Al-Qaida supporters hack into student's Web site
The Web site of a Portland State University graduate student has been targeted in a wave of Internet hackings supporting al-Qaida, attracting federal authorities and terrorism experts who worry the break-in may be more than a prank.
Files planted in Conrado Salas Cano's personal Web site housed threats against the United States, tributes to the Sept. 11 attacks and purported messages from Osama bin Laden. The physics student said the files were added without his knowledge or consent.
The FBI reportedly launched an investigation, and some cyberterrorism followers said it resembled attacks by the online propaganda unit of al-Qaida, the Islamic group led by bin Laden. But it is unclear whether the cyber-intruders represent a terrorist threat or are playing a joke on Cano, whose site explores theories about science and space.
Liquid Web, a Lansing, Mich., Internet service provider that stores Cano's site, said it contacted the FBI when it discovered the hacking about a month ago. The FBI began investigating the site and took control of the al-Qaida pages, removing them more than a week ago, said Jack Flintz, Liquid Web's security administrator.
Flintz said that according to Liquid Web's records, intruders used computers in Saudi Arabia to bust into his servers.
"We consider it more than just a prankster bit," Flintz said.
Bill Murray, a spokesman for the FBI's cyberdivision, early Monday could not confirm the FBI's investigation.
"Generally, Web site defacements have to achieve a certain level of damage for us to be involved" because thousands of pages are defaced every day, Murray said.
Cano was stunned last month to receive e-mail messages from groups opposed to al-Qaida alerting him to the pages, buried within a folder in his personal Web site.
"I'm so happy to have it off my back," said Cano, who maintains www.conrado.net. "It is abhorrent."
Hacking in support of al-Qaida has been seen on two other sites hosted by Liquid Web.
After the pages were pulled from Cano's site, hackers placed them on a visitor's information portal for Homer, Alaska, operated by a high school student. Those pages were removed last week. And last year, a Dutch soccer fan site hosted by Liquid Web was home to the al-Qaida pages.
Flintz said he doesn't know why the hackers have repeatedly chosen sites hosted by his provider. Liquid Web, he said, has thoroughly investigated its servers and has not found holes that would allow hackers into its members' sites.
"Clearly, they busted into Liquid Web's servers, and they found an easy back door," said Josh Devon, an analyst at the Search for International Terrorist Entities Institute, which tracks cyberterrorism.
More than coincidence George Heuston, a retired FBI agent who specialized in high-tech crimes, said that as with all counterintelligence, investigators should worry when a crime is committed more than once.
"If you see them once, that's just chance," said Heuston, who works on high-tech crime cases at the Hillsboro Police Department. "If you see them twice, it's an interesting coincidence. If you see them three times, it's no coincidence. You're being followed."
In many cases of Web defacement, the entire site is changed to make a political statement. But the Liquid Web sites appeared unchanged. The al-Qaida files were hidden, leading Heuston to think the hackers were using the sites to communicate.
"They're not trying to create a huge statement," he said. "It's more subtle than that."
The pages on Cano's site, posted by the Center for Islamic Studies and Research, urged Muslims to "destroy and divide the US" and praised Sept. 11 and the attacks on U.S. embassies and the USS Cole.
"The US went mad because of panic, terror and astonishment at what it sees and hears," the pages on Cano's site said. "It could not bear such humiliating acts, thus it forced the whole world to come under its banner and join its camp."
Many of the hacked pages are in Arabic, including those with the most updated information, said Devon, whose Washington, D.C., group tracks Al Neda, the alleged online arm of al-Qaida.
Propaganda outlet Based on his research of previous al-Qaida sites, Devon thinks the messages on Cano's pages and the other Liquid Web sites come from officials within al-Qaida.
"It's definitely a propaganda outlet," Devon said. "That's one of the fronts al-Qaida realizes they have to wage. They're trying to appeal to Web-savvy young men."
Some of the Al Neda pages, Devon said, contain pictures of guns and bomb-making manuals in Arabic. Specific plans of future attacks aren't on the site, although Devon said it's possible they use code words to communicate attacks.
Until last summer, similar content from the Center for Islamic Studies and Research was found on alneda.com. But a Maryland operator of pornography Web sites took the domain name when it expired. The porn-site operator claimed the domain name using Snapnames, a Portland company that places people on waiting lists for Web addresses.
Since then, Devon said, Al Neda has been hacking into various sites around the globe to spread its message. Once the sites are discovered and shut down, a new Al Neda site pops up within 48 hours. News of the Web sites, he said, spreads by word of mouth and in Arabic newspapers.
"The Web site they're putting up is literally how al-Qaida disseminates new information," Devon said.
Cano said he thinks the Web site defacement wasn't in response to the statements on his site about science and the late Carl Sagan. He hasn't received an e-mail about his site for about two years, he said.
"I was just an unlucky target," Cano said. "I completely abhor, detest and want nothing to do with the entity or people who put that in my domain."
Cybercrime News Archive