Feeds

Clink! Terrorist jailed for refusing to tell police his encryption password

Sudden 'oh wait, I remember now' doesn't save him from extra stripey suntan time

Combat fraud and increase customer satisfaction

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.

Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted and the security protection was strong enough to frustrate attempts to receiver the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussein's lawyers they had launched a fresh investigation into alleged credit card fraud by Hussain late last year, his memory suddenly improved. Hussain revealed that the memory stick's password was "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran.

Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a reports on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

*The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So "$ur4ht4ub4h8" is too strong to brute force, but surely there are Koran & Bible phrase attack dictionaries?"

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.