09/01/2010

The Counter Terrorist
with Security Solutions International Staff

Cyber vigilantes: Citizen hackers go to war against terrorists

Do private citizens, who are clearly in the crosshairs of the enemy, have the right to self-defense by hacking or otherwise engaging on jihad sites?

By Jennifer L. Hesterman

Most terrorist groups are now leveraging the Internet to recruit, train, and spread propaganda, especially "global brands" such as al-Qaeda. Criminal groups and foreign intelligence services appear to have demonstrated electronic theft and sabotage capabilities. In the last year, social networking sites such as Facebook, Twitter, and MySpace have all been used as vehicles for international and domestic terrorist communication.

Google Earth has been used by al-Qaeda operatives to locate potential targets such as military recruiting stations. We shouldn't underestimate the sophistication of terror groups. When it comes to communications technology, if we use it, they use it.

Extremist websites are surprisingly easy to find and access, and experts believe there are perhaps thousands in existence.[1] Some sites are published in English, and others offer quick translation for the interested reader. Other web pages look benign, appearing to be classified ads or an online directory; however, with one correct click, the secret door opens to the actual home page. The sites invoke the call of jihad, contain bomb-making advice, and even offer "webinars" during the week for those who want to hear and interact with clerics and group leaders.

Cyber vigilantism by private citizens is a response to their frustration with the number of extremist sites in operation and what they believe is the unwillingness or inability of our government to take them down. Depending on whom you ask, private citizens engaging the enemy on the Internet either helps or hinders the fight against terror. However, the activity occurs daily, and the actors are increasingly savvy and effective.

Vigilantes and their tradecraft
It would be impossible to profile extremist "hacktivists"; they are men, women, young, old, ex-military, businessmen, lawyers, housewives, and techies. They live in big cities or small towns, and their reasons for engaging and methods of infiltration vary. Some have come out of the shadows, but most use pseudonyms; they are colorful characters, often as intriguing as their work.

Jester
A few months ago, I was given rare insight into the world of cyber vigilantes when contacted by "Jester," or th3j35t3r in 3133t language. Jester told me he is prior military, special forces — although he is careful not to identify in which country's military he served. He spent time in Afghanistan, and watched friends die on the battlefield. It became evident that unlike other vigilantes, his fight is very personal. My online discussions with Jester were enlightening. I found him patriotic, well intentioned, and thoughtful. He often struggles with whether his activities are judicious in light of the possible ramifications, from legal and safety perspectives. The targets of his attacks have reached out and threatened his life, but, undaunted, he carries on.

Cyber experts agree that Jester is very skilled and employs a technique not seen before and not easily duplicated. In fact, using his program XerXeS, he could bring down most any website in the world instantly. Fortunately, he is on our side of the fight. Jester's goal isn't to permanently bring down an extremist website; instead, it is to randomly disrupt the site and take it offline, typically for 30 minutes. The site then returns to normal, no damage done, other than to the psyche of the owner and users. This disruption results in anger and frustration because the Internet may be terrorists' last line of clandestine electronic communication and virtual lifeline to the world.

Through XerXeS, Jester initiates Denial of Service (DoS) attacks against extremist websites. His method is unlike typical Distributed Denial of Service (DDoS) attacks. DDoS attacks use many computers to overwhelm the server with requests, shutting down the site. Jester uses a single, low-spec computer with low bandwidth in his attack. He transmits few packets, but the attack is effective. He demonstrated this to me online and as the jihad site "fought back" against the attack, Jester's XerXeS program altered activity to match the efforts, bringing down the site.

To prove the effectiveness of his program to the world, Jester released two videos exclusively to Infosec Island, a website for IT security professionals.

