FOGINT: Targets Draw Attention. Signal Is a Target

April 1, 2025

Dinobaby says, “No smart software involved. That’s for ‘real’ journalists and pundits.”

We have been plugging away on the “Telegram Overview: Notes for Analysts and Investigators.” We have not exactly ignored Signal or the dozens of other super secret, encrypted beyond belief messaging applications. We did compile a table of those we came across, and Signal was on that list.

I read “NSA Warned of Vulnerabilities in Signal App a Month Before Houthi Strike Chat.” I am not interested in the political facets of this incident. The important point for me is this statement:

The National Security Agency sent out an operational security special bulletin to its employees in February 2025 warning them of vulnerabilities in using the encrypted messaging application Signal

One of the big time cyber security companies spoke with me, and I mentioned that Signal might not be the cat’s pajamas. To the credit of that company and the former police chief with whom I spoke, the firm shifted to an end-to-end encrypted messaging app we had identified as slightly less wonky. Good for that company, and a pat on the back for the police chief who listened to me.

In my experience, operational bulletins are worth reading. When the bulletin is “special,” re-reading the message is generally helpful.

Signal, of course, defends itself vigorously. The coach who loses a basketball game says, “Our players put out a great effort. It just wasn’t enough.”

Presenting oneself as a super secret messaging app immediately makes that messaging app a target. I know first hand that some whiz kid entrepreneurs believe that their E2EE solution is the best one ever. In fact, a year ago, such an entrepreneur told me, “We have developed a method that only a government agency can compromise.”

Yeah, that’s the point of the NSA bulletin.

Let me ask you a question: “How many computer science students in countries outside the United States are looking at E2EE messaging apps and trying to figure out how to compromise the data?” Years ago, I gave some lectures in Tallinn, Estonia. I visited a university computer science class. I asked the students about the projects each had selected. Several of them told me that they were trying to compromise messaging systems. A favorite target was Telegram, but Signal came up.

I know the wizards who cook up E2EE messaging apps and use the latest and greatest methods for delivering security with bells on are fooling themselves. Here are the reasons:

  1. Systems relying on open source methods are well documented. Exploits exist, and we have noticed some CaaS offers to compromise these messages. Now the methods may be illegal in many countries, but they exist. (I won’t provide a checklist in a free blog post. Sorry.)
  2. Techniques to prevent compromise of secure messaging systems involve some patented systems and methods. Yes, the patents are publicly available, but the methods are simply not possible unless one has considerable resources for software, hardware, and deployment.
  3. A number of organizations turn E2EE messaging systems into happy eunuchs taking care of the sultan’s harem. I have poked fun at the blunders of the NSO Group and its Pegasus approach, and I have pointed out that the goodies of the Hacking Team escaped into the wild a long time ago. The point is that once the procedures for performing certain types of compromise are no longer secret, other humans can and will create a facsimile and use those emulations to suck down private messages, the metadata, and probably the pictures on the device too. Toss in some AI jazziness, and the process goes faster than my old 1962 Studebaker Lark.

Let me wrap up by reiterating that I am not addressing the incident involving Signal. I want to point out that I am not in the “information wants to be free” camp. Certain information is best managed when it is secret. Outfits like Signal and the dozens of other E2EE messaging apps are targets. Targets get hit. Why put neon lights on oneself and try to hide the fact that those young computer science students or their future employers will find a way to compromise the information?

Technical stealth, network fiddling, human bumbling: compromises will continue to occur. There were good reasons to enforce security. That’s why stringent procedures and hardened systems were developed. Today it’s marketing, and the possibility that non-open-source, non-American methods may no longer deliver what the 23-year-old art history major who has a job in marketing says the systems actually deliver.

Stephen E Arnold, April 1, 2025

An Intel Blind Spot in Australia: Could an October-Type Event Occur?

March 17, 2025

Yep, another dinobaby original.

I read a “real” news article (I think) in the UK Telegraph. The story “How Chinese Warships Encircled Australia without Canberra Noticing” surprised me. The write up reports:

In a highly unusual move, three Chinese naval vessels dubbed Task Group 107 – including a Jiangkai-class frigate, a Renhai-class cruiser and a Fuchi-class replenishment vessel – were conducting exercises in Australia’s exclusive economic zone.

The date was February 21, 2025. The ships were 300 miles from Australia. What’s the big deal?

According to the write up:

Anthony Albanese, Australia’s prime minister, downplayed the situation, while both the Australian Defence Force and the New Zealand Navy initially missed that the exercise was even happening.

Let me offer several observations based on what may be a mostly accurate “real” news report:

  1. Australia, like Israel, is well equipped with home-grown and third-party intelware. If the write up’s content is accurate, none of these intelware systems provided signals about the operation before, during, or after the report of the live fire drill.
  2. As a member of Five Eyes, a group about which I know essentially nothing, Australia has access to assorted intelligence systems, including satellites. Obviously the data were incomplete, ignored, or not available to analysts or Preligens-type systems. Note: Preligens is now owned by Safran.
  3. What remediating actions are underway in Australia? To be fair, the “real” news outfit probably did not ask this question, but it seems a reasonable one to address. Someone was responsible, so what’s the fix?

Net net: Countries with sophisticated intelligence systems are getting some indications that these systems may not live up to the marketing hyperbole nor the procurement officials’ expectations of these systems. Israel suffered in many ways because of its 9/11 in October. One hopes that Australia can take this allegedly true incident involving China to heart and make changes.

Stephen E Arnold, March 17, 2025

NSO Group, the PR of Intelware, Captures Headlines … Yet Again

March 13, 2025

Our reading and research have led us to this basic rule: Unless measures are taken to keep something secret, diffusion is inevitable. Knowledge about systems, methods, and tools to access data is widespread. Case in point—Today’s General Counsel tells us, "Pegasus Spyware Is Showing Up on Corporate Execs’ Cell Phones." The brief write-up cites reporting by The Record’s Suzanne Smalley, who got her information from security firm iVerify. It shows a steep climb in Pegasus-infected devices over the second half of last year. We learn:

"The number of reported infected phones among iVerify corporate clients was eleven out of 18,000 devices tested in December last year. In May 2024, when iVerify first began offering the spyware testing service, a study found seven spyware infections out of 3,000 phones tested. ‘The world remains totally unprepared to deal with this from a security perspective,’ says iVerify co-founder and former National Security Agency analyst Rocky Cole, who was interviewed for the article. ‘This stuff is way more prevalent than people think.’ The article notes that business executives are now proving to be vulnerable, including individuals with access to proprietary plans and financial data, as well as those who frequently communicate with other influential leaders in the private sector. These leaders engage in sensitive work out of the public eye, including deals that have the potential to impact financial markets."

But how could this happen? Pegasus-maker NSO Group vows it only sells spyware to whitelisted governments for counterterrorism and fighting crime. It does do that. And also other things, reportedly. So we are unsurprised to find business executives among those allegedly targeted. We think it best to assume anything digital can be accessed by anyone at any moment. Is it time to bring back communications via pen and paper? At least someone must get out from behind a desk to intercept snail mail or dead drops.

Cynthia Murrell, March 13, 2025

A Super Track from You Know Who

February 20, 2025

Those CAPTCHA hoops we jump through are there to protect sites from bots, right? As Boing Boing reports, not so much. In fact, bots can now easily beat reCAPTCHA tests. Then why are we forced to navigate them to do anything online? So the software can track us, collect our data, and make parent company Google, and data brokers, even richer. Writer Mark Frauenfelder cites a recent paper in “reCAPTCHA: 819 Million Hours of Wasted Human Time and Billions of Dollars in Google Profits.” We learn:

“‘They essentially get access to any user interaction on that web page,’ says Dr. Andrew Searles, a former computer security researcher at UC Irvine. Searles’ paper, titled ‘Dazed & Confused: A Large-Scale Real-World User Study of reCAPTCHAv2,’ found that Google’s widely-used CAPTCHA system is primarily a mechanism for tracking user behavior and collecting data while providing little actual security against bots. The study revealed that reCAPTCHA extensively monitors users’ cookies, browsing history, and browser environment (including canvas rendering, screen resolution, mouse movements, and user-agent data) — all of which can be used for advertising and tracking purposes. Through analyzing over 3,600 users, the researchers found that solving image-based challenges takes 557% longer than checkbox challenges and concluded that reCAPTCHA has cost society an estimated 819 million hours of human time valued at $6.1 billion in wages while generating massive profits for Google through its tracking capabilities and data collection, with the value of tracking cookies alone estimated at $888 billion.”

That is quite a chunk of change. No wonder Google does not want to give up its CAPTCHA system—even if it no longer performs its original function. Why bother with matters of user inconvenience or even privacy when there are massive profits to be made?

Cynthia Murrell, February 20, 2025

"Real" Entities or Sock Puppets? A New Solution Can Help Analysts and Investigators

January 28, 2025

Bitext’s NAMER (shorthand for "named entity recognition") can deliver precise entity tagging across dozens of languages.

Graphs (knowledge graphs and social graphs) have moved into the mainstream since Leonhard Euler laid the foundation for graph theory in the 18th century.

With graphs, analysts can take advantage of smart software’s ability to make sense of Named Entity Recognition (NER), event extraction, and relationship mapping.

The problem is that humans change their names (handles, monikers, or aliases) for many reasons: Public embarrassment, a criminal record, a change in marital status, etc.

Bitext’s NER solution, NAMER, is specifically designed to meet the evolving needs of knowledge graph companies, offering exceptional features that tackle industry challenges.

Consider a person disgraced by involvement in a scheme to defraud investors in an artificial intelligence start up. The US Department of Justice published the name of a key actor in this scheme. (Source: https://www.justice.gov/usao-ndca/pr/founder-and-former-ceo-san-francisco-technology-company-and-attorney-indicted-years). The individual was identified by the court as Valerie Lau Beckman. The official court documents used the name "Lau" to reference her involvement in a multi-million dollar scam.

However, correctly identifying her in social media, in subsequent news stories, and in public profiles on a LinkedIn-type service requires more than generic smart software.

That’s the role of a specialized software solution. Here’s what NAMER delivers.

The system identifies and classifies entities (e.g., people, organizations, locations) in unstructured data. The system accurately links data across different sources of content. The NAMER technology can tag and link significant events (transactions, announcements) to maintain temporal relevance; for example, when Ms. Lau Beckman is discharged from the criminal process. NAMER can connect entities like Ms. Lau or Ms. Beckman to other individuals with whom she works or interacts and track the appearance of her various "names" in content streams.

The licensee specifies the languages NAMER is to process, either in a knowledge base or prior to content processing via a large language model.

Access to the proprietary NAMER technology is via a local SDK, which is essential for certain types of entity analysis. NAMER can also be integrated into another system or provided as a "white label service" to enhance an intelligence system with NAMER’s unique functions. For certain use cases, the developer provides direct access to the source code of the system.

For an organization or investigative team interested in keeping data about Lau Beckman at the highest level of precision, Bitext’s NAMER is an essential service.

Stephen E Arnold, January 28, 2025

More about NAMER, the Bitext Smart Entity Technology

January 14, 2025

A dinobaby product! We used some smart software to fix up the grammar. The system mostly worked. Surprised? We were.

We spotted more information about the Madrid, Spain-based Bitext technology firm. The company posted “Integrating Bitext NAMER with LLMs” in late December 2024. At about the same time, government authorities arrested a person known as “Broken Tooth.” In 2021, an alert for this individual was posted. His “real” name is Wan Kuok-koi, and he has been in and out of trouble for a number of years. He is alleged to be part of a criminal organization and active in a number of illegal behaviors; for example, money laundering and human trafficking. The online service The Irrawaddy reported that Broken Tooth is “the face of Chinese investment in Myanmar.”

Broken Tooth (né Wan Kuok-koi, born in Macau) is one example of the importance of identifying entity names and relating them to individuals and the organizations with which they are affiliated. A failure to identify entities correctly can mean the difference between resolving an alleged criminal activity and a get-out-of-jail-free card. This is the specific problem that Bitext’s NAMER system addresses. Bitext says that large language models are designed for text generation, not entity classification. Furthermore, LLMs impose cost and computational demands which can pose problems for organizations working within tight budget constraints. Plus, processing certain data in a cloud increases privacy and security risks.

Bitext’s solution provides an alternative way to achieve fine-grained entity identification, extraction, and tagging. Bitext’s solution combines classical natural language processing tools with large language models. Classical NLP tools, often deployable locally, complement LLMs to enhance NER performance.

NAMER excels at:

  1. Identifying generic names and classifying them as people, places, or organizations.
  2. Resolving aliases and pseudonyms.
  3. Differentiating similar names tied to unrelated entities.

Bitext supports over 20 languages, with additional options available on request. How does the hybrid approach function? There are two effective methods for integrating Bitext NAMER with LLMs like GPT or Llama. The first is pre-processing the input: entities are annotated before the text is passed to the LLM, which is ideal for connecting entities to knowledge graphs in large systems. The second is to configure the LLM to call NAMER dynamically.

The output of the Bitext system can generate tagged entity lists and metadata for content libraries or dictionary applications. The NAMER output can integrate directly into existing controlled vocabularies, indexes, or knowledge graphs. Also, NAMER makes it possible to maintain separate files of entities for on-demand access by analysts, investigators, or other text analytics software.

By grouping name variants, Bitext NAMER streamlines search queries, enhancing document retrieval and linking entities to knowledge graphs. This creates a tailored “semantic layer” that enriches organizational systems with precision and efficiency.

For more information about the unique NAMER system, contact Bitext via the firm’s Web site at www.bitext.com.

Stephen E Arnold, January 14, 2025

Geolocation Data: Available for a Price

December 30, 2024

According to a report from 404 Media, a firm called Fog Data Science is helping law enforcement compile lists of places visited by suspects. Ars Technica reveals, “Location Data Firm Helps Police Find Out When Suspects Visited their Doctor.” Jon Brodkin writes:

“Fog Data Science, which says it ‘harness[es] the power of data to safeguard national security and provide law enforcement with actionable intelligence,’ has a ‘Project Intake Form’ that asks police for locations where potential suspects and their mobile devices might be found. The form, obtained by 404 Media, instructs police officers to list locations of friends’ and families’ houses, associates’ homes and offices, and the offices of a person’s doctor or lawyer. Fog Data has a trove of location data derived from smartphones’ geolocation signals, which would already include doctors’ offices and many other types of locations even before police ask for information on a specific person. Details provided by police on the intake form seem likely to help Fog Data conduct more effective searches of its database to find out when suspects visited particular places. The form also asks police to identify the person of interest’s name and/or known aliases and their ‘link to criminal activity.’ ‘Known locations a POI [Person of Interest] may visit are valuable, even without dates/times,’ the form says. It asks for street addresses or geographic coordinates.”

See the article for an image of the form. It is apparently used to narrow down data points and establish suspects’ routine movements. It could also be used to, say, prosecute abortions, Brodkin notes.

Back in 2022, the Electronic Frontier Foundation warned of Fog Data’s geolocation data hoard. Its report detailed which law enforcement agencies were known to purchase Fog’s intel at the time. But where was Fog getting this data? From Venntel, the EFF found, which is the subject of a Federal Trade Commission action. The agency charges Venntel with “unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.” The FTC’s order would prohibit Venntel, and parent company Gravy Analytics, from selling sensitive location data. It would also require they establish a “sensitive data location program.” We are not sure what that would entail. And we might never know: the decision may not be finalized until after the president-elect is sworn in.

Cynthia Murrell, December 30, 2024

Bold Allegation: Colombia, the US, and Pegasus

December 27, 2024

The United States assists its allies, but why did the Biden Administration pony up $11 million for hacking software? DropSiteNews investigates the software, its huge price tag, and why the US bought it in “The U.S. Bought Pegasus For Colombia With $11 Million In Cash. Now Colombians Are Asking Why.” Colombians are just as curious as Americans are about why the US coughed up $11 million in cash for the Israeli hacking software.

The Colombian ambassador to the US, Daniel García-Peña, confirmed that Washington, DC, assisted his country in buying the software so the Colombian government could track drug cartels. The software was purchased and used throughout 2021-2022. Pegasus usage stopped in 2022, and it was never used against politicians, such as former Colombian president Iván Duque. The Biden Administration remained in control of the Pegasus software and ensured that the Colombian government only provided spying targets.

It’s understandable why Colombia’s citizens were antsy about Pegasus:

“García-Peña’s revelations come two months after Colombian President Gustavo Petro delivered a televised speech in which he revealed some of the details of the all-cash, $11-million purchase, including that it has been split across two installments, flown from Bogotá and deposited into the Tel Aviv bank account belonging to NSO Group, the company that owns Pegasus. Soon after the speech, Colombia’s attorney general opened an investigation into the purchase and use of Pegasus. In October, Petro accused the director of the NSO Group of money laundering, due to the tremendous amount of cash he transported on the flights.

The timeline of the purchase and use of Pegasus overlaps with a particularly turbulent time in Colombia. A social movement had begun protesting against Duque, while in the countryside, Colombia’s security forces were killing or arresting major guerrilla and cartel leaders. At the time, Petro, the first left-wing president in the country’s recent history, was campaigning for the presidency.”

Pegasus is powerful hacking software, and Colombians were suspicious about how their government acquired it. Journalists were especially curious where the influx of cash came from. They slowly discovered it was from the United States, with the intent to spy on drug cartels. Colombia is a tumultuous nation with crime worse than the Wild West. Pegasus hopefully caught the worst of the bad actors.

Whitney Grace, December 27, 2024

FOGINT: Intelware Tension Ticks Up

December 24, 2024

Observations from the FOGINT research team.

On Friday, December 20, 2024, NSO Group, the Pegasus specialized software outfit, found itself losing a court squabble with Facebook (Meta and WhatsApp). According to the Reuters news story pushed out at 9:15 pm Eastern time, “US Judge Finds Israel’s NSO Group Liable for Hacking in WhatsApp Lawsuit.” In case you don’t have the judgment at hand, you can find the United States District Court, Northern District of California document at this link.

The main idea behind the case is that NSO Group’s specialized software was pressed into duty for the purpose of obtaining information about WhatsApp users. The mechanism was to exploit “a bug in the messaging app to install spy software allowing unauthorized surveillance.” NSO Group’s fancy legal two-step did not work.

NSO Group has become the poster child for the “compromise the mobile phone and obtain data” approach. The Pegasus system exfiltrates data and, when properly configured, can capture information from a mobile device. Furthermore, the company’s hassles about its customers’ use of the Pegasus tool unwittingly created a surge in software and specialized services performing identical or similar tasks.

The FOGINT team has identified firms which have found different ways of compromising mobile devices. The company, therefore, has been an innovator and its approach to compromising devices has [a] focused attention on Israel’s technical competence in this specialized software niche and [b] rightly or wrongly illustrated that the technology can act with extreme prejudice when used by some clients to solve what they perceive as “problems.”

There are several larger consequences which the FOGINT team has identified:

  1. Specialized software is more prevalent because the revelations about Pegasus have encouraged entrepreneurs and technologists to develop more effective surveillance methods.
  2. Unique delivery methods have been crafted. These range from in-app malware to more sophisticated multi-stage malware installed as a consequence of a user’s carelessness.
  3. The revelations made clear that powerful surveillance tools can be installed in a way that does not require the user to click, email, or interact. The malware simply dials up a mobile and bingo! The device is compromised.

How will this judgment affect the specialized software industry? In FOGINT’s view, the decision will further stimulate competition and the flow of novel surveillance techniques. One consequence also may be that law enforcement and intelligence professionals will encounter headwinds when similar specialized software is required for certain investigations. FOGINT’s view is that NSO Group’s go-go approach to sales created a problem for the company and for specialized software. Some technologies should remain “secret,” which is now becoming an old-fashioned viewpoint. Marketing is not always a benefit.

Stephen E Arnold, December 24, 2024

Entity Extraction: Not As Simple As Some Vendors Say

November 19, 2024

No smart software. Just a dumb dinobaby. Oh, the art? Yeah, MidJourney.

Most of the systems incorporating entity extraction have been trained to recognize the names of simple entities and mostly based on the use of capitalization. An “entity” can be a person’s name, the name of an organization, or a location like Niagara Falls, near Buffalo, New York. The river “Niagara” when bound to “Falls” means a geologic feature. The “Buffalo” is not a Bubalina; it is a delightful city with even more pleasing weather.

The same entity extraction process has to work for specialized software used by law enforcement, intelligence agencies, and legal professionals. Compared to entity extraction for consumer-facing applications like Google’s Web search or Apple Maps, the specialized software vendors have to contend with:

  • Gang slang in English and other languages; for example, “bumble bee.” This is not an insect; it is a nickname for the Latin Kings.
  • Organizations operating in Lao PDR and converted to English words like Zhao Wei’s Kings Romans Casino. Mr. Wei has been allegedly involved in gambling activities in a poorly-regulated region in the Golden Triangle.
  • Individuals who use aliases like maestrolive, james44123, or ahmed2004. There are either “real” people behind the handles or they are sock puppets (fake identities).

Why do these variations create a challenge? In order to locate a business, the content processing system has to identify the entity the user seeks. For an investigator, chopping through a thicket of language and idiosyncratic personas is the difference between making progress and hitting a dead end. Automated entity extraction systems can work using smart software, carefully-crafted and constantly updated controlled vocabulary lists, or a hybrid system.


Let’s take an example which confronts a person looking for information about the Ku Group. This is a financial services firm responsible for the KuCoin exchange. The Ku Group is interesting because it has been found guilty in the US for certain financial activities in the State of New York and by the US Securities & Exchange Commission.
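The hybrid approach sketched above (a curated controlled vocabulary of gang slang, aliases and known handles, backed by the generic capitalization heuristic most NER systems lean on) and the pre-processing integration method described in the two NAMER posts (tag entities before the text reaches an LLM, and group name variants so “Broken Tooth” and “Wan Kuok-koi” resolve to one node) can be shown in a few dozen lines. The Python below is an added example written for this page; it is not Bitext’s NAMER code or any vendor’s product. The alias table, the suffix hints, the inline tag format and the four “tip” texts are constructed for the demonstration and are assumptions, not real watchlists or reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed controlled vocabulary (an assumption for this example, not a real
# watchlist): lower-cased surface form -> (canonical entity, entity type).
# Analysts curate and continuously update such a list; generic NER has no way
# to know that "bumble bee" is a gang or that "Broken Tooth" is a person.
ALIASES = {
    "bumble bee": ("Latin Kings", "ORG"),
    "latin kings": ("Latin Kings", "ORG"),
    "broken tooth": ("Wan Kuok-koi", "PERSON"),
    "wan kuok-koi": ("Wan Kuok-koi", "PERSON"),
    "valerie lau beckman": ("Valerie Lau Beckman", "PERSON"),
    "lau beckman": ("Valerie Lau Beckman", "PERSON"),
    "ms. lau": ("Valerie Lau Beckman", "PERSON"),
    "kings romans casino": ("Kings Romans Casino", "ORG"),
    "niagara falls": ("Niagara Falls", "LOC"),
    "maestrolive": ("maestrolive", "HANDLE"),
}

# Weak type hints for capitalized runs that are NOT in the vocabulary.
ORG_SUFFIXES = {"group", "casino", "inc", "llc", "ltd", "corp", "exchange"}
LOC_SUFFIXES = {"falls", "city", "river", "county", "province", "street"}

# Longest surface forms first so "valerie lau beckman" beats "lau beckman".
_ALIAS_RE = re.compile(
    r"(?<!\w)(" + "|".join(re.escape(s) for s in sorted(ALIASES, key=len, reverse=True)) + r")(?!\w)",
    re.IGNORECASE,
)
# Handle-shaped tokens: lower-case letters followed by at least one digit.
_HANDLE_RE = re.compile(r"(?<!\w)@?[a-z]+\d[a-z0-9_]*(?!\w)")
# Runs of capitalized tokens: the crude signal generic NER leans on.
_CAP_RUN_RE = re.compile(r"\b[A-Z][\w\-]*(?: [A-Z][\w\-]*)*")


@dataclass(frozen=True)
class Entity:
    surface: str      # text as it appeared
    canonical: str    # resolved entity name (aliases collapse onto this)
    etype: str        # PERSON / ORG / LOC / HANDLE / UNKNOWN
    start: int
    end: int


def _mask(text, start, end):
    """Blank out a matched span so later passes cannot re-tag it (offsets are kept)."""
    return text[:start] + " " * (end - start) + text[end:]


def _heuristic_type(surface):
    last = surface.split()[-1].lower()
    if last in ORG_SUFFIXES:
        return "ORG"
    if last in LOC_SUFFIXES:
        return "LOC"
    # A lone capitalized word ("Buffalo") could be a city, a person or an animal.
    return "PERSON" if " " in surface else "UNKNOWN"


def extract_entities(text):
    """Hybrid extraction: vocabulary first, then handle pattern, then capitalization."""
    found, work = [], text
    # Pass 1: controlled vocabulary (aliases, slang, known handles).
    for m in _ALIAS_RE.finditer(work):
        canonical, etype = ALIASES[m.group(1).lower()]
        found.append(Entity(m.group(0), canonical, etype, m.start(), m.end()))
    for e in found:
        work = _mask(work, e.start, e.end)
    # Pass 2: handle-shaped tokens not covered by the vocabulary.
    handles = [Entity(m.group(0), m.group(0).lstrip("@"), "HANDLE", m.start(), m.end())
               for m in _HANDLE_RE.finditer(work)]
    for e in handles:
        work = _mask(work, e.start, e.end)
    found.extend(handles)
    # Pass 3: capitalized runs; a lone sentence-initial word ("Sources say") is skipped.
    for m in _CAP_RUN_RE.finditer(work):
        surface = m.group(0)
        before = work[:m.start()].rstrip()
        if " " not in surface and (not before or before[-1] in ".!?"):
            continue
        found.append(Entity(surface, surface, _heuristic_type(surface), m.start(), m.end()))
    return sorted(found, key=lambda e: e.start)


def link_entities(docs):
    """Group every mention (doc id, surface form) under its canonical entity."""
    graph = defaultdict(lambda: {"type": None, "mentions": []})
    for doc_id, text in docs.items():
        for e in extract_entities(text):
            graph[e.canonical]["type"] = e.etype
            graph[e.canonical]["mentions"].append((doc_id, e.surface))
    return dict(graph)


def annotate(text):
    """Pre-processing integration: inline-tag entities before the text reaches an LLM."""
    out, cursor = [], 0
    for e in extract_entities(text):
        out.append(text[cursor:e.start])
        out.append(f"[{e.etype}:{e.canonical}|{e.surface}]")
        cursor = e.end
    out.append(text[cursor:])
    return "".join(out)


# Constructed sample "tips" (not real reports) that exercise each failure mode.
DOCS = {
    "tip-1": "Sources say bumble bee members met Broken Tooth at the Kings Romans Casino.",
    "tip-2": "Lau Beckman's attorney declined to comment; the handle james44123 posted about Ms. Lau in Buffalo.",
    "tip-3": "Wan Kuok-koi was seen with maestrolive near Niagara Falls.",
    "tip-4": "Investigators asked whether Ku Group staff used ahmed2004 as a contact.",
}

if __name__ == "__main__":
    for name, node in link_entities(DOCS).items():
        print(f"{node['type']:8} {name}: {node['mentions']}")
    print(annotate(DOCS["tip-1"]))
```

The order of the passes is the point: the vocabulary runs first and masks what it found, so the capitalization pass cannot re-tag “Kings Romans Casino” as a person or split “Lau Beckman” from “Ms. Lau”. Whatever the vocabulary does not know falls through to the heuristics, and the output makes that visible: “Ku Group” is typed ORG only because of its suffix, and “Buffalo” comes out as UNKNOWN rather than being silently guessed, which is exactly the case the post raises. Linking across the four tips collapses “Broken Tooth” and “Wan Kuok-koi” into one node with two mentions, which is the grouping an investigator needs before building a graph.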
