Sunday, July 30, 2006

The Man Who Put Al-Qaeda on the Web

This isn’t really weird tech news, but Barry Levin of NewsFactor.Com has done some extensive research of on how al-Qaeda got to use the Internet for their evil deeds. It’s a great read.


The Man Who Put Al-Qaeda On The Web

by Barry Levin


Like radar in the last century, the Internet is a radical new tool that is helping to redefine the dimensions of warfare. For al-Qaeda, the shadowy terrorist organization behind 9/11, the Net is helping it to be everywhere and nowhere.

But there are real people, in real space, maintaining what is, in effect, al-Qaeda's I.T. department. Last October, the most important member of that group so far -- the man who has been called "the Godfather of cyber-terrorism" -- was arrested. He is a 22-year-old Muslim immigrant to Great Britain named Younis Tsouli.

On that cold autumn morning, police raided the West London flat where Tsouli lived and worked, and arrested him. As they entered, Tsouli was reportedly putting the finishing touches on a Web page titled "You Bomb It." On his hard drive, police said they found a video of how to make a car bomb, and another showing several locations in Washington, D.C. Tsouli, now residing in Belmarsh Prison in England, is expected to go on trial in January, along with two other young Muslim immigrants arrested at the same time.

The three suspects were reportedly discovered at least in part as the result of intelligence obtained in previous busts in Sarajevo and Denmark. In the Sarajevo arrest, more than 40 pounds of plastic explosives and a suicide-bomb belt were reportedly found, as well as plans pointing to bombing attacks in Europe and the U.S.

Although he may have been part of those cells, Tsouli was not your ordinary terrorist. By all indications, it appears that he was the most visible al-Qaeda Internet operative so far, better known by his screen name: Irhabi007.

Radar brought pinpoint tracking to the age of centralized warfare. By contrast, the Internet, in this distributed age, is helping to decentralize warfare. And like many decentralized franchises, al-Qaeda has come to use the World Wide Web for marketing, distribution, research, fund raising, recruiting, and, on occasion, operations.

Marketing Terrorism

But, at first, the Internet was only a means for al-Qaeda to distribute its equivalent of brochures. "Initially, before 9/11, [al-Qaeda] appeared to be using the Net primarily as a marketing tool," says Ned Moran, an intelligence analyst at the Terrorism Research Center outside Washington, D.C. He cites a Web site called Almeda.com as a key promoter of radical Islam.

Shortly after 9/11, Almeda.com and others were attacked by unknown hackers and shut down. It was about the time that al-Qaeda was being pushed out of Afghanistan, and the Internet became a perfect communications mechanism for what was now a terrorist organization on the move.

At that point, Moran says, "They were forced to innovate." On the Internet, al-Qaeda undertook two big innovations.

First, like any organization that wants to secure a loyal base, al-Qaeda wanted to increase its online "stickiness" and cultivate its market, and so it started to use community-building tools. Bulletin boards, chat rooms, and other mechanisms -- sometimes under passwords and mostly in Arabic -- became key attractions.

And, second, the Internet operations began to repeat themselves. Many sites were launched, and content was cross-posted between several dozen of them. Al-Qaeda's Internet operations began to mirror its replicating terrorist cells, multiplying as soon as some were destroyed. But all the while, the Net was a key unifier. The Internet operation, Moran says, was "the central pole in the tent holding up the organization."

Al-Qaeda became, in the words of a BBC2-TV series last year, "a global brand driven by the power of the World Wide Web."

But Aaron Weisburd, the head of an anti-terrorist group called Internet Hagganah, downplays the number of al-Qaeda sites. "The 'proliferation of jihadist Web sites' is not quite the problem it is made out to be," he says. "There are really only a handful of Web sites of significance, and the rest are peripheral, though as Web sites fall, some in the periphery may gain more significance."

Weisburd contends that, behind the curtain, "There are only a relatively small number of people responsible for much of what we see online."

License to Kill

It was in this murky scene -- al-Qaeda emerging in various forms on the Net, but with no dominant personalities -- that a character known by the screen name of Irhabi007 emerged.

Posting and boasting his way to prominence, Irhabi007 started appearing on radical Islamist bulletin boards and in chat rooms. He had no apparent reluctance in melding "irhabi," which means "terrorist" in Arabic, to the code number of the world's most famous, albeit fictional, British secret agent.

In addition to his proclamations, Irhabi007 frequently posted low-level, apparently stolen documents, such as a purportedly official Israeli map program, complete with serial number, and a U.S. Army Handbook on Intelligence for Combat Commanders. He was also posting training tips about the Internet for other jihadists.

Irhabi007 "put a face and a name to al-Qaeda's Internet presence" for the first time, Moran says.

According to Internet Hagganah, Irhabi007 was not a native speaker of Arabic, and, when posting in that language, he used translation software. But English was often his language of choice. "We all know some Yankees recentely [sic] got back from Iraq," went a typical posting, as quoted by Internet Hagganah, "and we all know these idiots tend to tape on camera anything so im [sic] sure in a couple of weeks we might see personal home pages displaying footages from Iraq giving us a little insight into how things go."

