Telegram Fundamentals

It is 2 years since I did my first blog relating to messenger apps and what, from an OSINT perspective, we could find from them. In OSINT you will hear a lot said about false positives; well, what about false negatives?

I have decided to do a short follow-up blog on Telegram and how it has changed over time, just as Twitter and Facebook have done, to embrace privacy, and how this may affect OSINT research. I have used Telegram 8.4, an iPhone running iOS 15 and an Android 9 device for this blog.

Telegram has divided opinion within the privacy community as to its merits; most hardcore privacy enthusiasts, I believe, would not recommend it. From an OSINT perspective it has been a rich source of intelligence, but times have moved towards a more privacy-focused platform now.

Telegram originated in St Petersburg, Russia; the development team is now based in Dubai. The servers are apparently based in different locations around the globe. You can choose to store your data locally or on Telegram’s servers. It had an uplift in popularity last year when there was the furore over WhatsApp’s new ToS.

Personally I wouldn’t use it just as a means of communication, but I can see its appeal. It does offer a kind of end-to-end encryption (E2EE) through its secret chat facility, but this requires user interaction as opposed to being enabled by default, and there has been some debate as to whether Telegram have the back door encryption keys and how secure the encryption actually is.

But even Telegram, in these new times of the privacy-conscious user, has had to adapt, and this will have an effect on how Telegram is used and also researched from an OSINT perspective. Certainly since I wrote my previous blog on messenger apps in Jan 2020, Telegram has changed. Telegram has very flexible privacy and security options, which I will outline later in more detail.

How to Access Telegram

Telegram is very practical to use and has three ways in which to access it: the app, the desktop client or, if you do not want to download any software to your computer, web access through a browser, which can be achieved either with the mobile number you used to sign up or by scanning the QR code using the Telegram app. I have noticed that the desktop client can record the fact that it is in a VM if you choose to use one.

OPSEC alert: if you choose to use the above method to see if a number is on Telegram, it will send a code or SMS to the user of the account. In any case, even if you input a number not linked to a Telegram account, it will still tell you that it has sent a code, so you would be none the wiser as to whether the number was linked to an account.

A Telegram user cannot have multiple numbers on one Telegram account. Each number will represent a different account. On Signal you can lock a number to an account; there does not appear to be this option on Telegram. However, if you try to use a number already assigned to a Telegram account, you cannot use the number until that other account is deleted.

The above may well be an alternative way to see if a number is linked to a Telegram account where a POI has locked down their privacy and security settings. I haven’t seen any indications that the other account is notified that an attempt has been made to use their number on a new account.

Most of what I discuss below is based on the Privacy & Security option within Telegram’s Settings menu.

At one time a user was automatically discoverable to everyone by their mobile number; however, this is now disabled by default. This may lead the OSINT investigator to think that the subject of interest is not using Telegram if they have chosen to use a mobile number as a search operator, as in syncing contacts for example.

The methodology now may dictate that you try to find a username or display name linked to another platform where the subject’s mobile has been used and then search Telegram that way.

The Basics

I will cover first what steps you have to take once you have downloaded Telegram from the Google Play Store.

A new user will need a mobile number to enable them to create an account, as they will be sent a verification code. The mobile number does not have to be the user’s real number. I have had success with VoIP numbers, but remember some VoIP numbers are not able to process short codes, so you have to wait for the SMS verification to time out and Telegram will then ring you with the verification code.

The next screen takes you through to where to input a name; a first name is mandatory, a last name is optional. Needless to say, a person can use whatever name or random characters they like.

Then the user has to accept the ToS. The next screen will then show them which of their contacts are also on Telegram. This is why it is important from an OPSEC perspective that you use a clean phone for the install; using a personal phone will create OPSEC issues for you. You are able to stop Telegram syncing your contacts.

You can follow the steps below but turn off the Contact sync.

Sometimes contact sync does not work on Android, so if this does occur you can follow the below steps: –
•    Reinstall the app (do not open yet)
•    Go into Android Settings > Accounts > Telegram and enable Contact sync
•    Open the app and check Contacts

If the above does not work for turning off contact sync on your particular flavour of Android or on Apple, then you can deny Telegram access to your contacts via the permission manager before you open the app. For those who are researching Telegram and do not have the luxury of a fresh phone and clean install, the above may be advisable, as you do not want Telegram telling all your contacts who are there that you are now on the platform.

Default Settings

I am not sure how many people rush to the settings as soon as they have downloaded an app, but it is one of the first things I do, especially the privacy and security settings. Below are the default privacy settings from the Android device.

By opening the settings the user can create a username, bio and upload a profile photo. The display name will be the name that was provided at the above activation stage.

A username is not mandatory to be able to use Telegram; however, if a user does choose one then it is public and cannot be hidden. The advantage for a user of setting up a username is that they can share this with other users on Telegram and avoid having to share their telephone number.

Usernames are also searchable on the web at https://t.me/USERNAME.

A display name does not have to be unique but a username does.

Some of the ways to search Telegram are by display name or username in the search bar. You can see a user’s profile photo and bio along with their last seen, depending on their privacy and security settings.

Being able to ‘see’ a number is not the same as searching for that telephone number. The only way you could ‘see’ the number of a POI is if they have altered their privacy settings or if you were mutual contacts; syncing a number will not necessarily allow you to see who that number belongs to.

You will also be notified if a contact joins Telegram, although this can be disabled in the settings.

When I did my original blog, when you deleted a number from your contacts that you had synced with Telegram, you would be able to see the name the person had provided when they created their account, as held on Telegram’s server. This is no longer possible.

I will now take you through various settings that will affect not only your OPSEC but your ability to find subjects on Telegram.

A user can restrict who can see their phone number. By default it is now set to “My Contacts”; you can restrict it even from your contacts. At one time it was set to “Everybody.” A POI would have to change the default setting to ‘Everyone’ for the phone sync to work.

They can choose one of the following: Everyone, Contacts or Nobody. If you want, however, you can add exceptions from your contacts, so you can choose which of your contacts can see your number.

If they choose ‘Nobody’, even their contacts will only be able to see their Telegram username and not their phone number. They are then presented with a further option of who can find their number: Everybody or Contacts.

So their number is not 100% unsearchable, but it is limited, as you need to be mutual contacts. This is where, from an OSINT perspective, you mustn’t assume that just because you cannot find a number you are interested in, the user of that number is not on Telegram.

There are other privacy settings that may make your OSINT research less fruitful. Telegram users can also restrict last seen online, profile picture, voice calls and who can add them to a group or channel.

A Telegram user can restrict who can see their profile photo to their contacts, and even then they can add exceptions as to who can and cannot see it.

Online Monitoring

Last seen has always been an interesting OSINT consideration, and from an OPSEC perspective we wouldn’t want to be seen online. However, if you want to see whether a POI is online then you must not change your settings to disable it, as this will stop you from seeing your POI’s online status.

If your POI has altered their online privacy settings this is what you may see: –

•    Last seen recently — covers anything between 1 second and 2-3 days
•    Last seen within a week — between 2-3 and seven days
•    Last seen within a month — between 6-7 days and a month
•    Last seen a long time ago — more than a month (this is also always shown to blocked users)

As OSINT investigators, if we see any of the above behaviour all is not lost. Yes, we haven’t been able to find what we expected, but it does potentially tell us something about the POI that we are researching, in that they may be OPSEC aware themselves, so we have to adjust our methodology accordingly. Don’t think that just because you cannot find someone, or information about someone, they are not on Telegram.

A Telegram user can also restrict who can phone them on Telegram, the choices being Everyone, Contacts & Nobody. Again they are able to add exceptions. A user also has a choice of whether to use peer-to-peer or to route their calls through Telegram’s servers. They may also disable iOS call integration, as this will stop their call history from being shared with Apple; this facility did not appear to be available on the Android version I was using.

Built-in OSINT Tools

A nice little OSINT tool within Telegram will assist you with in-app translations when you are reading a message. Go to Settings – Language; you can then add a Translate button to the context menu when selecting a message. Translation is available on all Android devices and iOS 15+. When you press and hold on a message the below box will present itself; click Translate.

The below example is from an iPhone, where you can choose to translate offline by going to Apple Settings – Translate – (toggle on) – On-Device Mode. If you don’t choose this method then the data is sent to Apple to translate online.

It appears that Telegram is also rolling out its own OCR for iPhone & Mac that allows you to strip out text from an image, say a copy of a letter for instance, and Telegram will then reformat it as text for you.

Dutch OSINT Guy has an excellent video, which explains how Telegram works and how to investigate it: –
https://www.youtube.com/watch?v=e_aXQYq2l6U

One of my favorite specialist OSINT teams Aware-Online have a good article on how to use the, ‘Nearby’ facility on Telegram: –
https://www.aware-online.com/en/search-for-telegram-groups-based-on-location/

The article is based on the use of an emulator; you can achieve the same results on a regular mobile phone by using a location spoofer app.

Finally, Telegram users can also enable further privacy and security features, that may be of interest to LE: –

•    In the device settings they can terminate sessions based on inactivity from 1 week through to 6 months.
•    They can set up the account to be deleted after a certain amount of inactivity, from 1 month up until 12 months.
•    Two-step verification is by way of a password that they must use in addition to an SMS verification code if they want to set up a new device. This may not be as good as a randomly generated software token or hardware device token, but it is better than nothing at all. They can also set a recovery email address if they wish. Telegram will notify them in app if any logon attempts are made on the account.
•    They can set up a six-digit passcode to access the app. Once this is done they can then use Touch ID or Face ID to unlock the account. They can choose to lock the account after a certain amount of inactivity too.

I hope the above goes some way to explaining how Telegram’s privacy and security settings may potentially limit your ability to research a POI and how we as OSINT researchers may need to adapt. I am a firm believer that an OSINT practitioner needs to understand the privacy & security settings of the platform they are investigating to avoid false negatives.

Facebook Lockdown

(First Published January 2020)

Now, I am not a fan of Facebook purely from a privacy perspective. I can see the appeal of social networking platforms like Facebook.

I have an acquaintance who recently decided to set up a Facebook account as a friend he knows was moving to a country where Facebook was the only means of messaging people. I did ask him why he had not simply downloaded the Facebook messenger app instead of creating a Facebook account.

Anyway, he assured me that it was completely locked down and private. Needless to say, when I checked it wasn’t. So I thought a short blog on taking control of your Facebook privacy settings may be necessary.

Now, basic privacy principles are about looking at the platforms and apps you use and adjusting the privacy settings accordingly. Moving forward there may be a necessity to invest in your privacy, some of which I will explore in future blogs.

Now, Facebook has been involved in some nightmare privacy scandals and, to give them their due, they have made life difficult for people to leverage the site for information. A couple of years ago you could place a mobile number in the search bar and it would find you the account it was linked to. That no longer exists, but you could still use the messenger feature within Facebook to add a number to find the account; that too has recently disappeared. Facebook have also announced that they will no longer link a mobile number used for 2FA (Two Factor Authentication) to an account.

In June 2019 Facebook also discontinued the Graph Search feature. Now, all this may potentially thwart the casual researcher; however, a dedicated and methodical OSINT (Open Source Intelligence) practitioner is still able to leverage the site. Does Facebook monitor the OSINT community? I do not know; however, if I was Facebook I would be.

Moving forward, however, Facebook looks like it is rolling out a new preventive health tool and is asking users to participate in their facial recognition tech. There has been some discussion for a while that Facebook intends to bring all their messenger apps, Facebook messenger, WhatsApp & Instagram, under one platform. What this would mean for privacy remains to be seen.

I completely understand why people use Facebook. If you have ever been stuck on the M25 commuting to and from work, there are plenty of groups that provide live updates. If you have a favourite sports team or personality, what better way to follow them. Let’s not forget staying up to date with what friends are doing, whether that is for a genuine reason or just because we are nosy by default. In a later blog I will write about how you can set up an alias account to protect your privacy, something that journalists or people working in sensitive positions may find useful too.

So firstly, to lock down your privacy you need to go to the settings.

Then the Privacy tab. This is where you can then lock your account down.

Once you are happy with your privacy settings you can then preview how it looks to the outside world. Go to your timeline, click on the three dots next to the Activity Log and select View as.

One new area of privacy that has hit the headlines of late is how other apps share your data with Facebook. Thankfully you can view this and also turn it off.

To do this you need to navigate to your information settings, where you will find the Off-Facebook Activity. You can download your activity and also see who has been sharing your activity with Facebook. You may be surprised by what other apps are sharing with Facebook.

In here you can then turn off this feature by going to Manage Future Activity – Future off-Facebook Activity and toggling the off switch. You will get the usual warnings about how this affects how Facebook can serve you; however, this should not stop you from confirming you wish to turn it off.

Hopefully you have found this introduction to Facebook privacy helpful, so go and have a look for yourself.

A New Year, New Privacy

(First Published January 2020)

For my first blog of the New Year, I wanted to do a small introduction as to why I felt the need to write blogs relating to privacy in the modern world and how it relates so closely to OSINT (Open Source Intelligence), Social Engineering & inadequate security measures.

In the last few years I have seen how others have used the aforementioned to commit crimes against unsuspecting innocent people, often with tragic consequences. Then there are the unscrupulous companies who harvest our information so that they can make money. So I will look to pass on my knowledge and experiences to anyone who wants to protect their privacy. I am not a tech wizard and have learnt from reading articles, exploring different practices and experimenting.

The reasons for a person to protect their privacy will differ from person to person. Someone who is high profile may need to take measures far beyond what most of us may deem necessary, but you can guarantee that some of the techniques are also suitable for the vast majority of people too.

There is a lot of material available both online and offline that will help you; however, I have always found these to be on the whole orientated towards the US, and finding similar solutions in the UK is a little bit more challenging. On the whole it doesn’t need to cost a penny, but there may be occasions where you have to invest some money to regain the privacy you desire. I will explore this in future blogs. My intention is not to single out or berate companies whose products do not serve our privacy but more to help people navigate this world.

As it is the New Year I have decided that this would be a good time to have a clean out of all those Apps that you no longer use. We do not seem to want to delete anything, in the same vein as we do not like to throw our old clothes away.

There are over five billion mobile users in the world, with global internet penetration standing at 57%.

As of the first quarter of 2019, these app users could choose to download between 2.6 million Android, and 2.2 million iOS apps. And they certainly are choosing: App Annie sets the total number of app downloads in 2018 at 194 billion; up from 178 billion in 2017.

Apps come and go just like the seasons. What is popular one year may not be so the next. We download apps on the recommendation of others and never truly buy into their use, but they stay there on our phone. I have a friend with nearly four screens of Apps, most of which he freely admits that he does not use and has no idea what the log on details are.

One thing I will say is, please, unless you know what you are doing, only download Apps from reputable sources such as Apple’s App Store or Google’s Play Store.

An App, when it is downloaded, will ask for certain permissions giving it access to parts of your phone such as microphone, camera, location data and so on. Most of the Apps do not even need to have those permissions to work. So why is it they ask during the setup and why do we agree? I have denied Apps permission requests that I thought they did not require and they have worked fine.

Easy one: why does your calculator need access to your location? Some Apps will need access to your location, such as a weather app, but then you need to consider whether you need to have your location switched on all the time or can use it when you need to. You can set your permissions so that apps only have them when the App is in use instead of carte blanche.

Ask yourself the question, “Have I ever looked at what data the Apps on my mobile are harvesting?”

It’s beyond the scope of this blog to detail specific cases, but there are many great articles detailing how Apps capture your data and how that data is abused or monetised. If you prefer, watch the Netflix documentary ‘The Great Hack.’

So this new year, when you’re on the train or bus home, do some App housekeeping and delete the Apps you do not need or no longer use. I bet you won’t find it as easy as you first think and you may have to be brutal in your decision making. If you delete an App you no longer use, ensure you also delete the account on it too.

Now that was part one completed.

Once you have purged your phone the next step is to check what permissions the remaining Apps have. You will generally find these permissions in the privacy section of your settings. If you are unable to find it you can type “Permissions” in the search bar at the top of the settings page; this will generally provide you with the options available. Now clearly how these are displayed will differ from device to device.

Once you have located the permissions you will then be able to see which Apps have been granted which permissions. From there you need to work your way through them. It will be a case of determining what the App is for and what permissions it has been granted.

Taking the weather App, location permission seems appropriate; microphone and contacts maybe not so. Does the calculator need to know my location? I think not. You will find that in the majority of cases a common sense approach will serve you well.

Now you will find some apps, especially those that are important to how the device works, a little bit more problematic. I have found that I was presented with a warning that the App may malfunction if I altered the permission settings. I would say in my experience it has been a 50 / 50 split whether the App malfunctions or not, but if it does you can reinstate the permission. It’s not for the faint hearted and if in doubt leave it as it is.

Last but not least keep a check on those pesky permissions because sometimes when an App is updated they have been known to reinstate the previous permissions.
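The permission review and the re-check after updates described above can also be done from a computer. The following is an added example, not part of the original blog: it parses the text printed by `adb shell dumpsys package`, lists runtime permissions granted beyond what you expect each app to need, and compares the result with a snapshot saved earlier. The sample output, package names, expected-permission table and snapshot are constructed for illustration.

```python
import re

# Constructed, trimmed sample of `adb shell dumpsys package` output.
# Package names are hypothetical; real output has many more fields.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.calculator] (a1b2c3):
    versionName=2.1
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.weather] (d4e5f6):
    versionName=5.0
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
MICROPHONE = "android.permission.RECORD_AUDIO"

# Assumption: what the reviewer decides each app legitimately needs.
EXPECTED = {"com.example.weather": {LOCATION}, "com.example.calculator": set()}

# Constructed snapshot saved before an app update: the calculator's location
# access had been revoked, the weather app had not been reviewed yet.
BASELINE = {"com.example.calculator": set(),
            "com.example.weather": {LOCATION, MICROPHONE}}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")


def parse_granted(dumpsys_text):
    """Return {package: set of runtime permissions with granted=true}."""
    granted, pkg, in_runtime = {}, None, False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg, in_runtime = m.group(1), False
            granted.setdefault(pkg, set())
            continue
        if line.strip() == "runtime permissions:":
            in_runtime = True
            continue
        m = PERM_RE.match(line)
        if in_runtime and pkg and m:
            if m.group(2) == "true":
                granted[pkg].add(m.group(1))
        else:
            in_runtime = False  # any other line ends the permission list
    return granted


def unexpected(granted, expected):
    """Permissions granted beyond what the reviewer expects the app to need."""
    report = {}
    for pkg, perms in granted.items():
        extra = perms - expected.get(pkg, set())
        if extra:
            report[pkg] = sorted(extra)
    return report


def regranted(baseline, current):
    """Permissions granted now that were not granted in the saved snapshot."""
    report = {}
    for pkg, perms in current.items():
        new = perms - baseline.get(pkg, set())
        if new:
            report[pkg] = sorted(new)
    return report


if __name__ == "__main__":
    now = parse_granted(SAMPLE_DUMPSYS)
    print("Beyond expected need:", unexpected(now, EXPECTED))
    print("Granted since snapshot:", regranted(BASELINE, now))
```

On a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `parse_granted` in place of the sample.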

One last quick snippet: consider buying a privacy screen for your device, whether it is a mobile, tablet or laptop. Have you ever been sat next to someone or behind someone on the bus or train and seen their screen clear as day, whether intentionally or not? Most people I know do buy screen protectors and the extra cost of a privacy screen protector is negligible.