
IP address: 62.149.0.119
Network access provider: Colocall, Turgenevskaya, 52-58, Kiev, Ukraine, phone: +380 44 4617988, fax-no: +380 44 4617988, abuse@colocall.net

Additional information:

The server's name is "0-119.nizar.cc.colocall.com". Note the presence of the name Nizar. It is a reference to Nizar al-Hussein, a long-time known Hamas activist. Note the site's .co.uk domain name.

The site is self-hosted by Hamas, using the following Name Servers:
ns1.palestine-info.com, ns2.palestine-info.com

The domain name palestine-info.co.uk is registered through register.com, an American company. This despite Hamas being a designated Terrorist organization. Three successive US administrations have chosen to not act on this matter.

Hamas has until 10 April 2010 to pay to renew the name. So sometime between now and then there will be funds transferred from someone to someone.

The domain name whois currently lists the registrant as:

ELMUSLIMAH PALESTINE, P.O.Box 25-68, SHOOEIFATI BLDG - HARET HREIK MUNICIPALITY, BEIRUT, 11121, Lebanon


Official Hamas magazine Filistine al-Muslima: www.fm-m.com
IP address: 213.167.40.131
Network access provider: MASTAK OJSC/Sitek Global Network, 601G, 20a, Kuskovksya str., Moscow 111141, Russia, abuse@sitek.net

Additional information:

This site runs on a server in Moscow. It is almost certainly self-hosted by Hamas. However DNS service and domain name registration service are both provided by American company Network Solutions, Inc. The current domain name record was created (meaning money likely changed hands) on 14 April 2005. The name expires/must be renewed by 24 March 2015.

Name servers: NS81.WORLDNIC.COM, NS82.WORLDNIC.COM

worldnic.com is an alias of Network Solutions.

The domain name registrant is:

ELMUSLIMAH PALESTINE, P.O.Box 25-68, SHOOEIFATI BLDG - HARET HREIK MUNICIPALITY, BEIRUT, 11121, Lebanon, Phone: 0096170950190, Email: nizar@alhussien.name


Hamas' al-Fateh children's magazine: www.al-fateh.net
IP address: 213.167.40.131
Network access provider: MASTAK OJSC/Sitek Global Network, 601G, 20a, Kuskovksya str., Moscow 111141, Russia, abuse@sitek.net

Additional information:

This site shares a server with fm-m.com, and three other Hamas-linked sites: 4gaza.info, Paldf.com, and Palestinegallery.com. Once again, the domain name registrar is register.com. The domain name registration must be renewed by Hamas on or before 19 March 2010 (the record was created on 19 March 2002). The name itself is held by a Portugal-based proxy service:

Domain Discreet (domaindiscreet.com), ATTN: al-fateh.net, Rua Dr. Brito Camara, n 20, 1, Funchal, Madeira 9000-039, PT, Phone: 1-902-7495331

Posted on 23 February 2010 @ 00:03
Jihadis report a fresh round of arrests in south Yemen
Posted on 23 February 2010 @ 00:02
*The* Warning

Prior to it being reported in the media, an alleged al-Qaida activist on the al-Faloja forum issued an urgent warning to AQ leaders regarding the capture in Oman of one Abdullah Saleh al-Eidan. This is the warning thread.

This raises the question - who is the Faloja forum user called "afghani" and how is it that *he* knew about the capture of al-Eidan? One thing I can tell you is that identity has been active for a considerable length of time.

Posted on 23 February 2010 @ 00:01
22 February 2010

Adieu M. Namouh

Canadian terrorist handed life sentence

He was a leading figure in the Global Islamic Media Front.

Posted on 22 February 2010 @ 23:59
Jihadis reflect on the Austin, TX attack*

They seem to have confused the IRS and the CIA - nevertheless, you may be sure they learned the important lesson, namely that even a small aircraft loaded with fuel can destroy a reasonably large building.

Thread from the Ansar al-Mojahideen forum
Thread from the Electronic Mujahideen forum

MORE...
Posted on 22 February 2010 @ 23:58
FUD of the day award

Not for the first time, Declan McCullagh takes the prize with this paragraph from his report Police push for warrantless searches of cell phones:

Privacy advocates say that long-standing legal rules allowing police to search suspects during an arrest--including looking through their wallets and pockets - should not apply to smartphones because the amount of material they store is so much greater and the risks of intrusive searches are so much higher. A 32GB iPhone 3GS, for instance, can hold approximately 220,000 copies of the unabridged text of Lewis Carroll's Alice's Adventures in Wonderland.

Would that be compressed or uncompressed text, pray tell?

The right of police to search your person and possessions incidental to arrest is well established - no warrant is required. That you can theoretically cram a whole lot of text data onto an iPhone is immaterial. Advances in binary explosives mean you could pack an extraordinarily powerful bomb inside your man purse, a bomb much more powerful than what you could previously pack into the same accessory if you were limited to dear old TNT. Either way, if Officer Friendly has cause to put you in cuffs, he has cause to look at what you have in the bag, and either way if what he finds is incriminating - too bad for you.

NEXT!

Posted on 22 February 2010 @ 23:54
Two threads about ambushes
Posted on 22 February 2010 @ 23:52
FUD of the day award, second runner up

Experts highlight growing cyber-jihad threat

"On jihadist websites there are all sorts of manuals explaining how to make an e-bomb, how to create a virus, how to use encryption techniques", [Dominique] Thomas said. "They are very up to date. The Saudis especially are very strong."

Among militants indicted for terrorist acts, there are more students from pure sciences such as mathematics or information technology than there are from the social sciences, according to numerous studies.

Nigerian, Umar Farouk Abdulmutallab, who is accused of trying to blow up a US bound jet on December 25 studied mechanical engineering at a top London university.


Is it not obvious?! I mean, Abdulmutallab was A MECHANICAL ENGINEERING MAJOR!!1!

For a more level-headed discussion, and with a tip of the hat to Tim Stevens, listen to the NPR Fresh Air interview with James Lewis.

See also: this discussion from the as-Ansar forum.

Posted on 22 February 2010 @ 23:48

Internet Haganah is a project of The Society for Internet Research ©2010 All Rights Reserved

Abu Dujanah al-Khorasani,
Bomber of FOB Chapman:
 
“I say to my brothers in the jihadi media trench to rise up and support your mujahideen brothers with your pens, wealth, and time. Dust off the dirt of laziness, as the situation is not a happy one, and [the] Jewish Haganah dogs have attacked us, closed the forums, and have manipulated the download links of jihadi media productions — so is it that they are more patient and determined than you are? If you are familiar with your reputation amongst the mujahideen, then you would not sleep or enjoy living before you can reassure them with the return of the al‐Hesbah, al‐Ekhlaas, and al‐Boraq forums, so will you do this now that you are aware?”
 
Contact:
contact [at] sofir [dot] org
 

What *is* Internet Haganah?
 


Internet Haganah is a project of...
 

SoFIR: an international non-governmental ad hoc intelligence network focused on combating the global jihad.