[iwar] [fc:Terrorists.Leave.Paperless.Trail]

From: Fred Cohen (fc@all.net)
Date: 2001-09-20 20:03:47



Terrorists Leave Paperless Trail
By Farhad Manjoo 

2:00 a.m. Sep. 20, 2001 PDT

Federal agents retracing the steps of the 19 hijackers suspected in last
week's attacks are finding a digital trail that leads from one Internet
connection to another. 

According to various media reports, at least some of them went online to
plan the attacks, purchase airplane tickets, and coordinate their moves. 

Computer forensic experts warn, however, that the path only appears hot
in hindsight.  It's a leap, they say, to conclude that the attacks might
have been prevented had laws been in place to make Internet surveillance
easier. 

Curt Bryson, a computer forensic specialist at New Technologies (NTI),
said that even if the feds did have broad powers to monitor digital
communications, the relatively innocent endeavors of these hijackers
wouldn't have raised any red flags. 

"Blanket coverage is not technologically possible," he said, given the
volume of Internet communication.  "The mathematical probability of
catching the traffic is already difficult.  The problem then is you have
to have a human or an ('artificially intelligent' computer) to know that
it was a criminal behavior to begin with.  A.I. is not that good yet.
And we don't have enough humans to do it."

In fact, parts of the digital trail identified after the attacks -- such
as the use of e-mail addresses that can be created anonymously at a
Kinko's store -- were of the type that couldn't have been detected
unless authorities were physically following the suspects. 

One of the first signs that the hijackers were tech-savvy came from an
FBI document, obtained by the German magazine Der Spiegel, which
disclosed how the hijackers purchased their airline tickets.  Several
used a pay-per-use public Internet terminal at a Kinko's store in
Hollywood, Florida, to access online ticket sites.  Some of them chose
paperless electronic tickets, and -- for reasons hard to grasp --
entered in their frequent-flier numbers. 

A spokesman for Travelocity confirmed that two of the hijackers used the
service to book flights, but he said that authorities had barred the
company from speaking more about the hijackings.  He would not disclose
whether it was possible for hijackers to have booked specific seats on
their desired planes, as some in the media have speculated. 

Internet terminals like the one at Kinko's seem to have been a favorite
of the hijackers.  Katherine Hensman, a research librarian in Delray
Beach, Florida, told the Miami Herald on Tuesday that one of the 19 men
named by the FBI used a computer at her library in late August. 

She told the paper that she remembered the man because strangers aren't
very common at the small library, and when she heard that some of the
suspects stayed in her neighborhood, she checked the sign-in logs.  Sure
enough, she found a person who signed his last name as "Alshehri" and a
first name as either "Mohad" or "Mohlad."

These names were suspiciously close to that of Mohald Alshehri, one of
the hijackers on United Airlines flight 175, which brought down the
south tower of the World Trade Center.  The FBI is examining the data on
computers at that library and others in Broward County, Florida, as well
as computers at libraries in Fairfax County, Virginia. 

Bryson, NTI's forensic specialist, said that with the tools available to
the FBI, it's possible that the public computers might yield some clues
about the terrorists. 

Bryson worked as an FBI agent for 11 years, sometimes ferreting out the
misdeeds of terrorists, and he said that often what's contained on
public machines are tiny nuggets of information that can help to lead an
investigation in the right direction. 

"If they look for the word 'bomb' or 'explode,' they probably won't find
anything," he said.  "I bet they will look for all the communications in
a specific date-time group."

"Sometimes we do just get the smoking gun -- 'I'm going to steal this
much money from the company.' But most of the time you get leads, very
good leads that people don't know exist."

Just hours after the attack, federal agents began showing up at Internet
service providers' offices and installing the crime-sniffing Carnivore
system that monitors purportedly malicious e-mail, according to
engineers at several companies who spoke on condition of anonymity. 

It's unclear what the feds found in those sweeps, but experts said that
near-anonymous public e-mail systems like those provided by Yahoo or
Microsoft's Hotmail service were likely used by digitally inclined
hijackers. 

A search for the hijackers' names among Yahoo members on Wednesday
yielded inconclusive results.  Some names were close to those of the
hijackers, while others didn't match up at all. 

And one exact match for Mohammed Atta, a 33-year-old pilot who was on
the flight that crashed into the north tower of the Trade Center, was
obviously a fake.  It included the I.D. picture of Atta that has been
widely circulated in the press, and it listed his hobby as "making
bombs, flying airplanes." It was last updated on Sept. 18, seven days
after the hijackers are believed to have died in the attacks. 

A search of AOL Instant Messenger chatters also yielded few clues to the
suspects, but a search of people who chat on MSN Messenger did find five
matches for Mohamed Atta.  Three of them appeared to be identical
entries, listing an "origin" as Egypt, where Atta is believed to be
from. 

It's unclear whether these, too, were pranksters' aliases, as messages
to them were unanswered. 

The Miami Herald also reported this week that in late August, a motel
owner in Hollywood, Florida, got into a dispute with two men of Middle
Eastern descent who were upset that his motel couldn't provide 24-hour
Internet access. 

"These were not businessmen," Paul Dragomir, the owner of the Longshore
Motel, said on Wednesday.  He suggested that they were closely linked to
the 19 hijackers, but that they were not among those men. 

"At first, I thought I can satisfy them," he said.  "I can let them
work in my office or run a line from the office to their room.  But they
didn't want to work in my office, and they said they didn't want anybody
to enter their room while they were gone.  So for some reason I changed
my mind -- they were acting kind of strange.  I later found out that the
name and address they gave me were false."

The men requested all their money back, and Dragomir complied.  "But
they still became confrontational," he said.  "They said, 'You don't
understand.  We're on a mission.  We need the Internet.'

"As a joke, I said, 'What kind of mission is that -- a mission of
Islam?'

"They were kind of stunned.  And they said, 'No we stay away from
that.'"

Authorities would not comment on whether this incident was being
investigated. 

On Wednesday, wire services reported that terrorists involved in the
attack might not only have been smart about matters of technology, but
also about world finances. 

"From what I'm hearing, it's more than coincidence," said one options
industry official, referring to increased trading activity in options on
some airline and financial stocks in the days before the Sept. 11
attacks, according to Reuters. 





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:46 PDT