Irhabi007 was also becoming known for ratcheting up al-Qaeda's use of the Internet for propaganda, rapidly posting documents and media. For instance, he gained notoriety for quickly posting the gruesome video of American Nicholas Berg's beheading, as well as many videos.

The Berg decapitation was reportedly downloaded half a million times in 24 hours. As was his specialty, Irhabi007 made sure that it was cross-posted at other sites, in order to handle the traffic. He was, Moran says, "sort of al-Qaeda's super administrator."

The 2004 Berg video in particular became a model. It showed a masked man purporting to be none other than Abu Musab al-Zarqawi as the executioner. Killed in June by an American air assault, al-Zarqawi was the apparent leader of the al-Qaeda contingent in Iraq. That video and others like it -- of similarly gruesome executions, or attacks on Americans, or training exercises -- influenced the creation and distribution of similar material from other terrorist cells, such as ones from Thailand. Most of these videos were in clear homage to al-Zarqawi.

In fact, it was Irhabi007's speed in posting information and media relating to attacks, especially those in Iraq, that led to his reputation as al-Zarqawi's Internet point man.

The Net-distributed videos and proclamations became an important part of al-Zarqawi's outreach to the faithful. Osama Bin Laden was known for using Al Jazeera, the Arab world's most prominent TV network, to get his message out. But beginning with a communiqu posted on a jihadist forum in 2004, al-Zarqawi began to cultivate the Internet to distribute pronouncements and media.

Al-Zarqawi discovered, for instance, that when he allowed a video scene to be posted showing his face for the first time, within hours followers had posted translations of his words into several languages. If the Web was pumping up the global brand of al-Qaeda, that brand was hot in certain circles.

And Irhabi007 was its PR guy.

"He facilitated a lot of online activities," Weisburd says, "often committing crimes along the way. He was always part of a bunch of guys all working on similar projects, not all of whom are in custody." Far from being a tech mastermind, Weisburd says, Irhabi007 "was more a problem solver than a great hacker."

"He seemed to have had an energizing role, in that videos started to regularly appear," says Mark Burgess, director of the World Security Institute's office in Brussels. "He was good, but he wasn't a rocket scientist. He got caught."

Binary Bread Crumbs

According to Internet Hagganah, by mid-2004 Irhabi007 had established a pattern of behavior that included posting Web pages on free hosting sites, sometimes with downloadable materials. He was regularly posting on jihadist forums like al-Palsm and al-Erhap and, when those forums ended, on another called Muntada al-Ansar al-Islami. The al-Ansar forum in particular was connected to al-Zarqawi.

Irhabi007 was beginning to attract his own following, with terrorist wannabes sometimes attaching "007" to the end of their screen names. By the fall of 2004, he was able to post videos of suicide bombings faster and more efficiently than most others, and received a clear mark of distinction: public praise from an aide to al-Zarqawi. According to the Terrorist Research Center, Irhabi007 was even credited as the "administrator" on al-Zarqawi's al-Ansar site.

Internet Hagganah said it kept after Irhabi, getting the free Web and FTP sites he was using to shut down. "The point of that effort was not to silence Irhabi007," the group reported later on its site, but "to keep him busy. This increased the chance of him making a mistake that would allow us to locate him. The plan worked better than expected."

"There's an old saying: In jungle warfare, the jungle is neutral," says Burgess of the World Security Institute. "Like anything else, the Net has its vulnerabilities. [Terrorists] can spread their ideology, but potentially they can be tracked down."

In mid-2004, Irhabi007's brazenness began to work against him. In July, he became an FBI target for the first time when he tried to use an FTP server that belonged to the State of Arkansas Highway Department.

He even registered www.irhabi007.org as a domain, using the name and address of an American first lieutenant stationed in Iraq.

When, at one point in 2004, Weisburd and his group succeeded in getting Irhabi's service provider to shut him off, Irhabi hit the roof. He posted threats in chat rooms of how he was going to slice up Weisburd. Weisburd, who acknowledges that he always keeps a loaded gun nearby, reported the threat to the FBI.

But then Irhabi started to leave a trail. On a site he was developing to post threats against targets in Italy, he left his IP address. Weisburd says Irhabi also left a different IP address on another online community he visited.

Then, Weisburd says, his group did a little fishing. Internet Hagganah posted a notice on its site warning that Irhabi's files were infected.

His wounded pride as an Internet administrator must have affected his judgment, because, in reply, Irhabi became even more careless. As part of an effort to show that his files were not infected, Weisburd says, Irhabi posted a screen shot that included a third IP address -- but it was only partially blurred out.

According to Weisburd, all three IP addresses pointed to the Ealing area of London, and he says he passed the information to U.S. and British authorities at the time. Nearly a year and a half later, whether from that lead or from the information obtained in the Sarajevo raid, or both, Tsouli was arrested. Reportedly, it was only after his arrest that authorities realized they might have just captured Irhabi007.

Since Tsouli's arrest, no one has posted using that screen name.