His first video shows how he uses the XerXeS program to bring down a Taliban website.[2] But his second video really caught the attention of those in the cybersecurity business: Jester used an improved XerXeS to successfully attack Apache, the HTTP software program that runs 57 percent of the world's websites. Infosec Island's Anthony Freed explains that the weaknesses in Apache are fairly well known among the savvy tech elite, but it was only after Jester came along with his non-distributed DoS attack that the unpatched vulnerabilities in Apache finally became the subject of much concern. Mr. Freed's primary concern: if a hacker used a tool like XerXeS in combination with a zombie army consisting of thousands of hijacked PCs, the implications for critical systems security could be extremely serious.[3]

Other notable vigilantes
Although perhaps the most interesting, Jester is not the first cyber vigilante.

Shannen Rossmiller is a lawyer and mother of three from Montana who taught herself Arabic and began engaging in chat rooms on jihad websites in 2003. She spent years creating her personas, and the persistence paid off: posing as an al-Qaeda sympathizer, she ensnared several Americans who had radicalized and turned on their country. One would-be terrorist was convicted and is spending 30 years in jail for offering to use explosives on U.S. pipelines. Her most notable case is that of an Army National Guard specialist who was preparing to deploy and who is now serving a life sentence for treason, aiding the enemy, and attempted espionage.[4]

In 2008 Bill Warner, a private investigator and self-proclaimed cyber crusader, shut down three extremist websites hosted by a Tampa, Florida, Internet service provider. One site contained graphic images and video related to attacks on U.S. troops in Iraq and Afghanistan along with propaganda such as inflated casualty counts. The site had 19 million hits in 10 months.[5]

Cyber vigilante Aaron Weisburd is the creative force behind "Internet Haganah," a repository of extremist site information. Weisburd gathers and stores intelligence on the site (accessible to all), and states he has dismantled thousands of extremist sites on his own.[6] The quote on his web page serves as his mantra: "asymmetric warfare: It's not just for the other guys."

Video vigilantes patrol popular websites for jihadist postings, flagging them and working through established procedures with the site owners to have the videos pulled. One site claims to have had more than 15,000 videos removed, and identified dedicated "channels" maintained by groups such as the Taliban. Usually, the service provider is happy to comply with the removal requests because providing services to known terrorists or enemies during a time of conflict generally violates existing laws.

Emerging threat and response
Scam mail vigilantes are a new phenomenon and already number more than 1,000 — and they may be unintentionally helping the fight against terror. "Scam baiting" targets illicit e-mail fund-raising schemes by sending bogus replies, tracking IP addresses of the sender and reporting these to authorities, defacing websites, and reporting the e-mail as spam to Internet service providers.

The scam communication (legally known as "419 advance-fee fraud") relays the good news of an inheritance or a lottery win, tells a tragic story about a child, or informs of a hot, new investment scheme and asks for bank account information and wiring instructions. Sadly, people do fall for this ploy, and there is a 5 percent growth each year in the amount of loss to the public.[7] According to UltraScan, a Netherlands-based research organization that studies 419 scams, global revenues exceeded $9 billion in 2009, with a total of $49 billion lost to date.[8]

These scams are a rising concern in the counter-terrorism realm with respect to fund-raising. Most are launched from Nigeria, which yielded the "Christmas Day Bomber" Umar Farouk Abdulmutallab and is emerging as a new source of manpower for al-Qaeda in the Arabian Peninsula. Also, a recent UltraScan report stated: "Between 2003 and 2008, there was evidence of a terrorist connection in the slipstream of 419 fraud networks, supporting attacks. In 2008 and 2009, there was evidence directly linking 419 to (attempted) attacks."[9]

Who should prosecute the fight?
When I asked industry and counterterror experts for their opinions, I found the arguments for cyber vigilantes to be as compelling as those against.

- Do private citizens, who are clearly in the crosshairs of the enemy, have the right to self-defense by hacking or otherwise engaging on jihad sites?

- Does the hacking interfere with intelligence collection? Government agents know about the sites, monitor and possibly engage; therefore, cyber vigilantes unwittingly may interfere with information gathering or psyops. On the other hand, how much actionable intelligence can really be gleaned from these sites, most often meant for recruitment, propaganda, and insurrection? Most cyber vigilantes say little... then again, they may only see a piece of what is perhaps a much larger puzzle.

