Feeds

Clink! Terrorist jailed for refusing to tell police his encryption password

Sudden 'oh wait, I remember now' doesn't save him from extra stripey suntan time

Intelligent flash storage arrays

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.

Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted and the security protection was strong enough to frustrate attempts to receiver the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussein's lawyers they had launched a fresh investigation into alleged credit card fraud by Hussain late last year, his memory suddenly improved. Hussain revealed that the memory stick's password was "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran.

Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a reports on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

*The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So "$ur4ht4ub4h8" is too strong to brute force, but surely there are Koran & Bible phrase attack dictionaries?"

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.