Experts say threatening Pitt emails are virtually impossible to trace
Apr 06, 2012 (Pittsburgh Post-Gazette - McClatchy-Tribune Information Services via COMTEX) --
The hoax emails sent to reporters -- the venue chosen for delivering the latest of at least 16 bomb threats to the University of Pittsburgh campus -- require little technical knowledge to send and are virtually impossible to trace, cybersecurity specialists said.
And their frequency -- which some suspect has reached an unprecedented level -- places university officials in a precarious Catch-22: Do police continually evacuate buildings, sometimes three or four at a time, and feed into the suspect's or suspects' wishes? Or do they ignore the threats and risk catastrophe?
"There's no cookie-cutter approach to how you respond to a bomb threat," said Paul V. Verrecchia, chief of police for the College of Charleston in South Carolina and president of the International Association of Campus Law Enforcement Administrators. "You've got to go with your gut instinct and experience."
Pitt police, for the moment, said they have chosen to take no risks while two Federal Bureau of Investigation agents and a privately hired handwriting expert work to decipher the menacing messages, which have been scrawled in anonymously rerouted emails, on bathroom stalls and on paper towels left in rest rooms.
"All this is still worth it," Pitt police Chief Tim Delaney said Wednesday night as teams of bomb-sniffing dogs swept the 42-story Cathedral of Learning for the eighth time since mid-February. "I will never put the kids in danger."
Obstacles to tracing
Cybersecurity specialists said they're not surprised investigators have struggled to trace the origins of six of the latest threats -- five of which have been sent via email to Pittsburgh Post-Gazette reporters and one of which went to the Tribune-Review, according to a university spokesman.
Many of the messages sent to the Post-Gazette were delivered using an anonymous remailer called Mixmaster.
"Mixmaster is one of the more sophisticated anonymity tools," said Lorrie Cranor, who oversees the CyLab Usable Privacy and Security Lab at Carnegie Mellon University. "When I send an email ... instead of sending it to the person I want to send it to, it's going to send it through a chain of intermediaries -- tell that messenger to give it to another messenger and eventually it gets to another destination."
These chains can include multiple intermediaries. The person who receives the email at the end can only see information, such as an IP address, from the last person in the chain.
Some of the emails sent to reporters have traced to a destination in Austria, which presents an additional set of complications. In those cases, investigators must hope that Austrian laws grant them access to the server where the message came from and hope that officials there are cooperative.
Even then, "it's not clear that you're going to get much out of it," said Nicolas Christin, associate director of the Information Networking Institute at Carnegie Mellon.
These intermediaries do not immediately send messages. Instead, they wait until they have a significant number of emails, scramble them and send them out in a different order from the one in which they were received.
Some of the intermediaries contain logs of every message that comes in or out, while many others do not. The ones that do contain logs sometimes include bogus information.
"It would be very difficult if not impossible to trace this," Ms. Cranor said.
She and Mr. Christin said instructions for many anonymous remailers, including Mixmaster, can easily be found online. They posited that a student in high school or college could easily master the technology.
Chris Cook, a certified information systems security professional with Security Awareness Inc. in Tampa, Fla., guessed that a middle school student could use Mixmaster but added that "if this person knows what they're doing, it tells me they're pretty knowledgeable in IT security, probably the darker side of it, probably a hacker or distributor of viruses as well."
"Hopefully this guy made a mistake somewhere along the line and they'll be able to track it," Mr. Cook said.
Mr. Christin said he "would see if there's another way to crack the case."
Brent Turvey, a criminal profiler whose work has been featured in The American Journal of Psychiatry, said he was slightly baffled -- but not shocked -- that investigators have not yet pinned the handwritten threats on someone or multiple people. Eight of the threats were scrawled in bathrooms.
Mr. Turvey suggested that the strongest investigators would be prudent not only to review surveillance video outside the restrooms but also to have detectives interview students who regularly use the bathrooms where the threats have been reported.
"Any criminal investigator is only as good as their confidential informants," he said. "It shows how poorly prepared most agencies are to actually investigate crimes."
Still, even Mr. Turvey struggled to glean much from the messages scrawled to reporters or on bathroom walls, saying it could be one person or multiple people behind the threats and that without having interviewed someone himself, it was hard to tell much beyond the fact that whoever is sending the threats is "angry at the university."
Chief Delaney said investigators have developed at least one "person of interest." Sources said investigators interviewed a volunteer firefighter who continually did interviews with local news crews after the first few threats.
Since the university increased its reward for information from $10,000 to $50,000, Pitt police have received dozens of emails and phone calls from students who thought they had noticed something suspicious or might have ideas for possible suspects. Some students approached a Pitt police officer during a Wednesday afternoon evacuation to warn him that a student has been suspiciously missing from their class on the day that two of the bomb threats occurred.
Pitt officials have not commented on whether they think students are behind the threats, although a dean in the Kenneth P. Dietrich School of Arts and Sciences sent an email encouraging instructors to pass information along to investigators if they requested it.
Police have sent images to a private handwriting expert.
In the meantime, Pittsburgh police Chief Nate Harper and Public Safety Director Michael Huss have offered to help in any way they can, Chief Delaney said. Mr. Huss has acted as a go-between for Pitt police and PA Region 13, a collection of public safety agencies from 13 counties who work together on major events.
Wes Hill, chairman of Region 13, declined to go into specifics but said that all of the group's bomb-sniffing dogs have been dispatched to the university since the threats began.
He, like Chief Delaney, said he has not had time to calculate the costs of staffing enough crews to clear the bomb threats.
"The public sentiment is 'What can we do for you?' " Chief Delaney said. "I want for nothing in this investigation -- just catching them."
Sadie Gurman contributed. Liz Navratil: email@example.com, 412-263-1438 or on Twitter @LizNavratil.
___ (c)2012 the Pittsburgh Post-Gazette Visit the Pittsburgh Post-Gazette at
www.post-gazette.com Distributed by MCT Information Services
[ Back To TMCnet.com's Homepage ]