- Hacking jihadist sites may cause them to move or go underground, which leads to more work for intelligence collectors. Also, we are in a manhunt for the terrorists and their use of the Internet can often yield valuable data about their location, communication patterns, etc. However, taking down the site stops recruitment and proselytizing, and if this prevents even small numbers of U.S. citizens from taking up arms against our country, is it worth it?

- Bringing down the sites results in less access by those supporting the counter-terror effort. Open source analysts, theologians, social scientists, psychologists, and professors all visit extremist sites to glean information on shifting ideology, social trends, and subtle changes in behavior. The tenet of ancient Chinese strategist Sun Tzu — "know thy enemy" — has never been more applicable than it is in this fight and removing websites may diminish this insight.

- The more people involved with threat reduction and national security, the better. Resources are finite and the vigilantes are force multipliers. They may accomplish work that others can't or won't do. We are at war; the enemy is engaging asymmetrically, so should we.

- Cyber vigilantes are no different than child predator vigilantes on the Internet who enter chat rooms and post ads in the hopes of identifying a predator for law enforcement. This is community policing for the twenty-first century.

The way ahead
The universe of cyberspace is largely a free realm lacking international covenants or laws and is not subject to a singular governing body. Dorothy Denning, professor of defense analysis at the Naval Postgraduate School, may have said it best: "Soon, every interstate conflict, however minor, may be accompanied by some form of hacker war that is beyond the control of ruling governments."[10] Open to all, the Internet is unpatrollable and uncontrollable, making it ripe for anonymous and rampant engagement by all parties.

I am neither an IT expert nor a cyber expert, but I have extensively studied the minds of terrorists. I understand how terrorist groups use the Internet to turn the switch from "off" to "on" and recruit those who will carry out the most heinous of missions, sacrificing their own life in the process. The radical Islamist ideology can be seductive and like a poison to the mind, equally so to the all-American quarterback or the downtrodden in a failing state who would rather die as jihadists in a spectacular blast than as hungry beggars on the streets.

Something to consider: If we are to prepare to fight cyber war on a large scale, the most influential changes in this battle are actually happening at the microlevel: page by page, e-mail by e-mail. And in the words of Jester: lone wolves work faster, eat more, and are harder to track and capture.

About the author
Ms. Hesterman is a retired U.S. Air Force Colonel. She is currently a senior analyst for the MASY Group, a global intelligence and risk management firm, as well as a full professor of counter-terrorism studies at American Military University. Her book Transnational Crime and the Criminal-Terrorist Nexus was published in 2005. She authors a scholarly blog: www.counterterrorforum.com.

End Notes
1 http://www.foxnews.com/story/0,2933,340613,00.html

2 https://www.infosecisland.com/blogview/2990-Exclusive-Video-of-XerXeS-DoS-Attack.html

3 https://www.infosecisland.com/blogview/3258-Hacker-Releases-Second-Video-of-Enhanced-XerXeS-DoS-Attackon-Apache-Vulnerability-.html

4 http://www.meforum.org/1711/mycyber-counter-jihad

5 http://www.foxnews.com/story/0,2933,340613,00.html

6 http://internet-haganah.com/

7 http://www.ultrascan-agi.com/public_html/html/public_research_reports.html

8 http://www.ultrascan-agi.com/public_html/html/public_research_reports.html

9 http://www.ultrascan-agi.com/public_html/html/pdf_files/419_Advance_Fee_Fraud_Statistics_2009.pdf

10 http://www.scientificamerican.com/article.cfm?id=web-brings-new-weaponsof-war&page=2

About the author

The Counter Terrorist is a magazine published by Security Solutions International, which also produces the Counter Terrorist Newsletter, Webinars and interactive learning, as well as the annual Homeland Security Professionals Conference.
