Telegram Appeals to Diverse Constituencies

February 25, 2021

Other than heated conflicts between US political parties, the recent coup happened because of the mass spread of conspiracy theories propagated by social media. Social media platforms, including YouTube, Facebook, Twitter, and Instagram, were used to communicate right wing extremist misinformation. In the past, it was difficult for bad acting extremists to pool their “knowledge” and meet liked minded individuals, but the Internet fixed that.

Many social media platforms kicked right wing extremists off their platform, because of crackdowns that followed post-coup. According to Vox’s article, “Why Right-Wing Extremists’ New Favorite Platform Is So Dangerous” the bad actors already found another tool to communicate. Telegram is a Dubai-based platform and only 2% of its users were US-based until the coup attempt. Now Telegram boasts 25 million new US users. Why do bad actors love Telegram?

“Telegram is currently the most downloaded app in the Google Play Store, having unseated Signal for the top spot in the United States. Telegram’s specific combination of features, however, make it especially popular among American right-wing extremists, who have joined the platform in droves after being kicked off of Twitter, Facebook, and Parler. The latter is another extremist favorite and was recently kicked off the internet, though it’s now back in a very limited form.”

Telegram has three components: private and public channels that only a limited number of people can follow, groups where up to 200,,000 can communicate, and Secret Chats-one-on-one encrypted conversations.

Some bad actors can reach larger groups to spread misinformation and they can do so anonymously. Telegram does not monitor its content, but after its been used to incite violence its developers did crackdown on some of the channels. Telegram is popular for another reason: It is a reasonably reliable app.

Since Telegram is not US-based it does not need to comply to the country’s standards, but we have heard that the company has a relationship with Mr. Putin’s telecommunications agency. Other countries may find it slightly more challenging to monitor.

Whitney Grace, February 25, 2021

DarkCyber for February 23, 2021 Is Now Available

February 23, 2021

DarkCyber, Series 3, Number 4 includes five stories. The first summarizes the value of an electronic game’s software. Think millions. The second explains that Lokinet is now operating under the brand Oxen. The idea is that the secure services’ offerings are “beefier.” The third story provides an example of how smaller cyber security startups can make valuable contributions in the post-SolarWinds’ era. The fourth story highlights a story about the US government’s getting close to an important security implementation, only to lose track of the mission. And the final story provides some drone dope about the use of unmanned aerial systems on Super Bowl Sunday as FBI agents monitored an FAA imposed no fly zone. You could download the video at this url after we uploaded it to YouTube.


YouTube notified Stephen E Arnold that his interview with Robert David Steele, a former CIA professional, was removed from YouTube. The reason was “bullying.” Mr. Arnold is 76 or 77, and he talked with Mr. Steele about the Jeffrey Epstein allegations. Mr. Epstein was on the radar of Mr. Steele because the legal allegations were of interest to an international tribunal about human trafficking and child sex crime. Mr. Steele is a director of that tribunal. Bullying about a deceased person allegedly involved in a decades long criminal activity? What? 

What’s even more interesting is that the DarkCyber videos, which appear every 14 days focus on law enforcement, intelligence, and cyber crime issues. One law enforcement professional told Mr. Arnold after his Dark Web lecture at the National Cyber Crime Conference in 2020, you make it clear that investigators have to embrace new technology and not wait for budgets to accommodate more specialists.

Mr. Arnold told me that he did not click the bright red button wanting Google / YouTube to entertain an appeal. I am not certain about his reasoning, but I assume that Mr. Arnold, who was an advisor to the world’s largest online search system, was indifferent to the censorship. My perception is that Mr. Arnold recognizes that Alphabet, Google, and YouTube are overwhelmed with management challenges, struggling to figure out how to deal with copyright violations, hate content, and sexually related information. Furthermore, Alphabet, Google, and YouTube face persistent legal challenges, employee outcries about discrimination, and ageing systems and methods.

What does this mean? In early March 2021, we will announce other video services which will make the DarkCyber video programs available.

The DarkCyber team is composed of individuals who are not bullies. If anything, the group is more accurately characterized as researchers and analysts who prefer the libraries of days gone by to the zip zip world of thumbtypers, smart software, and censorship of content related to law enforcement and intelligence professionals.

Mr. Arnold was discussing online clickfraud at lunch next week. Would that make an interesting subject for a DarkCyber story? With two firms controlling more than two thirds of the online advertising, click fraud is a hot potato topic. How does it happen? What’s done to prevent it? What’s the cost to the advertisers? What are the legal consequences of the activity?

