comment 1

Hackers and terrorist

Tip to newsmenL Next time blur out the photos and names on the ID tags as well.
Pic from TheMalaysianInsider, Tip to newsmen: Next time blur out the photos and names on the ID tags as well.

There is no greater danger of tech illiteracy, than the way we treat hackers. A society that doesn’t understand technology will view those who can manipulate it as wizards and sorcerers.

Technology sufficiently advanced is indistinguishable from magic, and to most people that bar of being ‘sufficiently advanced’ isn’t set very high.

The magic analogy is apt, even in fiction, wizards are treated either with  awe, ala Harry Potter and the muggles, or disdain ala the Salem witch trials, where ignorance bred fear, which in turn led to persecution.

Regular readers of this blog will know Kevin Mitnick, the grand-daddy of hackers, who was once rumored to be able to launch a nuclear missile by whistling into a phone. Not only was the rumor patently false, it nudged Judges in American courts to deny him a bail hearing, something guaranteed to Mitnick by the countries Federal Constitution. Prosecutors quickly learnt that if you throw around words like Hacker and Nuclear, Judges will willingly jettison constitutional protections quicker than Han Solo can dump cargo to make the jump to light speed.

In the absence of a nuclear threat, law enforcement agencies have begun using terrorism, and found it equally effective in demonizing hackers and anyone else who could do seemingly magical things with bit and bytes on a computer screen.

ISIS hacker in Malaysia

Early last month, Malaysian authorities arrested an ‘ISIS-Linked’ hacker by the name of Ardit Ferrizi (a.k.a. TheDir3torY), who was accused of leaking the Personal Information of US Military staff  to ISIS, possibly endangering the lives of the affected servicemen.True, having your personal information published by bat-shit crazy Jihadis isn’t my idea of a happy day, but the fact remains that US Military information isn’t all that secure anyway, the OPM hack demonstrated that magnificently. And if you think that it was a one time occurence, consider that military e-mail addresses were released as part of the Ashley Madison hack (including one belonging an NSA.gov employee) and consider that the CIA chief had this e-mail hacked and published by a teenager.

So let’s not treat this like an ISIS victory just yet. But I digress, let’s get back to the hacker.

On the surface, Ardit Ferrizi had all the elements of a James Bond villain, a Hacker working for known Terrorist organization, wreaking havoc on peaceful loving citizens. But dig deeper and the story gets a lot more mundane, and it would appear Mr. Ferrizi was more Mojo Jojo than Spectre. A clumsy and careless hacker, wielding more power than he ever should had, lacking the maturity and discipline we usually ascribe to real baddies.

Ardit Ferrizi was the leader of the Kosovo Hackers Society (KHS),  hyped up to be an ‘expert’ hacker who was providing expertise to ISIS. In reality he was just a script kiddie getting some kicks out of hacking,  wasn’t directly linked to ISIS (other than a couple tweets between them), and just a smarter than average 20-year old computer science student.

Mojo-Jojo’s litany of errors

Grandma HackerHere’s the high level of what happened. Ferrizi was a student at Lim Kok Wing University (that should ring some alarm bells on it’s own), and it was already known to the FBI that Ferrizi was in contact to with ISIS members via twitter–seeing as how he never once tried to hide his real identity on twitter, and used public tweets instead of direct messages.

OK, maybe he’s so bad-ass he doesn’t need to hide anything.Weeeellllll, let’s see.

On August 13th 2015, an IT system administrator reported unauthorized access to their system to the FBI. The system belonged to a undisclosed US retailer, and was hacked by someone using the username “KHS”. Lesson number 1, when breaking US federal law, probably best not to use the acronym of your gang as the username.

Ferrizis used a bunch of tools including DUBrute.exe, a freely available brute-force hacking application and some good ol’ fashion SQL Injection to gain the access to the system.These are off-the-shelf products anyone can download, and while it doesn’t really give you an indication of the hackers capability, it does give you an indication of the security the undisclosed US retailer employed.

If a lock picker managed to pry open your front door with nothing more than a credit card, then it would imply you didn’t have a very good door, if a hacker manages to use DUBrute to hack your system, maybe your system wasn’t secure enough to begin with–no wonder they never disclose the retailer in the formal FBI Complaint.

The system administrator had tried to stop the hack 3 separate times, but was unsuccessful on all accounts. At the last attempt, the ‘hacker’ even posted threatening messages to the sysadmin:

Hi Administrator,

Is third time you’re deleting my files and losing my hacking JOB on this server!
One time i alert you that if you do this again i will publish every account on this server!
…….

I didn’t touch anything on your website, please don’t touch my files.

What to contact me? [email protected]

At one point he even asked for a ransom of 2 bit-coin to be paid.Which isn’t very ISIS-like now is it?

On September 10th, Ferrizi sent himself a csv file containing the personal information of 100,000 people. Problem was that he used Facebook to do it, and the FBI manage to intercept the file and perform a pretty detailed analysis on it. They were able to match this data with the one published by ISIS and that was case closed. Lesson 2, when trying to move around hacked data, best not to send it to yourself via facebook.

On top of all the mistakes he did, he never once tried to hide his IP address by using TOR or even a VPN, instead US Law Enforcement managed to trace his IP address in Malaysia (suggesting Malaysian ISPs might have helped), tie that to facebook and twitter logins and manage to craft out a pretty strong case against him.

So in summary, he never tried to hide his IP, proudly use his real identity on twitter to communicate with ISIS, and used publicly visible tweets as opposed to direct messages, and to top it off, sent himself the hacked data via facebook!!

Not really an Expert Hacker

00MXsWPC’mon  guys, does anyone really believe this was a top class hacker!!

What really worries me, is that they’re throwing everyone and the kitchen sink at Ferrizi, with a maximum penalty of 35 years in prison–the kid is only 20 years old. If he gets the full sentence, he’ll be out when he’s 55, and would spent a large majority of his life in prison–if that’s not a recipe for radicalism I don’t know what is.

It’s a strange world we live in, when a geek who used some commonly available hacks breaks into a server gets the same penalty as The National President of the Phantom Outlaw Motorcycle Club. This is similar to the Salem with trials all over again, and not because he’s Muslim, or from Kosovo, it’s all because he’s been designated as a ‘hacker’ and most people have no idea what it actually means.

Conclusion

Compare this to the treatment of Ahmed the clock maker. Ahmed basically opened up a production manufactured clock, put it into a pencil case, and brought it to school. Leaving the racial and religious discrimination aside, Ahmed did nothing special, and there are a lot of kids his age who have far more complex things. But Ahmed was advertised as some of genius kid who invented the clock in 20 minutes, and was given a whole bunch of stuff from Microsoft, even offered internships at twitter–for what? Taking apart a clock? Something thousands of kids do everyday, and aren’t offered trips to the White House for?

Two kids, performing seemingly innocuous activities, tinkering with technology, and one is offered a trip to the White House, the other is looking at a jail sentence that will end his life.

This underlying problem of hackers getting penalties that don’t really match up to the crime is worrying, and serves to further alienate and divide the tech-illiterate from the literate and that’s a real divide we need to address.

Post-Script

I was corrected by a reader that Han never quite dumped cargo to make the jump to light speed, but rather waited for the empire battleships to do so before dis-engaging. I hand my head in shame for making such a grievous error, and beg for forgiveness—please don’t force choke me…ergh, argh, eeeehhhhh!!!

1 Comment so far

#YourComment