Turkish Police May Have Beaten Encryption Key Out Of TJ Maxx Suspect

Chris Soghoian

CNET News
October 24, 2008 8:46 AM PDT

When criminals turn to disk encryption to hide the evidence of their
crimes, law enforcement investigations can hit a brick wall. Where
digital forensics software has failed to recover encryption
passwords, one tried and true technique remains: violence. It is
this more aggressive form of good cop, bad cop behavior which the
Turkish government is alleged to have turned to, in order to learn
the cryptographic keys of one of the primary ringleaders in the TJ Maxx
credit card theft investigation.

The 2005 theft of tens of millions of credit card numbers from an unsecured
wireless network run by TJ Maxx stores has led to over 150 million
dollars in damages for the company. The two gentlemen behind the heist
sold the pilfered credit card information to others online. Eventually,
the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and,
according to media reports, a "major figure in the international sale
of stolen credit card information."

Mr Yastremskiy was later arrested in 2007, while on vacation in
Turkey. The US government has formally requested that Yastremskiy
be extradited, and has charged him with a number of crimes including
aggravated identity theft.

According to comments allegedly made by Howard Cox, a US Department
of Justice official in a closed-door meeting last week, after being
frustrated with the disk encryption employed by Yastremskiy, Turkish
law enforcement may have resorted to physical violence to force the
password out of the Ukrainian suspect.

Mr Cox’s revelation came in the context of a joke made during his
speech. While the exact words were not recorded, multiple sources
have verified that Cox quipped about leaving a stubborn suspect alone
with Turkish police for a week as a way to get them to voluntarily
reveal their password. The specifics of the interrogation techniques
were not revealed, but all four people I spoke to stated that it was
clear that physical coercion was the implied method.

The Turkish interrogation seems to have worked, as Mr Cox was even
able to share Yastremskiy’s encryption password with the audience.

Mr Cox, the Assistant Deputy Chief for the DOJ’s Computer Crime and
Intellectual Property Section, made the comments during his keynote
talk at an invitation only event for academic and industry experts
focused on phishing-related crimes. This blogger has spoken to four
sources, each in independent interviews, who claim to have witnessed
Mr Cox making such statements. However, due to the closed-door nature
of the event, and fearing that coming forward publicly would lead
to them being blackballed from future information sharing sessions,
no one would go on the record to make their claims.

If Mr Yastremskiy is successfully extradited to the United States,
it is unclear if the evidence from his encrypted disk could be used
against him in court. It also remains an open question as to how much
the US knew about the alleged beating of Yastremskiy by the Turkish
authorities, and when.

If Mr Cox’s alleged comments are indeed true, this is alarming
news. The majority of cryptographic tools in use today are designed
around the general assumption that an end-user can refuse to disclose
his or her key if the computer is seized. While password discovery
via torture is something that has been discussed in the academic
literature for a number of years (it is commonly known as rubber-hose
cryptanalysis), it has for the most part remained a theoretical
threat. A few tools, such as TrueCrypt, are designed to resist such
attacks, and thus use deniable encryption — that is, making it
impossible for someone to examine a computer and be able to determine
if there is anything encrypted on the disk. Some tools even allow for
multiple deniable encrypted folders, each with a different password.

Of course, TrueCrypt and other tools that have adopted deniable
cryptography do not stop government agents from torturing a suspect. It
just means that they cannot be sure when to stop the beatings, as
there could always be one additional hidden file on the disk.

Multiple requests for comment, by both phone and email to Howard Cox
and the DOJ Office of Public Affairs have been ignored. Similarly,
the Turkish embassy in Washington DC had not responded to a request
for comment by press time.

A Freedom of Information Act request has been submitted for the slides
and notes for Mr Cox’s speech; however, this could take months or
years before any information is returned.

Disclosure:

Mr Cox presented at a closed-door session at the Anti-Phishing Working
Group e-Crime summit. I presented at the same conference the next
day, at a session open to the general public. My hotel and airplane
ticket were paid for by the APWG, as part of a scholarship program
for graduate students.

In 2006, the FBI investigated me for some of my research into boarding
pass security. While no charges were ever filed, it’s reasonable to
state that I have little affection for the DOJ computer crimes section.

Finally, due to the fact that the Turkish government is involved,
it is worth mentioning that I am 50% Armenian by blood. Several
generations ago, a number of my family members died at the hands of
the Ottoman Empire (now Turkey). I do not have an axe to grind in
this area, but in the interest of honest disclosure, I thought it
should be mentioned here.

Christopher Soghoian delves into the areas of security, privacy,
technology policy and cyber-law. He is a student fellow at Harvard
University’s Berkman Center for Internet and Society, and is a
PhD candidate at Indiana University’s School of Informatics. His
academic work and contact information can be found by visiting
www.dubfire.net/chris/. He is a member of the CNET Blog Network,
and is not an employee of CNET.

http://news.cnet.com/8301-13739_3-10069776-46