LAPD investigators are searching social media records as part of an effort to identify the sender of the threatening email that triggered a one-day shutdown of Los Angeles schools, police said Wednesday.
Tracing the origin of an email is not always automatic and can be time consuming, particularly if the sender has made use of readily available mechanisms to obscure its transmission path, according to a respected authority on digital security.
"It's actually very difficult," said Prof. Clifford Neuman, PhD, Director of the USC Center for Computer Systems Security, Information Sciences Institute.
Sent Monday night to members of the Los Angeles Unified School District Board of Education, the threatening email asserted that bombs had been hidden on multiple campuses, and that armed jihadi fighters would storm schools. Authorities believe a similar email to school officials in New York City came from the same sender, and determined both were "not credible" -- but in LA's case, not until after all classes were cancelled Tuesday.
LAPD's Counter Terrorism Special Operations Bureau is conducting the investigation. From the email, it has the sender's email name and what is called an internet protocol, or IP, address for the last computer server through which it passed, but not the computer from which it originated. In between, if a sender wants to disguise the origin, the message can be sent through a chain of servers.
From the IP address, LAPD knows the email was last routed through a server in Germany, but doubts it originated there, LAPD Chief Charlie Beck said Tuesday.
Tracing back the chain of IP addresses can take months, but other techniques can be used, Neuman said.
When a sender has done online research, as likely was done to get the email addresses of school board members, investigators can probe the records of search engines and servers for LAUSD and other sites the sender may have visited.
The sender may also have left clues by making similar statements on social media sites. Investigators would be expected to query sites for "repeated key phrases otherwise unique to the threat," Neuman said.
The sender had threatened to unleash nerve gas devices and trigger explosives by cellphone even if authorities cancelled school, but no weapons were ever detected during the school district's walk-through of some 1500 campus locations.
The email's author was self-identified as a senior high school student who had been bullied, and a "devout Muslim," but the contents do not support those assertions, said Rep. Brad Sherman, D-Sherman Oaks, former chairman of the House subcommittee on terrorism.
The email never mentioned the Koran, the holy book of Islam, and at one point failed to capitalize the first "A" of Allah, Sherman noted. The email address included a crude anatomical reference.
"There's reason to think the sender was trying to drive a wedge between the Islamic community and the rest of the United States," Sherman said from Washington, DC.
Though none of the threats was carried out, it's premature to discount the possibility the sender may have weapons to carry out an attack sometime in the future, Sherman said.
Sherman is proposing the Department of Homeland Security set up a special unit to provide expertise to local entities such as school districts confronted with threats that need rapid analysis.
Regardless of the sender's identity or motives, the differing responses of Los Angeles and New York were undoubtedly studied by terrorist movements, Sherman believes. He said it became apparent that Los Angeles has the capability to make quick decisions, redirect hundreds of thousands of people, and search hundreds of locations, all within a handful of hours.
"That's impressive," said Sherman. "But they also learned that America is jittery."
Sherman said it must be remembered that the goal of terrorists is to create fear. "And they've learned they can do that with an email."