In the film “Arlington Road,” a college professor in a quiet Virginia town is disturbed to learn his neighbors may be terrorists. That film was released in 1999. In 2008, something similar may be happening in a manner more fitting to the 21st century.
A few days ago, Paul Henry, vice president of technology evangelism at Secure Computing, began tracking a software package called Mujahideen Secrets 2 — an update to an encryption tool used by al-Qaeda and other terrorist groups to communicate on the Internet.
Henry tracked it down to a password-protected Web site that belongs to an Islamic forum known as al-Ekhlaas. al-Ekhlaas’s domain, Ek-ls.org, traces back to a hosting company, Noc4Hosts, which in turn is run by Hi Velocity, a hosting provider based in Tampa, Fla.
Henry, who lives in Tampa, was upset when he found out.
“I’m appalled that someone is willing to risk these types of actions just to make a few dollars,” he told InternetNews.com.
Hi Velocity did not answer a query as of press time, and calls to the phone number listed in its WHOIS registration entry did not go through, meaning the lines are disconnected or out of service.
Its toll-free customer service line has an option to report abuse, but on selecting that, a message indicates that all abuse must be reported via a feedback form on the company Web site.
Henry said that he contacted the FBI about the site and its contents last weekend, but as of Wednesday evening, it’s still up and running.
Because the site is password-protected, Henry hasn’t been able to download the new version of Mujahideen Secrets. Ironically, under U.S. law, he can’t try to “brute force” his way in, either. He’s concerned because it looks like the bad guys are getting better at covering their tracks.
“What concerns me personally is we’ve relied on their use of archaic technology to block them in the past, and it looks like this might be the start of a tech refresh for the bad guys,” he said.
Last November, there was supposed to be a mass cyber assault called e-Jihad, but it never went down.
Henry said the IP addresses for e-Jihad’s command-and-control servers with target lists were hard-coded into the client applications. Law enforcement apparently got the information before the attack and were able to take down the servers before the attack could be launched.
Now, Henry says terrorists have adopted the same methodology as the Storm worm, using a technique called fast-flux DNS, in which the IP addresses of control servers change every 300 seconds, making IP address blocking ineffective.
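Because the control servers' addresses rotate on the order of the 300-second TTL Henry describes, a defender cannot key a blocklist on IP addresses; the signal has to come from the domain's resolution behaviour over time. The following script is an added illustration of that idea, not code from the article or from Secure Computing: it scores a domain from a log of repeated DNS lookups (constructed sample data using RFC 5737 documentation addresses) on low TTL, number of distinct IPs and how often the answer set changes between lookups. The threshold values are assumptions chosen for the sample, not published detection criteria.

```python
"""Flag fast-flux style DNS behaviour from a log of periodic resolutions."""

# Constructed sample: (seconds since start, domain, TTL, set of A records).
# Addresses are from the RFC 5737 documentation ranges; none is a real indicator.
SAMPLE_RESOLUTIONS = [
    (0,   "flux.example",   300,  {"198.51.100.7", "203.0.113.40"}),
    (300, "flux.example",   300,  {"198.51.100.7", "192.0.2.88"}),
    (600, "flux.example",   300,  {"203.0.113.12", "192.0.2.9"}),
    (900, "flux.example",   300,  {"198.51.100.200", "203.0.113.77"}),
    (0,   "static.example", 3600, {"192.0.2.1"}),
    (300, "static.example", 3600, {"192.0.2.1"}),
    (600, "static.example", 3600, {"192.0.2.1"}),
    (900, "static.example", 3600, {"192.0.2.1"}),
]


def summarize(records, domain):
    """Return flux indicators for one domain, or None if it never appeared."""
    rows = sorted(((t, ttl, frozenset(ips)) for t, d, ttl, ips in records if d == domain),
                  key=lambda r: r[0])
    if not rows:
        return None
    seen, changes, prev = set(), 0, None
    for _, _, ips in rows:
        seen |= ips
        if prev is not None and ips != prev:   # answer set rotated since last lookup
            changes += 1
        prev = ips
    return {
        "lookups": len(rows),
        "distinct_ips": len(seen),
        "min_ttl": min(ttl for _, ttl, _ in rows),
        # fraction of consecutive lookups whose answer set differed
        "churn": changes / (len(rows) - 1) if len(rows) > 1 else 0.0,
    }


def is_fast_flux(records, domain, max_ttl=300, min_distinct_ips=5, min_churn=0.5):
    """Assumed heuristic: short TTL plus many distinct, frequently rotating IPs."""
    s = summarize(records, domain)
    return bool(s) and (s["min_ttl"] <= max_ttl
                        and s["distinct_ips"] >= min_distinct_ips
                        and s["churn"] >= min_churn)


if __name__ == "__main__":
    for name in ("flux.example", "static.example"):
        print(name, summarize(SAMPLE_RESOLUTIONS, name), is_fast_flux(SAMPLE_RESOLUTIONS, name))
```

In practice the records would come from passive DNS or resolver logs, and a domain flagged this way is a candidate for blocking by name rather than by address.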
Unlike “Arlington Road,” this incident isn’t a movie, but a potential threat. And we don’t know, yet, how it ends.