October 24, 2008 8:46 AM PDT

Turkish police may have beaten encryption key out of TJ Maxx suspect

by Chris Soghoian

Updated Jan 27 2009 with a comment from the Turkish Government. See below

When criminals turn to disk encryption to hide the evidence of their crimes, law enforcement investigations can hit a brick wall. Where digital forensics software has failed to recover encryption passwords, one tried and true technique remains: violence. It is this more aggressive form of good cop, bad cop behavior that the Turkish government is alleged to have turned to in order to learn the cryptographic keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation.

The 2005 theft of tens of millions of credit card numbers from an unsecured wireless network run by TJ Maxx stores has led to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen and, according to media reports, a "major figure in the international sale of stolen credit card information."

Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.

According to comments allegedly made by Howard Cox, a US Department of Justice official, in a closed-door meeting last week, Turkish law enforcement, frustrated by the disk encryption employed by Yastremskiy, may have resorted to physical violence to force the password out of the Ukrainian suspect.

Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.

The Turkish interrogation seems to have worked, as Mr Cox was even able to share Yastremskiy's encryption password with the audience.

Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and Intellectual Property Section, made the comments during his keynote talk at an invitation-only event for academic and industry experts focused on phishing-related crimes. This blogger has spoken to four sources, each in independent interviews, who claim to have witnessed Mr. Cox making such statements. However, due to the closed-door nature of the event, and fearing that coming forward publicly would lead to them being blackballed from future information-sharing sessions, no one would go on the record to make their claims.

If Mr Yastremskiy is successfully extradited to the United States, it is unclear if the evidence from his encrypted disk could be used against him in court. It also remains an open question as to how much the US knew about the alleged beating of Yastremskiy by the Turkish authorities, and when.

If Mr Cox's alleged comments are indeed true, this is alarming news. The majority of cryptographic tools in use today are designed around the general assumption that an end-user can refuse to disclose his or her key if the computer is seized. While password discovery via torture is something that has been discussed in the academic literature for a number of years (it is commonly known as rubber-hose cryptanalysis), it has for the most part remained a theoretical threat. A few tools, such as TrueCrypt, are designed to resist such attacks by using deniable encryption: an encrypted volume is indistinguishable from random bytes, so someone examining the disk cannot prove that an encrypted volume, or a second volume hidden inside it, exists. Some tools go further and allow a hidden volume nested inside an outer volume, each with a different password, so that the outer password can be surrendered under duress while the hidden one is kept.

Of course, TrueCrypt and other tools that have adopted deniable cryptography do not stop government agents from torturing a suspect. It just means that they cannot be sure when to stop the beatings, as there could always be one additional hidden volume on the disk.
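To make the hidden-volume idea concrete, here is a toy deniable container, added here as an illustration; it is not TrueCrypt's on-disk format or code, and the hypothetical layout (outer header at the start, hidden header in the last 64 bytes, each volume owning half of the file) is an assumption of this example. The file starts as random bytes; each volume is an encrypted, authenticated region whose ciphertext and header (salt, nonce, MAC tag) are themselves random-looking, and the payload length is inside the ciphertext, so nothing in the file reveals whether a second password exists. PBKDF2 and an HMAC-SHA256 keystream are used only so the example runs on the Python standard library; a real tool uses a block cipher in XTS mode.

```python
"""Toy deniable container: outer volume plus optional hidden volume.

Added example, not TrueCrypt's format or code. The layout below is an
assumption made for this demonstration.
"""
import hashlib
import hmac
import math
import os
from collections import Counter

CONTAINER_SIZE = 16 * 1024                   # constructed: small file for the demo
HEADER_SIZE = 16 + 16 + 32                   # salt | nonce | HMAC tag, all random-looking
REGION = CONTAINER_SIZE // 2 - HEADER_SIZE   # bytes available to each volume
OUTER_DATA_OFF = HEADER_SIZE                 # outer volume: header at 0, data after it
HIDDEN_DATA_OFF = CONTAINER_SIZE // 2        # hidden volume: data in the top half,
HIDDEN_HEADER_OFF = CONTAINER_SIZE - HEADER_SIZE  # header in the last 64 bytes


def _kdf(password, salt):
    """Derive 32 bytes of encryption key followed by 32 bytes of MAC key."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)


def _xor_stream(key, nonce, data):
    """Counter-mode stream cipher: keystream block i = HMAC(key, nonce || i)."""
    out = bytearray(len(data))
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        for j, b in enumerate(data[i:i + 32]):
            out[i + j] = b ^ block[j]
    return bytes(out)


def _seal(password, plaintext):
    """Encrypt a whole region: 4-byte length, the data, then random padding.

    The length lives inside the ciphertext, so no byte of the region is
    distinguishable from the random fill the container started with.
    """
    if len(plaintext) + 4 > REGION:
        raise ValueError("data does not fit in the volume")
    salt, nonce = os.urandom(16), os.urandom(16)
    k = _kdf(password, salt)
    body = len(plaintext).to_bytes(4, "big") + plaintext
    body += os.urandom(REGION - len(body))
    ct = _xor_stream(k[:32], nonce, body)
    tag = hmac.new(k[32:], nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag, ct


def _open(password, header, ct):
    """Return the plaintext if the password verifies against this slot, else None."""
    salt, nonce, tag = header[:16], header[16:32], header[32:64]
    k = _kdf(password, salt)
    expected = hmac.new(k[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    body = _xor_stream(k[:32], nonce, ct)
    n = int.from_bytes(body[:4], "big")
    return body[4:4 + n]


def create_container(outer_pw, outer_data, hidden_pw=None, hidden_data=b""):
    """Build a container. Without a hidden password the top half stays random fill."""
    buf = bytearray(os.urandom(CONTAINER_SIZE))
    hdr, ct = _seal(outer_pw, outer_data)
    buf[0:HEADER_SIZE] = hdr
    buf[OUTER_DATA_OFF:OUTER_DATA_OFF + REGION] = ct
    if hidden_pw is not None:
        hdr, ct = _seal(hidden_pw, hidden_data)
        buf[HIDDEN_DATA_OFF:HIDDEN_DATA_OFF + REGION] = ct
        buf[HIDDEN_HEADER_OFF:HIDDEN_HEADER_OFF + HEADER_SIZE] = hdr
    return bytes(buf)


def open_container(container, password):
    """Try the outer slot, then the hidden slot; return (slot, data) or (None, None)."""
    data = _open(password, container[:HEADER_SIZE],
                 container[OUTER_DATA_OFF:OUTER_DATA_OFF + REGION])
    if data is not None:
        return "outer", data
    data = _open(password, container[HIDDEN_HEADER_OFF:HIDDEN_HEADER_OFF + HEADER_SIZE],
                 container[HIDDEN_DATA_OFF:HIDDEN_DATA_OFF + REGION])
    if data is not None:
        return "hidden", data
    return None, None


def shannon_entropy(data):
    """Bits per byte; uniform random bytes score close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    decoy = create_container(b"outer-pw", b"holiday photos")
    real = create_container(b"outer-pw", b"holiday photos", b"hidden-pw", b"the ledger")
    print(open_container(real, b"outer-pw"))   # ('outer', b'holiday photos')
    print(open_container(real, b"hidden-pw"))  # ('hidden', b'the ledger')
    # The top half scores the same whether or not a hidden volume was written:
    print(shannon_entropy(decoy[HIDDEN_DATA_OFF:]), shannon_entropy(real[HIDDEN_DATA_OFF:]))
```

The point of the demo is the second container: handing over "outer-pw" yields a plausible volume and proves nothing about the existence of "hidden-pw", and an examiner measuring the top half of either file sees the same near-8-bits-per-byte randomness. Two caveats a practitioner would add: the deniability is a property of the file format only, so operating-system artifacts (recent-file lists, swap, application caches) can still betray a hidden volume; and because the outer volume in a real tool spans the whole container, writing to it can overwrite the hidden data unless the tool is told to protect that region, which is why TrueCrypt asks for the hidden password when mounting the outer volume for writing.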

Multiple requests for comment, by both phone and email to Howard Cox and the DOJ Office of Public Affairs have been ignored. Similarly, the Turkish embassy in Washington DC had not responded to a request for comment by press time.

A Freedom of Information Act request has been submitted for the slides and notes for Mr Cox's speech; however, it could take months or years before any information is returned.

Update: On January 27, 2009, Berkan Pazarcı, the First Secretary at the Turkish Embassy in Washington DC, replied to the request for comment that I sent back in October of 2008:

The Turkish Ministry of Justice informed the Embassy that Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body.

Disclosure:

Mr Cox presented at a closed-door session at the Anti-Phishing Working Group e-Crime summit. I presented at the same conference the next day, at a session open to the general public. My hotel and airplane ticket were paid for by the APWG, as part of a scholarship program for graduate students.

In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.

Finally, due to the fact that the Turkish government is involved, it is worth mentioning that I am 50% Armenian by blood. Several generations ago, a number of my family members died at the hands of the Ottoman Empire (now Turkey). I do not have an axe to grind in this area, but in the interest of honest disclosure, I thought it should be mentioned here.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
by inachu October 24, 2008 10:45 AM PDT
Aside from criminality the best way still to get rid of data is to drill into your hard drive multiple times.
by rcrusoe October 27, 2008 12:06 PM PDT
Drilling your hard drive will destroy the data "in the holes" but much of the data remaining on the drive can still be recovered.

There is a reason that various "three letter agencies" grind their hard drives to dust.
by f1111 October 24, 2008 1:15 PM PDT
And the problem with asking (firmly) a criminal to give up info on his crime is????
by joshgiesbrecht October 25, 2008 10:22 AM PDT
Please don't hide the ugly truth about torture behind words like "firmly asking". It's embarrassing.

That aside, the other problem with your statement is an assumption about who is and isn't a criminal. The problem with that is that *evidence* is supposed to decide if you are a criminal or not, and the article is talking about evidence-gathering techniques.

If you allow the use of torture on "criminals", you allow the use of torture on anybody who is suspect. As Mr. Soghoian mentioned, he's been investigated by the FBI in the past for something which was suspected, but in fact was non-criminal in nature.

The authorities *don't know the difference between criminal and suspect* until the investigation concludes. Think about that before assuming that it's okay to abuse the bad guys.
by m26m October 25, 2008 12:43 PM PDT
People who previously commented on this article might not have noticed, but Mr. Soghoian is of Armenian descent, judging by his last name, and more than likely has a hidden agenda against the Republic of Turkiye. So, to say that his article is biased against Turkiye is not going to be far from the truth. I am sure if the Armenian or Russian police had employed these harsh coercion techniques, he would be as silent as a devout religious man in a convent.
by csoghoian October 25, 2008 3:38 PM PDT
While I like conspiracy theories as much as the next guy, this is frankly rather silly.

If you want to claim that I am biased, you will have far better luck claiming that my dislike of the US Department of Justice clouds my ability to write objective articles.

As I said in my blog post, I have no axe to grind with the government of Turkey. If Armenia, Russia or even Canada had engaged in torture in order to get someone's cryptographic keys, I'd be writing about it.

Torture happens every day around the world, by evil governments and private actors of all sorts -- I do not write about every instance. However, when it relates to my world (which is computer security and digital privacy), then I am interested. I don't care which flag is on the shoulder of the person holding the rubber hose, merely that he is trying to get someone's password.

I went out of my way to highlight the fact that I am Armenian in my blog post, to specifically avoid people accusing me of an anti-Turkey bias. If you care that much about the reputation of your government, perhaps you can talk them into responding to the questions I asked of them? I would love to have an official statement from the Turkish government regarding this incident.
by maxxx11 October 26, 2008 12:33 PM PDT
There is no proof that your elders died because of the Ottoman Empire. If you are talking about security, talk about it, not POLITICS.
by Truffisus October 27, 2008 10:09 PM PDT
Amateurish high school level reporting at best. The title should read "Some guy may have joked that Turkish police may have beaten encryption key out of TJ Maxx suspect."
by vrnsn October 28, 2008 1:29 PM PDT
Let's add a statement to the explanation "Christopher Soghoian delves into the areas of security, privacy, technology policy..." like: he delves into these subjects through his biased politics. I really did not get why you pointed out your biased ideas in a technology-related blog, Chris. Professionals do not do this. This kind of article allows readers to question your objectivity (in fact we understood that you don't have any). Hope to see you writing about your actual business.
by Sumatra-Bosch October 28, 2008 8:57 PM PDT
Truffisus, oh, hey, man, it's like, a blog, man. Don't get all heavy on him, man. He's just trying to save western civilization from fashizm. . . Seriously, though, no one has asked it yet, but why would the authorities want to extradite someone who has had information coerced from him, something that could well invalidate or greatly complicate the introduction of the evidence recovered by such means? Perhaps our last hope for civilization's principles here can make a big mean face and threaten to hold his breath until the Justice Department answers that question.

by aidan_karley November 1, 2008 6:44 AM PDT
Quote by Sumatra-Bosch: "Seriously, though, no one has asked it yet, but why would the authorities want to extradite someone who has had information coerced from him, something that could well invalidate or greatly complicate the introduction of the evidence recovered by such means?"

Umm, Khalid Sheikh Mohammed anyone? Ah, but that's justified torture (at least, according to some people). So, where is the dividing line between justifiable torture and non-justifiable torture? If you're involved (allegedly) in the murder of 999 people, you can only have the rubber-hose, but add another victim and you can get partial drowning too ?
by Sumatra-Bosch November 2, 2008 9:03 PM PST
KSM is not going in front of a real court, but a military court or commission of some sort, a veritable kangaroo court of the kind that even military lawyers have scoffed at. If you need to pretend these courts martial - or whatever they are - are equivalent venues to civilian courts, hey, good luck.