Email Spam and Forgeries
ISRAELI COMPUTER HACKERS FOILED, EXPOSED
By Michael Gillespie
For Washington Report on Middle East Affairs - Sept. 3, 2002
Israeli cyber warfare professionals targeted human rights and anti-war activists across the USA in late July and August temporarily disrupting communications, harassing hundreds of computer users, and annoying thousands more.
The Israeli hackers targeted Stephen "Sami" Mashney, an Anaheim, California, attorney active in the effort to raise awareness of the plight of Palestinians.
"People have found an alternate way to communicate through the Internet," Mashney, a Palestinian-American, told the Washington Report on Middle East Affairs, "and this attack is backfiring on the hackers. Many people are being educated."
Mashney, who co-manages a popular pro-Palestinian e-mail list hosted by Yahoo! logged onto his Internet accounts on July 31 to find hundreds of e-mail messages from angry Americans. He quickly realized that hackers had appropriated or "spoofed" his e-mail addresses and identity and sent out a message titled "Down With America" in his name. The message named and included contact information for 16 well- known human rights activists and falsely claimed the activists wished to be contacted by anyone desiring advice or assistance in fomenting and carrying out anti-American, anti-Christian, or anti-Jewish activities. In an obvious attempt to damage Mashney's reputation, the hackers appended his name, law office telephone number, and website address to the spurious e-mail.
As Mashney was looking up the telephone number of the local FBI office to report the hackers' crime, his phone rang. It was the FBI calling, from Washington, with questions about the forged e-mail message. Mashney later met with FBI agents in California.
"I answered all their relevant questions," said Mashney, who notes that the hackers' attacks continued unabated for weeks and expanded to include other new and innovative methods of harassment that were used against many other activists associated with Free Palestine and
other public and private e-mail lists.
Dr. Francis A. Boyle, professor of International Law at the University of Illinois College of Law, is a human rights activist who served on the board of Amnesty International USA. A member of Free Palestine and other activist lists, Dr. Boyle was also targeted by Israeli hackers who sent counterfeit e-mails in his name. Again, the hackers' intention was to sow confusion, provoke animosity, damage a reputation, and restrict ability to communicate. When Boyle returned from a vacation in mid August, he found 55,000 e-mails waiting for him. Like Mashney, Boyle spent days sorting through the messages, writing personal apologies to those offended by the bogus e-mails, and deleting thousands of bounced messages. Unflappable, Boyle takes it all in stride.
"You can't keep the Irish down," wrote Boyle in an e-mail message to this reporter.
Israeli hackers also targeted Dr. Mazin Qumsiyeh, associate professor at the Yale University School of Medicine. The hackers forwarded to some 1,500 members of the Yale community e-mails that Qumsiyeh had sent to a private list of activists. Many of his university colleagues were annoyed, but Qumsiyeh, too, feels that the hackers are doing the Zionist cause more harm than good. Qumsiyeh said the hackers' efforts have generated new networking opportunities among activists and groups who did not know of each other's existence before the hackers targeted them.
Monica Terazi is director of the New York office of the American Arab Anti-Discrimination Committee (ADC). Terazi's e-mail privileges were yanked by Yahoo! for a time after hackers "spoofed" her e-mail address and identity to send a message to some 80 Yahoo! groups. Terazi, like Mashney, spoke with the FBI about the new Israeli cyber warfare tactics, which have piqued the interest of Internet communications professionals.
For a story published August 23, Terazi wrote to Wired News reporter Noah Shachtman, "While these e-mails are a nuisance, offensive and intimidating, the FBI didn't find anything illegal: There haven't been threats that rise to the level of a hate crime, no money has been stolen, public safety has not been endangered and, as far as we can tell, our computers have not been hacked or 'technically intruded into' as one agent put it." The offensive messages are all protected by the First Amendment, said Terazi.
By mid August, the Israeli hackers had begun to target activists in Iowa, where it seems the Israeli hackers have "technically intruded" into computers. It is also likely their helpers here have forwarded addresses from private lists to Israel. Iowa activists report that people and organizations on their private e-mail lists: family members, friends, acquaintances, media contacts, government officials, interfaith relations organizations, activists, and activist organizations suddenly found themselves receiving tens, hundreds, or thousands of anti-Arab, anti-Muslim and anti-Palestinian "spam" e-mails per day. Many on private e-mail lists reported receiving anti-Arafat cartoons and racist diatribes, along with e-mail that aggressively connected to a web site that took control of their computers, turned the screen white, and made it necessary to shut down and re-start the computer. Some also reported that their e-mail addresses had been "spoofed" and their on-line identities appropriated for the distribution of racist messages.
