Swipe Right for the Hottest Munitions

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Durov Bailed and Must Stay in France, Report to Police

Telegram founder and CEO Pavel Durov has been released from custody by French authorities on 5 million euros bail and banned from leaving French territory over charges related to illegal activity on the app.

Durov was detained last weekend after he flew into Paris-Le Bourget Airport on a private jet and was bailed out on Wednesday. 

Although the investigation is being framed by some as an attack on free speech, the charges center around Durov deliberately avoiding responsibilities to tackle illegal and abhorrent content on Telegram.

According to media reports, the charges include being complicit in running an online platform that allows sharing of child sexual abuse material (CSAM), drug trafficking, fraud, money laundering, as well as not cooperating with authorities when required by law. There is a “kitchen sink” element to the charges, which also include operating encrypted services or tools without filling out the correct paperwork.

Le Monde reported that OFMIN (l’Office Mineurs), a French police office that tackles violent crimes against children, issued the warrant for Durov’s arrest. In a now-deleted LinkedIn post, Jean-Michel Bernigaud, OFMIN’s secretary general said that “at the heart of this case is the lack of moderation and cooperation of the platform (which has nearly 1 billion users), particularly in the fight against pedocriminality.”

POLITICO EU reports the specific incident cited in the arrest warrant was Telegram’s refusal to identify a specific user after being served a judicial request. Per Politico, which viewed a document relating to the warrant:

The warrants [for Pavel Durov and his brother Nikolai] were issued after an undercover investigation into Telegram led by the cybercrime branch of the Paris prosecutor’s office, during which a suspect discussed luring underaged girls into sending “self-produced child pornography,” and then threatening to release it on social media.
The suspect also told the investigators he had raped a young child, according to the document. Telegram did not respond to the French authorities’ request to identify the suspect.

Of all the major social media platforms, Telegram has the most combative attitude to content moderation and lawful assistance requests. Its FAQ says it uses its distributed architecture to confound court orders:

Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.
Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people’s privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.
To this day, we have disclosed 0 bytes of user data to third parties, including governments.

Telegram’s terms of service state that illegal pornographic content is not allowed on its publicly viewable areas. Its FAQ says it will only take action on illegal content in these areas, which comprise sticker sets, channels and bots:

All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them. 

In other words, in private groups, which include up to 200,000 people, anything goes. No surprise, then, that a number of investigations have found child abuse material for sale on Telegram. 

Although Telegram is viewed as an encrypted messaging app, it is not, really, based on modern use of the term (see cryptographer Matthew Green’s explainer about Telegram encryption). It doesn’t support default end-to-end encryption (E2EE) like WhatsApp, iMessage and Signal do.

However, in a very real sense, these apps don’t compete with Telegram because their use of E2EE imposes technical limits on group sizes. iMessage groups are limited to 32 participants, Signal groups are limited to 1,000, and WhatsApp to 1,024. Turns out that implementing E2EE across groups with lots of participants is not trivial.

Telegram’s unique value proposition is providing large groups with light to nonexistent moderation in a place that isn’t Facebook. Telegram actually describes itself as a “cloud-based messenger” that provides “seamless sync” across devices. To do that, it needs access to the content of those messages.

Because Telegram can access the content of conversations, it certainly could invest in moderation. It just chooses not to. NBC News reported that child safety groups in the U.S., U.K., and Canada all get short shrift from Telegram when reporting CSAM.

This is in contrast to an app like Signal, for example, which also espouses privacy-first values. Signal, however, has built its app so that the technology reflects those values and it collects no content from its users and minimal metadata about how they use the service. This means that Signal responds to law enforcement requests but provides only the account creation dates and the date an account last accessed the service in response.

In practical terms, Signal is just as helpful as Telegram is, but it can honestly say that it has wholeheartedly cooperated with court orders.

Some people may feel that the arrest of Durov is somehow unfair or unjust, or a demonstration of coercive state control. However, our view is that Durov, as CEO, is ultimately responsible for moderating how his platform is used and the content allowed on it.

Swipe Right for the Hottest Munitions

The U.S. military purchased Tinder ads in the Middle East to warn Iran and its proxies against attacking Israel.

The ads are overt, feature the U.S. Central Command’s logo and pictures of F-16 and A-10 aircraft and say, “Do not take up arms against the United States or its partners.” The Washington Post reported former military information operations officers were skeptical the Tinder ads would be effective in isolation, although one thought it could be effective as part of a broader, longer-term campaign.

We like that the ads are sending a direct message, rather than like some previous U.S. operations that attempted to covertly manipulate populations. And, even if the ads are part of a broader campaign that fails, these operations are cheap compared to the costs of real war.

Our Dear Leader Interviews ASIO’s Mike Burgess

Last week Risky Business publisher Patrick Gray interviewed Mike Burgess, the director general of the Australian Security Intelligence Organisation (ASIO). ASIO is responsible for protecting Australia from espionage, terrorism, and foreign interference threats. The pair discuss the rise of encrypted messaging apps, the changing threat environment, and the future of telecommunication and communication providers’ assistance to law enforcement.

Catch the interview here.