Kenny Toth, February 23, 2021

SolarWinds: Woulda, Coulda, Shoulda?

February 17, 2021

The SolarWinds security breach had consequences worldwide. The bad actors, supposed to be Russian operatives, hacked into systems at the Department of Homeland Security, the Treasury Department, the National Institutes of Health, the Department of Justice, and other federal agencies as well as those of some major corporations. The supply-chain attack went on for months until it was finally discovered in December; no one is sure how much information the hackers were able to collect during that time. Not only that, it is suspected they inserted hidden code that will continue to give them access for years to come.

Now ProPublica tells us the government paid big bucks to develop a system that may have stopped it, if only it had been put into place. Writers Peter Elkind and Jack Gillum report that “The U.S. Spent $2.2 Million on a Cybersecurity System that Wasn’t Implemented—and Might Have Stopped a Major Hack.” Oops. We learn:

“The incursion became the latest — and, it appears, by far the worst — in a string of hacks targeting the software supply chain. Cybersecurity experts have voiced concern for years that existing defenses, which focus on attacks against individual end users, fail to spot malware planted in downloads from trusted software suppliers. Such attacks are especially worrisome because of their ability to rapidly distribute malicious computer code to tens of thousands of unwitting customers. This problem spurred development of a new approach, backed by $2.2 million in federal grants and available for free, aimed at providing end-to-end protection for the entire software supply pipeline. Named in-toto (Latin for ‘as a whole’), it is the work of a team of academics led by Justin Cappos, an associate computer science and engineering professor at New York University. … Cappos and his colleagues believe that the in-toto system, if widely deployed, could have blocked or minimized the damage from the SolarWinds attack. But that didn’t happen: The federal government has taken no steps to require its software vendors, such as SolarWinds, to adopt it. Indeed, no government agency has even inquired about it, according to Cappos.”

Other experts also believe in-toto, which is free to use, would have been able to stop the attack in its tracks. Some private companies have embraced the software, including SolarWinds competitor Datadog. That company’s security engineer, in fact, contributed to the tools’ design and implementation. We are not sure what it will take to make the government require its vendors implement in-toto. Another major breach? Two or three? We shall see. See the write-up for more details about supply-chain attacks, the SolarWinds attack specifically, and how in-toto works.

Cynthia Murrell, February 17, 2021

2021: A Year with Two Gulps of Failure

February 11, 2021

I provide additional commentary on Microsoft’s late January 2021 about the SolarWinds’ misstep. The glitch seems to be like an ink stain. Over time, it spreads: China’s alleged involvement, one third of the security penetrations not involving SolarWinds’ software, and mounting suggestions about how long the bad actors were probing and possibly implanting backdoors in government agencies, big contractors, and commercial enterprises. You can view the video on this blog’s home page on January 9, 2021. For today (Monday, January 8, 2021) I want to call attention to two items.

The first is a useful list of situations in which malware, viruses, and other bad actor actions are not detected. You can find the list in “Why Antivirus Software Fails to Detect Latest Viruses and Malwares.” What’s interesting about the article is that none of the suggestions solves the problem of the Saturday Night Live / Donald Rumsfeld quip, “You don’t know what you don’t know.”

The second is the allegedly accurate information in the ABC News’s report “Former Capitol Police Chief Steven Sund Says Entire Intelligence Community Missed Signs of Riot.” Here’s a passage the Capitol Police’s former top dog to Ms. Pelosi included in the news story:

“Having previously handled two major post-election demonstrations successfully utilizing an action plan that was based on intelligence assessments that had proven to be credible, reliable, and accurate, we reasonably assumed the intelligence assessment for Jan. 6, 2021, was also correct.”

What this means to me is that the intel was off the mark.

Perhaps the SolarWinds’ misstep is the result of several factors. Let me raise these as possibilities:

First, the software designed to identify and flag breaches did not work. Furthermore, the infrastructure in wide use for Microsoft software was the carrier of the malware. No one noticed for possibly a year or more. FireEye investigated a mobile phone access issue and came across the multi-part, multi-stage attack. The breach was not one outfit. The penetration extended to as many as 18,000 organizations. It is not clear what the bad actor did once access to this gold mine of systems was achieved.

Second, the intelligence apparatus of multiple US entities did not characterize the scale, intent, and size of the “friendly” protest at the US Capitol in early January. If the information in the ABC News’s story is accurate, the intelligence reports, like the awareness of the SolarWinds’ misstep, were wide of the mark. Maybe in someplace like Cuba or Bali, just not in the Capitol Police’s tactical planning unit’s hands?

