Turkish Police May Have Beaten Encryption Key Out Of TJ Maxx Suspect

    TURKISH POLICE MAY HAVE BEATEN ENCRYPTION KEY OUT OF TJ MAXX SUSPECT
    Chris Soghoian

    CNET News
    http://news.cnet.com/8301-13739_3-10069776-46.html
    October 24, 2008 8:46 AM PDT
    CA

    When criminals turn to disk encryption to hide the evidence of their
    crimes, law enforcement investigations can hit a brick wall. Where
    digital forensics software has failed to recover encryption
    passwords, one tried and true technique remains: violence. It is
    this more aggressive form of good cop bad cop behavior which the
    Turkish government is alleged to have turned to, in order to learn
    the cryptographic keys of one of the primary ringleaders in the TJ Maxx
    credit card theft investigation.

    The 2005 theft of tens of millions of credit card numbers from an unsecured
    wireless network run by TJ Maxx stores has led to over 150 million
    dollars in damages for the company. The two gentlemen behind the heist
    sold the pilfered credit card information to others online. Eventually,
    the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and,
    according to media reports, a "major figure in the international sale
    of stolen credit card information."

    Mr Yastremskiy was later arrested in 2007, while on vacation in
    Turkey. The US government has formally requested that Yastremskiy
    be extradited, and has charged him with a number of crimes including
    aggravated identity theft.

    According to comments allegedly made by Howard Cox, a US Department
    of Justice official in a closed-door meeting last week, after being
    frustrated with the disk encryption employed by Yastremskiy, Turkish
    law enforcement may have resorted to physical violence to force the
    password out of the Ukrainian suspect.

    Mr Cox's revelation came in the context of a joke made during his
    speech. While the exact words were not recorded, multiple sources
    have verified that Cox quipped about leaving a stubborn suspect alone
    with Turkish police for a week as a way to get them to voluntarily
    reveal their password. The specifics of the interrogation techniques
    were not revealed, but all four people I spoke to stated that it was
    clear that physical coercion was the implied method.

    The Turkish interrogation seemed to have worked as Mr Cox was even
    able to share Yastremskiy's encryption password with the audience.

    Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and
    Intellectual Property Section, made the comments during his keynote
    talk at an invitation only event for academic and industry experts
    focused on phishing related crimes. This blogger has spoken to four
    sources, each in independent interviews, who claim to have witnessed
    Mr. Cox making such statements. However, due to the closed-door nature
    of the event, and fearing that coming forward publicly would lead
    to them being blackballed from future information sharing sessions,
    no one would go on the record to make their claims.

    If Mr Yastremskiy is successfully extradited to the United States,
    it is unclear if the evidence from his encrypted disk could be used
    against him in court. It also remains an open question as to how much
    the US knew about the alleged beating of Yastremskiy by the Turkish
    authorities, and when.

    If Mr Cox's alleged comments are indeed true, this is alarming
    news. The majority of cryptographic tools in use today are designed
    around the general assumption that an end-user can refuse to disclose
    his or her key if the computer is seized. While password discovery
    via torture is something that has been discussed in the academic
    literature for a number of years (it is commonly known as rubber-hose
    cryptanalysis), it has for the most part remained a theoretical
    threat. A few tools, such as TrueCrypt, are designed to resist such
    attacks, and thus use deniable encryption -- that is, making it
    impossible for someone to examine a computer and be able to determine
    if there is anything encrypted on the disk. Some tools even allow for
    multiple deniable encrypted folders, each with a different password.

    Of course, TrueCrypt and other tools that have adopted deniable
    cryptography do not stop government agents from torturing a suspect. It
    just means that they cannot be sure when to stop the beatings, as
    there could always be one additional hidden file on the disk.

    Multiple requests for comment, by both phone and email to Howard Cox
    and the DOJ Office of Public Affairs have been ignored. Similarly,
    the Turkish embassy in Washington DC had not responded to a request
    for comment by press time.

    A Freedom of Information Act request has been submitted for the slides
    and notes for Mr Cox's speech, however, this could take months or
    years before any information is returned.

    Disclosure:

    Mr Cox presented at a closed-door session at the Anti-Phishing Working
    Group e-Crime summit. I presented at the same conference the next
    day, at a session open to the general public. My hotel and airplane
    ticket were paid for by the APWG, as part of a scholarship program
    for graduate students.

    In 2006, the FBI investigated me for some of my research into boarding
    pass security. While no charges were ever filed, it's reasonable to
    state that I have little affection for the DOJ computer crimes section.

    Finally, due to the fact that the Turkish government is involved,
    it is worth mentioning that I am 50% Armenian by blood. Several
    generations ago, a number of my family members died at the hands of
    the Ottoman Empire (now Turkey). I do not have an axe to grind in
    this area, but in the interest of honest disclosure, I thought it
    should be mentioned here.

    Christopher Soghoian delves into the areas of security, privacy,
    technology policy and cyber-law. He is a student fellow at Harvard
    University's Berkman Center for Internet and Society, and is a
    PhD candidate at Indiana University's School of Informatics. His
    academic work and contact information can be found by visiting
    www.dubfire.net/chris/. He is a member of the CNET Blog Network,
    and is not an employee of CNET.
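The article describes deniable encryption only in outline: a container in which an examiner cannot tell encrypted data from free space, so that surrendering one password never proves there is no second one. The following is an added toy example written for this thread, not code from the article, from TrueCrypt, or from any real product, and it does not reproduce TrueCrypt's on-disk format. It assumes a fixed-size image split into four equal slots, every slot initially filled with random bytes, a decoy volume in slot 0 and a hidden volume in slot 3; the slot layout, the password strings and the plaintexts are all constructed for the demonstration. Cryptography is standard library only (PBKDF2-SHA256 for key derivation, HMAC-SHA256 run in counter mode as a stream cipher, HMAC-SHA256 as the authentication tag), which is fine for showing the deniability property but is not a recommended construction for real data.

```python
"""Toy deniable container: fixed-size slots inside a random-filled image.

Constructed example for this thread. Not TrueCrypt's format and not a
production cipher: stdlib PBKDF2-SHA256 + HMAC-SHA256 counter-mode
keystream + HMAC-SHA256 tag. The point is the layout, not the primitives.
"""
import hashlib
import hmac
import math
import secrets
import struct
from collections import Counter
from typing import Optional

SLOT_COUNT = 4
SLOT_LEN = 1024                           # each slot: salt | tag | ciphertext
SALT_LEN = 16
TAG_LEN = 32
CT_LEN = SLOT_LEN - SALT_LEN - TAG_LEN    # 976 bytes of ciphertext per slot
MAX_PLAINTEXT = CT_LEN - 2                # 2-byte length prefix inside the payload
CONTAINER_LEN = SLOT_COUNT * SLOT_LEN
KDF_ITERATIONS = 20_000                   # kept low so the demo runs quickly


def _keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one password."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; output is indistinguishable from random."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def create_container() -> bytes:
    """Fresh image: all slots random, so an empty slot and a used slot look alike."""
    return secrets.token_bytes(CONTAINER_LEN)


def write_volume(container: bytes, slot: int, password: bytes, plaintext: bytes) -> bytes:
    """Return a new image with `slot` holding `plaintext` under `password`."""
    if not 0 <= slot < SLOT_COUNT:
        raise ValueError("bad slot")
    if len(plaintext) > MAX_PLAINTEXT:
        raise ValueError("plaintext too large for one slot")
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _keys(password, salt)
    payload = struct.pack(">H", len(plaintext)) + plaintext
    payload += secrets.token_bytes(CT_LEN - len(payload))   # random pad hides true length
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, salt, CT_LEN)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    start = slot * SLOT_LEN
    return container[:start] + salt + tag + ct + container[start + SLOT_LEN:]


def open_volume(container: bytes, slot: int, password: bytes) -> Optional[bytes]:
    """Plaintext if `password` opens `slot`, else None (wrong key or no volume)."""
    start = slot * SLOT_LEN
    salt = container[start:start + SALT_LEN]
    tag = container[start + SALT_LEN:start + SALT_LEN + TAG_LEN]
    ct = container[start + SALT_LEN + TAG_LEN:start + SLOT_LEN]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # an empty slot and a slot under another key fail identically
    payload = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, salt, CT_LEN)))
    (n,) = struct.unpack(">H", payload[:2])
    return payload[2:2 + n]


def find_volumes(container: bytes, password: bytes) -> list[int]:
    """Slots this password opens; all other slots read as free space."""
    return [s for s in range(SLOT_COUNT) if open_volume(container, s, password) is not None]


def slot_bytes(container: bytes, slot: int) -> bytes:
    return container[slot * SLOT_LEN:(slot + 1) * SLOT_LEN]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; about 7.8 for 1 KiB of uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def demo() -> dict:
    """Decoy in slot 0, hidden volume in slot 3; passwords are constructed."""
    c = create_container()
    c = write_volume(c, 0, b"decoy-password", b"holiday photos")
    c = write_volume(c, 3, b"hidden-password", b"card dump index")
    return {
        "decoy_sees": find_volumes(c, b"decoy-password"),     # [0]
        "hidden_sees": find_volumes(c, b"hidden-password"),   # [3]
        "entropy_empty": byte_entropy(slot_bytes(c, 1)),      # random fill
        "entropy_hidden": byte_entropy(slot_bytes(c, 3)),     # ciphertext, same profile
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the property the article is describing: the decoy password opens slot 0 and nothing else, and the byte entropy of the never-written slot 1 and the hidden slot 3 are the same to within noise, so an examiner holding the decoy password has no evidence that slot 3 (or slot 1, or slot 2) is anything but unused space. That is also the article's closing point: even after the hidden password is surrendered, slots 1 and 2 look exactly as a third volume would.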