Return-Path: <sentto-279987-2119-1001041428-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Thu, 20 Sep 2001 20:05:11 -0700 (PDT) Received: (qmail 10061 invoked by uid 510); 21 Sep 2001 03:04:09 -0000 Received: from n26.groups.yahoo.com (216.115.96.76) by 204.181.12.215 with SMTP; 21 Sep 2001 03:04:09 -0000 X-eGroups-Return: sentto-279987-2119-1001041428-fc=all.net@returns.onelist.com Received: from [10.1.4.53] by fg.egroups.com with NNFMP; 21 Sep 2001 03:03:48 -0000 X-Sender: fc@big.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_3_2_2); 21 Sep 2001 03:03:48 -0000 Received: (qmail 10777 invoked from network); 21 Sep 2001 03:03:47 -0000 Received: from unknown (10.1.10.142) by l7.egroups.com with QMQP; 21 Sep 2001 03:03:47 -0000 Received: from unknown (HELO big.all.net) (65.0.156.78) by mta3 with SMTP; 21 Sep 2001 03:03:47 -0000 Received: (from fc@localhost) by big.all.net (8.9.3/8.7.3) id UAA05263 for iwar@onelist.com; Thu, 20 Sep 2001 20:03:47 -0700 Message-Id: <200109210303.UAA05263@big.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 20 Sep 2001 20:03:47 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Terrorists.Leave.Paperless.Trail] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Terrorists Leave Paperless Trail By Farhad Manjoo 2:00 a.m. Sep. 20, 2001 PDT Federal agents retracing the steps of the 19 hijackers suspected in last week's attacks are finding a digital trail that leads from one Internet connection to another. According to various media reports, at least some of them went online to plan the attacks, purchase airplane tickets, and coordinate their moves. Computer forensic experts warn, however, that the path only appears hot in hindsight. It's a leap, they say, to conclude that the attacks might have been prevented had laws been in place to make Internet surveillance easier. Curt Bryson, a computer forensic specialist at New Technologies (NTI), said that even if the feds did have broad powers to monitor digital communications, the relatively innocent endeavors of these hijackers wouldn't have raised any red flags. "Blanket coverage is not technologically possible," he said, given the volume of Internet communication. "The mathematical probability of catching the traffic is already difficult. The problem then is you have to have a human or an ('artificially intelligent' computer) to know that it was a criminal behavior to begin with. A.I. is not that good yet. And we don't have enough humans to do it." In fact, parts of the digital trail identified after the attacks -- such as the use of e-mail addresses that can be created anonymously at a Kinko's store --- were of the type that couldn't have been detected unless authorities were physically following the suspects. One of the first signs that the hijackers were tech-savvy came from an FBI document, obtained by the German magazine Der Spiegel, which disclosed how the hijackers purchased their airline tickets. Several used a pay-per-use public Internet terminal at a Kinko's store in Hollywood, Florida, to access online ticket sites. Some of them chose paperless electronic tickets, and -- for reasons hard to grasp -- entered in their frequent-flier numbers. A spokesman for Travelocity confirmed that two of the hijackers used the service to book flights, but he said that authorities had barred the company from speaking more about the hijackings. He would not disclose whether it was possible for hijackers to have booked specific seats on their desired planes, as some in the media have speculated. Internet terminals like the one at Kinko's seem to have been a favorite of the hijackers. Katherine Hensman, a research librarian in Delray Beach, Florida, told the Miami Herald on Tuesday that one of the 19 men named by the FBI used a computer at her library in late August. She told the paper that she remembered the man because strangers aren't very common at the small library, and when she heard that some of the suspects stayed in her neighborhood, she checked the sign-in logs. Sure enough, she found a person who signed his last name as "Alshehri" and a first name as either "Mohad" or "Mohlad." These names were suspiciously close to that of Mohald Alshehri, one of the hijackers on United Airlines flight 175, which brought down the south tower of the World Trade Center. The FBI is examining the data on computers at that library and others on Broward County, Florida, as well as computers at libraries in Fairfax County, Virginia. Bryson, NTI's forensic specialist, said that with the tools available to the FBI, it's possible that the public computers might yield some clues about the terrorists. Bryson worked as an FBI agent for 11 years, sometimes ferreting out the misdeeds of terrorists, and he said that often what's contained on public machines are tiny nuggets of information that can help to lead an investigation in the right direction. "If they look for the word 'bomb' or 'explode,' they probably won't find anything," he said. "I bet they will look for all the communications in a specific date-time group." "Sometimes we do just get the smoking gun -- 'I'm going to steal this much money from the company.' But most of the time you get leads, very good leads that people don't know exist." Just hours after the attack, federal agents began showing up at Internet service providers' offices and installing the crime-sniffing Carnivore system that monitors purportedly malicious e-mail, according to engineers at several companies who spoke on condition of anonymity. It's unclear what the feds found in those sweeps, but experts said that near-anonymous public e-mail systems like those provided by Yahoo or Microsoft's Hotmail service were likely used by digitally inclined hijackers. A search for the hijackers' names among Yahoo members on Wednesday yielded inconclusive results. Some names were close to those of the hijackers, while others didn't match up at all. And one exact match for Mohammed Atta, a 33-year-old pilot who was on the flight that crashed into the north tower of the Trade Center, was obviously a fake. It included the I.D. picture of Atta that has been widely circulated in the press, and it listed his hobby as "making bombs, flying airplanes." It was last updated on Sept. 18, seven days after the hijackers are believed to have died in the attacks. A search of AOL Instant Messenger chatters also yielded few clues to the suspects, but a search of people who chat on MSN Messenger did find five matches for Mohamed Atta. Three of them appeared to be identical entries, listing an "origin" as Egypt, where Atta is believed to be from. It's unclear whether these, too, were pranksters' aliases, as messages to them were unanswered. The Miami Herald also reported this week that in late August, a motel owner in Hollywood, Florida, got into a dispute with two men of Middle Eastern descent who were upset that his motel couldn't provide 24-hour Internet access. "These were not businessmen," Paul Dragomir, the owner of the Longshore Motel, said on Wednesday. He suggested that they were closely linked to the 19 hijackers, but that they were not among those men. "At first, I thought they I can satisfy them," he said. "I can let them work in my office or run a line from the office to their room. But they didn't want to work in my office, and they said they didn't want anybody to enter their room while they were gone. So for some reason I changed my mind -- they were acting kind of strange. I later found out that the name and address they gave me were false." The men requested all their money back, and Dragomir complied. "But they still became confrontational," he said. "They said, 'You don't understand. We're on a mission. We need the Internet.' "As a joke, I said, 'What kind of mission is that -- a mission of Islam?' "They were kind of stunned. And they said, 'No we stay away from that.'" Authorities would not comment on whether this incident was being investigated. On Wednesday, wire services reported that terrorists involved in the attack might not only have been smart about matters of technology, but also about world finances. "From what I'm hearing, it's more than coincidence," said one options industry official, referring to increased trading activity in options on some airline and financial stocks in the days before the Sept. 11 attacks, according to Reuters. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Pinpoint the right security solution for your company- Learn how to add 128- bit encryption and to authenticate your web site with VeriSign's FREE guide! http://us.click.yahoo.com/JNm9_D/33_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:46 PDT