Feeds

Clink! Terrorist jailed for refusing to tell police his encryption password

Sudden 'oh wait, I remember now' doesn't save him from extra stripey suntan time

Internet Security Threat Report 2014

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.

Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted and the security protection was strong enough to frustrate attempts to receiver the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussein's lawyers they had launched a fresh investigation into alleged credit card fraud by Hussain late last year, his memory suddenly improved. Hussain revealed that the memory stick's password was "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran.

Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a reports on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

*The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So "$ur4ht4ub4h8" is too strong to brute force, but surely there are Koran & Bible phrase attack dictionaries?"

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.