Wednesday 11 April 2012

The Leaked ICQ Logs - Lee Gibling Worked For More Than Just NDS

Yesterday I posted that a number of ICQ logs belonging to Lee Gibling had been leaked, and myself and others have spent some time working through the logs, looking for interesting information.

A number of the logs appear to belong to Martin Gallagher, who has a rather interesting CV:

Global Operations Manager Alternative Investigation Management Ltd (AIM) Public Company; 5001-10,000 employees; IVZ; Investment Management industry

1997 – 2004 (7 years) London, United Kingdom

I was responsible for all security projects including executive protection of CEOs and executives of well known multinational corportations, security reviews and risk assessments for large multinational media, hardware, software, and manufacturing & logistics companies.

Other areas of my operation and responsibility within the company were:

Surveillance, (Medical, Fraud & Piracy).
Test purchasing, for famous brands in the clothing, media and IT hardware and software industries
Undercover assignments, within logistics companies where high value thefts were prevalent.
Computer Forensics operations for individual clients and Blue Chip Hardware and Media companies.

Internet research, I was responsible for providing intensive internet research on hackers and piracy organisations , often infiltrating these criminal fraternities in order to provide law enforcement agencies and legal entities with criminals' personal details and evidence to support successful arrests and prosecutions.

It appears the following ICQ logs belong to him
56660605 21.12.1999 - 25.09.2000 Martin Gallagher

9552119 06.04.1999 - 05.09.1999 Martin Gallagher
56660445 08.05.2000 - 08.05.2000 SATNET/Ken Frazer
50640200 03.12.1999 - 15.01.2000 Ken Frazer
76873943 12.06.2000 - 03.11.2000 JanJo/Jannette Hess
63376893 05.02.2000 - 18.08.2000 Go4/Gopher Khan

He rather helpfully says this in his SATNET ICQ Log

56660445 (21.12.1999 15:44:31) MARTIN : SATNETºKenºFrazerºº0
56660445 (08.05.2000 18:41:11) MARTIN : yeah, i got several icq addresses
56660445 (08.05.2000 18:41:25) LEE : he he
56660445 (08.05.2000 18:41:58) MARTIN : you still got protium icq?
56660445 (08.05.2000 18:42:20) LEE : nah
56660445 (08.05.2000 18:42:48) LEE : i have also 56660605
56660445 (08.05.2000 18:43:25) MARTIN : that's me official one
56660445 (08.05.2000 18:44:08) LEE : ah - so this is yer dodgy one
56660445 (08.05.2000 18:45:19) MARTIN : satnet
Go4
Protium
those 3 r dodgy
56660445 (08.05.2000 18:46:49) LEE : i wondered who the fuck go4 was :-))
56660445 (08.05.2000 18:47:36) MARTIN : i am hoping that you is a nices peoples and can sends me somthings likes softwares
56660445 (08.05.2000 19:27:34) LEE : yes - we can send you any softwares you want - pls just ask Mr Satpratt

Along with references to his real name and contact details in the other ICQ logs it seems to confirm the accounts belong to him.

Martin Gallagher works for Barry Watters, the founder of Alternative Investigation Management Limited

Barry retired from the Metropolitan Police in 1995 after 31 years of distinguished service where he served as a front line detective at Scotland Yard. During his service he was engaged in a number of high profile departments including the Flying Squad, Regional Crime Squad and Specialist Operations. Whilst serving in these postings he was responsible for determining strategy in combating national and international crime organisations and was deployed on a number of occasions outside the United Kingdom.

He was also responsible for training operatives in Specialist Operations and on leaving the service in 1995 was engaged by Her Majesty’s Foreign and Commonwealth office to provide training specialist through the British Governments ‘Know How’ program to European countries seeking admission to the European Union.

On leaving the police service Barry founded Alternative Investigation Management Limited, a specialist security consultancy providing services to government, major ‘blue chip’ corporations and police services globally on risk assessment, crisis management, kidnap and ransom training, investigations and security training.

Lee Gibling and Martin Gallagher often discussed Barry Watters, especially in relation to Watters sending cheques to Gibling:
From ICQ log 63376893
63376893 (21.07.2000 20:10:00) MARTIN : Hi m8, Thanks for the mail re the free cam patch but I dont follow the story.

Baz said the cheque is in the post. hahaha!

Anyway, I have to do my end of month report now is there anything from you that I should put in?