Darrell Yeaney, a Presbyterian campus minister who retired after serving at the University of Iowa, is active in Friends of Sabeel, an ecumenical Christian organization that supports the ministry of Sabeel, the center for Palestinian Ecumenical Liberation Theology. He and his wife, Sue, now serve as co-moderators for the Middle East Peacemaking Group in Iowa. The Yeaneys report that the hackers appropriated their address and sent out spurious e-mail in their names.
Ames-based activist, author, and editor Betsy Mayfield, whose work has appeared in the Washington Report on Middle East Affairs, was busy with plans for a mid-September Des Moines film festival, "Boundaries: The Holy Land," when the hackers turned their attentions to her computer.
Several Ames women whose only association with the crisis in the Holy Land is their commitment to the Ames Interfaith Council (AIC) reported being shocked by the sudden appearance of pornographic e-mail and racist diatribes on their computer screens.
Many Iowans were targeted for harassment by the hackers, and hundreds of others suffered varying degrees of inconvenience because they were somehow connected to the cause of peace and justice in the Middle East. Similar scenarios played out in other states across the USA.
The scale of the Israeli cyber warfare campaign, the number of targets, and the variety of techniques used, coupled with specifically targeted intrusions calculated to provide additional target addresses for the application of the hackers' various forms of harassment, suggest a sophisticated, coordinated, government- sponsored program designed to impact directly upon the communications abilities of the human rights and pro-Palestinian anti-war activism communities in the USA.
When the Israeli hackers "spoofed" the AIC's e-mail address, they invited a response they did not expect. Because the AIC list was hosted by Iowa State University (ISU), because the world's first electronic digital computer was invented at ISU in a Physics Department laboratory in the early 1940s, and because he has represented the ISU Muslim Student's Association on the AIC cabinet, ISU Physics Department computer administrator Dr. Bassam Shehadeh decided to track the hackers down.
"The hackers access the internet via an ISP called Palnet.com on the West Bank," said Shehadeh.
When Palnet.com did not respond to his repeated e-mail enquiries, Shehadeh called the company, informed their representative that Palnet facilities were being used to interfere with communications at a state institution in the USA, and demanded an explanation. He provided information that enabled Palnet technicians to identify the phone number of the customer harassing Iowans.
"Everyone here is a victim but the hackers," said Shehadeh. "The hackers use stolen identification to get access to Palnet."
Shehadeh said the contact line the hackers used for at least one message to the AIC list address was an Israeli number in West Jerusalem or one of the surrounding settlements. A Palnet representative also told Shehadeh the hackers have used several lines and methods to access Palnet's facilities.
"Afterwards, the hackers compromise another service system here in the USA by passing the e-mail message with Simple Mail Transfer Protocol
(SMTP), using HELO verb. The hackers don't have a valid principal host but overcome that by using a bracketed Internet Protocol number
(IP address) at a location anywhere on the web. Web hosting servers tricked into transferring these e-mails include Digital Cube, Inc.,
Verizon DSL Network, and Iowa Online Web Access located in Washington, Iowa," said Shehadeh.
Shehadeh and other computer professionals working in the USA report that ISPs and companies with IP addresses are typically very cooperative when notified that their equipment is being misused. Most act promptly to end the hackers' access.
Given widespread and systematic destruction of electronic communications facilities by the Israeli Defense Force (IDF) in the West Bank in recent months, the continued existence of Palnet facilities suggests that the Israeli government had reason to permit Palnet's continued operation and raises questions about the ability of Palnet's owners to refuse service to Israeli hackers or otherwise interfere with their activities.
This particular campaign in Israel's cyber war seemed to have been curtailed, at least temporarily, on August 29, soon after Shehadeh tracked the hackers to the West Bank ISP and, finally, to an Israeli phone number, while other computer professionals in the USA, along with some of the targeted activists themselves, quietly contacted management representatives at various IP addresses around the globe and notified them that their facilities were being abused.
History of the recent waves of spam/hacking/forging:
Human rights activists including myself have received occasionally threatening letters or verbal attacks. These were generally isolated and, while annoying and disturbing, many of us have not taken them too seriously. For example, after 9/11, I received a number of messages and some even very threatening. The thought was that those who send emails directly are more likely to be mere talkers and not "doers". However, after many activists continued and accelerated their activities for human rights, there were increased attempts at shutting down these activities. The American Jewish Committee (AJC.org) for example created a task force in Connecticut to "deal with" the activities of human rights advocates in Connecticut.
