Security preparations for New Year’s Eve celebrations in New York’s Times Square will be altered following a botched suicide bombing in a subway tunnel, the city’s counterterrorism chief has said. Akayed Ullah, 27, has been charged with terrorism crimes after detonating a pipe bomb in the pedestrian tunnel on Monday. John Miller, deputy commissioner for intelligence and counterterrorism, said the New York Police Department will carry out an “immediate” and “in-depth” review of the attempted attack. He said: “This is the first time I believe that we have seen an individual with a suicide bomb in mass transit and actually have that bomb function.
“So we’re going to take a hard look at it.”
Plans for security in the New Year will also consider other attacks such as the Las Vegas sniper shooting on 1 October, in which 58 people were killed and more than 500 people wounded, Mr Miller said. An increased police presence will be seen around mass transit and public gatherings, he added. In the short term, that will likely mean more heavily armed and specially trained officers on the streets, as well as more police dogs, bag screenings and checkpoints. Chemicals inside the pipe bomb ignited, but the pipe itself did not explode, officials have said.
Ullah, from Bangladesh, was seriously hurt in the blast during Monday morning rush hour. But the malfunctioning device resulted in only minor injuries for three other people. Acting US attorney Joon Kim said Ullah planned to “murder as many human beings as he could … in support of a vicious terrorist cause”. Court papers filed by federal prosecutors claim he told police officers after the blast that “I did it for Islamic State”. He is believed to have begun viewing pro-IS material online in 2014 and prosecutors claim he carried out the attack because he was angry over US policy in the Middle East. On the morning of the attack, he posted on his Facebook page: “Trump you failed to protect your nation”.
He has been charged with providing material support to terrorists and using weapons of mass destruction. Ullah could appear in court on Wednesday via video link.
Investigators in Bangladesh are questioning his wife, officials told Reuters news agency. The couple have a six-month-old boy.
President Donald Trump claimed the bombing underlined a need for changes to the US immigration system, which he claimed is “lax” and “allows far too many dangerous, inadequately vetted people” into the US.
Salford house fire family had been living under threat and security was increased before devastating attack
The family of Michelle Pearson had been living under threat before the devastating attack. Demi Pearson, 14, Brandon, eight, and sister Lacie, seven, died after a blaze broke out on Jackson Street in Walkden at 5am on Monday morning. Five people have since been arrested in connection with the fire, and police have launched a murder investigation.
The M.E.N. has learned that security had been stepped up at the mid-terrace property. Sources confirmed to the M.E.N. that the house had been target hardened to protect the family living there from attack. Measures included the fitting of an increased security device on the letterbox.
Police confirmed that the force had very recent physical contact with the family – understood to be within 24 hours of the devastating attack.
The Manchester Evening News understands that police had been called there to a reported incident at the house at around 2am, around three hours before the blaze took hold. As well as the possibility that a flammable liquid was poured through the home’s letterbox, there have also been reports that the perpetrator used scaffolding to launch the attack, although there has been no confirmation of this by Greater Manchester Police. Chief Supt Wayne Miller confirmed at a press conference held at Swinton police station that there had been earlier incidents at the address, but refused to elaborate further or confirm the nature of the call.
As a result of the prior police contact GMP has voluntarily referred itself to the Independent Police Complaints Commission (IPCC) in line with procedure.
The police chief said: “There have been earlier incidents at the address and consequently a referral to the IPCC has been made.” Asked whether the tragedy is being linked to organised crime, Chief Supt Miller said the force was keeping an open mind and did not comment further. He added: “This is a fast moving live investigation and we have a major investigation team with scores of dedicated detectives working tirelessly.”
The devastated older brother of the three young children who were killed has spoken of the moment he tried desperately to save them. Speaking about the horrific incident, Kyle Pearson told the M.E.N.: “I fell asleep and the next thing I knew was I could hear my mum screaming, ‘Fire!’. There was lots of smoke so I climbed out of an upstairs window.
“I’ve gone to get back in but a cloud of smoke hit me in the face.”
“I can’t get my head around it. It’s disgraceful.
“I tried to break the front door down and smashed a window, but I couldn’t get in because of the flames and the smoke.”
Timeline of events
Monday, December 11
Police were originally called to the house following an incident, around three hours before the fire service were alerted to the blaze.
Firefighters raced to the family’s mid-terrace home on Jackson Street in Walkden, Salford, after reports of a large fire.
Early reports from the fire service said that six people were taken to hospital. The street was closed off and transport bosses warned people to avoid the area.
Investigations into the blaze continued. Firefighters remained at the scene to monitor the house for any remaining hotspots.
Neighbours told the M.E.N. of their shock at what had happened. One local resident said she heard screaming and banging during the night, initially thinking it was an argument. She described the street as being quite loud.
Police confirmed three children died in the fire and a three-year-old girl remained in hospital in a critical condition. They also said the fire was being treated as suspicious. Officers revealed a girl, 14, a boy, eight, and a girl, seven, all passed away after the blaze broke out. The 35-year-old mother of all the children was in a serious condition in hospital, they said.
During a press conference at Swinton police station, detectives confirmed they had launched a murder investigation and urged a suspect to give himself up. At the briefing, Chief Superintendent Wayne Miller told reporters that seven people were in the house at the time of the fire.
He added there was an active manhunt for a suspect.
The first victim of the fire was named as 14-year-old Demi Pearson, a pupil at Educating Greater Manchester school Harrop Fold.
GMP said they had arrested a man, 23, and a woman, 20, in connection with the fire. Both were held on suspicion of murder and taken into custody for questioning.
Two more victims of the fire were named – Demi’s younger brother Brandon, eight, and his sister Lacie, seven. Their older brother Kyle Pearson, who escaped the burning property, paid tribute to his siblings.
Police confirmed three further arrests. Two young men, aged 18 and 20, were held on suspicion of murder. A 24-year-old man was also detained on suspicion of assisting an offender, a GMP spokesman said.
Five people have now been arrested in connection with the fatal fire.
Anyone with any information should contact police on 0161 856 8797, alternatively call 101 or Crimestoppers on 0800 555 111.
Security researchers from the University of Birmingham last week went public about security shortcomings in mobile banking apps that leave millions of users at a heightened risk of hacking. The researchers developed a tool called “Spinner” to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security critical apps, they were able to identify a serious flaw in many banking apps including those offered by HSBC, NatWest and Co-op as well as Bank of America’s Health account app. The researchers found that although banks had been diligent in building security into their apps, one particular technology used – so-called certificate pinning – which normally improves security, meant that standard tests failed to detect a serious vulnerability that could let attackers take control of a victim’s online banking.
Dr Flavio Garcia, one of the researchers, explained: “Certificate Pinning is a good technique to improve the security of a connection, but in this case, it made it difficult for penetration testers to identify the more serious issue of having no proper hostname verification.” The security weak spot created a possible mechanism for an attacker – providing they are connected to the same network as the victim (eg, a Wi-Fi hotspot) – to perform a so-called “man in the middle attack” and retrieve the user’s credentials, such as username and password/PIN code. Other potential avenues for attack were also found, including the possibility for a wrong-un to do some in-app phishing in software offerings from Santander and Allied Irish bank. These attacks would have allowed the rogue to take over part of the screen while the app was running and use this to phish for the victim’s login credentials.
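The pinning-without-hostname-verification flaw described above, as an added example (not code from the researchers or any bank). Certificates are modelled as constructed Python objects, chain signature and expiry checks are assumed to have been done by the platform, and the pin is assumed to be on the issuing CA's key; all names are hypothetical. The tester chain shows why a test with an untrusted certificate is rejected by both validators, so the missing hostname check goes unnoticed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate, not a real parser."""
    san_dns: tuple   # subjectAltName dNSName entries (empty for a CA)
    spki: bytes      # placeholder SubjectPublicKeyInfo bytes

def spki_pin(cert):
    # A pin is the SHA-256 of the certificate's public key info.
    return hashlib.sha256(cert.spki).hexdigest()

def chain_has_pin(chain, pins):
    return any(spki_pin(c) in pins for c in chain)

def hostname_matches(pattern, host):
    # Wildcard allowed only as the entire left-most label, never "*.tld".
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def verify_pin_only(chain, host, pins):
    # Weak: the requested host is never compared with the leaf certificate.
    return chain_has_pin(chain, pins)

def verify_pin_and_hostname(chain, host, pins):
    # Hardened: the pin must match AND the leaf must be issued for this host.
    leaf = chain[0]
    return chain_has_pin(chain, pins) and any(
        hostname_matches(name, host) for name in leaf.san_dns)

# Constructed sample data (hypothetical names and key bytes).
PINNED_CA = Cert((), b"constructed-pinned-ca-key")
TESTER_CA = Cert((), b"constructed-tester-ca-key")
BANK_CHAIN = [Cert(("api.bank.example",), b"bank-leaf-key"), PINNED_CA]
OTHER_CHAIN = [Cert(("other-site.example",), b"other-leaf-key"), PINNED_CA]
TESTER_CHAIN = [Cert(("api.bank.example",), b"tester-leaf-key"), TESTER_CA]
PINS = {spki_pin(PINNED_CA)}
HOST = "api.bank.example"

if __name__ == "__main__":
    for label, chain in [("bank", BANK_CHAIN), ("other", OTHER_CHAIN), ("tester", TESTER_CHAIN)]:
        print(label, verify_pin_only(chain, HOST, PINS),
              verify_pin_and_hostname(chain, HOST, PINS))
```

A test suite for pinned apps therefore needs a case like `OTHER_CHAIN`: a certificate that chains to the pinned key but names a different host.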
All the fixings
The University of Birmingham researchers worked with the banks involved, and the UK government’s National Cyber Security Centre to fix all the vulnerabilities, and the current versions of all the apps affected by this pinning vulnerability are now secure. Banking customers using the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking, according to app security firm Arxan. Winston Bond, technical director EMEA at the firm, urged banks to review the research and push updates to their customers.
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers,” Bond said.
One of the issues highlighted by this research is that users of older Apple devices, which are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
For banks and other organisations to protect themselves from outdated apps, every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices, he added. More robust cryptographic technology deployments by banks would also guard against attacks even in cases where users are connecting into services from ageing or not fully patched devices.
“Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to,” Bond explained. All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.
“There are several ways to implement certificate pinning, with some trade-offs between flexibility and security,” he added.
It’s also worth noting that the University of Birmingham team managed to carry out these attacks while following the app store licence agreement rules which prohibit reverse-engineering or modification of apps. Real attackers won’t play so nicely. Mark James, a security specialist at anti-malware firm ESET, added: “Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular mobile connection if possible, or if not, then through a VPN to minimise the chances of your connection being hijacked.”
Some initial results were given in the paper A Security Analysis of TLS in Leading UK Banking Apps presented at the Conference on Financial Cryptography and Data Security in January.
The full results were given in the paper Spinner: Semi-Automatic Detection of Pinning without Hostname Verification which was presented last week at the 33rd Annual Computer Security Applications Conference in Orlando, Florida in the US.