Forwarded from: William Knowles <wk@c4i.org> http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html By Alan Sipress Washington Post Foreign Service December 14, 2004 JAKARTA, Indonesia -- After Imam Samudra was charged with engineering the devastating Bali nightclub bombings two years ago, he taunted his police accusers in court, then greeted his death sentence with the cry, "Infidels die!" So when Samudra published a jailhouse autobiography this fall, it was not surprising that it contained virulent justifications for the Bali attacks, which killed 202 people, most of them foreign tourists. But tucked into the back of the 280-page book is a chapter of an entirely different cast titled "Hacking, Why Not?" There, Samudra urges fellow Muslim radicals to take the holy war into cyberspace by attacking U.S. computers, with the particular aim of committing credit card fraud, called "carding." The chapter then provides an outline on how to get started. The primer on carding is rudimentary, according to U.S. and Indonesian cybercrime experts, but they said the chapter provides a rare glimpse into the mounting threat posed by terrorists using Internet fraud to finance their operations. "The worry is that an army of people doing cybercrime could raise a great deal of money for other activities that terrorists are carrying out," said Alan Paller, research director of the Sans Institute, a U.S. Internet-security training company. Samudra, 34, is among the most technologically savvy members of Jemaah Islamiah, an underground Islamic radical movement in Southeast Asia that is linked to al Qaeda. He sought to fund the Bali attacks in part through online credit card fraud, according to Indonesian police. They said Samudra's laptop computer revealed an attempt at carding, but it was unclear whether he had succeeded. Internet crime experts said Samudra's book seems unprecedented as a tool for recruiting radical Muslims into a campaign of online fraud and building networks of fundraisers. "This is exactly the kind of advice you would give someone who wanted to get started in cybercrime," said Paller, who reviewed a translation of the chapter. "It doesn't focus on a specific technique, but focuses on how you find techniques and focuses on connecting with other people to act loosely together." Titled "Me Against the Terrorist!" the book depicts Samudra on the cover in a now-classic pose from his trial last year in Bali. He is clad in a white shirt and white Muslim skullcap, with his right arm outstretched and a single finger raised as he lectures the judges. Four thousand copies in Indonesian have been issued by a small publisher and are selling for about $4 each in at least seven cities across the islands of Java and Sumatra, said Achmad Michdan, Samudra's attorney, who wrote the forward. Michdan said the publisher is planning a second run and is considering translating the book into English, French and Arabic. Profits benefit Samudra's wife and children. Samudra remains on death row. Most of the book is a memoir that tracks Samudra from his early schooling in Java, through his arms training in the Afghan mountains, his exile in Malaysia and his return to Indonesia. It includes arguments for killing Western civilians and bitter critiques of U.S. policy in Israel, Afghanistan and Iraq, including photographs of Muslim civilian casualties. Toward the end, Samudra informs readers that the United States is not as invincible as they might think. "It would not be America if the country were secure. It would not be America if its computer network were impenetrable," he writes at the beginning of the hacking chapter. He continues by urging fellow militants to exploit this opening: "Any man-made product contains weakness because man himself is a weak creature. So it is with the Americans, who boast they are a strong nation." The chapter is less a how-to manual than a course of study for aspiring hackers and carders. Samudra directs them to specific Indonesian-language Web sites that provide instruction. For those who find these sites too sophisticated, he counsels first learning computer programming languages, in particular Linux, and suggests several other Web sites, including one run by young Muslims. Then he advises learning about hacking by finding mentors through online chats. He lists six chat rooms as sources. Next, Samudra discusses the process of scanning for Web sites vulnerable to hacking, then moves on to a three-page discussion on the basics of online credit card fraud and money laundering. "This is hacking for dummies," said Evan F. Kohlmann, a U.S. consultant on international terrorism who also reviewed the chapter. "But in this day and age, you don't have to be an expert hacker to have a tremendous impact." Kohlmann and other cyberterrorism experts said the kind of online fraud preached by Samudra is becoming increasingly attractive as a source of funding for al Qaeda operatives in several regions of the world. One of the chief hazards posed by Samudra's book is that it could direct religious extremists into the company of more accomplished hackers. Indonesian police assert their country now has more online credit card fraud than any other in the world. "If you succeed at hacking and get into carding, be ready to make more money within three to six hours than the income of a policeman in six months," Samudra tells his readers. "But don't do it just for the sake of money." He adds, "Remember, the main duty of Muslims is jihad in the name of God, to raise arms against the infidels, especially now the United States and its allies." Samudra had first sought to finance the Bali nightclub attacks by ordering the robbery of a shop selling gold jewelry in western Java. The heist allegedly netted five pounds of gold and $500. Then he turned to more lucrative targets on the Internet, police and prosecutors said. At Samudra's trial, police testified that his computer had been used to communicate in chat rooms with others involved in online credit card fraud and contained information on ways to obtain credit card details. Petrus Reinhard Golose, head of cybercrimes investigations for the Indonesian police, said in an interview that Samudra had asked for religious permission to conduct carding from Abubakar Baasyir, the radical cleric and alleged head of Jemaah Islamiah now on trial in Jakarta in connection with terrorist bombings, including the one in Bali. Golose said police did not know whether Baasyir had blessed Samudra's Internet activities. Special correspondent Noor Huda Ismail contributed to this report. *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ---------------------------------------------------------------- C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/ --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'