My name among others surfaced on several Zionist Web sites as someone who is advocating positions at variance with Israeli government positions. Some of the sites went on to make the absurd and slanderous claims that we are "anti-Semitic" or "hateful" or "support terrorism" etc. Sites ranged from mainstream Zionist sites like the Anti-Defamation League (ADL.org see under "hate") to the Connecticut Jewish Ledger (where I was slandered as an "Apologist for terror", http://www.jewishledger.com/), to the American Jewish Committee (AJC.org , see under activism in Connecticut), to rabid Zionists with Jewish Defense League mentality like Masada2000.org (see http://www.masada2000.org/petitions.html where they had an action alert for people that included my picture).
Soon after, some strange things started to happen to me and other activists (including Jewish human rights activists). Letters that I or other human rights advocates published in newspapers were strongly attacked using aggressive language (calling us liars, "apologists for terror", "anti-Semites," "self-hating Jews", "extremist", "un-American" etc). Then on June 4th, a hacker sent an email to thousands on the internet with a forged "from" field showing falsely that it came from my Yale email account (falsely appearing to come from me). This email was generated through an insecure server in Taiwan (dehwa.com.tw). As soon as I discovered this (due to hundreds of bounced messages "returned" to me for incorrect addresses of recipients flooding my email inbox), I contacted the administrator of that server and alerted them about the use of their site for spamming/hacking. The same day, emails were sent to many in Yale using forged messages. The forger took a message I had posted to a private list and added to it my academic affiliation and then sent it to, what later investigation by Yale ITS shows to be, over 1500 Yale email addresses (including deans, chairman, and even the president).
I contacted Yale ITS and was dealing with you all on the issue immediately (June 4th). Mr. Morrow Long and many others among you were extremely helpful and suggested ways to combat this.
The same technique was used spamming tens of thousands with messages that appear falsely to come from dozens of other activists. Some of the activists were Jewish (who obviously oppose Israeli policies) and the messages disseminated had things like "I am a really sick $%$%", from activists with American sounding names saying things like "I am a sociopath", and some from activists with Arabic or Muslim sounding names had messages like "I enjoy killing children". Most included deceptive subject lines and many included articles that supposedly buttress the Israeli government position.
In the days to follow, these tactics continued. In total, three forged messages were sent to Yale staff and faculty. The second one sent through the open relays at Dyna-graphics in California was sent to 1947 email addresses at Yale (per the research done by Morrow Long of Yale ITS) . But for outside, literally dozens and perhaps hundreds of messages were sent to perhaps tens of thousands of addresses (numbers and extent of this unknown). On June 12 (a few days after the initial large wave of spams) and within 24 hours of the second forged message sent to Yale addresses, I contacted the FBI in New Haven and reported this to them. I met June 13 in my office at Yale with two FBI officers assigned to the case.
From June 13 onward, I supplied the FBI with a steady stream of additional information, links, tips from fellow activists, and other material I deemed useful to their investigation.
On June 18, I contacted the ACLU and asked them to see if there is anything else that can be done especially since such hacking/spamming infringes on civil right. I also continued to contact any server I found being used for such hacking and asking them to secure their servers.
Some of the open-relays or insecure servers used for forgery/spamming included:
After the third email sent to Yale using my forged email address, Yale computer security kindly made it such that no similar messages sent from outside of Yale can be delivered to Yale addresses. This is I feel a good interim solution. However, the forger has already used my private email address to spam people outside of Yale (firstname.lastname@example.org; unfortunately also Yahoo closed down this account without checking full headers to see where the messages were really going from). I have set up a couple more private email accounts recently but have not posted anything using those that identifies me as the owner although this might be easily determined from the IP addresses (either my home computer or the one I use at work). Thus, there is still a possibility of additional spam that may appear to come from a private email address forging that it comes from me. Besides the steps we are all taking already (and I am also investigating using PGPI per Morrow's suggestion but this program seems complicated for me), the solution IMHO must include:
a) removal of my name from websites that "target" me for my human rights advocacy (and there is legal precedent for this),
b) tracking down at least one culprit hacker/forger (if there is more than one) and making sure they get to court and that their punishment is publicized so that it sets an example for future hackers/forgers.
