Sharp Words about US Government Security

May 22, 2025

No AI. Just a dinobaby who gets revved up with buzzwords and baloney.

On Monday (April 29, 2025), I am headed to the US National Cyber Crime Conference. I am 80, and I don’t do too many “in person” lectures. Heck, I don’t do too many lectures anymore period. A candidate for the rest home or an individual ready for a warehouse for the soon-to-die is a unicorn amidst the 25 to 50 year old cyber fraud, law enforcement professionals, and government investigators.

In my lectures, I steer clear of political topics. This year, I have been assigned a couple of topics which the NCCC organizers know attract a couple of people out of the thousand or so attendees. One topic concerns changes in the Dark Web. Since I wrote “Dark Web Notebook” years ago, my team and I keep track of what’s new and interesting in the world of the Dark Web. This year, I will highlight three or four services which caught our attention. The other topic is my current research project: Telegram. I am not sure how I became interested in this messaging service, but my team and I will make available to law enforcement, crime analysts, and cyber fraud investigators a monograph modeled on the format we used for the “Dark Web Notebook.”

I am in a security mindset before the conference. I am on the lookout for useful information which I can use as a point of reference or as background information. Despite my age, I want to appear semi-competent. Thus, I read “Signalgate Lessons Learned: If Creating a Culture of Security Is the Goal, America Is Screwed.” I think the source publication is British. The author may be an American journalist.

Several points in the write up caught my attention.

First, the write up makes a statement I found interesting:

And even if they are using Signal, which is considered the gold-standard for end-to-end chat encryption, there’s no guarantee their personal devices haven’t been compromised with some sort of super-spyware like Pegasus, which would allow attackers to read the messages once they land on their phones.

I did not know that Signal was “considered the gold standard for end-to-end chat encryption.” I wonder if there are some data to back this up.

Second, is NSO Group’s Pegasus “super spyware”? My information suggests that there are more modern methods. Some link to Israel but others connect to other countries; for example, Spain, the former Czech Republic, and others. I am not sure what “super” means, and the write up does not offer much other than a nebulous adjectival “super spyware.”

Third, these two references are fascinating:

“The Salt Typhoon and Volt Typhoon campaigns out of China demonstrate this ongoing threat to our telecom systems. Circumventing the Pentagon’s security protocol puts sensitive intelligence in jeopardy.”

The authority making the statement is a former US government official who went on to found a cyber security company. There were publicized breaches, and I am not sure they are comparable to a Pegasus-type data exfiltration method. “Insider threats” are different from lousy software from established companies with vulnerabilities as varied as Joseph’s multi-colored coat. An insider, of course, is an individual presumed to be “trusted”; however, that entity may provide information for money to an individual who wants to compromise a system, may be a person who makes an error (honest or otherwise), or may be a victim of quite sophisticated malware specifically designed to enable targeted emails that obtain information to compromise that person or a system. In fact, the most sophisticated of these “phishing” attack systems are available for about $250 per month for the basic version, with higher fees associated with more robust crime-as-a-service vectors of compromise.

The opinion piece seems to focus on a single issue involving one of the US government’s units. I am okay with that; however, I think a slightly different angle would put the problem and challenge of “security” in a context less focused on ad hominem rhetorical methods.

Stephen E Arnold, May 22, 2025

AI: Improving Spam Quality, Reach, and Effectiveness

May 22, 2025

It is time to update our hoax detectors. The Register warns, “Generative AI Makes Fraud Fluent—from Phishing Lures to Fake Lovers.” What a great phrase: “fluent fraud.” We can see it on a line of hats and t-shirts. Reporter Iain Thomson consulted security pros Chester Wisniewski of Sophos and Kevin Brown at NCC Group. We learn:

“One of the red flags that traditionally identified spam, including phishing attempts, was poor spelling and syntax, but the use of generative AI has changed that by taking humans out of the loop. … AI has also widened the geographical scope of spam and phishing. When humans were the primary crafters of such content, the crooks stuck to common languages to target the largest audience with the least amount of work. But, Wisniewski explained, AI makes it much easier to craft emails in different languages.”

For example, residents of Quebec used to spot spam by its use of European French instead of the Québécois dialect. Similarly, folks in Portugal learned to dismiss messages written in Brazilian Portuguese. Now, though, AI makes it easy to replicate regional dialects. Perhaps more eerily, it also makes it easier to replicate human empathy. Thomson writes:

“AI chatbots have proven highly effective at seducing victims into thinking they are being wooed by an attractive partner, at least during the initial phases. Wisniewski said that AI chatbots can easily handle the opening phases of the scams, registering interest and appearing to be empathetic. Then a human operator takes over and begins removing funds from the mark by asking for financial help, or encouraging them to invest in Ponzi schemes.”

Great. To make matters worse, much of this is now taking place with realistic audio fakes. For example:

“Scammers might call everybody on the support team with an AI-generated voice that duplicates somebody in the IT department, asking for a password until one victim succumbs.”

Chances are good someone eventually will. Whether video bots are a threat (yet) is up for debate. Wisniewski, for one, believes convincing, real-time video deepfakes are not quite there. But Brown reports the experienced pros at his firm have successfully created them for specific use cases. Both believe it is only a matter of time before video deepfakes become not only possible but easy to create and deploy. It seems we must soon learn to approach every interaction that is not in-person with great vigilance and suspicion. How refreshing.

Cynthia Murrell, May 22, 2025

Stolen iPhone Building: Just One Building?

May 21, 2025

Just the dinobaby operating without Copilot or its ilk.

I am not too familiar with the outfits which make hardware and software to access mobile phones. I have heard that these gizmos exist and work. Years ago I learned that some companies — well, one company lo those many years ago — could send a text message to a mobile phone and gain access to the device. I have heard that accessing iPhones and some Androids is a tedious business. I have heard that some firms manufacture specialized data retention computers to support the work required to access certain actors’ devices.

So what?

This work has typically required specialized training, complex hardware, and sophisticated software. The idea that there was an industrial process for accessing locked and otherwise secured mobile phones was not one I heard from experts or read about on hacker fora.

And what happens? The weird orange newspaper published “Inside China’s Stolen iPhone Building.” The write up is from a “real news” outfit, the Financial Times. The story — if dead accurate — may be a reminder that cyber security has been gifted with another hole in its predictive, forward-leaning capabilities.

The write up explains how phones are broken down, parts sold, or (if unlocked) resold. But there is one passage in the write up which hip hops over what may be the “real” story. Here’s the passage:

Li [a Financial Times’ named source Kevin Li, who is an iPhone seller] insisted there was no way for phone sellers to force their way into passcode-locked devices. But posts on western social media show that many who have their phones stolen receive messages from individuals in Shenzhen either cajoling them or threatening them to remotely wipe their devices and remove them from the FindMy app. “For devices that have IDs, there aren’t that many places that have demand for them,” says Li, finishing his cigarette break. “In Shenzhen, there is demand . . . it’s a massive market.”

With the pool of engineering and practical technical talent, is it possible that this “market” in China houses organizations or individuals who can:

  1. Modify an unlocked phone so that it can operate as a node in a larger network?
  2. Use software — possibly similar to that developed by NSO Group-type entities — to compromise mobile devices. Then these devices are not resold if they contain high-value information. The “customer” could be a third party like an intelligence technology firm or a government entity in a list of known buyers?
  3. Use devices which emulate the functions of certain intelware-centric companies to extract information and further industrialize the process of returning a used mobile to an “as new” condition.

Are these questions ones of interest to the readership of the Financial Times in the British government and its allies? Could the Financial Times ignore the mundane refurbishment market and focus on the “massive market” for devices that are not supposed to be unlocked?

Answer: Nope. Write about what could be said about refurbing iPads, electric bicycles, or smart microwaves. The key paragraph reveals that that building in China is probably one which could shed some light on what is an important business. If specialized hardware and software exist in the US and Western Europe, there is a reasonable chance that similar capabilities are available in the “iPhone building.” That’s a possible “real” story.

Stephen E Arnold, May xx, 2025

Scamming: An Innovation Driver

May 19, 2025

Readers who caught the 2022 documentary “The Tinder Swindler” will recognize Pernilla Sjöholm as one of that conman’s marks. Since the film aired, Sjöholm has co-developed a tool to fend off such fraudsters. The Next Web reports, “Tinder Swindler Survivor Launches Identity Verifier to Fight Scams.” The platform, cofounded with developer Suejb Memeti, is called IDfier. Writer Thomas Macaulay writes:

“The platform promises a simple yet secure way to check who you’re interacting with. Users verify themselves by first scanning their passport, driver’s license, or ID card with their phone camera. If the document has an NFC (near-field communication), IDfier will also scan the chip for additional security. The user then completes a quick head movement to prove they’re a real person — rather than a photo, video, or deepfake. Once verified, they can send other people a request to do the same. Both of them can then choose which information to share, from their name and age to their contact number. All their data is encrypted and stored across disparate servers. IDfier was built to blend this security with precision. According to the platform, the tech is 99.9% accurate in detecting real users and blocking impersonation attempts. The team envisions the system securing endless online services, from e-commerce and email to social media and, of course, dating apps such as Tinder.”

For those who have not viewed the movie: In 2018 Sjöholm and Simon Leviev met on Tinder and formed what she thought was a close, in-person relationship. But Simon was not the Leviev he pretended to be. In the end, he cheated her out of tens of thousands of euros with a bogus sob story.

It is not just fellow humans’ savings Sjöholm aims to protect, but also our hearts. She emphasizes such tactics amount to emotional abuse as well as fraud. The trauma of betrayal is compounded by a common third-party reaction—many observers shame victims as stupid or incautious. Sjöholm figures that is because people want to believe it cannot happen to them. And it doesn’t. Until it does.

Since her ordeal, Sjöholm has been dismayed to see how convincing deepfakes have grown and how easy they now are to make. She is also appalled at how vulnerable our children are. Someday, she hopes to offer IDfier free for kids. We learn:

“Sjöholm’s plan partly stems from her experience giving talks in schools. She recalls one in which she asked the students how many of them interacted with strangers online. ‘Ninety-five percent of these kids raised their hands,’ she said. ‘And you could just see the teacher’s face drop. It’s a really scary situation.’”

We agree. Sjöholm states that between fifty and sixty percent of scams involve fake identities. And, according to The Global Anti-Scam Alliance, scams collectively rake in more than $1 trillion (with a “t”) annually. Romance fraud alone accounts for several billion dollars, according to the World Economic Forum. At just $2 per month, IDfier seems like a worthwhile precaution for those who engage with others online.

Cynthia Murrell, May 19, 2025

Retail Fraud Should Be Spelled RetAIl Fraud

May 16, 2025

As brick-and-mortar stores approach extinction and nearly all shopping migrates to the Web, AI introduces new vulnerabilities to the marketplace. Shocking, we know. Cyber Security Intelligence reports, “ChatGPT’s Image Generation Could Be Driving Retail Fraud.” We learn:

“The latest AI image generators can create images that look like real photographs as well as imagery from simple text prompts with incredible accuracy. It can reproduce documents with precisely matching formatting, official logos, accurate timestamps, and even realistic barcodes or QR codes. In the hands of fraudsters, these tools can be used to commit ‘return fraud’ by creating convincing fake receipts and proof-of-purchase documentation.”

But wait, there is more. The post continues: 

“Fake proof of purchase documentation can be used to claim warranty service for products that are out of warranty or purchased through unauthorised channels. Fraudsters could also generate fake receipts showing purchases at higher values than was actually paid for – then requesting refunds to gift cards for the inflated amount. Internal threats also exist too, as employees can create fake expense receipts for reimbursement. This is particularly damaging for businesses with less sophisticated verification processes in place. Perhaps the scenario most concerning of all is that these tools can enable scammers to generate convincing payment confirmations or shipping notices as part of larger social engineering attacks.”

Also of concern is the increased inconvenience to customers as sites beef up their verification processes. After all, the write-up notes, the National Retail Federation found 70% of customers say a positive return experience makes them more likely to revisit a seller.

So what is a retail site to do? Well, author Doriel Abrahams is part of Forter, a company that uses AI to protect online sellers from fraud. Naturally, he suggests using a platform like his firm’s to find suspicious patterns without hindering legit customers too much. Is more AI the solution? We are not certain. If one were to go down that route, though, one should probably compare multiple options.

Cynthia Murrell, May 16, 2025

Smart Software Exploits Direct Tuition Payment. Sure, the Fraud Is Automated

April 22, 2025

No AI, just the dinobaby himself.

The Voice of San Diego published “As Bot Students Continue to Flood In, Community Colleges Struggle to Respond.” The write up is one of those recipes that “real” news outfits provide to inform their readers about a crime. When I worked through the article, my reaction was, “The process California follows for community college student assistance is a big juicy sandwich on a picnic table in the park on a warm summer day.”

Will the insects flock to the sandwich?

Absolutely. Plus, telling the insects where the sandwich is and the basics of getting their mandibles on that sandwich does one thing: provide an easy-to-follow set of instructions for a bad actor.

The write up says:

Kevin Alston, a business professor who has taught at Southwestern for nearly 20 years, has stumbled across even more troubling incidents. During a prior semester, he actually called some of the students who were enrolled in his classes but had not submitted any classwork. “One student said ‘I’m not in your class. I’m not even in the state of California anymore,’” Alston recalled. The student told him they had been enrolled in his class two years ago but had since moved on to a four-year university out of state. “I said, ‘Oh, then the robots have grabbed your student ID and your name and re-enrolled you at Southwestern College. Now they’re collecting financial aid under your name,’” Alston said.

The opportunity for fraud is a result of certain rules and regulations that require that financial aid be paid directly to the “student.” Enroll as a fake student and get a chunk of money. The more fake students that apply and receive aid, the more money the fake students receive.

California appears to be taking steps to reduce the fraud.

Several observations:

  1. A basket of rules and regulations appears to create this fraud opportunity
  2. Smart software in the hands of clever individuals allows the bad actors to collect money. (I am not sure how one cashes multiple checks made out to a fake person, but obviously there are ways around this problem. Are those nifty automatic teller machine deposits an issue?)
  3. The problem, according to the write up, has been known and getting larger since 2021.

I must admit that I think about online fraud in the hands of pig butchering outfits in the Golden Triangle. The fake student scam sounds like a smaller scale operation. Making a teacher the one who must identify the fake student does not seem to be working.

Okay, let’s see what the great state of California does to resolve this problem. Perhaps the instructors need to attend online classes in fraud detection, apply for financial aid, and get an extra benefit for this non-teaching work? Will community college teachers make good cyber investigators? Sure, especially those teaching history, social science, and literature classes.

Stephen E Arnold, April 22, 2025

The French Are Going After Enablers: Other Countries May Follow

April 16, 2025

Another post by the dinobaby. Judging by the number of machine-generated images of young female “entities” I receive, this 80-year-old must be quite fetching to some scammers with AI. Who knew?

Emboldened by the French judiciary’s ability to reason with Pavel Durov, the Paris Judicial Tribunal is going after what I call “enablers.” The term applies to the legitimate companies which make their online services available to customers. With the popularity of self-managed virtual machines, the online services firms receive an online order, collect a credit card, validate it, and let the remote customer set up and manage a computing resource.

Hey, the approach is popular and does not require expensive online service technical staff to do the handholding. Just collect the money and move forward. I am not sure the Paris Judicial Tribunal is interested in virtual anything. According to “French Court Orders Cloudflare to ‘Dynamically’ Block MotoGP Streaming Piracy”:

In the seemingly endless game of online piracy whack-a-mole, a French court has ordered Cloudflare to block several sites illegally streaming MotoGP. The ruling is an escalation of French blocking measures that began increasing their scope beyond traditional ISPs in the last few months of 2024. Obtained by MotoGP rightsholder Canal+, the order applies to all Cloudflare services, including DNS, and can be updated with ‘future’ domains.

The write up explains:

The reasoning behind the blocking request is similar to a previous blocking order, which also targeted OpenDNS and Google DNS. It is grounded in Article L. 333-10 of the French Sports Code, which empowers rightsholders to seek court orders against any outfit that can help to stop ‘serious and repeated’ sports piracy. This time, SECP’s demands are broader than DNS blocking alone. The rightsholder also requested blocking measures across Cloudflare’s other services, including its CDN and proxy services.

The approach taken by the French provides a framework which other countries can use to crack down on what seem to be legal online services. Many of these outfits expose one face to the public and regulators. Like the fictional Dr. Jekyll and Mr. Hyde, these online service firms make it possible for bad actors to perform a number of services to a special clientele; for example:

  • Providing outlets for hate speech
  • Hosting all or part of a Dark Web eCommerce site
  • Allowing “roulette wheel” DNS changes for streaming sites distributing sports events
  • Enabling services used by encrypted messaging companies whose clientele engages in illegal activity
  • Hosting images of a controversial nature

How can this be? Today’s technology makes it possible for an individual to do a search for a “DMCA ignored” advertisement for a service provider. Then one locates the provider’s Web site. Using a stolen credit card and the card owner’s identity, the bad actor signs up for a service from these providers:

(Image: SporeStack’s list of enablers)

This is a partial list of Dark Web hosting services compiled by SporeStack. Do you recognize the vendors Digital Ocean or Vultr? I recognized one.

These providers offer virtual machines and an API for interaction. With a bit of effort, the online providers have set up a vendor-customer experience that allows the online provider to say, “We don’t know what customer X is doing.” A cyber investigator has to poke around hunting for the “service” identified in the warrant in the hopes that the “service” will not be “gone.”

My view is that the French court may be ready to make life a bit less comfortable for some online service providers. The cited article asserts:

… the blockades may not stop at the 14 domain names mentioned in the original complaint. The ‘dynamic’ order allows SECP to request additional blockades from Cloudflare, if future pirate sites are flagged by French media regulator, ARCOM. Refusal to comply could see Cloudflare incur a €5,000 daily fine per site. “[Cloudflare is ordered to implement] all measures likely to prevent, until the date of the last race in the MotoGP season 2025, currently set for November 16, 2025, access to the sites identified above, as well as to sites not yet identified at the date of the present decision,” the order reads.

The US has a proposed site blocking bill as well.

But the French may continue to push forward using the “Pavel Durov action” as evidence that sitting on one’s hands and worrying about international repercussions is a waste of time. If companies like Amazon and Google operate in France, the French could begin tire kicking in the hopes of finding a bad wheel.

Mr. Durov believed he was not going to have a problem in France. He is a French citizen. He had the big time Kaminski firm represent him. He has lots of money. He has 114 children. What could go wrong? For starters, the French experience convinced him to begin cooperating with law enforcement requests.

Now France is getting some first hand experience with the enablers. Those who dismiss France as a land with too many different types of cheese may want to spend a few moments reading about French methods. Only one nation has some special French judicial savoir faire.

Stephen E Arnold, April 16, 2025

Passwords: Reuse Pumps Up Crime

April 8, 2025

Cloudflare reports that password reuse is one of the biggest mistakes users make that compromises their personal information online. Cloudflare monitored traffic through its services between September and November 2024 and discovered that 41% of all logins to Cloudflare-protected Web sites used compromised passwords. Cloudflare discussed this vulnerability in the blog post “Password Reuse Is Rampant: Nearly Half Of Observed User Logins Are Compromised.”

As part of its services, Cloudflare monitors whether passwords have been leaked in any known data breaches and then warns users of the potential threat. Cloudflare analyzed traffic from Internet properties on the company’s free plan that includes the leaked credentials feature.
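The mechanism behind a “leaked credentials” warning is worth seeing in code, because it answers the obvious objection: how does a service check your password against breach data without ever receiving the password? The following Python is an added example, not Cloudflare’s code or data. It implements the k-anonymity range query popularised by Pwned Passwords: the client hashes the password with SHA-1, sends only the first five hex characters, and finishes the comparison locally. The breach corpus, the `range_query` server stub and the `login_policy` helper are constructed for this example.

```python
"""Compromised-password lookup that never sends the password (added example).

Modelled on the k-anonymity range query popularised by Pwned Passwords: the
client hashes the candidate password, sends only the first five hex characters
of the digest, and finishes the comparison locally against the suffixes the
server returns. The breach corpus below is constructed for this example; it is
not Cloudflare's data or code.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: plaintext -> number of times seen in dumps.
_BREACHED = {
    "password": 9_545_824,
    "123456": 37_359_195,
    "letmein": 264_155,
    "correcthorsebatterystaple": 12,
}

HEX = "0123456789ABCDEF"


def sha1_hex(password):
    """Uppercase hex SHA-1 of the UTF-8 password (the scheme's hash function)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Server side: group breached hashes by 5-char prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for plaintext, count in corpus.items():
        digest = sha1_hex(plaintext)
        index[digest[:5]][digest[5:]] = count
    return index


BREACH_INDEX = build_index(_BREACHED)


def range_query(prefix):
    """Server side: 'SUFFIX:COUNT' lines for every breached hash sharing the prefix.

    The server only ever learns 5 hex characters (20 bits) of the hash, so it
    cannot tell which password the client is checking.
    """
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = BREACH_INDEX.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def leaked_count(password, query=range_query):
    """Client side: how many times the password appears in breaches (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def login_policy(username, password):
    """What a site might do at login: force a reset when the password is known-leaked."""
    n = leaked_count(password)
    if n == 0:
        return "allow"
    return f"reset-required: password for {username} seen {n} times in breach data"


if __name__ == "__main__":
    for pw in ("password", "correcthorsebatterystaple", "Tr0ub4dor&3-unique"):
        print(pw, "->", login_policy("demo-user", pw))
```

The point of the design is that the hash prefix, not the password or its full hash, is the only thing that crosses the wire; a real deployment would call the remote range endpoint where `range_query` is called here, and would treat any non-zero count as grounds to block the login and require a new password rather than merely warn.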

When Cloudflare conducted this research, the biggest challenge was distinguishing between real humans and bad actors. They focused on successful login attempts, because these indicate real humans were involved. The data revealed that 41% of human authentication attempts involved leaked credentials. Despite PSAs warning against reusing old passwords, users haven’t changed their ways.

Bot attacks are also on the rise. These bots are programmed with stolen passwords and credentials and are told to test them on targeted Web sites.

Here’s what Cloudflare found:

“Data from the Cloudflare network exposes this trend, showing that bot-driven attacks remain alarmingly high over time. Popular platforms like WordPress, Joomla, and Drupal are frequent targets, due to their widespread use and exploitable vulnerabilities, as we will explore in the upcoming section.

Once bots successfully breach one account, attackers reuse the same credentials across other services to amplify their reach. They even sometimes try to evade detection by using sophisticated evasion tactics, such as spreading login attempts across different source IP addresses or mimicking human behavior, attempting to blend into legitimate traffic. The result is a constant, automated threat vector that challenges traditional security measures and exploits the weakest link: password reuse.”

Cloudflare advises people to have multi-factor authentication on accounts, explore using passkeys, and for God’s sake please change your password. I have heard that Telegram’s technology enables some capable bots. Does Telegram rely on Cloudflare for some services? Huh.
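The bot behaviour Cloudflare describes, a stolen credential list tried across many accounts and then spread over many source IPs to blend in, leaves two distinct signatures in login logs, and both are cheap to detect. The following Python is an added example, not Cloudflare’s code; the log line format, the sample lines and the thresholds are constructed assumptions for the demonstration.

```python
"""Credential-stuffing detection over login logs (added example).

Two signals drawn from the Cloudflare description: one source trying many
different accounts with mostly failures, and one account hit from many
sources (an attack spread across IPs to look like organic traffic). The log
lines are constructed for this example; format and thresholds are assumptions,
not Cloudflare's.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: two legitimate users, one noisy stuffing source, and a
# low-and-slow spray against carol and dave from four rotating sources.
SAMPLE_LOG = """\
2024-10-03T12:00:01Z ip=198.51.100.4 user=alice result=ok
2024-10-03T12:05:40Z ip=198.51.100.4 user=alice result=ok
2024-10-03T12:06:02Z ip=198.51.100.9 user=bob result=fail
2024-10-03T12:06:15Z ip=198.51.100.9 user=bob result=ok
2024-10-03T12:10:00Z ip=203.0.113.7 user=alice result=fail
2024-10-03T12:10:01Z ip=203.0.113.7 user=bob result=fail
2024-10-03T12:10:02Z ip=203.0.113.7 user=carol result=fail
2024-10-03T12:10:03Z ip=203.0.113.7 user=dave result=fail
2024-10-03T12:10:04Z ip=203.0.113.7 user=erin result=fail
2024-10-03T12:10:05Z ip=203.0.113.7 user=frank result=fail
2024-10-03T12:10:06Z ip=203.0.113.7 user=grace result=fail
2024-10-03T12:10:07Z ip=203.0.113.7 user=hank result=ok
2024-10-03T12:20:00Z ip=192.0.2.1 user=carol result=fail
2024-10-03T12:20:30Z ip=192.0.2.1 user=dave result=fail
2024-10-03T12:31:00Z ip=192.0.2.2 user=carol result=fail
2024-10-03T12:31:30Z ip=192.0.2.2 user=dave result=fail
2024-10-03T12:42:00Z ip=192.0.2.3 user=carol result=fail
2024-10-03T12:42:30Z ip=192.0.2.3 user=dave result=fail
2024-10-03T12:53:00Z ip=192.0.2.4 user=carol result=fail
2024-10-03T12:53:30Z ip=192.0.2.4 user=dave result=fail
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flagged_sources(events, min_users=5, min_fail_ratio=0.75):
    """IPs that try many distinct accounts and mostly fail: classic stuffing."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["fails"] += 1 if e["result"] == "fail" else 0
        s["users"].add(e["user"])
    return sorted(
        ip for ip, s in stats.items()
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio
    )


def sprayed_accounts(events, min_ips=3):
    """Accounts with failed logins from many distinct sources: distributed stuffing.

    Per-IP thresholds miss this case because each source stays quiet; the
    account-side view catches the spread.
    """
    fail_ips = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            fail_ips[e["user"]].add(e["ip"])
    return sorted(user for user, ips in fail_ips.items() if len(ips) >= min_ips)


def report(text):
    """Summary a SOC dashboard or alert rule would consume."""
    events = parse_log(text)
    return {
        "events": len(events),
        "noisy_sources": flagged_sources(events),
        "sprayed_accounts": sprayed_accounts(events),
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

In the sample, the single loud source is caught by the per-IP rule, while the four quiet sources each stay under that rule’s radar and are only exposed by looking at the targeted accounts; that is why both views are needed, and why the fix Cloudflare recommends (MFA, passkeys, no reuse) matters more than either rule, since a correct password from a leaked pair produces an `ok` that neither detector sees.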

Whitney Grace, April 8, 2025

Telegram Lecture at TechnoSecurity & Digital Forensics on June 4, 2025

April 3, 2025

No AI. Just a dinobaby sharing an observation about younger managers and their innocence.

The organizers of the June 2025 TechnoSecurity & Digital Forensics Conference posted a 60-second overview of our Telegram Overview lecture on LinkedIn. You can view the conference’s 60-second video at https://lnkd.in/eTSvpYFb. Erik and I have been doing presentations on specific Telegram subjects for law enforcement groups. Two weeks ago, we provided to the Massachusetts Association of Crime Analysts a 60-minute rundown of the technical architecture of Telegram and identified three US companies providing services to Telegram. To discuss a presentation for your unit, please message me via LinkedIn. (Plus, my son and I are working to complete our 100-page PDF notes of our examination of Telegram’s more interesting features. These range from bots which automate cross-blockchain crypto movement to the automatic throttling function in the Telegram TON Virtual Machine to prevent transaction bottlenecks in complex crypto wallet obfuscations.) See you there. — Thank you, Stephen E Arnold, April 3, 2025, 2:23 pm US Eastern

No Joke: Real Secrecy and Paranoia Are Needed Again

April 1, 2025

No AI. Just a dinobaby sharing an observation about younger managers and their innocence.

In the US and the UK, secrecy and paranoia are chic again. The BBC reported “GCHQ Worker Admits Taking top Secret Data Home.” Ah, a Booz Allen / Snowden type story? The BBC reports:

The court heard that Arshad took his work mobile into a top secret GCHQ area and connected it to work station. He then transferred sensitive data from a secure, top secret computer to the phone before taking it home, it was claimed. Arshad then transferred the data from the phone to a hard drive connected to his personal home computer.

Mr. Snowden used a USB drive. The question is, “What are the bosses doing? Who is watching the logs? Who is checking the video feeds? Who is hiring individuals with some inner need to steal classified information?”

But outside phones in a top secret meeting? That sounds like a great idea. I attended a meeting held by a local government agency, and phones and weapons were put in little steel boxes. This outfit was no GCHQ, but the security fellow (a former Marine) knew what he was doing for that local government agency.

A related story addresses paranoia, a mental characteristic which is getting more and more popular among some big dogs.

CNBC reported an interesting approach to staff trust. “Anthropic Announces Updates on Security Safeguards for Its AI Models” reports:

In an earlier version of its responsible scaling policy, Anthropic said it would begin sweeping physical offices for hidden devices as part of a ramped-up security effort.

The most recent update to the firm’s security safeguards adds:

updates to the “responsible scaling” policy for its AI, including defining which of its model safety levels are powerful enough to need additional security safeguards.

The actual explanation is a masterpiece of clarity. Here’s a snippet of what Anthropic actually said in its “Anthropic’s Responsible Scaling Policy” announcement:

The current iteration of our RSP (version 2.1) reflects minor updates clarifying which Capability Thresholds would require enhanced safeguards beyond our current ASL-3 standards.

The Anthropic methods, it seems to me, include “sweeps” and “compartmentalization.”

Thus, we have two examples of outstanding management:

First, the BBC report implies that personal computing devices can plug in and receive classified information.

And:

Second, CNBC explains that sweeps are not enough. Compartmentalization of systems and methods puts in “cells” who can do what and how.

Andy Grove’s observation popped into my mind. He allegedly rattled off this statement:

Success breeds complacency. Complacency breeds failure. Only the paranoid survive.

Net net: Cyber security is easier to “trust” and “assume”. Real fixes edge into fear and paranoia.

Stephen E Arnold, April 9, 2025
