Reference Library – Scotland
Security services missed a string of chances to bring in Salman Abedi in the months prior to the Manchester bombing, it has emerged. But he struck just days before a scheduled intelligence meeting about his activities was due to take place. An independent review into the attack concluded it is conceivable the atrocity could have been averted if the cards had fallen differently. Despite this, MI5 maintain it is ‘unlikely’ the plot could have been stopped.
Compiled by David Anderson QC, the report brings together the results of eight internal reviews by MI5 and the police, following the wave of attacks between March and June which included the Manchester bomb. The document lays bare how in the months and weeks before the attack there were a series of missed opportunities to confront Abedi – who had been on security services' radar for THREE years and suspected of links to ISIS for at least two.
We now know that MI5 received intelligence about Abedi that has turned out to be significant – but wasn't thought to be at the time. As a result, he was not under investigation at the time of the attack – and he remained a closed subject of interest. We now know he could have been placed on ports action after he travelled to Libya in April 2017 – a step which would have triggered an alert when he came to Manchester.
This would have allowed him to be questioned and searched at the airport under the Terrorism Act.
Abedi was not placed on ports action, however – and killed 22 people, injuring hundreds of others, at a Manchester Arena concert shortly after returning to the city from Libya. Describing this, the report says an opportunity was missed by MI5 to place Salman Abedi on ports action. The report says that on two occasions in 2017 MI5 came by intelligence which, had its true significance been properly understood, would have triggered an investigation into Abedi.
While the significance of intelligence was not fully appreciated at the time, the review concludes in retrospect, it can be seen to have been highly relevant to the planned attack. A subsequent data review of intelligence about 20,000 people identified Abedi as among a small number of people worth further examination – but Abedi struck nine days before a meeting was due to be held about this.
A meeting (arranged before the attack) was due to take place on 31 May 2017: Salman Abedi's case would have been considered, together with the others identified. The attack intervened on 22 May, it states.
Despite these findings, the report says that it is unknowable whether an investigation would have pre-empted and thwarted Abedi's attack, adding: MI5 assesses it would not. Describing MI5's conclusions, the author says after detailed consideration of their intelligence – the intelligence whose true significance was not appreciated – it is unlikely Abedi would have been stopped.
The report reveals for the first time that Abedi had been on security services' radar for three years. In 2014 he was actively investigated by MI5 – for six months – when it was thought he might have been acting suspiciously with a second subject of interest. However, because of his limited engagement with persons of national security concern, he was classed as low risk.
The following year – in October 2015 – his case was reopened because he was suspected of contact with an Islamic State figure in Libya. The case was closed the same day when it transpired any contact had not been direct.
Despite this, the decision not to re-open the investigation into Abedi in 2017, following the new intelligence, was described in the report as finely-balanced and understandable.
There is a high degree of inherent uncertainty in speculating as to what might or might not have been discovered if an investigation had been opened on the basis of the new intelligence, MI5's internal review, detailed in the report, concluded. MI5's review also concluded: On the clear balance of professional opinion, successful pre-emption of the gathering plot would have been unlikely.
The review – ordered by government several weeks after the May 22 attack – looked at what the intelligence services knew ahead of the Manchester bombing, as well as the earlier one at Westminster, and the ones at London Bridge and Finsbury Park in the weeks afterwards. While complimentary of both intelligence and counter-terror services in many respects, the report does suggest that Manchester's attack in particular could potentially have been averted.
It is not the purpose of the internal reviews, or of this report, to cast or apportion blame, it adds.
But though investigative actions were for the most part sound, many learning points have emerged.
It is conceivable that the Manchester attack in particular might have been averted had the cards fallen differently.
After rapidly patching a flaw that allowed anyone with access to a High Sierra Mac to obtain administrative control, Apple still has more work to do to make its software secure, namely iOS 11, it was claimed this week. Oleg Afonin, a security researcher for password-cracking forensic IT biz Elcomsoft, in a blog post on Wednesday called iOS 11 “a horror story” due to changes the fruit-themed firm made to its mobile operating system that stripped away a stack of layered defenses. What’s left, he argued, is a single point of failure: the iOS device passcode.
With an iOS device and its passcode (a barrier, but not a particularly strong one), an attacker can gain access not only to the device, but to a variety of linked cloud services and any other hardware associated with the device owner’s Apple ID. Before the release of iOS 11, Afonin explained in a phone interview with The Register, there were several layers of protection in iOS.
“I feel they were pretty adequate for what they were,” he said. “It seems like Apple abandoned all the layers except the passcode. Now the entire protection scheme depends on that one thing.”
What changed was the iOS device backup password in iTunes. In iOS 10 and earlier, users could set a unique password to secure an encrypted backup copy of the data on an iPhone. That password travelled with the hardware and if you attempted to connect the iPhone to a different computer in order to make another backup via iTunes, you’d have to supply the same backup password.
That’s a security problem because device backups made through iTunes contain far more data than would be available just through an unlocked iPhone. And that data can be had through the sort of forensic tools Elcomsoft and other companies sell.
