An IT expert for British Airways has been found guilty of using his position to plan a terrorist attack on behalf of the Yemen-based radical cleric Anwar al-Awlaki, according to news reports. Rajib Karim, 31, of Newcastle, used his job as a software engineer for the UK airline to aid attacks being planned by Awlaki, who is …
What kind of encryption was it? So we can avoid that kind.
It does not matter the tool, algorithm or strength of the encryption key ..
if they brute forced the user's password that protects the key as that is the weak point.
What is more interesting is the password(s) that was used as 9 months is a pretty good time to hold out against today's distributed brute force methods.
He used a combination of RAR files (AES-128) and TrueCrypt with some sort of cascade.
When you say combination of do you mean RAR in a truecrypt container or some in RAR, others in truecrypt - I'd be interested to know as I'm assuming brute-forcing AES-128 inside cascading Truecrypt would be bloody difficult. Any ideas of hidden container or not?
Does anyone know what passphrase length could reasonably be implied for a cascading truecrypt (or AES -128 or AES-256) container to hold out for 9 months? Just wondering whether this dude just used the right tools incorrectly or not.
it's encrypted, this will take a little longer
now where have i read that recently? :D
Actual RAR files or fake RAR files?
Are you sure about those encryption methods? Admittedly (and perhaps understandably) there's little on the web detailing the actual encryption used, but this...
...seems to suggest that his main line of security was PGP, bolstered by some home-brew methods that were a combination of obfuscation, misdirection and security by obscurity. And either PGP is weaker than users think or this particular installation was badly configured, because it sounds as though the intelligence services decrypted it in relatively short order.
TrueCrypt, especially with whole-drive encryption, is very very strong and a well configured installation with a non-trivial password is more or less invulnerable to everything other than rubber hose cryptanalysis (or RIPA, whichever scares you more). If the stories are to be believed (disinformation theories notwithstanding) the combined efforts of the Brazilian authorities and the FBI couldn't crack the encryption on Daniel Dantas' machine:
The fact that the Police could see both encrypted and non-encrypted files on Rajib Karim's system suggests that, if he was using TrueCrypt at all, he was using it with encrypted file containers and weak keys rather than as a whole-drive solution with a strong passphrase. Otherwise there's no way they'd have decrypted it so easily.
Something for which we should be grateful I suppose, because if he'd been using the same system as Daniel Dantas the authorities might still have no clue as to what was on that drive.
No, it does matter, because part of what makes an encryption scheme strong is that it should be prohibitively expensive and time consuming to exhaustively try all the passwords. I know Truecrypt in particular was designed with this in mind and it has reportedly withstood similar attacks before, so maybe this guy just used a comparatively weak password.
I don't suppose anybody knows what it was. (I didn't really expect anyone to know what encryption was used either so...) [See post icon.]
comparatively weak password
He may have had the best password in the world, but it wont help if that's the Nth billion one they tried after 9 months of trying.
@AC - I think you misunderstand me and we are saying the same thing..
The password that protects the key is typically the weakest element .. i.e. you might be using a randomly generated AES-256 bit symmetric encryption key but if you protect the key's use with a password of <20 characters even if its complex it is possible to brute force the password given enough raw/distributed CPU and time. That does not mean TrueCrypt is easy to break-in to .. it means that people need to understand where the real weak point lies (hint: its the end-user and decisions they make 8-) and use the encryption tool effectively.
So strength of password that protects the actual encryption key is typically the most important element of this type of file encryption mechanism .. obviously if you use an encryption algorithm or tool which has known flaws or technical limitations (e.g. DES) then you don't need the password to brute force the encryption key itself.
Hate to break it to you, but the NSA and chums have been happilly reading encrypted texts for years, and every indication that black hats have been doing similarly as well. It's already been publicly acknowledge that AQ were caught napping because they were relying on "commercial encryption programmes". Best bet is just not to transmit your silly thoughts/pr0n/financials in the first place. Think "air gap".
Highly unlikely.... oh!
Hey, it's Matt.
How many GPU enabled machines in a high end cluster could break an encrypted...
password protected file?
If you think about it... you're not going to have to go through every potential combination.
RE: Highly unlikely.... oh!
Hi Destroyed All Braincells With Beer. You may want to do a little Googling before you hit the pub again. For example, there have been several AQ operatives captured in Pakistan and other countries with an AQ manual on how to use PGP. Their key man for Internet security, Mohammed Naem Noor Khan, was caught with the manual in 2004 and is thought to have been its author. His manual included a technique for generating a 1024 character key, which the NSA admits they broke. When the Septics found Musab al-Zarqawi's laptop in Iraq in 2005 it was using Khan's technique, and it is reputed that the location of the safehouse al-Zarqawi was killed at in 2006 was in encrypted files on that laptop.
The ability to "break" encrypted material such as that using PGP is not surprising, given the billions in budget the NSA spends each year on hardware alone, plus the fact they have been targetting PGP since the '90s. What is less realised is PGP switched the whole US security apparatus to the problem of commercial encryption, and I'm told every commercial package that hits the market (along with "free" offerings) has been put under the NSA's microscope. Just because your friends from down the pub tell you Product X is "unbreakable", doesn't mean the real pros won't be able to read your secrets, should you have any worth reading. I suspect you would be of very little interest to anyone.
"he held secret meetings with fellow Islamic extremists at Heathrow Airport"
Not the best place to hold 'secret meetings' given the high Plod count as well as the security types dressed in blazers plus or all the nondescript security types. Undoubtedly the video tapes provided a trove of information, too.
I see British prosecutors have vivid imaginations, too: "He also tried to enroll as a member of the cabin crew and may have been planning to crash BA's computer systems in an attempt to wreak havoc".
How do they connect cabin crew status with that of crashing BA computer systems?
from daily mail....
"Investigators said the 31-year-old used a 'Russian doll system' which hid his terrorist plotting behind at least eight layers of disguise and encryption."
Guilt by innuendo - must be following FBI entrapment stories
" having links to the to the attempted shoe-bombing of a plane over Detroit on Christmas 2009" then they start talking about "with the people you have is is it possible to get a package or a person with a package on board a flight".
So I wonder what is the link between a guy living in Nigeria, flying to Amsterdam and then trying to blow his underpants up over Detroit AND a package? Commonalities are air, explosives, USA.
I think the Met Plod have been reading too much about the far fetched FBI-sponsored bomb plots starting up all over the USA.
Another point. Presumably BA does background checks when it hires somebody: why did it not detect this dodgy computer guy earlier, or did the Plod use him as bait and, inter alia, putting passengers at risk had the computer guys alleged friends been successful?
Methinks there is much more to this than has been released. Or the Plod has presented a fairy story.
Since when have convictions be based on evidence using the word 'may' as in "may have been planning"? He either did or he didn't.
If you want to cause havoc at an airline, surely it would be a lot easier just to become a baggage handler at Heathrow terminal 5?
Nine months to crack the passwords? We're doomed....
Readers will remember that encrypted files were just one of the reasons our esteemed Prime Minister Blair wanted to increase the time limit of detention without charge. If this case has established a 'benchmark' for the time required to unencrypt files, can we expect a move to increase the detention time?
to crack the encryption or 8 months 29 days sitting on arse then 1 day to crack trivially encrypted emails?
It was only cracked when they read the PostIt note stuck on the corner of his monitor.
One less terrorist on the streets
Let's hope they catch more of these terrorists before they down another plane.