Calculated Risks

Although Irhabi007 seems to have been involuntarily retired, the Net-based terrorist subculture could yield another star. There have even been online competitions, according to Burgess, in which prospective terrorists can display their skills, such as a competition to fire a rocket and hit a U.S. military target in Iraq.

But this isn't American Idol. If it's a War on Terrorism, why aren't the sites being forced to shut down by Western authorities?

"While these sites can present a danger, they give us a great window into [terrorists'] mindset," says Moran, the intelligence analyst. As an example, he cites a recent, foiled plot to blow up buildings in Toronto -- with information apparently provided, in part, by al-Qaeda-leaning chat rooms. News reports indicated that the Internet was used for communication, coordination, and recruitment in that plot.

There has also been speculation that some of the al-Qaeda sites are actually "honey pots" -- fake sites set up by Western intelligence agencies as part of a Net-based sting operation, in order to capture such information as the credit card numbers used to buy videos.

Some have wondered if, by not immediately trying to shut down sites that post information about making bombs and poisons, authorities aren't taking a fatal risk in the name of acquiring intelligence about a bigger plan. Not to worry, says George Smith, a senior fellow at the public-policy and research organization GlobalSecurity.org. Smith dismisses the effectiveness of al-Qaeda's online training information. "The level of sophistication is equivalent to what teenagers were distributing about 10 or 15 years ago," he says.

While al-Qaeda and its sympathizers see the Internet as another weapon in the hands of radical Islam, it is in fact "a double-edged sword," Moran says. Terrorists can recruit, propagandize, even exchange tactical information, he says, but they are also vulnerable. "They can be tracked down."

As in the jungle, successfully tracking down targets requires that they leave a trail.

Some observers believe that al-Qaeda Internet operatives are not much more than serious amateurs, unable to hide their activities very well. Moran notes that in discovering a reported plot targeting commuter trains in New York, authorities found that the planners were using the Internet in "unsophisticated ways," such as communicating without using a proxy server. This made their trail easier to follow.

GlobalSecurity.org's Smith describes the general level of Internet security maintained by al-Qaeda as "really lousy," and says that its sites are routinely invaded by people within U.S. borders. Moran goes so far as to call the online terrorists "script-kiddies," a derogatory term for inexperienced hackers who use programs developed by others. For example, he says, in trying to promote denial-of-service attacks, the jihadists have simply instructed sympathizers to "download this tool and drop in an address."

But primitive can be deadly. After all, primitive box cutters and a basic understanding of how to fly a plane brought down the World Trade Center. What happens when al-Qaeda learns the Internet equivalent of flying a plane?

It means that it will be much harder to track and decipher the terrorist network, Moran says. For example, if al-Qaeda ever mastered heavy encrypting of communications, he says, it could lead to major problems. "And al-Qaeda might only need that info to stay encrypted for 24 hours. NSA (the National Security Agency) might be able to decode it, but maybe not fast enough."

Moran says he believes al-Qaeda is trying out new tactics, such as saving communications as "drafts" within free e-mail accounts but never sending them. If the message is never sent, it can never be tracked. But anyone can log onto a free e-mail client with a screen name and password and read the information contained in the draft.

There have also been unconfirmed reports that al-Qaeda has used steganography, the process of writing hidden messages that only the intended recipient will recognize. Al-Qaeda's particular brand of steganography encodes media files -- such as a photo -- with secret messages that can be seen only at the binary level, when the photo is reduced to its bits and analyzed.

Not all observers believe that al-Qaeda's Internet operations are junior-grade. Some experts, such as terrorist researcher Evan Kohlmann, have said that al-Qaeda is quite sophisticated in its use of the Internet. And another terrorism expert, Bruce Hoffman of the Rand Corporation, recently testified before Congress that not enough is being done to counter al-Qaeda's propaganda on the Net.

Finally Paying Attention

Regardless of al-Qaeda's level of expertise, there are indications that Western authorities are finally paying serious attention to what might collectively be referred to as al-Qaeda.com.

They apparently now realize that al-Qaeda's use of the Internet, as described in a 2003 study by the U.S. Army War College, constitutes "an outstanding command-and-control mechanism." And at least some authorities realize the obstacles the West faces in bringing down such a mechanism, including a lack of native Arabic speakers who are also computer experts.

"The tipping point might have been the London bombings of July 7, 2005," Moran says. Like the 9/11 plotters, the terrorists in that attack, which took 52 lives and wounded about 700, apparently used the World Wide Web in planning the catastrophe.

A tipping point seems to have been reached by al-Qaeda as well, in that the Net has become invaluable in both the ideological and actual war against the West. Tsouli, his presumptive alter ego Irhabi007, and al-Zarqawi are now out of the Internet business. But they have helped to establish the notion of online jihad as war by other means.

By the end of World War II, the Allies had the upper hand in radar and planes, and we owned the sky. Whoever owned the sky, won the war.

But no one owns the Internet. And, at this point in history, it is not yet clear if the online War on Terrorism will ever fall off the radar.