From ICQ log 76873943
76873943 (31.10.2000 18:08:21) LEE : and wtf is bw?
76873943 (31.10.2000 18:08:39) LEE : i am officially on strike from today
76873943 (31.10.2000 18:08:41) MARTIN : barry watters?
76873943 (31.10.2000 18:08:51) LEE : yes
76873943 (31.10.2000 18:09:12) MARTIN : i am waiting 4 mine 2
76873943 (31.10.2000 18:09:27) MARTIN : go on strike m8!
76873943 (31.10.2000 18:09:59) MARTIN : no more stuff till i get paid :-)
76873943 (31.10.2000 18:10:05) LEE : wad da we wan,,,,, MONEY
wen da we wan it,,,, NOW
76873943 (31.10.2000 18:10:30) LEE : tell em m8! go4it

From ICQ log 56660605
56660605 (12.01.2000 22:13:08) LEE : still no bloody cheque from barry
56660605 (12.01.2000 22:13:40) MARTIN : all and any!!!!!!!!!!!
I gotta cover the globe so i have created country directories
56660605 (12.01.2000 22:13:55) LEE : that's a mean old task eh
56660605 (12.01.2000 22:14:06) MARTIN : I will chase baz up re the cheque
56660605 (12.01.2000 22:15:57) LEE : thanks

56660605 (14.01.2000 17:52:15) LEE : still no cheque with todays post - it doesn't take a whole week to send even 2nd class
56660605 (14.01.2000 17:53:57) MARTIN : I didnt get to speak with him yesterday. I would send an email in red!
56660605 (14.01.2000 17:54:27) LEE : no - i am officially on strike
56660605 (14.01.2000 17:55:46) MARTIN : ROFL :-D

56660605 (17.01.2000 15:51:50) LEE : still no damn cheque - btw i saw BW yesterday

56660605 (17.01.2000 17:55:27) LEE : cheque has turned up - it was only posted on 16th
56660605 (17.01.2000 17:55:49) MARTIN : he's a bad bugger!!!!!!
56660605 (17.01.2000 17:56:07) LEE : that is a bit naughty -
56660605 (17.01.2000 17:56:49) MARTIN : I'll say,,, Perhaps the girls forgot to post it heh heh heh
56660605 (17.01.2000 17:57:14) LEE : it is in BW's writing and had a first class stamp!
56660605 (17.01.2000 17:57:52) MARTIN : HE'S A REALLY BAD BUGGER!!!!
56660605 (17.01.2000 17:58:38) LEE : yep - i won't pay for any other software now until i have the money direct credited into my account - it's not fair having to wait 3 weeks for it
56660605 (17.01.2000 17:59:29) MARTIN : I agree! Perhaps he thinks your'e made of money!

From ICQ log 50640200
50640200 (29.12.1999 16:45:14) LEE : yes! i had to chaps the money on christmas eve!

750.00
75.00 (lee)
15.00 (chaps)

total: 840.00 - i would appreciate the money asap - i'm still out of pocket from the last lot - barry's cheque didn't turn up until friday! and won't clear now until the 4th of bloody january
50640200 (29.12.1999 16:45:38) MARTIN : k - i has been well busy!! yesterday was very very

So that appears to show that Lee Gibling was receiving money from AIM over a period of months, if not years, and in some cases Barry Watters, the founder of AIM, personally signed his cheques.

It appears AIM was working on behalf of Mindport, a division of Irdeto, and Lee Gibling was keeping NDS informed of their plans
From: THOiC Online© [mailto:webmaster@thoic.com]
Sent: Saturday, December 11, 1999 1:54 PM
To: radams@ndsuk.com; agutman@ndc.co.il
Subject: damn and blast!

Avigail

I have been in communication by telephone this morning with Martin
Gallagher who works for Barry Watters. The general chit chat moved to
Dave Cottle, and Martin was excited to tell me that he will be getting
a suprise very soon.

I enquired exactly what he mean't by that and he said that he was
going to be busted - he did not say whether it was he and Barry who
would be involved directly in the bust or whether it would be joint or
just Mindport.

He gleefully explained that MINDPORT had all the email from DC to
others including MM - I enquired what email he was talking about and
he said that they have an intercept running on his mailboxes.

This is crap - Mindport BW and MGallagher couldn't complete a Rubik's
Cube let alone get a hack working on several mailboxes.

I suggest the truth is they are either relying on the quantity of copy
email exchanged between Bond and MM which was furnished through me
or/and the content of Rolf's HDD.

Either way, I am concerned that they (Mindport & BW- AIM) are again
going off at a tangent looking for kudos. I think it would be a
serious judgement of error for them to attack Bond at this stage.

1. There is the GESA development which we have on the boil.

2. It would finish the Forum for GOOD. A forum that has and will
continue to produce excellent information.

3. What exactly will they get on Bond if they rely on the older
emails? a test case in australia - incitement to hack?? wow!

I've copied this to RA - you will no doubt be speaking to him on this
and I would be pleased if you can tell me that all the work we have
done will not be ruined by this complete bunch of amateurs.

