Ciro Santilli @cirosantilli 37

Here we list of suspected domains for which the correct IP was apparently not found since there are no neighbouring hits.

These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.

For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.

A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.

It is also possible that some of them are simply false positives so they should be taken with a grain of salt. Further reverse engineering e.g. of comms or HTML analysis might be able to exclude some of them.

It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.

In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we

dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches

iranfootballsource.com:

iraniangoalkicks.com:

iraniangoals.com:

football-enthusiast.com:

cyhiraeth-intlnews.com:

news-latina.com: domainsbyproxy.com 2007-12-17

europeannewsflash.com:

outlooknewscast.com:

24hoursprimenews.com:

farsi-newsandweather.com:

global-view-news.com:

health-men-today.com:

firstnewssource.com:

pars-technews.com:

newdaynewsonline.com:

sportsnewsfinder.com:

newsworldsite.com:

todaysnewsreports.net:

hassannews.net:

todayoutdoors.com:

globaltourist.net:

terrain-news.com:

intlnewsdaily.com

opensourcenewstoday.com:

techwatchtoday.com:

This section is about possible "real-world" information leaks found in the HTML of the pages. Domain DNS metadata may of course expose more, and is more likely to do so, this section is only about in-page findings, notably in the HTML.

We haven found anything too mind-blowying so far, but the ones we have are curious.

The HTML <title> of webofcheer.com is cryptically set as:rather than a more natural title like "Web of cheer" as is the case for the other website. This feels like a forgotten placeholder for an internal page identifier, e.g. "page 1C" sounds plausible. At Section "HTML title element" we riefly inspected the <title> of every other hit with a wayback machine archive, and unfortunately none other seemed to have any such interesting title.

The 2010 archive of europeantravelcafe.com has a "plan your trip" link links to a different domain: secure-cert.net/~etc/transport.html. This appears to have been a link to the system used by CIA operators to manage the website. Furthermore, the link then was later removed from the 2011 version, so it was almost certainly a leak! "secure-cert.net" is obscure, the only other surviving online mention of it is www.leewillis.co.uk/wordpress-plugins/#comment-6513 to
secure-cert.net/~sayitint/products-page/bags-totes/duffel-bag/ We've grepped all the HTML downloaded as HTML analysis but no other links to it were found.

A similar thing happened to alljohnny.com Starting December 2004 the "Submit your favorite carlson quote" was mind blowingly switched to point to https://washington.serversecured.net/~alljohnn/cgi-bin/memlog.cgi thus likely leaking the control site URL. Beauty. It previously pointed to the more sensible: web.archive.org/web/20040901162621/https://secure.alljohnny.com/cgi-bin/memlog.cgi