The conclusion is that I see two types of failure with a common root cause: A certain blindness.

Marketing, threat assessment webinars, and licensing existing cyber security software won’t address these, possibly inter related problems.

Not good. Marketing explanations are much better. The fix? Another BrightTALK cyber security briefing, more Microsoft security blog posts, and more security podcasts from former government security attorneys?

Stephen E Arnold, January 11, 2021

DarkCyber for February 9, 2021, Now Available

February 9, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known online services. The program is produced by Stephen E Arnold. You can view the program on the Beyond Search blog or on YouTube at this link.

This week’s program features a discussion of Microsoft’s explanation of the SolarWinds’ misstep. The online explanation is a combination of forensic information with an old-fashioned, almost Balmer-esque marketing pitch. Plus, DarkCyber responds to a viewer who wanted more information about locating bad actor hackers promoting their criminal capabilities on the Dark Web. The program highlights two Dark Web services and provides information to two online resources which offer additional information. Three other stories round out the February 9, 2021, program. Allegedly some of the software stolen in the SolarWinds’ misstep (a data breach which compromised more than 18,000 companies and government organizations) is available for sale. Information about the cost of the software and how to buy are provided. Next you learn about the app tracking technology which is creating friction between Apple and Facebook. Who benefits from tracking users’ actions hundreds of times each day? DarkCyber answers this question. The final story is another signature drone news item. If you think that one drone poses a challenge, consider the difficulty of dealing with thousands of miniature weaponized drones converging on a unit or disrupting warfighting tactics under live fire.

Kenny Toth, February 9, 2021

Google Speaks But Is MIT Technology Review Delivering Useful Information or Just PR?

February 4, 2021

I read “Google Says It’s Too Easy for Hackers to Find New Security Flaws.” I assume that the Google is thrilled that its systems and methods were not directly implicated in the SolarWinds’ misstep and possibly VMWare’s and Microsoft’s. But I don’t know because the information is dribbling out at irregular intervals and in my opinion has either been scrubbed or converted to euphemism. A good example is the Reuters’ report “Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on US Payroll Agency — Sources.”

The esteemed institution supported by Jeffrey Epstein and housing a expert who allegedly had ties to an American adversary’s officials reports:

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees.

What makes this story different is that the Google is now agreeing that today’s software is easy to compromise. The write up quotes an expert who offers:

Over its six-year lifespan, Google’s team has publicly tracked over 150 major zero-day bugs, and in 2020 Stone’s team documented 24 zero-days that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities. Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”

This is news? I think it is more self congratulatory just like the late January 2021 explanation of the SolarWinds’ misstep which I discuss in the February 9, 2021 DarkCyber video program. You can view the video on this blog.

Stephen E Arnold, February 4, 2021

Come On, Man: Hackers Seeking Legal Immunity

February 3, 2021

The hacking industry is thriving and there are companies labeled private sector offensive actors (PSOAs) selling cyberweapons enabling their customers to become hackers. PSOAs are nasty bad actor groups and they are trying to gain legal immunity to avoid criminal charges. Microsoft has more details in the story, “Cyber Mercenaries Don’t Deserve Immunity.”

One of these PSOAs trying to gain legal immunity is the NSO Group. The NSO Group sells cyberweapons to governments and the company argues its afforded the same legal immunity as its customers. Microsoft President Brad Smith stated the NSO Group’s business model is dangerous. It would allow other PSOAs to skirt laws and avoid any repercussions from their cyberweapons.

The biggest worry is that PSOAs’ technology could fall into the wrong hands and be used for nefarious deeds. Another worry is that if the NSO Group is granted sovereign immunity their actions will be profit driven rather than for the common good:

“Second, private-sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Additionally, some governments – like the United States – may share high-consequence vulnerabilities they discover with impacted technology providers so the providers can patch the vulnerability and protect their customers. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.”

Human rights are another concern, because governments run by bad actors can use the cyberweapons to harm their citizens. Anyone who fights for human rights could be tracked and have their information stolen. This could ultimately lead to their deaths.

The NSO Group and PSOAs must be held to the same standards as other private companies. If their products are used by bad actors with the PSOAs’ knowledge they must be held liable.

Whitney Grace, February 3, 2021

DarkCyber for January 12, 2021, Now Available

January 12, 2021

DarkCyber is a twice-a-month video news program about online, the Dark Web, and cyber crime. You can view the video on Beyond Search or at this YouTube link.