Three Reasons to Be Cheerful This Week:

1. Free Microsoft logs paying off for security: The Cybersecurity and Infrastructure Security Agency (CISAconfirmed to Cybersecurity Dive that Microsoft’s (reluctant) move to provide more logs for no extra cost is resulting in improved security. Microsoft expanded customer access to logs in the wake of a 2023 hack of around 25 organizations that the State Department detected because it was paying for enhanced logging. 
2. Seizing opportunity from the CrowdStrike disaster: In the wake of the CrowdStrike outage, Microsoft will host a summit about how to make endpoint security more resilient. The seriousness of the outage will prompt stakeholders to take actions that might otherwise be held up by concerns Microsoft wants to empower its own endpoint solution while neutering competitors.
3. Justice comes for ransomware-as-a-service innovator: The U.K.’s National Crime Agency (NCA) announced that Maksim Silnkau, who used the moniker “JP Morgan,” was arrested in Spain and has been extradited to the U.S. The NCA says Silnikau’s criminal activities date back to 2011, when, along with associates, he introduced  Reveton, the first malware using the ransomware-as-a-service business model. Silnikau was also involved in malvertising and developed and distributed exploit kits including Angler.

Shorts

Spotting North Korean Recruits

Trust and safety company Cinder has published a great explainer on how it detected North Korean information technology workers attempting to sneak through its recruitment process.

These workers are likely operating at the behest of the North Korean government to funnel money to the regime. Employing them is risky because of the potential for data or intellectual property theft, or the deployment of malicious software, and may also break international sanctions.

After investigating suspicious applicants, Cinder created a list of indicators or common characteristics that suggested North Korean applicants. Based on these indicators, it found that, on some job sites, “roughly 80% of inbound applicants with experience matching our stack were suspected North Koreans.” Declan Cummings, the post’s author, says the company had a unique perspective on the problem:

[O]ur company is in the internet safety industry, two of our co-founders came from the CIA, and I have twelve years of experience working on cybersecurity and human rights issues related to North Korea.

Endpoint Security Protects Against Lawsuits, Too

The U.S. government has joined a whistleblower lawsuit against the Georgia Institute of Technology alleging that it did not observe cybersecurity obligations in contracts with the U.S. Department of Defense.

One of the violations was that a key individual prevented the installation of active endpoint protection software, describing it as a “nonstarter.”

This suit  is part of a broader effort to punish contractors who shirk cybersecurity requirements under a 2021 Department of Justice Civil Cyber-Fraud initiative.

Just a Few U.S. Election Phishing Domains

Security firm BforeAI has found over 3,800 malicious domains attempting to take advantage of or manipulate voters in the upcoming U.S. election. They identified the sites by analyzing newly registered domains for relevant words such as Trump, Harris, Kamala, and Biden.

Most of the sites were used for criminal purposes such as phishing for personally identifiable information or credit card information.

Some websites were attempting to mislead voters by providing incorrect information about voting dates, locations, and requirements. It’s unclear from the report who is behind the sites that are trying to suppress voter turnout.

The good news here, we suppose, is that these voter suppression websites aren’t likely to make much of a difference, because they’ll be swamped by criminal ones.

Risky Biz Talks

You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify). 

In the latest “Between Two Nerds” discussion, Tom Uren and The Grugq discuss the opportunities in phishing and why it is both easy and difficult.

From Risky Biz News:

Volt Typhoon returns with a new zero-day: Chinese cyber-espionage group Volt Typhoon has used a zero-day in a network virtualization server to breach the infrastructure of U.S. Internet service providers and managed service providers.

The attacks began in June and are still ongoing, according to internet infrastructure company Lumen.

They target Versa Director [PDF], a type of server that allows companies to virtualize or segment their networks on a large scale—hence why its customers typically include large corporations, cloud providers, and internet service providers.

[more on Risky Business News]

Digital wallet apps, the new frontier for card fraud: An academic study presented earlier this month at the USENIX security conference has detailed several vulnerabilities in the modern financial ecosystem that can be exploited by threat actors to add stolen cards to digital wallet apps and conduct transactions with stolen funds without being detected.

The paper—titled “In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping”—is an eye-opener and wake-up call for app makers and banks that they need to improve the security of some of their underlying processes.

The study looked at the services of several major U.S. banks (for example, AMEX, Bank of America, Chase, Citi, Discover, U.S. Bank) and three of today’s top digital wallet providers in Apple, Google, and PayPal.

Researchers say they’ve discovered several issues that impact how banks and digital wallets interact and can be exploited for these attacks (see table below).

[more on Risky Business News]

New Android malware evolves fraud tactics with NFC cloning: Recent improvements made to mobile banking apps and mobile operating systems are forcing threat actors to evolve their tactics with new and never-before-seen techniques.

One such example was recently uncovered in Czechia by local authorities, which called on security firm ESET to help with their investigation.

This new technique involves cloning a victim’s NFC card data and sending it to an attacker, who then abuses it to make payments at point-of-sale terminals or withdraw money from ATMs.

This particular attack involves both social engineering and a novel piece of malware that ESET is calling NGate.

[more on Risky Business News, including how the attack works]