[ISN] An Indonesian's Prison Memoir Takes Holy War Into Cyberspace

[InfoSec News]

Forwarded from: William Knowles <wk at c4i.org>

http://www.washingtonpost.com/wp-dyn/articles/A62095-2004Dec13.html

By Alan Sipress
Washington Post Foreign Service
December 14, 2004

JAKARTA, Indonesia -- After Imam Samudra was charged with engineering
the devastating Bali nightclub bombings two years ago, he taunted his
police accusers in court, then greeted his death sentence with the
cry, "Infidels die!"

So when Samudra published a jailhouse autobiography this fall, it was
not surprising that it contained virulent justifications for the Bali
attacks, which killed 202 people, most of them foreign tourists.

But tucked into the back of the 280-page book is a chapter of an
entirely different cast titled "Hacking, Why Not?" There, Samudra
urges fellow Muslim radicals to take the holy war into cyberspace by
attacking U.S. computers, with the particular aim of committing credit
card fraud, called "carding." The chapter then provides an outline on
how to get started.

The primer on carding is rudimentary, according to U.S. and Indonesian
cybercrime experts, but they said the chapter provides a rare glimpse
into the mounting threat posed by terrorists using Internet fraud to
finance their operations.

"The worry is that an army of people doing cybercrime could raise a
great deal of money for other activities that terrorists are carrying
out," said Alan Paller, research director of the Sans Institute, a
U.S. Internet-security training company.

Samudra, 34, is among the most technologically savvy members of Jemaah
Islamiah, an underground Islamic radical movement in Southeast Asia
that is linked to al Qaeda. He sought to fund the Bali attacks in part
through online credit card fraud, according to Indonesian police. They
said Samudra's laptop computer revealed an attempt at carding, but it
was unclear whether he had succeeded.

Internet crime experts said Samudra's book seems unprecedented as a
tool for recruiting radical Muslims into a campaign of online fraud
and building networks of fundraisers.

"This is exactly the kind of advice you would give someone who wanted
to get started in cybercrime," said Paller, who reviewed a translation
of the chapter. "It doesn't focus on a specific technique, but focuses
on how you find techniques and focuses on connecting with other people
to act loosely together."

Titled "Me Against the Terrorist!" the book depicts Samudra on the
cover in a now-classic pose from his trial last year in Bali. He is
clad in a white shirt and white Muslim skullcap, with his right arm
outstretched and a single finger raised as he lectures the judges.

Four thousand copies in Indonesian have been issued by a small
publisher and are selling for about $4 each in at least seven cities
across the islands of Java and Sumatra, said Achmad Michdan, Samudra's
attorney, who wrote the forward. Michdan said the publisher is
planning a second run and is considering translating the book into
English, French and Arabic. Profits benefit Samudra's wife and
children. Samudra remains on death row.

Most of the book is a memoir that tracks Samudra from his early
schooling in Java, through his arms training in the Afghan mountains,
his exile in Malaysia and his return to Indonesia. It includes
arguments for killing Western civilians and bitter critiques of U.S.
policy in Israel, Afghanistan and Iraq, including photographs of
Muslim civilian casualties.

Toward the end, Samudra informs readers that the United States is not
as invincible as they might think.

"It would not be America if the country were secure. It would not be
America if its computer network were impenetrable," he writes at the
beginning of the hacking chapter. He continues by urging fellow
militants to exploit this opening: "Any man-made product contains
weakness because man himself is a weak creature. So it is with the
Americans, who boast they are a strong nation."

The chapter is less a how-to manual than a course of study for
aspiring hackers and carders. Samudra directs them to specific
Indonesian-language Web sites that provide instruction. For those who
find these sites too sophisticated, he counsels first learning
computer programming languages, in particular Linux, and suggests
several other Web sites, including one run by young Muslims. Then he
advises learning about hacking by finding mentors through online
chats. He lists six chat rooms as sources.

Next, Samudra discusses the process of scanning for Web sites
vulnerable to hacking, then moves on to a three-page discussion on the
basics of online credit card fraud and money laundering.

"This is hacking for dummies," said Evan F. Kohlmann, a U.S.
consultant on international terrorism who also reviewed the chapter.
"But in this day and age, you don't have to be an expert hacker to
have a tremendous impact."

Kohlmann and other cyberterrorism experts said the kind of online
fraud preached by Samudra is becoming increasingly attractive as a
source of funding for al Qaeda operatives in several regions of the
world.

One of the chief hazards posed by Samudra's book is that it could
direct religious extremists into the company of more accomplished
hackers. Indonesian police assert their country now has more online
credit card fraud than any other in the world.

"If you succeed at hacking and get into carding, be ready to make more
money within three to six hours than the income of a policeman in six
months," Samudra tells his readers. "But don't do it just for the sake
of money."

He adds, "Remember, the main duty of Muslims is jihad in the name of
God, to raise arms against the infidels, especially now the United
States and its allies."

Samudra had first sought to finance the Bali nightclub attacks by
ordering the robbery of a shop selling gold jewelry in western Java.
The heist allegedly netted five pounds of gold and $500. Then he
turned to more lucrative targets on the Internet, police and
prosecutors said.

At Samudra's trial, police testified that his computer had been used
to communicate in chat rooms with others involved in online credit
card fraud and contained information on ways to obtain credit card
details.

Petrus Reinhard Golose, head of cybercrimes investigations for the
Indonesian police, said in an interview that Samudra had asked for
religious permission to conduct carding from Abubakar Baasyir, the
radical cleric and alleged head of Jemaah Islamiah now on trial in
Jakarta in connection with terrorist bombings, including the one in
Bali. Golose said police did not know whether Baasyir had blessed
Samudra's Internet activities.

Special correspondent Noor Huda Ismail contributed to this report.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable -
http://www.osvdb.org/

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'