Dark Web: Clever and Cute Security Innovations
December 11, 2024
This write up was created by an actual 80-year-old dinobaby. If there is art, assume that smart software was involved. Just a tip.
I am not sure how the essay / technical analysis “The Fascinating Security Model of Dark Web Marketplaces” will diffuse within the cyber security community. I want to highlight what strikes me as a useful analysis and provide a brief, high-level summary of the points which my team and I found interesting. We have not focused on the Dark Web since we published Dark Web Notebook, a complement to my law enforcement training sessions about the Dark Web in the period from 2013 to 2016.
This write up does a good job of explaining the use of open source privacy tools like Pretty Good Privacy and its two-factor authentication. The write up walks through a “no JavaScript” approach to functions on the Dark Web site. The references to dynamic domain name operations are helpful as well.
The first observation I would offer is that, in the case of the Dark Web site analyzed in the cited article, the security mechanisms in use have matured and, in the opinion of my research team, advanced to thwart some of the techniques used to track and take down the type of sites hosted by Cyberbunker in Germany. This is — alas — inevitable, and it makes the job of investigators more difficult.
The second observation is that this particular site makes use of distributed services. Certain hosting providers now offer self-managed virtual servers and profess an inability to know what is happening on the physical machines. These providers “comply” and then say, “If you try to access the virtual machines, they can fail. Since we don’t manage them, you guys will have to figure out how to get them back up.” Cute and effective.
The third observation is that the hoops through which a potential drug customer has to jump are likely to make a person with an addled brain get clean and then come back and try again. On the other hand, the Captcha might baffle a sober user or investigator as well. Cute and annoying.
The essay is useful and worth reading because it underscores the value of fluid online infrastructures for bad actors.
Stephen E Arnold, December 11, 2024
FOGINT: Pavel Durov: A Waffling Borzoi with a Shock Collar Now?
December 11, 2024
Information from the FOGINT research team. No smart software involved.
Cointelegraph, one of the “future of money” news services covering crypto, ran an interesting story on Saturday, December 7, 2024: “Telegram Founder Pavel Durov Questioned in Paris Court for First Time: Report.” We know this is a blog post about a write up sharing information from another source. Keep this dicey chain in mind.
The core of the story is that Pavel Durov was under the control of French authorities in August 2024. Wikipedia reports that Mr. Durov may have met with Vladimir Putin before jetting to Paris and landing at Paris-Le Bourget Airport. In the last three months, information about Mr. Durov’s and his lawyer’s interaction with the French authorities has been limited. After 90 days of having his movements restricted, Mr. Durov has been rumored to have:
- Expressed a desire to cooperate with law enforcement when duly authorized requests about alleged bad actors are provided to “Telegram”, which is Mr. Durov for practical purposes. Pavel’s brother Nikolai seems preoccupied with technical issues related to the Telegram platform.
- Agreed, apparently, that Telegram will interact with organizations focused on preventing human trafficking and child sexual abuse material.
- Reversed course on his statements about responding to government pressure. One example was Telegram’s blocking of Ukrainian content from Ukrainian government agencies to Telegram users in Russia and possibly other countries in the Russian Federation.
Here’s what Cointelegraph reported:
Durov appeared in a Parisian court at 10 am CET on Dec. 6, alongside his lawyers David-Olivier Kaminski and Christophe Ingrain.
The lawyers have offices at 126 Boulevard St. Germain. Kaminski’s Web site says:
We specialize in criminal defense. The Kaminski law firm has built up recognized expertise in all areas of criminal defense. We can represent our clients at any stages of the judicial procedure, including police custody, preliminary investigation, judicial information, criminal court and before the assize court. The firm defends individuals as well as companies, legal entities, or institutions (Non-governmental organizations, associations, professional bodies). Kaminski’s catchphrase is, “The culture and practice of criminal defense is respect for fundamental freedoms.” https://www.kaminskiavocats.com/
Christophe Ingrain is part of the defense team. He was / is affiliated with Darrois Villey Maillot Brochier. He was named one of the 30 most influential lawyers in France, and he appeared on a list of the “best lawyers” in France. His office is on Avenue Victor Hugo.
According to Cointelegraph:
An anonymous source familiar with the matter told the Agence France-Presse (AFP) that the questioning focused on the allegations tied to Telegram’s potential use for illicit transactions. When asked about the legal proceedings, Durov reportedly told the AFP that he “trusts the French justice” system but refused to elaborate on the case.
His “refusal” to comment means that the 40-year-old with more than 100 children is listening to his French attorneys. He may also have been informed about France’s low profile prison system. La Santé was built in 1867 and entertains a number of high-risk criminals. For those who chat with French law enforcement officials, La Santé is often described as a place one goes but never leaves. This prison has a VIP section which is somewhat different from the VIP services available for online gamblers in pursuit of an e-junket. It is located in the 14th arrondissement. There are two other facilities in Paris as well. France also has some special purpose prisons located near military bases and allegedly a couple of in-ground facilities in North Africa. If “in-ground” does not resonate with you, you may not want to know the setup at these alleged incarceration facilities. As a point of reference, French prisons are overcrowded, but c’est dommage. As a rule of thumb, one may want to avoid getting ensnared in the French judiciary or prison system. Red tape is a specialty of French bureaucrats, and it can be a challenging situation for defendants and their lawyers.
Cointelegraph observes:
Industry insiders are worried that the case against Durov raises alarming concerns for privacy-preserving Web3 technologies.
The Web3 reference includes blockchain technology, distributed infrastructures like Telegram’s, distributed finance, and a number of other innovations. These can add to the investigative burden of law enforcement and tax authorities.
Durov has paid bail of $5 to $6 million. However, Cointelegraph points out:
If convicted, Durov could face up to 10 years in prison and a fine of €500,000 ($550,000).
Was Durov’s interaction with French authorities an accident or coincidence? No. France allegedly began a preliminary investigation in February 2024. In July 2024 that was promoted to a judicial inquiry. In August, he was apprehended.
Sean Brizendine, a blockchain researcher, told Beyond Search:
Mr. Durov definitely appears to be listening to his high-power legal team. He is obviously aware that everything is at stake.
Net net: FOGINT wonders if the prosecution of CSAM perpetrators will ramp up as Durov demonstrates his willingness to cooperate. What’s at risk for Telegram is that the significant push into crypto services could be derailed. Other “free speech” advocates will create alternative services, but that will be expensive and time consuming. The core of Telegram is not available as open source software. Most cyber professionals are not aware of the scope of the Telegram platform.
Stephen E Arnold, December 11, 2024
Hiding Messages: The You-Will-Not-Pay-Attention Tactic
December 9, 2024
This blog post flowed from the sluggish and infertile mind of a real live dinobaby. If there is art, smart software of some type was probably involved.
I worked on a project in Bogotá, Colombia. One of the individuals with whom I interacted talked about steganography. This is a method for placing “content” inside of images. At the time, probably a decade ago, law enforcement officials in Colombia had encountered certain bad actors passing messages using steganography within images of a day at the beach with kids, beach balls, and happy gringos.
“Square Zero: Hide Silly Messages in Decorative Borders” explains how an innocuous graphic element in an image or any content object can convey information about a drug deal, a weapons pick up point, or a money laundering contact location. The write up says:
So how successful was the card [containing the swizzled border]? Well, we sent out about 40 of them; almost no one realized there was a puzzle on the card. Once nudged, most folks realized it was the border, and quite a few guessed binary was involved. At this point I’d suggest decoding it. The most common reply? “I think I’ll go on living my life, but thanks.”
That’s the purpose of steganography: Making the message invisible or “secret.” Steganography, according to the online ad vendor Google, is “the practice of concealing information within another message or physical object to avoid detection.” The example described in the cited blog post works.
If you want to fiddle around with the technology, the cited article contains code and some technical explanation. I want to call your attention to what might be accomplished in an activity involving big money and real life-and-death circumstances. Consider this border which I downloaded from Free Clipart:
Let’s assume that a bad actor has encoded a message in this clip art.
To make the challenge more interesting, the bad actor has included additional information in an image embedded in the manipulated clip art frame:
How can this double up message embedding be accomplished? The answer is, “Use the sample code provided and some odds and ends from GitHub, and you are good to go.”
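As an added example, not code from this blog or from the cited Square Zero post: a small detector, written from the investigator’s side of the problem described above, that reads a two-variant decorative border as a bit string and flags borders that decode to readable text. It treats uniform or alternating ornament runs as plain decoration, since an alternating run would otherwise decode to a run of the byte 0x55 (“U”). The two glyphs standing in for the ornament variants, the MSB-first bit order, the “+” corner pieces and the sample message are all assumptions.

```python
import string

# Two glyphs stand in for the two near-identical ornament drawings of a border.
# Constructed stand-ins: on a real card the variants would be, say, a leaf
# curling left versus right.  Which variant means 0 is an assumption.
TILE_0 = "<"
TILE_1 = ">"

# Characters accepted as "readable": string.printable minus vertical tab / form feed.
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def tiles_to_bits(tiles, tile_0=TILE_0, tile_1=TILE_1):
    """Read the border left to right; each ornament variant becomes one bit.
    Corner pieces or other tiles that are neither variant are skipped."""
    return [0 if t == tile_0 else 1 for t in tiles if t in (tile_0, tile_1)]


def is_periodic(bits, max_period=8):
    """True when the bit string repeats with a short period (uniform or
    alternating ornaments, for instance).  Such borders are ordinary decoration;
    without this check an alternating run would decode to 'UUUU...'."""
    for period in range(1, min(max_period, len(bits) - 1) + 1):
        if all(bits[i] == bits[i + period] for i in range(len(bits) - period)):
            return True
    return False


def bits_to_text(bits, offset=0, invert=False):
    """Pack bits MSB-first into 8-bit characters, starting at bit `offset`.
    `invert` flips the 0/1 assignment in case the variants were labelled backwards."""
    if invert:
        bits = [1 - b for b in bits]
    bits = bits[offset:]
    chars = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        chars.append(chr(value))
    return "".join(chars)


def printable_ratio(text):
    """Fraction of decoded characters that are readable ASCII."""
    return sum(c in PRINTABLE for c in text) / len(text) if text else 0.0


def scan_border(tiles, threshold=0.95):
    """Flag a border whose ornament sequence decodes to readable text.

    Tries every bit alignment and both polarities and returns the best candidate
    as (score, offset, inverted, text), or None when the border is too short,
    is a short-period repeat, or no decoding clears `threshold`."""
    bits = tiles_to_bits(tiles)
    if len(bits) < 16 or is_periodic(bits):
        return None
    best = None
    for invert in (False, True):
        for offset in range(8):
            text = bits_to_text(bits, offset, invert)
            score = printable_ratio(text)
            if best is None or score > best[0]:
                best = (score, offset, invert, text)
    return best if best[0] >= threshold else None


def make_border(payload: bytes, tile_0=TILE_0, tile_1=TILE_1):
    """Build the constructed sample: one ornament per bit, MSB-first, with a
    '+' corner piece at each end that carries no data."""
    tiles = [tile_1 if (byte >> i) & 1 else tile_0
             for byte in payload for i in range(7, -1, -1)]
    return "+" + "".join(tiles) + "+"


if __name__ == "__main__":
    # Constructed samples: a border carrying a short message, and two plain ones.
    samples = {
        "message border": make_border(b"MEET 7PM"),
        "alternating border": "+" + "<>" * 40 + "+",
        "uniform border": "+" + "<" * 80 + "+",
    }
    for name, border in samples.items():
        hit = scan_border(border)
        verdict = f"suspicious, decodes to {hit[3]!r}" if hit else "looks like plain decoration"
        print(f"{name:20s} {verdict}")
```

The same scan applies to any two-state repeating element (dot size, line weight, glyph orientation) once the two states have been mapped to the two tile symbols.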
Does this application of “borders” and embedded images pose challenges to analysts, investigators, and law enforcement professionals? Some information, as I have stated before, should not be out and about, providing bad actors with ideas and enablers.
Stephen E Arnold, December 9, 2024
Creeping Crypto: Regulators Adapt to What People Have Been Doing
November 28, 2024
This write up is the work of a humanoid who admits he is a dinobaby; that is, deadwood too old to employ. By the way, the “dinobaby” lingo allegedly emerged from IBM during its housecleaning event years ago. The art, however, is from MidJourney and definitely AI fakery.
I don’t want to make a big deal of the “real” news in “Apple Pay, Cash App, and Other Digital Wallets Will Be Regulated More Like Banks Now.” The write up reports:
Major digital payment providers will soon be subject to bank-like supervision from the US Consumer Financial Protection Bureau (CFPB). On Thursday, the CFPB issued a final rule that will regulate digital payment apps that process over 50 million transactions each year, covering services like Apple Pay, Google Wallet, PayPal, Cash App, and others. The new rule is meant to ensure digital payment providers adhere to the same laws as credit unions and large banks. It will give the CFPB the authority to oversee their compliance with federal laws surrounding privacy, fraud, and other rules through “proactive examinations.”
Some governments move slowly and others not at all. This “adjustment” reminds me that the world of digital payments, particularly the use of crypto currency, is moving a bit faster than the regulators mentioned in the Verge’s story. (Wow, that log strikes me as weird.)
I want to point out that in the last few days, Telegram turned on its Messenger app’s linkage to the CryptoCasino operation. Here’s a snapshot of what Telegram is engineering. (I drafted the following text for a couple of the law enforcement professionals who pay some attention to my research team’s work related to Telegram, The Open Network Foundation, and TON Social. If there are goofs in the following summary, let me know. I feel like the Lone Ranger when I try to figure out what the Russia-flavored online messaging outfit is up to.)
Here’s the snapshot I provided as background information:
CryptoCasino.com went live earlier this week. Telegram provides access to the service, which is owned by Armchair Online BV, an experienced online gaming firm based in Willemstad, Curaçao, Netherlands Antilles. Information about the “organization” is sparse.
A Telegram user can access more than 5,000 games via the Telegram Messenger application. No additional registration is required. Plus Telegram’s platform provides the integration of the multiple steps required to engage in online gambling. This service illustrates the “new” Telegram which shifts from messaging functionality to programmatic services running on the distributed Telegram platform.
The gambling games range from poker to crypto horse racing. Live dealer sessions are available to VIP members who pay for additional privileges. The system uses a new $CASINO coin. This coin is available at a low rate and includes the same “bet on this coin’s value” functions as other Telegram “click to earn” games.
Why would Telegram offer a comprehensive online gambling service? The answer, in the opinion of the Arnold research group, is “Revenue.” Telegram had previously agreed to team up with Ku Group, an organization indicted in the US for money laundering. Organizations identified by Telegram as being involved in this new initiative are:
- Altcoin Edge
- AvatarUX
- Betby
- Coinbase
- Covey
- Decubate
- Evolution Gaming
- Fast Track
- Fireblocks
- Hacksaw
- MetaMask
- MyAffiliates
- Oddin.gg
- Pragmatic Play
- Push Gaming
- Spribe
- Trust Wallet
- Wallet Connect
- Zealy
Users of the Telegram or CryptoCasino.com Web site are, for the most part, blocked from accessing the site from the US. The workaround is to use a VPN (virtual private network) which provides service from Malta, Spain, or a similar nation state. Telegram continues its effort to engage in high-profit activities and to build out the Telegram platform as an application programming interface for an unregulated financial system. Telegram is, intentionally or unintentionally, furthering the effort to reduce or shift global financial markets from the US dollar to crypto currency.
The reason I mention this Telegram development is threefold:
First, it illustrates what I call the “high frequency” deals Telegram is doing even though its founder is in France under the supervision of French authorities. Services which could facilitate money laundering are examples of a CEO with a healthy sense of disdain for laws designed to regulate mere mortals. (Telegram’s founder has allegedly sired more than 100 children. He is offering free in vitro fertilization for those qualified to extend his genetic superbness.)
Second, the purpose of the CryptoCasino in Telegram is to make it really easy for about one billion people to engage in activities which are at present somewhat challenging for investigators to track in real time. Telegram games like the more than 5,000 in the CryptoCasino deal include VIP (very important person) memberships, speculative bets on $Casino coins, and options for moving crypto through multiple wallets. Tracking transactions in one wallet can be done. But multiple wallets activated in short time cycles can make the time and resources budget dwindle quickly.
Third, regulators are likely to struggle to develop rules, regulations, and guidelines able to deal with the array of crypto-ized traditional financial services Telegram explained at its November 2024 Gateway Conference. Other than Group-IB, what security centric firm attended the event in Dubai?
So, the Verge’s article provides some information about regulatory velocity. Now the more significant and difficult regulatory work has to be accelerated. Is this a race between the tortoise and the hare? If you want to bet on the winner, head to the Telegram CryptoCasino service, become a VIP, and interact with one of the 24×7 customer support staff. It is probable that the tortoise and the hare bet can be accommodated.
Stephen E Arnold, November 28, 2024
FOGINT: Telegram Shifts from Pretending to Promoting Its Casino Play
November 26, 2024
An online service named “EuropeanGaming.eu” published an interesting story about Telegram. As you may know, the founder of VKontakte.ru and Telegram Messenger has been detained by French authorities. Coincident with this restriction on Pavel Durov’s travel, the organizations with which he has been associated have been doing fast-cycle innovation.
The story “CryptoCasino.com Launch to Disrupt iGaming with Groundbreaking Telegram Casino” reports that Telegram has launched:
an innovative Telegram casino that is set to drive player acquisition in the rapidly growing blockchain betting space.
The features of the Telegram casino include — obviously — crypto currency and blockchain as well as:
- 6,000 online slots and table games
- A live dealer casino
- An extra fee sports betting service
- Support for a number of crypto currencies.
The CryptoCasino will feature a new “token” called $CASINO. After the US Securities & Exchange Commission put pressure on Telegram’s fund raising for its GRAM coin, Mr. Durov rejiggered the Telegram operation to accommodate a non-profit operation focused on free speech, building support for broader financial services based on crypto, and a nominal owner of the TON coin. (TON coin is the GRAM crypto renamed and donated to the Open Network Foundation.)
This “casino play” adds to Telegram’s revenue stream opportunities. The write up points out:
CryptoCasino is catering to the over one billion unique Telegram users by building a Telegram Casino integration that allows anybody to immediately join and begin playing with just one click.
The commissions and other fees are one potentially lucrative revenue stream for Telegram.
A second revenue opportunity is the introduction of “VIP” services or “very important person” services. The United Nations’ 2024 UNODC reports in January and October do a very good job of explaining the “value” of casino activities and revenue. You can locate the United Nations’ reports at https://www.unodc.org/.
To get this “casino play” off the ground, the European Gaming report says:
the CryptoCasino.com team understands that the key to rapid growth comes from partnerships with trusted names in the online gaming business. That is why CryptoCasino has partnered with several major names in betting and blockchain including Pragmatic Play, Evolution Gaming, Betby, Oddin.gg, Decubate, Covey, Fireblocks, and others. Certified through CertiK and as a fully licensed platform under Curacao and Anjouan gaming authorities, the platform will provide the highest level of player safety and security, complying with all regulatory statutes for the best crypto betting experience possible.
Will this initiative succeed? Will the French authorities pursue an inquiry into this facet of Mr. Durov’s business interests? How will the Telegram CryptoCasino.com “player” move currency from one wallet to another in Telegram’s crypto environment? Will Telegram extend its cooperation with law enforcement to the new CryptoCasino.com “play”?
Several observations are warranted:
- Telegram is pushing the boundaries of its cooperation and compliance with some regulatory authorities
- The push into overt casino activities complements the effort to move from traditional financial regulatory restrictions to less regulated and controllable gambling activities
- The companion services for the new CryptoCasino.com “play” will have some appeal to those who seek to obfuscate certain types of financial activities.
Net net: Telegram may be responding to the government efforts to get Telegram to cooperate more enthusiastically with investigators by saying, “Okay, you want user names and mobile numbers, check out our encrypted blockchain based crypto play.”
Stephen E Arnold, November 26, 2024
FOGINT: Security Tools Over Promise & Under Deliver
November 22, 2024
While the United States and the rest of the world have been obsessed with the fallout of the former’s presidential election, bad actors planned terrorist plots. I24 News reports that after a soccer/football match in Amsterdam, there was a preplanned attack on Israeli fans: “Evidence From WhatsApp, Telegram Groups Shows Amsterdam Pogrom Was Organized.”
The Daily Telegraph located screenshots from WhatsApp and Telegram that displayed messages calling for a “Jew Hunt” after the game. The message writers were identified as Pro-Palestinian supporters. The bad actors also called Jews “cancer dogs”, a vile slur in Dutch, and told co-conspirators to bring fireworks to the planned attack. Dutch citizens and other observers were underwhelmed with the response of the Netherlands’ law enforcement. Even King Willem-Alexander noted that his country failed to protect the Jewish community when he spoke with Israeli President Isaac Herzog:
“Dutch king Willem-Alexander reportedly said to Israel’s President Isaac Herzog in a phone call on Friday morning that ‘we failed the Jewish community of the Netherlands during World War II, and last night we failed again.’”
This is an unfortunate example of the failure of cyber security tools that monitor social media. If this was a preplanned attack and the Daily Telegraph located the messages, then a cyber security company should have as well. These policeware and intelware systems failed to alert authorities. Is this another confirmation that cyber security and threat intelligence tools over promise and under deliver? Well, T-Mobile is compromised again, and there is that minor lapse in Israel in October 2023.
Whitney Grace, November 22, 2024
Short Snort: How to Find Undocumented APIs
November 20, 2024
This essay is the work of a dumb dinobaby. No smart software required.
The essay / how to “All the Data Can Be Yours” does a very good job of providing a hacker road map. The information in the write up includes:
- Tips for finding undocumented APIs in GitHub
- Spotting “fetch” requests
- WordPress default APIs
- Information in robots.txt files
- Using the Google
- Examining JavaScripts
- Poking into mobile apps
- Some helpful resources and tools.
Each of these items includes details; for example, specific search strings and “how to make a taco” type of instructions. Assembling this write up took quite a bit of work.
Those engaged in cyber security (white, gray, and black hat types) will find the write up quite interesting.
I want to point out that I am not criticizing the information per se. I do want to remind those with a desire to share their expertise of three behaviors:
- Some computer science and programming classes in interesting countries use this type of information to provide students with what I would call hands on instruction
- Some governments, not necessarily aligned with US interests, provide the tips to the employees and contractors of certain government agencies to test and then extend the functionalities of the techniques presented in the write up
- Certain information might be more effectively distributed in other communication channels.
Stephen E Arnold, November 20, 2024
E-Casino: Gambling As a Service
November 15, 2024
Gambling is a vice, but it’s also big business. Many gambling practices are illegal, and if you want to stay on the right side of the law, then you should make sure your future gambling business complies with all ordinances. For starters, you need to pay your taxes or the IRS will shut you down. Second, read Revpanda Group’s review, “Best White Label Casino Solution Providers In 2024,” and see what they offer.
Revpanda Group specializes in iGaming marketing services to help companies acquire and retain players. They use affiliate marketing strategies to draw and connect traffic with the top brands in their industry. Their entire schtick is helping iGaming companies succeed and stay on the right side of the authorities. Their article is a quick how-to on starting a casino with the right partners.
Revpanda suggests using a white label casino solution, which is an out-of-the-box solution to start a business:
“…one company provides everything you need, including the casino platform itself, online casino software, payment gateways, an affiliate system, and technical support. Your main responsibilities include creating a logo for the casino website and partnering with an agency for content marketing your brand to potential customers. So, choosing a white label solution is easier than starting your own business from scratch….Simply put, a white label solution provides you with a ready-to-operate casino business whereby a third party will help you maintain and handle everyday operations.”
It almost sounds too good to be true, but Revpanda doesn’t make it sound like one of the get-rich-quick scams that are haunting YouTube ads. Revpanda explains that there are upfront costs and risks associated with owning a casino:
“One thing to note is that about 40% revenue share goes to the operator and 60% goes to the platform provider. In essence, white label casino solutions offer a turnkey approach for aspiring casino operators, allowing them to launch and market their business with minimal operational burdens, while sharing revenue with the platform provider.”
The casino-via-DoorDash also recommends that potential online gambling parlor operators research its white label casino solution provider recommendations to discover the best fit. They discuss what to consider when deciding which provider to work with, including licensing and regulation, game variety and quality, payment solutions, customization options, customer service and support, and mobile compatibility.
Yep, GaaS is a convenience.
Whitney Grace, November 15, 2024
Grooming Booms in the UK
November 12, 2024
The ability of the Internet to connect us to one another can be a beautiful thing. On the flip side, however, are growing problems like this one: The UK’s Independent tells us, “Online Grooming Crimes Reach Record Levels, NSPCC Says.” UK police recorded over 7,000 offenses in that country over the past year, a troubling new high. We learn:
“The children’s charity said the figures, provided by 45 UK police forces, showed that 7,062 sexual communication with a child offences were recorded in 2023-24, a rise of 89% since 2017-18, when the offence first came into force. Where the means of communication was disclosed – which was 1,824 cases – social media platforms were often used, with Snapchat named in 48% of those cases. Meta-owned platforms were also found to be popular with offenders, with WhatsApp named in 12% of those cases, Facebook and Messenger in 12% and Instagram in 6%. In response to the figures, the NSPCC has urged online regulator Ofcom to strengthen the Online Safety Act. It said there is currently too much focus on acting after harm has taken place, rather than being proactive to ensure the design of social media platforms does not contribute to abuse.”
Well, yes, that would be ideal. Specifically, the NSPCC states, regulations around private messaging must be strengthened. UK Minister Jess Phillips emphasizes:
“Social media companies have a responsibility to stop this vile abuse from happening on their platforms. Under the Online Safety Act they will have to stop this kind of illegal content being shared on their sites, including on private and encrypted messaging services, or face significant fines.”
Those fines would have to be significant indeed. Much larger than any levied so far, which are but a routine cost of doing business for these huge firms. But we have noted a few reasons to hope for change. Are governments ready to hold big tech responsible for the harms they facilitate?
Cynthia Murrell, November 12, 2024
Penalty for AI Generated Child Abuse Images
November 8, 2024
Whenever new technology is released, it’s only a matter of time before a bad actor uses it for devious purposes. Those purposes are usually a form of sex, theft, and abuse. Bad actors saw a golden opportunity with AI image generation for child pornography, and ArsTechnica reported that: “18-Year Prison Sentence For Man Who Used AI To Create Child Abuse Images.” Hugh Nelson, the pedophile from the UK, used 3D AI software to make child sexual abuse imagery. When his crime was discovered, he was sentenced to eighteen years in prison. It’s a landmark case for prosecuting deepfakes in the UK.
Nelson used Daz 3D to make the sexually explicit images. AI image algorithms use large data models to generate “new” images. The algorithms can also take preexisting images and alter them. Nelson used photographs of real children, fed them into Daz 3D, and had deepfake SA images. He also encouraged other bad actors to do the same thing. Nelson will be incarcerated until he completes two-thirds of his sentence. The judge at the trial said Nelson was a “significant risk” to the public.
Since these images are fake, one could argue that they’re harmless but the problem here was the use of real children’s images. These real kids had their visage transformed into sexually explicit images. That’s where the debate about harm and intent enters:
“Graeme Biggar, director-general of the UK’s National Crime Agency, last year warned it had begun seeing hyper-realistic images and videos of child sexual abuse generated by AI. He added that viewing this kind of material, whether real or computer-generated, “materially increases the risk of offenders moving on to sexually abusing children themselves.”
Greater Manchester Police’s specialist online child abuse investigation team said computer-generated images had become a common feature of their investigations.
‘This case has been a real test of the legislation, as using computer programs in this particular way is so new to this type of offending and isn’t specifically mentioned within current UK law,’ detective constable Carly Baines said when Nelson pleaded guilty in August. The UK’s Online Safety Act, which passed last October, makes it illegal to disseminate non-consensual pornographic deepfakes. But Nelson was prosecuted under existing child abuse law.”
My personal view is that Nelson should be locked up for the remainder of his putrid existence as should the people who asked him to make those horrible images. Don’t mess with kids!
Whitney Grace, November 8, 2024