Passwords: Reuse Pumps Up Crime
April 8, 2025
Cloudflare reports that password reuse is one of the biggest mistakes users make when it comes to protecting their personal information online. Cloudflare monitored traffic through its services between September and November 2024 and found that 41% of successful logins to Cloudflare-protected Web sites used compromised passwords. Cloudflare discussed the problem in the blog post: “Password Reuse Is Rampant: Nearly Half Of Observed User Logins Are Compromised.”
As part of its services, Cloudflare checks whether a submitted password has appeared in a known data breach and then warns users of the potential threat. Cloudflare analyzed traffic from Internet properties on the company’s free plan, which includes the leaked credentials detection feature.
When Cloudflare conducted this research, the biggest challenge was distinguishing between real humans and bad actors. They focused on successful login attempts, because success indicates a real human was involved rather than a bot guessing. The data revealed that 41% of human authentication attempts involved leaked credentials. Despite years of PSAs warning against reusing old passwords, users haven’t changed their ways.
Bot attacks are also on the rise. These bots are loaded with stolen usernames and passwords and test them against targeted Web sites, a technique known as credential stuffing.
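Here is how a site can check a submitted password against a breach corpus without ever sending the password, or even its full hash, off the box. This is an added example, not Cloudflare’s code and not from the original post. It uses the five-character SHA-1 prefix scheme of the Pwned Passwords k-anonymity API; the breach corpus, the leak counts and the user store are constructed for the demonstration, and the check is run only after a successful login, matching the population the 41% figure describes.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict

# Constructed breach corpus for the demonstration (not Cloudflare's data):
# plaintext password -> number of times it was seen in leaks (made-up counts).
LEAKED_PASSWORDS = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "qwerty": 10_713_794,
    "letmein": 1_119_000,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: index the corpus by the first five hex characters of the SHA-1,
# the prefix length used by the Pwned Passwords k-anonymity API.
_RANGE_INDEX: dict[str, dict[str, int]] = defaultdict(dict)
for _pw, _count in LEAKED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    _RANGE_INDEX[_digest[:5]][_digest[5:]] = _count


def range_lookup(prefix: str) -> str:
    """Simulated breach service: return 'SUFFIX:COUNT' lines for every stored
    hash that shares the 5-char prefix. The service never sees the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(
        f"{suffix}:{count}" for suffix, count in sorted(_RANGE_INDEX[prefix].items())
    )


def leaked_count(password: str) -> int:
    """Client side: send only the prefix, compare the suffix locally.
    Returns how many times the password appeared in leaks, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, count = line.split(":", 1)
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


# Constructed user store: username -> SHA-256 of the password. A real system
# would use a slow, salted KDF (argon2id, scrypt, bcrypt); SHA-256 keeps the
# example dependency-free.
def _store_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


USERS = {"alice": _store_hash("password"), "bob": _store_hash("Tr0ub4dor&3-x9Q")}


def login(username: str, password: str, store: dict[str, str] = USERS) -> dict:
    """Verify the credential first; only a successful login is checked for
    breach exposure, so the warning goes to a real user, not to a guessing bot."""
    expected = store.get(username)
    authenticated = expected is not None and hmac.compare_digest(expected, _store_hash(password))
    seen = leaked_count(password) if authenticated else 0
    return {"authenticated": authenticated, "warn_leaked": seen > 0, "seen_in_leaks": seen}


if __name__ == "__main__":
    print(login("alice", "password"))   # authenticated, but the password is in the corpus
    print(login("bob", "Tr0ub4dor&3-x9Q"))  # authenticated, not seen in leaks
```

The point of the prefix split is that the breach service learns only that the user’s hash is one of the hashes starting with those five characters; the matching happens on the site’s side. On a real deployment the `range_lookup` call becomes an HTTPS request, and the response should be cached per prefix so a failing lookup cannot block logins.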
Here’s what Cloudflare found:
“Data from the Cloudflare network exposes this trend, showing that bot-driven attacks remain alarmingly high over time. Popular platforms like WordPress, Joomla, and Drupal are frequent targets, due to their widespread use and exploitable vulnerabilities, as we will explore in the upcoming section.
Once bots successfully breach one account, attackers reuse the same credentials across other services to amplify their reach. They even sometimes try to evade detection by using sophisticated evasion tactics, such as spreading login attempts across different source IP addresses or mimicking human behavior, attempting to blend into legitimate traffic. The result is a constant, automated threat vector that challenges traditional security measures and exploits the weakest link: password reuse.”
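The evasion the quote describes, spreading attempts across many source IP addresses, is exactly what defeats a per-IP threshold. The detector below is an added example, not Cloudflare’s code and not from the original post, run over constructed auth-log lines: it flags the classic single-source pattern (one IP, many accounts, mostly failures) and separately flags a window in which many IPs each make one failed attempt against distinct accounts, which the per-IP rule misses. The thresholds are assumptions to be tuned against real traffic.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth-log lines for the demonstration (not Cloudflare data).
# 10:00 is normal traffic; 10:02 is one IP spraying six accounts;
# 10:05 is the same attack spread across eight IPs, one attempt each.
SAMPLE_LOG = """\
2025-03-12T10:00:05Z src=203.0.113.7 user=alice result=success
2025-03-12T10:00:09Z src=203.0.113.8 user=bob result=fail
2025-03-12T10:00:14Z src=203.0.113.8 user=bob result=success
2025-03-12T10:00:30Z src=203.0.113.9 user=carol result=success
2025-03-12T10:02:01Z src=198.51.100.9 user=alice result=fail
2025-03-12T10:02:02Z src=198.51.100.9 user=bob result=fail
2025-03-12T10:02:02Z src=198.51.100.9 user=carol result=fail
2025-03-12T10:02:03Z src=198.51.100.9 user=dave result=fail
2025-03-12T10:02:04Z src=198.51.100.9 user=erin result=success
2025-03-12T10:02:05Z src=198.51.100.9 user=frank result=fail
2025-03-12T10:05:00Z src=192.0.2.10 user=gina result=fail
2025-03-12T10:05:03Z src=192.0.2.11 user=hank result=fail
2025-03-12T10:05:07Z src=192.0.2.12 user=ivy result=fail
2025-03-12T10:05:12Z src=192.0.2.13 user=jack result=success
2025-03-12T10:05:15Z src=192.0.2.14 user=kim result=fail
2025-03-12T10:05:21Z src=192.0.2.15 user=lee result=fail
2025-03-12T10:05:28Z src=192.0.2.16 user=mona result=fail
2025-03-12T10:05:33Z src=192.0.2.17 user=ned result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_events(text: str) -> list[dict]:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success"})
    return events


def _bucket(ts: datetime, window: int) -> int:
    epoch = int(ts.timestamp())
    return epoch - epoch % window


def single_source_stuffing(events, window=60, min_users=5, min_fail_rate=0.8) -> set[str]:
    """Classic pattern: one IP, many distinct accounts, mostly failures."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = stats[(e["ip"], _bucket(e["ts"], window))]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
    return {
        ip for (ip, _), s in stats.items()
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_rate
    }


def distributed_stuffing(events, window=60, min_attempts=8, min_fail_rate=0.8,
                         min_spread=0.75) -> list[datetime]:
    """Evasive pattern: per-IP counts stay at one, so aggregate the whole window.
    A window is flagged when it is large, mostly failing, and both the source IPs
    and the target accounts are nearly all distinct (each IP touches one account)."""
    stats = defaultdict(lambda: {"ips": set(), "users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = stats[_bucket(e["ts"], window)]
        s["ips"].add(e["ip"])
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["fails"] += 0 if e["ok"] else 1
    flagged = []
    for start, s in sorted(stats.items()):
        n = s["attempts"]
        if (n >= min_attempts and s["fails"] / n >= min_fail_rate
                and len(s["ips"]) / n >= min_spread and len(s["users"]) / n >= min_spread):
            flagged.append(datetime.fromtimestamp(start, tz=timezone.utc))
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("single-source:", single_source_stuffing(ev))
    print("distributed windows:", [d.isoformat() for d in distributed_stuffing(ev)])
```

Note that the 10:05 window contains one successful login. That is the account the operator will reuse elsewhere, so the window-level alert, not just the individual failures, is what should trigger a forced password reset and a leaked-credential check on that account.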
Cloudflare advises people to have multi-factor authentication on accounts, explore using passkeys, and for God’s sake please change your password. I have heard that Telegram’s technology enables some capable bots. Does Telegram rely on Cloudflare for some services? Huh.
Whitney Grace, April 8, 2025
Telegram Lecture at TechnoSecurity & Digital Forensics on June 4, 2025
April 3, 2025
No AI. Just a dinobaby sharing an observation about younger managers and their innocence.
The organizers of the June 2025 TechnoSecurity & Digital Forensics Conference posted a 60 second overview of our Telegram Overview lecture on LinkedIn. You can view the conference’s 60 second video at https://lnkd.in/eTSvpYFb. Erik and I have been doing presentations on specific Telegram subjects for law enforcement groups. Two weeks ago, we provided to the Massachusetts Association of Crime Analysts a 60-minute run down about the technical architecture of Telegram and identified three US companies providing services to Telegram. To discuss a presentation for your unit, please, message me via LinkedIn. (Plus, my son and I are working to complete our 100 page PDF notes of our examination of Telegram’s more interesting features. These range from bots which automate cross blockchain crypto movement to the automatic throttling function in the Telegram TON Virtual Machine to prevent transaction bottlenecks in complex crypto wallet obfuscations.) See you there. — Thank you, Stephen E Arnold, April 3, 2025, 2:23 pm US Eastern
No Joke: Real Secrecy and Paranoia Are Needed Again
April 1, 2025
No AI. Just a dinobaby sharing an observation about younger managers and their innocence.
In the US and the UK, secrecy and paranoia are chic again. The BBC reported “GCHQ Worker Admits Taking Top Secret Data Home.” Ah, a Booz Allen / Snowden type story? The BBC reports:
The court heard that Arshad took his work mobile into a top secret GCHQ area and connected it to a workstation. He then transferred sensitive data from a secure, top secret computer to the phone before taking it home, it was claimed. Arshad then transferred the data from the phone to a hard drive connected to his personal home computer.
Mr. Snowden used a USB drive. The question is, “What are the bosses doing? Who is watching the logs? Who is checking the video feeds? Who is hiring individuals with some inner need to steal classified information?”
But outside phones in a top secret meeting? That sounds like a great idea. I attended a meeting held by a local government agency, and phones and weapons were put in little steel boxes. This outfit was no GCHQ, but the security fellow (a former Marine) knew what he was doing for that local government agency.
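On the question of who is watching the logs: the following is an added example, not from the BBC report or the original post, of the kind of host-level audit that notices a phone or a storage stick being attached to a workstation. The Linux kernel log lines are constructed for the demonstration (hostname, timestamps and vendor/product IDs are sample values), and the allowlist of approved peripherals is an assumption. Phones normally attach as MTP or PTP rather than as USB mass storage, so the allowlist rule, not the storage rule, is what catches them.

```python
from __future__ import annotations

import re

# Constructed kernel log lines for the demonstration (not from the GCHQ case).
SAMPLE_SYSLOG = """\
Mar 14 09:10:44 ws-ts-04 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Mar 14 09:10:44 ws-ts-04 kernel: usb 1-2: Product: USB Keyboard
Mar 14 09:10:44 ws-ts-04 kernel: usb 1-2: Manufacturer: Logitech
Mar 14 09:12:01 ws-ts-04 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
Mar 14 09:12:01 ws-ts-04 kernel: usb 1-3: New USB device found, idVendor=18d1, idProduct=4ee1, bcdDevice= 2.32
Mar 14 09:12:01 ws-ts-04 kernel: usb 1-3: Product: Pixel 7
Mar 14 09:12:01 ws-ts-04 kernel: usb 1-3: Manufacturer: Google
Mar 14 09:15:22 ws-ts-04 kernel: usb 1-4: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Mar 14 09:15:22 ws-ts-04 kernel: usb 1-4: Product: Cruzer Blade
Mar 14 09:15:23 ws-ts-04 kernel: usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# Assumed allowlist of approved peripherals (vendor:product). On a high-side
# workstation anything else is a finding; anything that also registers as mass
# storage is an exfiltration path and gets the louder verdict.
ALLOWLIST = {"046d:c31c"}

TS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
NEW_DEV_RE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def audit_usb(log: str, allowlist: set[str] = ALLOWLIST) -> list[dict]:
    """Correlate the kernel's per-port attach messages into one record per device
    and give each a verdict: allow, alert:unapproved-device, alert:mass-storage."""
    devices: dict[str, dict] = {}
    for line in log.splitlines():
        head = TS_RE.match(line)
        if m := NEW_DEV_RE.search(line):
            devices[m["port"]] = {
                "ts": head["ts"] if head else "",
                "host": head["host"] if head else "",
                "port": m["port"],
                "id": f"{m['vid']}:{m['pid']}",
                "product": "",
                "storage": False,
            }
        elif m := PRODUCT_RE.search(line):
            if m["port"] in devices:
                devices[m["port"]]["product"] = m["name"].strip()
        elif m := STORAGE_RE.search(line):
            if m["port"] in devices:
                devices[m["port"]]["storage"] = True
    findings = []
    for d in devices.values():
        if d["id"] in allowlist:
            verdict = "allow"
        elif d["storage"]:
            verdict = "alert:mass-storage"
        else:
            verdict = "alert:unapproved-device"
        findings.append({**d, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_usb(SAMPLE_SYSLOG):
        print(f"{f['ts']} {f['host']} port={f['port']} {f['id']} "
              f"{f['product']!r} -> {f['verdict']}")
```

Auditing after the fact is the weaker half of the control; the same allowlist belongs in an enforcement layer (USBGuard on Linux, device installation restrictions on Windows) so the device never enumerates at all. The audit still matters because it is what tells the bosses that the enforcement was bypassed or never deployed.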
A related story addresses paranoia, a mental characteristic which is getting more and more popular among some big dogs.
CNBC reported an interesting approach to staff trust. “Anthropic Announces Updates on Security Safeguards for Its AI Models” reports:
In an earlier version of its responsible scaling policy, Anthropic said it would begin sweeping physical offices for hidden devices as part of a ramped-up security effort.
The most recent update to the firm’s security safeguards adds:
updates to the “responsible scaling” policy for its AI, including defining which of its model safety levels are powerful enough to need additional security safeguards.
The actual explanation is a masterpiece of clarity. Here’s a snippet of what Anthropic actually said in its “Anthropic’s Responsible Scaling Policy” announcement:
The current iteration of our RSP (version 2.1) reflects minor updates clarifying which Capability Thresholds would require enhanced safeguards beyond our current ASL-3 standards.
The Anthropic methods, it seems to me, include “sweeps” and “compartmentalization.”
Thus, we have two examples of outstanding management:
First, the BBC report implies that personal computing devices can plug in and receive classified information.
And:
Second, CNBC explains that sweeps are not enough. Compartmentalization of systems and methods puts into “cells” who can do what and how.
Andy Grove’s observation popped into my mind. He allegedly rattled off this statement:
Success breeds complacency. Complacency breeds failure. Only the paranoid survive.
Net net: In cyber security it is easier to “trust” and “assume.” Real fixes edge into fear and paranoia.
Stephen E Arnold, April 9, 2025
FOGINT: Targets Draw Attention. Signal Is a Target
April 1, 2025
Dinobaby says, “No smart software involved. That’s for ‘real’ journalists and pundits.”
We have been plugging away on the “Telegram Overview: Notes for Analysts and Investigators.” We have not exactly ignored Signal or the dozens of other super secret, encrypted beyond belief messaging applications. We did compile a table of those we came across, and Signal was on that list.
I read “NSA Warned of Vulnerabilities in Signal App a Month Before Houthi Strike Chat.” I am not interested in the political facets of this incident. The important point for me is this statement:
The National Security Agency sent out an operational security special bulletin to its employees in February 2025 warning them of vulnerabilities in using the encrypted messaging application Signal.
One of the big time cyber security companies spoke with me, and I mentioned that Signal might not be the cat’s pajamas. To the credit of that company and the former police chief with whom I spoke, the firm shifted to an end to end encrypted messaging app we had identified as slightly less wonky. Good for that company, and a pat on the back for the police chief who listened to me.
In my experience, operational bulletins are worth reading. When the bulletin is “special,” re-reading the message is generally helpful.
Signal, of course, defends itself vigorously. The coach who loses a basketball game says, “Our players put out a great effort. It just wasn’t enough.”
Presenting oneself as a super secret messaging app immediately makes that app a target. I know first hand that some whiz kid entrepreneurs believe that their E2EE solution is the best one ever. In fact, a year ago, such an entrepreneur told me, “We have developed a method that only a government agency can compromise.”
Yeah, that’s the point of the NSA bulletin.
Let me ask you a question: “How many computer science students in countries outside the United States are looking at E2EE messaging apps and trying to figure out how to compromise the data?” Years ago, I gave some lectures in Tallinn, Estonia. I visited a university computer science class. I asked the students about the projects each had selected. Several of them told me that they were trying to compromise messaging systems. A favorite target was Telegram, but Signal came up.
I know the wizards who cook up E2EE messaging apps and use the latest and greatest methods for delivering security with bells on are fooling themselves. Here are the reasons:
- Systems relying on open source methods are well documented. Exploits exist and we have noticed some CaaS offers to compromise these messages. Now the methods may be illegal in many countries, but they exist. (I won’t provide a checklist in a free blog post. Sorry.)
- Techniques to prevent compromise of secure messaging systems involve some patented systems and methods. Yes, the patents are publicly available, but the methods are simply not possible unless one has considerable resources for software, hardware, and deployment.
- A number of organizations turn E2EE messaging systems into happy eunuchs taking care of the sultan’s harem. I have poked fun at the blunders of the NSO Group and its Pegasus approach, and I have pointed out that the goodies of the Hacking Team escaped into the wild a long time ago. The point is that once the procedures for performing certain types of compromise are no longer secret, other humans can and will create a facsimile and use those emulations to suck down private messages, the metadata, and probably the pictures on the device too. Toss in some AI jazziness, and the speed of the process goes faster than my old 1962 Studebaker Lark.
Let me wrap up by reiterating that I am not addressing the incident involving Signal. I want to point out that I am not into “information wants to be free.” Certain information is best managed when it is secret. Outfits like Signal and the dozens of other E2EE messaging apps are targets. Targets get hit. Why put neon lights on oneself and try to hide the fact that those young computer science students or their future employers will find a way to compromise the information?
Technical stealth, network fiddling, human bumbling: compromises will continue to occur. There were good reasons to enforce security. That’s why stringent procedures and hardened systems were developed. Today it’s marketing, and the possibility that non open source, non American methods may no longer be what the 23 year old art history major who has a job in marketing says the systems actually deliver.
Stephen E Arnold, April 1, 2025
FOGINT: Dubai Makes a Crypto Move
March 26, 2025
Cryptocurrencies are lining up to replace fiat currencies. The Dubai Financial Services Authority (DFSA) recently recognized two cryptocurrencies, says Gadgets 360: “USDC, EURC Stablecoins Secure ‘Token Recognition’ In Dubai.” The two new tokens recognized in Dubai are the stablecoins USDC and EURC from Circle.
The DFSA approved the use of these stablecoins within the Dubai International Financial Centre’s (DIFC) economic activities. EURC and USDC are the first crypto stablecoins to receive official recognition from the DFSA. Stablecoins are cryptocurrencies designed to hold a steady value, backed by reserves of traditional assets such as hard currencies or gold.
The DFSA issued a crypto token framework in 2022 so businesses working with cryptocurrencies would have safe guidelines. Only DFSA-recognized cryptocurrencies are allowed to be used within the DIFC. This is to ensure companies are protected from scams.
This is an important move for stablecoins:
Dante Disparte, Chief Strategy Officer and Head of Global Policy and Operations at Circle called the development a ‘milestone’ moment for the stablecoin sector. ‘This milestone aligns with our mission to make digital dollars and euros more accessible, interoperable, and useful for businesses, developers, and financial institutions worldwide,’ Dante said. ‘As the first stablecoins to receive this designation, USDC and EURC continue to set the global standard for transparency, compliance, and utility.’”
Circle is the second largest provider of stablecoins in the world after Tether. The company reported that USDC has processed more than $18 trillion in transactions since launching in 2018. Dubai, Telegram, and crypto: Interesting ingredients.
Whitney Grace, March 18, 2025
Bankman-Fried and Cooled
March 20, 2025
We are not surprised a certain tech bro still has not learned to play by the rules, even in prison. Mediaite reports, "Unauthorized Tucker Carlson Interview Lands Sam Bankman-Fried in Solitary Confinement." Reporter Kipp Jones tells us:
"FTX founder Sam Bankman-Fried was reportedly placed in solitary confinement on Thursday following a video interview with Tucker Carlson that was not approved by corrections officials. The 33-year-old crypto billionaire-turned-inmate spoke to Carlson about a wide range of topics for an interview posted on X. Bankman-Fried and the former Fox News host discussed everything from prescription drug abuse to political contributions. According to The New York Times, prison officials became aware of the interview and put the crypto fraudster in the hole."
What riveting insights were worth that risk? Apparently he has made friends with Diddy, and he passes the time playing chess. That’s nice. He also holds no animosity toward prison staff, he said, though of course "no one wants to be in prison." Perhaps during his stint in solitary, Bankman-Fried will reflect on how he can stay out when he is released in 11 – 24 years.
Cynthia Murrell, March 20, 2025
AI Hiring Spoofs: A How To
March 12, 2025
Be aware. A dinobaby wrote this essay. No smart software involved.
The late Robert Steele, one of the first government professionals to hop on the open source information bandwagon, and I worked together for many years. In one of our conversations in the 1980s, Robert explained how he used a fake persona to recruit people to assist him in his work on a US government project. He explained that job interviews were an outstanding source of information about a company or an organization.
“AI Fakers Exposed in Tech Dev Recruitment: Postmortem” is a modern spin on Robert’s approach. Instead of newspaper ads and telephone calls, today’s approach uses AI and video conferencing. The article presents a recipe for a technique that was not widely discussed in the 1980s. Robert learned his approach from colleagues in the US government.
The write up explains that a company wants to hire a professional. Everything hums along and then:
…you discover that two imposters hiding behind deepfake avatars almost succeeded in tricking your startup into hiring them. This may sound like the stuff of fiction, but it really did happen to a startup called Vidoc Security, recently. Fortunately, they caught the AI impostors – and the second time it happened they got video evidence.
The cited article explains how to set up and operate this type of deep fake play. I am not going to present the “how to” in this blog post. If you want the details, head to the original. The penetration tactic requires Microsoft LinkedIn, which gives that platform another use case for certain individuals gathering intelligence.
Several observations:
- Keep in mind that the method works for fake employers looking for “real” employees in order to obtain information from job candidates. (Some candidates are blissfully unaware that the job is a front for obtaining data about an alleged former employer.)
- The best way to avoid AI centric scams is to do the work the old-fashioned way. Smart software opens up a wealth of opportunities to obtain allegedly actionable information. Unfortunately the old fashioned way is slow, expensive, and prone to social engineering tactics.
- As AI and bad actors take advantage of the increased capabilities of smart software, humans do not adapt quickly when those humans are not actively involved with AI capabilities. Personnel related matters are a pain point for many organizations.
To sum up, AI is a tool. It can be used in interesting ways. Is the contractor you hired on Fiverr or via some online service a real person? Is the job a real job or a way to obtain information via an AI that is a wonderful conversationalist? One final point: The target referenced in the write up was a cyber security outfit. Did the early alert, proactive, AI infused system prevent penetration?
Nope.
Stephen E Arnold, March 12, 2025
Dear New York Times, Your Online System Does Not Work
March 3, 2025
The work of a real, live dinobaby. Sorry, no smart software involved. Whuff, whuff. That’s the sound of my swishing dino tail. Whuff.
I gave up on the print edition to the New York Times because the delivery was terrible. I did not buy the online version because I could get individual articles via the local library. I received a somewhat desperate email last week. The message was, “Subscribe for $4 per month for two years.” I thought, “Yeah, okay. How bad could it be?”
Let me tell you it was bad, very bad.
I signed up, spit out my credit card and received this in my email:
The subscription was confirmed on February 26, 2025. I tried to log in on the 27th. The system said, “Click here to receive an access code.” I did. In fact I did the click for the code three times. No code on the 27th.
Today is the 28th. I tried again. I entered my email and saw the click here for the access code. No code. I clicked four times. No code sent.
Dispirited, I called the customer service number. I spoke to two people. Both professionals told me they were sending the codes to my email. No codes arrived.
Guess what? I gave up and cancelled my subscription. I learned that I had to pay $4 for the privilege of being told my email was not working.
That was baloney. How do I know? Look at this screenshot:
The estimable newspaper was able to send me a notice that I cancelled.
How screwed up is the New York Times’ customer service? Answer: A lot. Two different support professionals told me I was not logged into my email. Therefore, I was not receiving the codes.
How screwed up are the computer systems at the New York Times? Answer: A lot, no, a whole lot.
I don’t think anyone at the New York Times knows about this issue. I don’t think anyone cares. I wonder how many people like me tried to buy a subscription and found that cancellation was the only viable option to escape automated billing for a service the buyer could not access.
Is this intentional cyber fraud? Probably not. I think it is indicative of poor management, cost cutting, and information technology that is just good enough. By the way, how can you send to my email a confirmation and a cancellation and NOT send me the access code? Answer: Ineptitude in action.
Well, hasta la vista.
Stephen E Arnold, March 3, 2025
Thailand Creeps into Action with Some Swiss Effort
February 24, 2025
Hackers are skilled bad actors who use their abilities for their own gain. The cyber criminals recently caught in a raid conducted by three countries were definitely big-time scammers. Khaosod English reports on the takedown: “Thai-Swiss-US Operation Nets Hackers Behind 1,000+ Cyber Attacks.”
Four European hackers were arrested on the Thai island Phuket. They were charged with using ransomware to steal $16 million from over 1000 victims. The hackers were wanted by Swiss and US authorities.
Thai, Swiss, and US law enforcement officials teamed up in Operation Phobos Aetor to arrest the bad actors. They were arrested on February 10, 2025 in Phuket. The details are as follows:
“The suspects, two men and two women, were apprehended at Mono Soi Palai, Supalai Palm Spring, Supalai Vista Phuket, and Phyll Phuket x Phuketique Phyll. Police seized over 40 pieces of evidence, including mobile phones, laptops, and digital wallets. The suspects face charges of Conspiracy to Commit an Offense Against the United States and Conspiracy to Commit Wire Fraud.
The arrests stemmed from an urgent international cooperation request from Swiss authorities and the United States, involving Interpol warrants for the European suspects who had entered Thailand as part of a transnational criminal organization.”
The ransomware attacks broke into private networks, stole personal data, and encrypted files. The hackers demanded cryptocurrency payments for decryption keys and threatened to publish the stolen data if the ransoms weren’t paid, the double extortion pattern that is now standard in ransomware operations.
Let’s give a round of applause to putting these crooks behind bars! On to Myanmar and Lao PDR!
Whitney Grace, February 24, 2025
TikTok Alleged to Be Spying on … Journalists
February 19, 2025
It is an open secret that TikTok is spying on the West and collecting piles of information on (maybe) unsuspecting victims. Forbes, however, allegedly has evidence of TikTok spying on its reporters: “TikTok Spied On Forbes Journalists.”
ByteDance, TikTok’s parent company, conducted an internal investigation and discovered that their employees tracked journalists who were reporting on the company. The audit also revealed that they used the journalists’ user data to track if they had been in close proximity with ByteDance employees.
“According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.”
ByteDance didn’t deny the surveillance, but said that TikTok couldn’t monitor people like the article suggested. The parent company also said it didn’t target journalists, public figures, US government members, or political activists. It’s funny that TikTok is trying to convince the Trump administration that it’s a benign force, but this story proves the opposite.
All of this is alleged of course. But it is an interesting story because journalists don’t do news. Journalists are pundits, consultants, and podcasters.
Stephen E Arnold, February 19, 2025