“Once an intruder gains access to the user's iPhone and knows (or recovers) the passcode, there is no single extra layer of protection left,” Afonin explains in his post. “Everything (and I mean, everything) is now completely exposed. Local backups, the keychain, iCloud lock, Apple account password, cloud backups and photos, passwords from the iCloud Keychain, call logs, location data, browsing history, browser tabs and even the user's original Apple ID password are quickly exposed.”
So the risk goes beyond the compromised phone and any associated Apple devices: Apple’s iCloud Keychain could include, say, Google or Microsoft passwords. Afonin in his post suggested “Apple gave up” in the wake of complaints from police, the FBI, and users. Asked whether he had any reason to believe the change was made to appease authorities, he said, “I don’t believe this was made for the police. I believe it was just user complaints.”
Nonetheless, the iOS change has significant implications for those who deal with authorities, at border crossings for example.
“If I cross the border, I may be forced to reveal my passcode,” he said, noting that many thousands of electronic device searches happen every year.
With that passcode, authorities could create their own device backup and store it, which would allow them to go back and extract passwords unrelated to the device itself later on. “If that happens they have access to everything, every password I have,” he said. Afonin said with iOS 11, Apple’s entire protection scheme has fallen apart. He likened the situation to the 2014 iCloud hack known as Celebgate.
“Those iCloud accounts were protected with just passwords,” said Afonin. “We have a similar situation today. If it’s just one single thing, then it’s not adequate protection.”
To fix the issue, Afonin suggests going back to the way things were. “It was a perfectly balanced system,” he said. “I don’t think anybody complained seriously. The ability to reset an iTunes Backup password is not necessary.
If they revert it back to the way it was in iOS 10, that would be perfect.”
Of course, this is just Afonin and Elcomsoft’s opinion. Others in the world of infosec were not convinced by his arguments; for example, Dino Dai Zovi, cofounder of cloud security biz Capsule8, was having none of it:
Apple did not respond to a request for comment.
PS: Apple’s iPhone X shares face scans with apps, which has some people worried. Also, if you have installed the password-less root security patch on macOS 10.13.0, and then upgraded to 10.13.1, make sure you reinstall the patch (Apple’s Software Update mechanism should do this automatically) and reboot.
On Tuesday 28 November, security operatives from around Glasgow attended Counter Terrorism Project Griffin Training at Cathouse, a music venue in Glasgow. The session in Glasgow was the first in a series of Project Griffin training sessions specifically targeting security operatives. A Police Scotland Counter Terrorism Security Adviser delivered the training and the event was supported by the National Licensed Trade Partnership (NLTP) whose Chair Donald McLeod provided the venue. This training will roll out in the major cities across Scotland in the coming months on behalf of the Security Industry Safer Scotland – Counter Terrorism (SISS-CT) in partnerships with the Security Industry Authority (SIA) and Police Scotland.
Sharon Roberts, our Regional Manager for Scotland, said:
Security operatives across Scotland play a critical role in protecting the public. Providing funded Project Griffin training to the Private Security Industry increases Scotland’s preparedness in the event of a terrorist attack. The fact that so many security officers and door supervisors have attended the training in their own time is testament to the dedication and professionalism of the security industry and reflects the determination of people in Scotland not to give in to terrorism.
Brian Muir, Chair of SISS-CT, said:
The Security Industry Safer Scotland – Counter Terrorism (SISS-CT) Group welcomes this important initiative. This Project Griffin training is a vital tool in providing people with the knowledge and skills to recognise the threats posed by terrorism and to understand the actions they can take to prevent it and make places and communities safer. The SISS-CT's activities are not restricted to SIA licensed personnel and apply to the wider security industry. The Group consists of representatives from Police Scotland, the Scottish Business Resilience Centre, the SIA, security providers in Scotland and various other related agencies.
Donald MacLeod, Chairman of the NLTP said,
“The National Licensing Trade Partnership is very happy to lend its support to the SIA and Project Griffin. After the recent terrorist atrocities in Paris, Manchester and London, it is now vital that all who are involved in the licence trade recognise the benefits of Counter Terrorism training, which sadly is now as important as it is necessary. The safety of the general public and staff must always come first and never more so in these dangerous times.
The aim of the NLTP is to develop and promote positive working relationships between Police Scotland, the SIA and the license trade as well as support a shared aim of best practice, responsible operation and mutual respect for each other, and Project Griffin Counter Terrorism Training ticks all these boxes and more.”
Steve Johnson, Police Scotland Assistant Chief Constable (Crime) said,
This event is an ideal opportunity to develop existing relationships in Scotland between Police Scotland and the private security industry and other key partners. Police Scotland are delighted to support the innovative work being carried out by the Security Industry Safer Scotland (CT) Group at this time of increased risk nationally. The event reaffirms the benefits of collaborative working; ensuring organisations work together for a common goal, rather than in isolation, to make Scotland safer for all of our communities.
- The Security Industry Authority is the organisation responsible for regulating the private security industry in the United Kingdom, reporting to the Home Secretary under the terms of the Private Security Industry Act 2001.
The SIA’s main duties are: the compulsory licensing of individuals undertaking designated activities; and managing the voluntary Approved Contractor Scheme.
- For further information about the Security Industry Authority or to sign up for email updates visit www.sia.homeoffice.gov.uk.