Durov Bailed and Must Stay in France, Report to Police
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Thinkst.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
Telegram founder and CEO Pavel Durov has been released from custody by French authorities on €5m bail and banned from leaving French territory over charges related to illegal activity on the app.
Durov was detained last weekend after he flew into Paris-Le Bourget airport on a private jet and was bailed on Wednesday.
Although the investigation is being framed by some as an attack on free speech, the charges centre around deliberately avoiding responsibilities to tackle illegal and abhorrent content on Telegram.
According to media reports, the charges include being complicit in running an online platform that allows sharing of CSAM, drug trafficking, fraud, money laundering, as well as not cooperating with authorities when required by law. There is a 'kitchen sink' element to the charges, which also include operating encrypted services or tools without filling out the correct paperwork.
Le Monde reported that OFMIN (l'Office Mineur), a French police office that tackles violent crimes against children, issued the warrant for Durov's arrest. In a now-deleted LinkedIn post, Jean-Michel Bernigaud, OFMIN's Secretary General, said that "at the heart of this case is the lack of moderation and cooperation of the platform (which has nearly 1 billion users), particularly in the fight against pedocriminality."
Politico EU reports the specific incident cited in the arrest warrant was Telegram's refusal to identify a specific user after being served a judicial request. Per Politico, which viewed a document relating to the warrant:
The warrants [for Pavel Durov and his brother Nikolai] were issued after an undercover investigation into Telegram led by the cybercrime branch of the Paris prosecutor's office, during which a suspect discussed luring underaged girls into sending "self-produced child pornography," and then threatening to release it on social media.
The suspect also told the investigators he had raped a young child, according to the document. Telegram did not respond to the French authorities' request to identify the suspect.
Of all the major social media platforms, Telegram has the most combative attitude to content moderation and lawful assistance requests. Its FAQ says it uses its distributed architecture to confound court orders:
…Telegram uses a distributed infrastructure. Cloud chat data is stored in multiple data centers around the globe that are controlled by different legal entities spread across different jurisdictions. The relevant decryption keys are split into parts and are never kept in the same place as the data they protect. As a result, several court orders from different jurisdictions are required to force us to give up any data.
Thanks to this structure, we can ensure that no single government or block of like-minded countries can intrude on people's privacy and freedom of expression. Telegram can be forced to give up data only if an issue is grave and universal enough to pass the scrutiny of several different legal systems around the world.
To this day, we have disclosed 0 bytes of user data to third parties, including governments.
Telegram's terms of service state that illegal pornographic content is not allowed on its publicly viewable areas. Its FAQ says it will only take action on illegal content in these areas, which comprise sticker sets, channels and bots:
All Telegram chats and group chats are private amongst their participants. We do not process any requests related to them.
In other words, in private groups, which can include up to 200,000 people, anything goes. No surprise, then, that a number of investigations have found child abuse material for sale on Telegram.
Although Telegram is viewed as an encrypted messaging app, it is not, really, by the modern meaning of the term (see cryptographer Matthew Green's explainer about Telegram encryption). It doesn't support default end-to-end encryption (E2EE) like WhatsApp, iMessage and Signal do.
However, in a very real sense, these apps don’t compete with Telegram because their use of E2EE imposes technical limits on group sizes. iMessage groups are limited to 32 participants, Signal groups are limited to 1,000, and WhatsApp to 1,024. Turns out that implementing E2EE across groups with lots of participants is not trivial.
Telegram's unique value proposition is providing large groups with light to non-existent moderation in a place that isn't Facebook. Telegram actually describes itself as a 'cloud-based messenger' that provides 'seamless sync' across devices. To do that, it needs access to the content of those messages.
Because Telegram can access the content of conversations, it certainly could invest in moderation. It just chooses not to. NBC News reported that child safety groups in the US, UK and Canada all get short shrift from Telegram when reporting CSAM.
This is in contrast to an app like Signal, for example, which also espouses privacy-first values. Signal, however, has built its app so that the technology reflects those values: it collects no content from its users and only minimal metadata about how they use the service. This means that Signal responds to law enforcement requests, but can only provide an account's creation date and the date it last accessed the service.
In practical terms, Signal is no more helpful to law enforcement than Telegram is, but it can honestly say that it has wholeheartedly cooperated with court orders.
Some people may feel that the arrest of Durov is somehow unfair or unjust, or a demonstration of coercive state control. However, our view is that Durov, as CEO, is ultimately responsible for moderating how his platform is used and the content that is allowed on it.
Swipe Right For the Hottest Munitions
The US military purchased Tinder ads in the Middle East to warn Iran and its proxies against attacking Israel.
The ads are overt, feature the US Central Command's logo and pictures of F-16 and A-10 aircraft and say "Do not take up arms against the United States or its partners". The Washington Post reported former military information operations officers were skeptical the Tinder ads would be effective in isolation, although one thought it could be effective as part of a broader, longer-term campaign.
We like that the ads are sending a direct message, unlike some previous US operations that attempted to covertly manipulate populations. And, even if the ads are part of a broader campaign that fails, these operations are cheap compared to the costs of real war.
Our Dear Leader Interviews ASIO's Mike Burgess
Last week Risky Business publisher Patrick Gray interviewed Mike Burgess, the Director General of the Australian Security Intelligence Organisation (ASIO). ASIO is responsible for protecting Australia from espionage, terrorism and foreign interference threats. The pair discuss the rise of encrypted messaging apps, the changing threat environment, and the future of telco and communications providers' assistance to law enforcement.
Three Reasons to Be Cheerful This Week:
- Free Microsoft logs paying off for security: CISA confirmed to Cybersecurity Dive that Microsoft's (reluctant) move to provide more logs for no extra cost is resulting in improved security. Microsoft expanded customer access to logs in the wake of a 2023 hack of around 25 organisations that the State Department detected because it was paying for enhanced logging.
- Seizing opportunity from the CrowdStrike disaster: In the wake of the CrowdStrike outage, Microsoft will host a summit about how to make endpoint security more resilient. The seriousness of the outage will prompt stakeholders to take actions that might otherwise be held up by concerns that Microsoft wants to empower its own endpoint solution while neutering competitors.
- Justice comes for ransomware-as-a-service innovator: The UK's National Crime Agency (NCA) announced that Maksim Silnikau, who used the moniker 'JP Morgan', was arrested in Spain and has been extradited to the US. The NCA says Silnikau's criminal activities date back to 2011, when, along with associates, he introduced Reveton, the first malware using the ransomware-as-a-service business model. Silnikau was also involved in malvertising and developed and distributed exploit kits including Angler.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Haroon Meer, Founder and CEO at Thinkst, about the company's evolution over the past 15 years, its focus on hacker-like internal culture, and the UK NCSC's new deception network.
This article describes how this hacker-like approach influenced the setup process of Thinkst's hardware canaries.
Shorts
Spotting North Korean Recruits
Trust and safety company Cinder has published a great explainer on how it detected North Korean IT workers attempting to sneak through its recruitment process.
These workers are likely operating at the behest of the North Korean government to funnel money to the regime. Employing them is risky because of the potential for data or IP theft, or the deployment of malicious software, and may also break international sanctions.
After investigating suspicious applicants, Cinder created a list of indicators or common characteristics that suggested North Korean applicants. Based on these indicators, it found that, on some job sites, "roughly 80% of inbound applicants with experience matching our stack were suspected North Koreans". Declan Cummings, the post's author, says the company had a unique perspective on the problem:
…our company is in the internet safety industry, two of our co-founders came from the CIA, and I have twelve years of experience working on cybersecurity and human rights issues related to North Korea.
Endpoint Security Protects Against Lawsuits, Too
The US government has joined a whistleblower lawsuit against the Georgia Institute of Technology alleging that it did not observe cyber security obligations in contracts with the US Department of Defense.
One of the violations was that a key individual prevented the installation of active endpoint protection software, describing it as a "nonstarter".
This suit is part of a broader effort to punish contractors who shirk cyber security requirements under a 2021 Department of Justice Civil Cyber-Fraud initiative.
Just a Few US Election Phishing Domains
Security firm BforeAI has found over 3,800 malicious domains attempting to take advantage of or manipulate voters in the upcoming US election. They identified the sites by analysing newly registered domains for relevant words such as Trump, Harris, Kamala, and Biden.
Most of the sites were used for criminal purposes such as phishing for personally identifiable information or credit card information.
Some websites were attempting to mislead voters by providing incorrect information about voting dates, locations and requirements. It's unclear from the report who is behind the sites that are trying to suppress voter turnout.
The good news here, we suppose, is that these voter suppression websites aren't likely to make much of a difference, because they'll be swamped by criminal ones.
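The keyword approach described above (screening newly registered domains for candidate names) is simple enough to reproduce for your own monitoring. The script below is an added example, not BforeAI's tooling: it normalises each domain (dropping the TLD and separators and undoing a small, assumed leetspeak map), flags candidate names, and raises the risk when an action word such as "vote" or "donate" is also present. The feed is constructed sample data, and the "harrisonford" entry shows the false-positive class that still needs analyst review.

```python
import re
from typing import Optional

# Candidate names the report says were used as search terms.
CANDIDATE_TERMS = ("trump", "harris", "kamala", "biden")
# Election-themed action words (assumed additions, not from the report).
ELECTION_TERMS = ("vote", "voting", "ballot", "election", "donate", "poll")
# Crude leetspeak de-obfuscation; an assumed heuristic, deliberately small.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def normalize(domain: str) -> str:
    """Lowercase, drop the TLD, join remaining labels, undo leetspeak, keep letters only."""
    labels = domain.lower().strip(".").split(".")
    host = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return re.sub(r"[^a-z]", "", host.translate(LEET))

def classify(domain: str) -> Optional[dict]:
    """Return a finding for a candidate-themed domain, or None if nothing matched."""
    norm = normalize(domain)
    candidates = [t for t in CANDIDATE_TERMS if t in norm]
    if not candidates:
        return None
    themes = [t for t in ELECTION_TERMS if t in norm]
    # Candidate name plus an action word is the pattern most likely to be phishing.
    risk = "high" if themes else "review"
    return {"domain": domain, "candidates": candidates, "themes": themes, "risk": risk}

def scan_feed(feed: str) -> list:
    """Run classify() over a newline-separated domain feed; '#' lines are comments."""
    findings = []
    for line in feed.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            finding = classify(line)
            if finding:
                findings.append(finding)
    return findings

# Constructed sample of "newly registered domains"; not real registrations.
SAMPLE_FEED = """\
# constructed feed, one domain per line
trump-vote-2024-info.example
kama1a-harris-donate.example
biden-ballot-dates.example
harrisonford-fanclub.example
weather-forecast-today.example
"""

if __name__ == "__main__":
    for f in scan_feed(SAMPLE_FEED):
        print(f["risk"], f["domain"], f["candidates"], f["themes"])
```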
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion, Tom Uren and The Grugq discuss the opportunities in phishing and why it is both easy and difficult.
From Risky Biz News:
Volt Typhoon returns with a new zero-day: Chinese cyber-espionage group Volt Typhoon has used a zero-day in a network virtualization server to breach the infrastructure of US ISPs and managed service providers.
The attacks began in June and are still ongoing, according to internet infrastructure company Lumen.
They target Versa Director [PDF], a type of server that allows companies to virtualize or segment their networks on a large scale—hence why its customers typically include large corporations, cloud providers, and internet service providers.
[more on Risky Business News]
Digital wallet apps, the new frontier for card fraud: An academic study presented last week at the USENIX security conference has detailed several vulnerabilities in the modern financial ecosystem that can be exploited by threat actors to add stolen cards to digital wallet apps and conduct transactions with stolen funds without being detected.
The paper—titled "In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping"—is an eye-opener and wake-up call for app makers and banks that they need to improve the security of some of their underlying processes.
The study looked at the services of several major US banks (AMEX, Bank of America, Chase, Citi, Discover, US Bank, etc.) and three of today's top digital wallet providers in Apple, Google, and PayPal.
Researchers say they've discovered several issues impacting how banks and digital wallets interact that can be exploited for these attacks (see table below).
[more on Risky Business News]
New Android malware evolves fraud tactics with NFC cloning: Recent improvements made to mobile banking apps and mobile operating systems are forcing threat actors to evolve their tactics with new and never-before-seen techniques.
One such example was recently uncovered in Czechia by local authorities, which called on security firm ESET to help with their investigation.
This new technique involves the cloning of a victim's NFC card data and sending it to an attacker, who then abuses it to make payments at PoS terminals or withdraw money from ATMs.
This particular attack involves both social engineering and a novel piece of malware that ESET is calling NGate.
[more on Risky Business News, including how the attack works]