Lee'

Now it's apparent that NDS and AIM had contact with each other, as this email shows:
'From: Bary Watters
To: Adams, Ray
Date: 11/17/1999 5:23:54 AM
Subject: eurosky

Hi ray the following forwarded for your info, found by martin:-

Do You live in Europe? Want to have Sky Digital in your home? Well now
you can. Here at Euro sky, we can supply one of two options to fulfill
your needs. Simple click on the option you prefer below:'

But it seems that Lee Gibling may not have been too keen on letting NDS know how much contact he was having with Martin Gallagher
63376893 (17.07.2000 20:16:17) MARTIN : u okm8?
63376893 (17.07.2000 20:17:04) LEE : yes - glad i got you
don't send any mail to lee@thoic.com or webmaster
send any mail to me at snakesurf69@hotmail.com
63376893 (17.07.2000 20:17:36) MARTIN : whats happend?
63376893 (17.07.2000 20:18:15) LEE : just that my mail is being monitored by the bosses
63376893 (17.07.2000 20:18:43) MARTIN : no probs m8. theybin moanin?
63376893 (17.07.2000 20:19:04) LEE : not really - just makin sure there's nothing to moan about
63376893 (17.07.2000 20:19:48) MARTIN LEE : k i will delete all refs to webmaster @ thoic and shall always use the new one,,,,,,,, ok?
63376893 (17.07.2000 20:20:07) LEE : i think that's best for now m8
63376893 (17.07.2000 20:20:19) MARTIN : k
Assuming that by "bosses" Lee means NDS it seems that he didn't want them to see what Martin was sending him.

Now, Martin and Lee seemed to have a very friendly relationship, with Lee apparently providing Martin with plenty of information about THOIC, including letting Martin know when THOIC users who were Mindport plants were accidently letting the webmasters know they were from Mindport.

56660605 (13.02.2000 16:14:17) LEE : MP are total wankers - there are a few people that know their ID's now in the forums
56660605 (13.02.2000 16:14:36) LEE : he he - i couldn;t sleep last night and was up till 4 am
56660605 (13.02.2000 16:14:50) MARTIN : who's bin in there?
56660605 (13.02.2000 16:17:44) LEE : quite a few actually - and silly silly boys think they are safe using a 3rd party email or ISP - but the wankers have been using the 'UBB a Friend' option to send some threads to people and the forwarding addresses they have input as so and so form mindport.com - they never learn - these forwarded messages are read by Bond - the messages are system generated when someone forwards on a message from the forums and it tells everything - bond gets copies as do I - so we can see who is forwarding threads out of the forums! it's common practise and IMO pretty lame
56660605 (13.02.2000 16:18:48) MARTIN : can u get me the details, ie alias used etc? I'll fkin sort em!!!
56660605 (13.02.2000 16:19:27) LEE : yeah - Mindport Australia - they also identify a plant in the forums - how amateur eh!
56660605 (13.02.2000 16:19:47) MARTIN : bond 007 he's one of ours, (i mean yours?)
56660605 (13.02.2000 16:20:07) MARTIN : had to be them eh?

Martin also wasn't shy about asking Lee to perform less than legal tasks
9552119 (13.07.1999 20:49:19) MARTIN : Lee, could you access hotel computers? ie bookings and reservations?
9552119 (13.07.1999 20:49:45) LEE : it's possible - depends on their security
9552119 (13.07.1999 20:50:15) MARTIN : you would have to do it through an annonymous ip eh?
9552119 (13.07.1999 20:50:25) LEE : that's easy enough
9552119 (13.07.1999 20:52:37) MARTIN : well I need to know if two people are checked in or about to checkin at
1. The Westbury Hotel (London)
2. The Hyde Park Hotel Ditto
3. Clariges London
Names: A Kashoggi
and Mr A K Pukar (Could be pookar) Spelling unsure
9552119 (13.07.1999 20:53:05) LEE : you didn't say 3!!!
that'll be 1k each
9552119 (13.07.1999 20:53:46) MARTIN : 1 kiss each okay but only if its Vicky I'm kissing! Ha
9552119 (13.07.1999 20:54:46) MARTIN : I have to phone the hotels but i thought it might be possible to check via their back orifice
9552119 (13.07.1999 20:57:48) LEE : it wouldn't be that quick to gain access - i'd first have to get their network ip address, bust their firewall (if poss dependent on the s/w) then if i got that lucky i'dhave to find the s/w prog and logon for their reservation system! they'd probably have been and left by the time i got in:-))
9552119 (13.07.1999 20:58:15) MARTIN : har har he he ho hum!
9552119 (13.07.1999 20:58:28) MARTIN : I'll stick to the phones

There's no evidence to say Lee went ahead and did the hack, but it does demonstrate how close the relationship was between Martin Gallagher and Lee Gibling at a time Lee Gibling was also apparently working for NDS.

There's still plenty more to read in the leaked ICQ logs, so hopefully tomorrow I'll have another post with even more new information.

You can contact the author on Twitter @brown_moses or by email at brownmoses@gmail.com

No comments:

Post a Comment