Below you can read, in material originally partly in Danish and partly in English, an example of how Internet sources can be thoroughly unreliable and what consequences this can have.
In brief, the case was this:
On 25 Jan. a computer virus infected thousands of computers and computer networks around the world. Dan Verton, a former intelligence officer and now a journalist at Computerworld.com, then revealed on 5 Feb. 2003 that the virus, the so-called “Slammer worm”, had been released by a particular Muslim terrorist group.
He had received the information by e-mail from the organization itself. Or so he thought.
In reality it came from the well-known freelance journalist Brian McWilliams, who had bought the domain name harkatulmujahideen.org.
The organization is real enough; it just was not the one behind the domain name, and hence not behind the virus attack either.
It was Brian McWilliams who sent these false accusations out on the Internet.
YOU CAN READ THE FOLLOWING ARTICLES
| Date | Headline | Author | Source as of 9 Feb. 2003 |
|---|---|---|---|
| 26 Jan. 2003 | Internet brought to its knees by worm attack | Tania Andersen | computerworld.dk |
| 6 Feb. 2003 | Jihad organization takes the blame for Slammer | Lene Holmbæck | virus112.com |
| 5 Feb. 2003 | Terrorist group claims responsibility for Slammer worm | Dan Verton | pc-radio.com |
| 6 Feb. 2003 | Journalist perpetrates online terror hoax | Dan Verton | computerworld.com |
| 6 Feb. 2003 | I staged a fake defacement of my web site… | Brian S. McWilliams | pc-radio.com |
| 7 Feb. 2003 | In case my first revision of this document was unclear… | Brian S. McWilliams | pc-radio.com |
The day after the virus attack we could read the following article:
Sunday 26 Jan. 2003, 12:53
Internet brought to its knees by worm attack
The worst virus attack in 18 months, say experts about the SQL Slammer worm, which brought the Internet to its knees across large parts of the world on Saturday morning.
By: Tania Andersen
While Danish Internet users were asleep or getting out of bed, a worm named SQL Slammer caused damage across the entire Internet and brought the net to its knees on Saturday morning.
South Korea was hit hardest; most of its national networks went down completely.
When the attack began around 6:30 Saturday morning Danish time, packet loss on the Internet was measured at 20 percent. This means that one in five Internet packets, which carry data around the net, was lost.
Because of the high packet loss, applications such as IP telephony over the Internet were put out of action. Many e-mail servers also suffered from the poor connections.
The worm exploited a known hole in Microsoft’s database software SQL Server 2000. After taking over the server, the worm floods the net with packets.
According to security sources, the worm is not dangerous in the sense that it deletes or forwards data. But the worm is extremely aggressive in the way it spreads itself.
The worm has already been compared to Code Red, the worst worm so far in the history of the Internet. The cost of Code Red’s damage has been put at over 13 billion kroner.
The security organization CERT has issued an advisory on SQL Slammer, and Microsoft has likewise issued a security bulletin.
This article comes from PC World Online.
Another article on the Internet read:
Jihad organization takes the blame for Slammer?!
6 Feb. 2003
The independent Islamic jihad organization HUM, formerly known as Harkat-ul-Mujahideen, has claimed responsibility to Computerworld in the USA for last month’s big plague: SQL Slammer. A spokesman for HUM has stated that Slammer was activated as part of a “Cyber Jihad” to create fear of using the Internet.
HUM claims to have placed its fingerprint in Slammer in the form of the number 42. This number appears in one of the worm’s first instructions, and “HUM” adds up to 42 when converted to Roman numerals.
Analyst Pedram Amini of the security firm iDefense Inc. has said, however, that the worm’s code is so small that the number 42 cannot have been part of it. There is simply not enough room, and moreover it is not something a programmer can insert through code. According to Amini, the number arises from the execution of the code.
Subsequently HUM’s own website has been hacked and the front page replaced with the following: “You can change your name, but you cant [sic] hide from the 4nti-MUja. GWB and USA is comming [sic] for you. Can you say kaboom?” It has been confirmed that the hack actually took place, in that several e-mails have been compromised. One of these e-mails was from 30 January, an exchange between HUM and the American Computerworld’s journalist Dan Verton concerning the Slammer worm. Dan Verton has confirmed the authenticity of the e-mail.
HUM is registered on the US State Department’s list of terrorist organizations and is believed to have ties to al-Qaeda and Ahmad Omar Sheikh. The latter was arrested in January 2002 for kidnapping and murdering journalist Daniel Pearl of the Wall Street Journal. According to the US Navy, the organization operates primarily in Pakistan and the Kashmir region, but has held training camps in Afghanistan.
The probability that HUM is behind SQL Slammer is vanishingly small, but the fact that the group would even think of claiming responsibility for the worm simply shows that terror is on its way into the digital world. It is a frightening thought, but companies as well as private individuals can do much to stop this, both through regular updates of antivirus software and through a degree of care when downloading programs and opening e-mails.
Unfortunately, Computerworld itself has taken the stories off the site because of doubts about their credibility, but an updated article is expected later.
If you are in doubt whether you have a virus on your computer, you can scan it for free at virus112.com (online virus scan)
Lene Holmbæck
EuroTrust Virus112 A/S
(Source: Security News Portal, Computerworld.com)
The first article Dan Verton wrote about the Slammer worm and who was behind it was this one:
Terrorist group claims responsibility for Slammer worm
By DAN VERTON
FEBRUARY 05, 2003
A radical Islamic group that is on the U.S. State Department’s list of designated terrorist organizations has claimed responsibility for the release of the Slammer worm late last month (see story).
In an exclusive exchange of e-mails with Computerworld spanning two weeks, Abu Mujahid, a spokesman for Harkat-ul-Mujahideen (HUM), a self-proclaimed radical Islamic jihadist organization, said the group released the Slammer worm as part of a “cyber jihad” aimed at creating fear and uncertainty on the Internet.
U.S. intelligence officials allege that HUM, formerly known as Harkat-ul-Ansar, has ties to al-Qaeda and Ahmad Omar Sheikh, who was arrested for the January 2002 kidnapping and murder of Wall Street Journal reporter Daniel Pearl. The group operates primarily in Pakistan and the Kashmir region, but it has also run terrorist training camps in eastern Afghanistan, according to a U.S. Navy profile.
According to Mujahid, one of the worm’s first instructions, a so-called “push” command, includes the number 42, which is the sum of the letters H, U and M if you add up the numbers that correspond to the point at which each one falls in the Roman alphabet. H is the eighth letter; U is the 21st; M is the 13th. When eight, 13 and 21 are added up, the total is 42.
However, Internet security experts were quick to dismiss HUM’s claims of purposely injecting a fingerprint into the code of Slammer as a way to claim credit.
Pedram Amini, an analyst at iDefense Inc., a security firm based in Chantilly, Va., said the size of the worm is such that there is very little room for any arbitrary fingerprints to have been included in the code. In addition, the push command referenced by Mujahid and the numbers that followed it are not something a coder could inject, but are instead something generated by the execution of the code, said Amini.
“It is and has always been my opinion that the author of the worm cannot be identified [by studying the code],” said Amini. HUM’s claim of injecting a fingerprint into the code “does not hold water,” he said, noting that the code that went into the worm could have been downloaded from multiple locations on the Internet by anybody.
For example, according to iDefense analysts, a Chinese hacker group called the Honker Union of China is known to have posted code similar to that of the Slammer worm on its Web site prior to the attack. In addition, proof-of-concept code released last August at the Black Hat hacker conference by researcher David Litchfield is also believed to have been used as a basis for the worm.
Bill Murray, a spokesman for the FBI’s National Infrastructure Protection Center (NIPC), would not call members of HUM suspects, but he did say that an NIPC analyst has looked into the group in connection with the Slammer investigation.
“Do not underestimate our abilities to create fear and chaos on the Internet, using programs we find and modify to our purposes,” said Mujahid. “We do not need to attack the infrastructure to terrorize the Kufars,” he said, referring to non-Muslims. “We use the Internet to spread misinformation and confusion.”
Dan Verton discovers that his source for the above article is, to put it mildly, unreliable. He openly admits this in the following article:
Journalist perpetrates online terror hoax
By DAN VERTON
FEBRUARY 06, 2003
Editor’s note: An online story yesterday by Computerworld reporting on terrorist claims of responsibility for having authored the Slammer worm was based on a hoax. The security reporter who wrote the story, Dan Verton, explains in this first-person account how he and others were misled by a U.S. journalist who pretended to be someone named “Abdul Mujahid.” The original story has been removed from Computerworld’s Web site.
There’s an old Italian proverb that says, “Those who sleep with dogs will rise with fleas.” That’s the situation in which I now find myself.
While catching a few fleas isn’t unusual in the murky, dog-eat-dog world of reporting on hackers and terrorists, this hoax is different. Had it been a simple scam, I might be embarrassed. But in this case, the scammer is Brian McWilliams, a former reporter for Newsbytes.com, which is now owned by The Washington Post Co.
For the past 11 months, McWilliams has operated a Web site, www.harkatulmujahideen.org, which once belonged to a real terrorist organization based in Pakistan. It was during legitimate research into pro-terrorist Web sites that I first came across the Harkat-ul-Mujahideen site and McWilliams.
In an elaborate scheme to dupe security companies and journalists, McWilliams acknowledged last night that he purchased the domain name last March and registered it under the name of “Abdul Mujahid of Karachi.” He also left a legitimate mirror site in place on a server in Pakistan and by his own admission has been receiving e-mails from people looking to join the actual terrorist group. He then posed as Abdul Mujahid in his communications with people and the news media.
McWilliams’ hoax, which he described as an effort to surreptitiously obtain information that he might be able to turn into a good news story, came to my attention after I reported being contacted by Abdul Mujahid. In a series of e-mails spanning several weeks, McWilliams, a.k.a. “Mujahid,” claimed responsibility for the Slammer Internet worm late last month. Although my story noted that claims of responsibility for Slammer couldn’t be verified, I, along with journalists in India, several computer security firms and even law enforcement experts, didn’t see through McWilliams’ hoax.
“I worked hard to make the illusion look real,” he said in an e-mail to me last night, after the hoax had been exposed. McWilliams also expressed regret for having allowed the hoax to go so far. “But the Internet gives those who want to spread misinformation a big advantage. It’s so easy to conceal … the ownership of a domain.”
McWilliams’ efforts misled journalists in a foreign country now living with the real-world threat from a very real group, Harkat-ul-Mujahideen (HUM), a group linked not only to Osama bin Laden, but also to the abductors and murderers of Wall Street Journal reporter Daniel Pearl.
The Web site still in place in Pakistan, www.ummah.net.pk/harkat/, refers to a radical Islamic group on the State Department’s list of designated terrorist groups. Once known as Harkat-ul-Ansar, the group changed its name to Harkat-ul-Mujahideen in an effort to avoid problems stemming from the U.S. terrorist designation. Contact information on that site goes to harkatulmujahideen.org, which is McWilliams’ domain.
“I’ve been secretly receiving lots of interesting e-mails apparently intended for HUM,” said McWilliams. “I was hoping I might get a story out of some of the stuff that came in to the site. Most of the messages have been from people in the Middle East who wanted to join jihad. I’ve forwarded some to the FBI.”
As part of this scam, McWilliams contacted a journalist in India and then defaced his own phony Web site, posting one of my earlier e-mails as part of the defacement by a bogus hacker group. That “hacking” was one reason that at least one security vendor, Mi2g.com, initially considered the Web site to be genuine.
That authenticity unraveled late yesterday, after my story had been posted, when members of an e-mail list that focuses on security topics contacted Computerworld and informed me that McWilliams had been bragging about the success of his hoax and how simple it would have been to uncover. He did not, however, acknowledge then that he had registered the domain using a fictitious name. After the hoax was revealed, the story was removed from Computerworld’s Web site. By then, it had been picked up by other Web sites.
This isn’t the first time McWilliams has relied on questionable reporting procedures to obtain information for a story, according to government intelligence and industry sources, who requested anonymity. These sources confirmed that in September 2001, at the height of the Nimda worm, McWilliams obtained the telephone number for conference calls held by the National Security Council, the National Security Agency and private companies, and listened in surreptitiously to the conversations. He then used the information from the conference calls in news reports he filed.
“Just as that group was hitting its stride, the trust relationship was fractured,” said a source who took part in the conference calls. “Since we couldn’t know which participant compromised the trust, [McWilliams’] efforts actually damaged the effectiveness of the defensive action.”
McWilliams confirmed today that he did listen in on the conference call.
Although the hoax this week taught me a valuable lesson about the nature of information on the Internet, it’s less clear whether McWilliams’ scheme has done anything to advance the understanding of cyberterrorism – one of his stated reasons for conducting the hoax in the first place. The fact is that real terrorist organizations around the world do run Web sites. The Palestinian terrorist group Hamas is a prime example of a terrorist group on the Web. There are many others, including, until last March, Harkat-ul-Mujahideen.
This experience has been a particularly difficult one for me. I feel like I’ve been had, and that’s never an easy thing to swallow. I got burned. So, I’m left here scratching fleas as the price you sometimes pay for sleeping with dogs.
Here is the explanation of “the culprit”, Brian S. McWilliams, for why he did what he did:
On Feb. 4, 2003
I staged a fake defacement of my web site
I staged a fake defacement of my web site, harkatulmujahideen.org, which I have owned since March of 2002. I also spread a hoax about an Islamic militant group taking credit for an Internet worm.
My goal was to learn whether truth is the first casualty in cyber-war.
This was arguably a serious lapse in judgment on my part, especially since I work as a journalist and strive to report the truth.
It certainly was a big departure from my original reason for registering the domain: to gain some insight into how the Internet was being used for terrorist recruitment, and to report my findings. At the start, I absolutely did not intend the site as a honeypot for gullible journalists.
But, like a teenage web site hacker, there I was early this week, replacing the site’s home page with a misspelled, quasi-political rant, and anonymously submitting the site’s address to zone-h.org, a web site that compiles records on Internet vandalism.
Within hours, mi2g, a security consulting firm, had sent out a news alert to journalists stating that the defacement marked the start of “anti-Islamic hacking.” Shortly thereafter, several reporters had filed articles based on mi2g’s alert, not realizing that the defacement was a complete fabrication.
I regret that my undercover work was so effective that the news sites and security “experts” believed claims I had made in e-mail interviews: that I was “Abu Mujahid,” a spokesperson for Pakistan-based Harkat-ul-Mujahideen (HuM), and that my group had masterminded the fast-spreading SQL Slammer worm.
I had originally meant to come clean before any reporters went to print with such an outrageous story.
But in my amazement as events unfolded, I totally botched the revelation part. I have since apologized to the reporters and security analysts who were duped by my hoax.
This story actually begins in November of 2002, when Dan Verton, a reporter for Computerworld who covers the security beat, sent an e-mail to [email protected], asking for an interview for his upcoming book on cyber-terrorism.
Eight months before, I had registered the address after the domain’s previous owners failed to renew it. But someone left in place a mirror image of the Harkat site on a server in Pakistan. As a result, I’ve been receiving lots of interesting e-mails apparently intended for HuM.
Most of the e-mail messages coming in Harkatulmujahideen.org have been from people in the Middle East who want to join jihad. Real-world, violent jihad, with guns and bombs; not hacking or cyber-terrorism. “I like to serve in a form of Hit & Run policy rather than suicide missions to support Jihad.” wrote one correspondent to [email protected].
Verton’s Nov. 16 message asked if HuM had considered using the Internet and computer technology as a way to fight back at those who Islamists view as oppressors.
“Has there been any talk of trying to cripple the Internet infrastructure of those states that Islamists view as oppressors as a way to hurt their economy and force their withdrawal from Muslim lands?” he inquired, and asked that his request be circulated among the group.
Verton’s question puzzled me. If HuM was truly interested in cyber-terrorism, wouldn’t their lying to him in an e-mail be a good start? After all, isn’t terrorism, even of the digital kind, all about creating fear and confusion?
I wondered if Verton, a former Marine intelligence officer and a self-proclaimed security expert, would attempt to verify whether harkatulmujahideen.org was actually operated by the Harkat. Would he rely exclusively on information fed to him by e-mail without some other corroboration: telephone, for example?
Would he check the headers of those e-mails to see if they were sent from Pakistan or some other place in the Middle East?
Would he even do a Google search on harkatulmujahideen.org and find a citation of a Newsbytes article I wrote in Feb. 2002 about how the domain’s registration had lapsed and was picked up by a Tennessee company?
Would he pay attention to the red flags, or would he brush them aside because he wanted to believe what he saw?
I also wondered how mi2g and other security firms would react to an apparent defacement of Harkatulmujahideen.org. Would they pitch the event to reporters as the start of a cyber-war on Islamic extremists?
Would those reporters simply parrot back what mi2g told them without doing any real digging of their own?
As my bungled experiment proved, even Verton – whose book about teenage hackers claims he is “one of the leading technology journalists in the country” – can apparently be fooled by fake e-mails, phony web sites, and wild claims, in a desire to get a big scoop on a hot topic.
Contrary to some reports, I did not brag about this fact on a security mailing list. On the contrary, I find it troubling.
– Brian S. McWilliams,
Feb. 6, 2003
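The header check raised in the statement above, sketched as an added example (not part of the original page or of anyone quoted on it): only the `Received` line stamped by the recipient's own mail server records a verified sending address, and every line below it is text supplied by the sending side. The message, host names and the `TRUSTED` set are constructed for illustration.

```python
import email
import re

# Constructed sample (not from the page). Host names use reserved example
# domains and the public IPs come from the RFC 5737 documentation ranges.
SAMPLE = """\
Received: from mx1.newsroom.example (mx1.newsroom.example [10.0.0.5])
    by mailstore.newsroom.example with ESMTP id A1; Thu, 30 Jan 2003 10:02:11 -0500
Received: from smtp.isp.example (smtp.isp.example [198.51.100.23])
    by mx1.newsroom.example with ESMTP id B2; Thu, 30 Jan 2003 10:02:09 -0500
Received: from karachi-gw.example.pk (unknown [203.0.113.77])
    by smtp.isp.example with SMTP id C3; Thu, 30 Jan 2003 10:02:05 -0500
From: spokesman@group.example
To: reporter@newsroom.example
Subject: statement

(body omitted)
"""

# Hypothetical names of the recipient's own mail servers.
TRUSTED = {"mx1.newsroom.example", "mailstore.newsroom.example"}

# "from HELO (rDNS [IP]) by HOST": a common Received layout; real MTAs vary.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Parse Received headers, newest first (each relay prepends its own)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(re.sub(r"\s+", " ", value))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops


def trace_origin(raw, trusted):
    """Split the relay chain into the one verified hand-off and mere claims."""
    verified, claims, inside = None, [], True
    for hop in received_hops(raw):
        if inside and hop["by"] in trusted:
            # Stamped by our own server. The HELO name is sender-chosen, so
            # only the reverse-DNS name marks a hop as internal.
            if hop["rdns"] in trusted:
                continue
            verified, inside = hop["ip"], False  # first outside peer we saw
        else:
            # Written by a server we do not run: may be forged wholesale.
            inside = False
            claims.append(hop["ip"])
    return {"verified_handoff_ip": verified, "unverified_claims": claims}


if __name__ == "__main__":
    print(trace_origin(SAMPLE, TRUSTED))
```

The verified address is the one worth looking up with the regional Internet registry; when the sender used a webmail or relay service, it identifies that service and not the author.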
To be on the safe side, McWilliams apologizes quite unequivocally the day after, in an updated version:
Update, 2/7/03
In case my first revision of this document was unclear
let me state that I believe it was a mistake to have perpetuated this hoax.
My experiment illustrated the dangers of relying on the Internet for reporting. But on balance, I think it may have done more harm than good.
I publicly apologize again to Dan Verton, Computerworld, and any other organizations or individuals who may believe they were harmed by my experiment.
Having worked the same security beat as Dan Verton, I know how hard it is to divine the truth via interviews over Internet chats, e-mails, and Web postings. Without the experience gained from this incident, I might have fallen for a similar scheme.
– BMcW
Updated 10 Feb. 2003