I and many of the human rights activists of all faiths do feel that we must not allow such attacks to achieve their goals to intimidate, cause fear and confusions, and silence free speech among human rights advocates. In this sense such cyber-attacks become a form of cyber-terrorism. Obviously for me personally this has been very, very painful and distressing.
I do appreciate those of you at Yale ITS and at the Yale General Council office (Susan Carney) for your support and understanding. Unfortunately, I do not feel the FBI has taken this issue seriously yet. Since I am not the only victim, I would hope that we collectively can persuade the FBI to address it more methodically/seriously. Another approach maybe is to go to the media with the story but that may actually cause me (and perhaps Yale collectively) additional unneeded headaches and so I prefer to wait to hear your thoughts on this.
On 11/8/2002 I received an encoded (forged from field) message which read thus:
"There is an organized attack underway. Many websites hosting views critical of the US Government and the policies of Israel have been subject to various forms of harassment. Some harassment has come in the form of forged spamming. Other harassment has come through electronic mail and posts on Internet forums. Many have suggested that these attacks are the work of lone individuals or pernicious non-governmental organizations. These suggestions may be true. However, I am aware of some information that may point the finger directly at the US Government. I am remaining anonymous for my protection. I have received death threats in response to my political writings. Other sanctions have been imposed upon me as well, but I leave the details out in order to make more difficult my identification. I am supplying you with inside information. Immediately following the 9/11 attacks, various agencies of the US Government reached out to corporate America for "help." Various defense contractors were asked to make suggestions about what they could do to help in the "war on terror." However, in addition to the suggestions, various intelligence and defense organizations within the US Government approached specific corporations in possession of tools that could assist a black operation that had in mind. I do not know all of the details of this request. However, I will share what I do know. Intelligence agencies and DISA (The Defense Information Services Agency) were interested in recruiting private corporations in an illegal effort to wage electronic warfare against US enemies. What was meant my "US enemies" was left unclear, at least at my level of awareness, but the corporation for which I worked turned down the request out of fear of future embarrassment should the operation be revealed. I have been monitoring harassment on various Internet forums. One individual engaged in harassment had the following IP address: 184.108.40.206. A reverse lookup of this address at that time revealed that the IP address is owned by The Technology Advancement Group (TAG). Visiting TAG's site, you will see that TAG is an asset of the NSA. I speculate that TAG is one entity involved in online harassment against dissent. This individual had access to much private information that is not publicly available, dogged forum dissidents, and in time the harassment was followed by death threats, at least in one case. Much of the harassment had a pro-Israel tone. There is a corporation in Austin, Texas called Cycorp. Cycorp is almost wholly dependent upon grants and contracts from the Department of Defense. Cycorp has a product called CycSecure. CycSecure, ostensibly, exists to provide network security. It employs a knowledge base of rules for detecting network vulnerabilities. Cycorp is a corporation specializing in Artificial Intelligence. CycSecure relies upon its product, Cyc, as a knowledge base and inference engine. The Department of Defense, DISA, and various intelligence agencies have approached Cycorp about using this tool in reverse. Specifically, using it to attack networks. Cycorp recently won a contract with DISA. TAG has a DISA contract as well. DISA wishes to use CycSecure. I suspect that this indicates that DISA is engaged in electronic warfare against the US Government's enemies. I suspect that one source of these attacks is TAG and another source is DISA. However, this may not be the comprehensive set of Governmental entities attacking dissent. Several articles have come out that claim that Freedom Corps is training individuals and retirees in cyber warfare through Cyber Corp as part of its volunteer program. One other interesting note about Cycorp. Cycorp has been proposing, to DISA, the creation of a computer center where hundreds of computers will run copies of Cyc. Each copy of Cyc specializes in modeling a specific "terrorist." Given the wide definition in current use for the concept "terrorist," will it be long before individual dissidents and dissident organizations have their an artificial intelligence working 24/7 on collecting information about them and predicting their actions?
The US government of course has at its disposal thousands of experienced information technology staff working 24 hours a day to advance an agenda defined by the executive branch of government. Some times the agenda is derived from corporate and military special interests and collide with public interests. We saw that in the manufactured wars ranging from Columbia to Iraq to Vietnam. One such group is “The Defense Information Systems Agency” which gives its mission as “a combat support agency responsible for planning, engineering, acquiring, fielding, and supporting global net-centric solutions and operating the Global Information Grid to serve the needs of the President, Vice President, the Secretary of Defense, the Joint Chiefs of Staff, the Combatant Commanders, and the other DoD Components under all conditions of peace and war. “http://www.disa.mil