Feeds

Clink! Terrorist jailed for refusing to tell police his encryption password

Sudden 'oh wait, I remember now' doesn't save him from extra stripey suntan time

Protecting against web application threats using SSL

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack.

Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the guilty verdict.

Judge Richard Marks QC sentenced him for not complying with a notice to give up his password. The refusal was contrary to section 53 of the Regulation of Investigatory Powers Act 2000, the UK's wiretapping law.

Police had issued Hussain with the notice under section 49 of RIPA to force him to let the cops into his USB stick.

The judge said Hussain's deliberate refusal to comply with a police notice and hand over his password was a very serious matter because it served to frustrate a police investigation, the BBC reports.

Hussain was jailed for five years and three months last April for the far more serious offence of conspiring to take part in a planned attack on a Territorial Army base in Luton. Along with three other men, Hussain pleaded guilty to plotting to use a remote-control toy car to plant a homemade bomb at the TA centre. The suspects were arrested before any preparations for an attack were put together.

At the time Hussain was arrested in April 2012, police recovered a number of USB sticks and external storage devices. Another USB device, reportedly found during a later search, was encrypted and the security protection was strong enough to frustrate attempts to receiver the information the device contained even after the police brought in experts from NTAC (the National Technical Assistance Centre) at GCHQ.

Hussain told investigators that he was unable to remember the password because of the stress he was under in prison. Even being served with the section 49 notice, along with a deadline that expired last January, failed to jog his memory.

However, after police told Hussein's lawyers they had launched a fresh investigation into alleged credit card fraud by Hussain late last year, his memory suddenly improved. Hussain revealed that the memory stick's password was "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran.

Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”, according to a reports on the sentencing by the Luton Dunstable Express.

At this point the police were able to access the memory stick, discovering it contained evidence useful for their inquiry into the alleged financial fraud rather than anything directly related to terrorism or national security.

Bootnote

*The circumstances of the case raise several unanswered questions, as security and privacy watchers at Spy Blog note: "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices? So "$ur4ht4ub4h8" is too strong to brute force, but surely there are Koran & Bible phrase attack dictionaries?"

Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal. UK IT professional and security blogger Quentyn Taylor writes:

Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.