The program for January 12, 2021, includes a featured interview with Mark Massop, DataWalk’s vice president. DataWalk develops investigative software which leapfrogs such solutions as IBM’s i2 Analyst Notebook and Palantir Gotham. In the interview, Mr. Massop explains how DataWalk delivers analytic reports with two or three mouse clicks, federates or brings together information from multiple sources, and slashes training time from months to several days.

Other stories include DarkCyber’s report about the trickles of information about the SolarWinds’ “misstep.” US Federal agencies, large companies, and a wide range of other entities were compromised. DarkCyber points out that Microsoft’s revelation that bad actors were able to view the company’s source code underscores the ineffectiveness of existing cyber security solutions.

DarkCyber highlights remarkable advances in smart software’s ability to create highly accurate images from poor imagery. The focus of DarkCyber’s report is not on what AI can do to create faked images. DarkCyber provides information about how and where to determine if a fake image is indeed “real.”

The final story makes clear that flying drones can be an expensive hobby. One audacious drone pilot flew in restricted air zones in Philadelphia and posted the exploits on a social media platform. And the cost of this illegal activity. Not too much. Just $182,000. The good news is that the individual appears to have avoided one of the comfortable prisons available to authorities.

One quick point: DarkCyber accepts zero advertising and no sponsored content. Some have tried, but begging for dollars and getting involved in the questionable business of sponsored content is not for the DarkCyber team.

Finally, this program begins our third series of shows. We have removed DarkCyber from Vimeo because that company insisted that DarkCyber was a commercial enterprise. Stephen E Arnold retired in 2017, and he is now 77 years old and not too keen to rejoin the GenX and Millennials in endless Zoom meetings and what he calls “blatant MBA craziness.” (At least that’s what he told me.)

Kenny Toth, January 12, 2021

A Tiny Clue about the Entity Interested In the SolarWinds Misstep

January 11, 2021

I read “Putin’s Disinformation Campaign claims Stunning Victory with Capital Hill Coup.” The write up points out that a study by the Berkman Klein Center for Internet & Society describes a broad campaign against the United States. The article references a Rand study which offers additional color.

However, my interpretation of the write up is that Russia may be just one facet of the “truth decay” approach. Disinformation is complemented by penetration of US networks and systems. Even if no data were exfiltrated, undermining confidence is cyber security methods is another chess move by Russia.

The buzzword is widening the fissures. Serious weakness, exploitable weakness.

Stephen E Arnold, January 11, 2021

SolarWinds Are Gusting and Blowing Hard

January 5, 2021

Many pundits have reacted to the New York Times’ story “As Understanding of Russian Hacking Grows, So Does Alarm.” Work through those analyses. What’s missing? Quite a lot, but in this short blog post I want to address one issue that has mostly ignored.

At one time, there was a list on the SolarWinds’ Web site of the outfits which had been compromised. That list disappeared. I posted “Sun Spotting in the Solar Wind” on December 23, 2020. In that post, I reported three outfits which had been allegedly compromised by the SolarWinds’ misstep (and some of the information I used as a source remains online):

City of Barrie (Canada)

Newton Public Schools (US)

Regina Public Schools (Canada).

The question is, “Why are outfits like a municipality known as part of the Greater Golden Horseshoe, Newton’s public schools, and the Regina public schools? (I’ve been to Regina in the winter. Unforgettable is it.)

My research team and I discussed the alleged exploits taking up residence in these organizations; that is, allegedly, of course, of course.

Here’s what my team offered:

  • A launch pad for secondary attacks. The idea is that the original compromise was like a rat carrying fleas infected with the bubonic plague (arguably more problematic than the Rona)
  • A mechanism for placing malicious code on the computing devices of administrators, instructors, and students. As these individuals thumb typed away, these high trust individuals were infecting others in their social circle. If the infections were activated, downloads of tertiary malware could take place.
  • Institutions like these would connect to other networks. Malware could be placed in server nodes serving other institutions; for example, big outfits like Rogers Communications, a government ministry or two, and possibly the cloud customers of the beloved Rogers as well as BCE (Bell Canada’s parent) and Telus.

The odd ducks in the list of compromised organization, just might not be so odd after all.

That’s the problem, isn’t it? No one knows exactly when the misstep took place, what primary and downstream actions were triggered, and where subsequent rats with fleas infected with bubonic plague have go to.

Net net: It’s great to read so many words about a misstep and not have signals that the issue is understood, not even by the Gray Lady herself.

Stephen E Arnold, January 6, 2020


Next Page »

  • Archives

  • Recent Posts

  • Meta