June 2007

London Car Bombs and Internet Forums

Richard M. Smith wrote on funsec:

Subject: Tracking down the London bombers via an IP address

Was London bomb plot heralded on Web?

Internet forum comment from night before: “London shall be bombed”

Hours before London explosives technicians dismantled a large car bomb in the heart of the British capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist Internet forums, saying: “Today I say: rejoice, by Allah, London shall be bombed.”

CBS News found the posting, which went on for nearly 300 words, on the “Al Hesbah” chat room. It was left by a person who goes by the name Abu Osama al-Hazeen, who appears regularly on the forum. The comment was posted on the forum, according to the time stamp, at 08:09 a.m. British time on June 28 — about 17 hours before the bomb was found early on June 29.

Al Hesbah is frequently used by international Sunni militant groups, including al Qaeda and the Taliban, to post propaganda videos and messages in their fight against the West.

There was no way for CBS News to independently confirm any connection between the posting made Thursday night and the car bomb found Friday.

Al-Hazeen’s message begins: “In the name of God, the most compassionate, the most merciful. Is Britain longing for al Qaeda’s bombings?”

Al-Hazeen decries the recent knighthood of controversial author Salman Rushdie as a blow felt by all British Muslims. “This ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the crusaders’ attacks on all Muslim lands,” he said, in an apparent reference to the British role in Iraq.

This is, of course, scary and interesting, but I’d like to concentrate on the subject line of Richard’s message:
Tracking down the London bombers via an IP address

The more important thing to note here is that these cyber-terrorism forums have a real connection to real terrorism, rather than how they may be used to try to track the bad guys down (although that is, of course, interesting too).

It may be stating the obvious, and these forums are probably already monitored; I am unsure whether this article will hurt any current surveillance efforts, but I am sure that stating the obvious about this connection between the real and virtual worlds, when it comes to terrorism, is important.

Gadi Evron,
ge@beyondsecurity.com

IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems (not to mention other
automotive products).

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around
2010.

http://www.ivhs.com/pdf/FactSheet_OTTO_FactSheet1_101105.pdf

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the
mind….

Which I didn’t read.

Then, this thread happened:

> “Suresh Ramasubramanian” wrote:
>
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
>
> *bing*

That last *bing* was from Paul Ferguson, our Fergie.
If I had been drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
>
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
> Hmm — I was going to say 127.1 miles apart, but that’s not a v6
> address… 1918 miles apart?

PDF spam

I have been getting more and more PDF-based spam lately; the PDF itself appears to be just a cover for the usual image spam. The idea, I believe, is that most spam-filtering agents do not look inside PDF attachments, and a PDF attachment is not treated as a “score giver” (i.e. something that makes the email look more spam-like than others).

BTW: At first glance I thought it was malware or an exploit using the PDF as its carrying bag, but after a day’s work of investigating and probing the file with various (non-standard) PDF readers, I concluded that it had nothing to do with malware or an exploit :) Kudos to me 😛
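The post above describes the trick: the PDF is a wrapper, the payload is an image, and the filter never looks inside the wrapper. What follows is an added example, written for this page and not code from the original post or from any spam-filtering product, of the inspection step a filter would need. It scans each PDF attachment of a message for image XObjects and for text-showing operators (Tj/TJ) in the page content streams; an attachment that draws images but emits no text at all is the image-spam-in-a-PDF pattern the post describes. Both sample messages and both sample PDFs are constructed inline for the demo (the text sample deliberately keeps an unused image object, so that an image being present is not by itself the signal). The stream parser is a hypothetical minimum: it handles flat dictionaries and Flate-compressed streams only, and a real filter should use a proper PDF parser.

```python
import email
import re
import zlib
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Hypothetical heuristic (assumption for this example): a PDF attachment that
# contains image XObjects but no text-showing operators is image spam wearing
# a PDF. Handles flat "<< ... >>" dictionaries and Flate streams only.
_STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
_IMAGE = re.compile(rb"/Subtype\s*/Image\b")


def pdf_profile(pdf: bytes) -> dict:
    """Count image XObjects, image draws (Do) and text operators (Tj/TJ)."""
    profile = {"images": 0, "draws": 0, "text_ops": 0}
    for m in _STREAM.finditer(pdf):
        header, data = m.group(1), m.group(2)
        if _IMAGE.search(header):
            profile["images"] += 1
            continue                      # pixel data, not a content stream
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                  # corrupt stream: count nothing
        profile["draws"] += len(re.findall(rb"\bDo\b", data))
        profile["text_ops"] += len(re.findall(rb"\b(?:Tj|TJ)\b", data))
    return profile


def is_image_only(profile: dict) -> bool:
    """Images present and not a single text operator: the image-spam shape."""
    return profile["images"] > 0 and profile["text_ops"] == 0


def scan_message(raw: bytes) -> list:
    """Return (filename, profile, flagged) for every PDF attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        profile = pdf_profile(part.get_payload(decode=True))
        results.append((part.get_filename(), profile, is_image_only(profile)))
    return results


def build_pdf(image_only: bool) -> bytes:
    """Constructed one-page PDF: a single drawn image (spam shape) or a line
    of text. Built only for this demo; not a real spam sample."""
    content = (b"q 200 0 0 100 50 600 cm /Im0 Do Q" if image_only
               else b"BT /F1 12 Tf 50 700 Td (Quarterly report) Tj ET")
    packed = zlib.compress(content)
    pixel = b"\xff\x00\x00"  # a 1x1 red RGB image stands in for the picture
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /XObject << /Im0 5 0 R >> /Font << /F1 6 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceRGB"
        b" /BitsPerComponent 8 /Length %d >>\nstream\n" % len(pixel)
        + pixel + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


def build_message(pdf_bytes: bytes, filename: str) -> bytes:
    """Constructed message with one PDF attachment (addresses are made up)."""
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your statement"
    msg.attach(MIMEText("See attached.", "plain"))
    att = MIMEApplication(pdf_bytes, _subtype="pdf")
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, spammy in (("offer.pdf", True), ("report.pdf", False)):
        for fn, prof, hit in scan_message(build_message(build_pdf(spammy), name)):
            print(fn, prof, "image-only PDF" if hit else "ok")
```

Treat the result as one more score contributor, not a block rule: scanned letters and faxes are legitimately image-only PDFs, and a spammer can defeat the check by adding a line of throwaway text, so the count of text operators relative to drawn images is a better signal than their mere absence. The same scan loop is the place to check for the other thing the author went looking for, a PDF that is an exploit carrier rather than a picture, by handing the attachment to a hardened parser before anything renders it.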