Feeds

Clink! Terrorist jailed for refusing to tell police his encryption password

Sudden 'oh wait, I remember now' doesn't save him from extra stripey suntan time

High performance access to file storage

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.

Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted and the security protection was strong enough to frustrate attempts to receiver the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussein's lawyers they had launched a fresh investigation into alleged credit card fraud by Hussain late last year, his memory suddenly improved. Hussain revealed that the memory stick's password was "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran.

Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a reports on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

*The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So "$ur4ht4ub4h8" is too strong to brute force, but surely there are Koran & Bible phrase attack dictionaries?"

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.