0:00:17.160,0:00:26.220 There's a long way from Argentina.[br]Argentine, Argentine to Prague to Leipzig. 0:00:27.420,0:00:33.120 These two young researchers, security[br]researchers, the lady and the gentleman, 0:00:38.160,0:00:46.020 Veronica and Sebastian are here to tell us[br]something about Emergency VPNs, virtual 0:00:46.020,0:00:54.360 private networks, analyzing mobile network[br]traffic to detect digital threats. And I'm 0:00:54.360,0:00:59.460 quite convinced you're going to have a[br]good time. You're welcome to have a big 0:00:59.460,0:01:08.820 hand for Veronica and Sebastian. Thank[br]you. Thank you. OK, thank you, everyone 0:01:08.820,0:01:15.360 for coming here. My name is Veronica[br]Valera's. I'm a researcher with the Czech 0:01:15.360,0:01:19.800 Technical University in Prague. Currently,[br]I'm the project leader of the Civilsphere 0:01:19.800,0:01:25.200 Project, and Sebastian Garcia, the[br]director of the Civilsphere Project in the 0:01:25.200,0:01:31.140 Czech Technical University in Prague. The[br]project is is part of the Stratosphere 0:01:31.140,0:01:36.960 Laboratory in the university. The main[br]purpose is to provide free services and 0:01:36.960,0:01:43.020 tools to help the civil society protect[br]them and help me then help them identify 0:01:43.800,0:01:55.347 targeted digital attacks. So Maati Monjib.[br]He's a Moroccan historian. He's the co- 0:01:55.347,0:02:02.640 founder of the Moroccan Association of[br]Independent Journalism. He was denouncing 0:02:02.640,0:02:08.040 some misbehavior of his government, and[br]because of that, he was targeted with 0:02:08.040,0:02:21.300 spyware. Around 2015. Alberto Nisman was a[br]lawyer in Argentina, he - he died. He was 0:02:21.300,0:02:26.940 until the moment of his death, the lead[br]investigator in the terrorist attack of 0:02:26.940,0:02:36.120 1994 that happened in Buenos Aires. It was[br]a sad incident that may have been covered 0:02:36.120,0:02:42.600 up by the government. And after his death,[br]the researchers found traces of a spyware 0:02:42.600,0:02:51.300 in his mobile phone allegedly installed by[br]the government to spy on him. Ahmed 0:02:51.300,0:03:03.120 Mansoor. He's an activist from the UAE.[br]He's also a human rights defendant. He 0:03:03.120,0:03:07.740 also denounces misbehaviors of his[br]government, and because of that, his 0:03:07.740,0:03:13.920 government targeted him repeatedly with[br]different type of spyware from different 0:03:13.920,0:03:23.700 places. Right now, he's in jail. He he's[br]been there for almost two years, and he 0:03:23.700,0:03:29.100 barely survived there for more than 40[br]days hunger strike. He did complain about 0:03:29.100,0:03:36.840 the prison conditions. Simón Barquera.[br]Maybe you can check the slides. They are 0:03:36.840,0:03:45.720 not. Simón Barquera is a researcher, food[br]scientist from Mexico. He is a weird case 0:03:45.720,0:03:52.320 because it's not very clear why he was[br]targeted. The Mexican government targeted 0:03:52.320,0:04:01.440 him and his colleagues with also spyware.[br]Karla Salas she's a she's a lawyer from 0:04:01.440,0:04:07.440 Mexico as well. She's representing and[br]investigating the murder of a group of 0:04:08.160,0:04:14.640 human rights defendants that were murdered[br]in Mexico. She and her colleagues were 0:04:14.640,0:04:22.200 targeted by the Mexican government with[br]the NSOs Pegasus spyware. Griselda Triana, 0:04:22.200,0:04:27.120 she's a widow. Her husband was a[br]journalist from Mexico covering drug 0:04:27.120,0:04:34.320 cartel activities and organized crime in[br]Sinaloa, Culiacán, Mexico. She was 0:04:34.320,0:04:38.580 targeted by the Mexican government with[br]spyware. Few days after her husband's 0:04:38.580,0:04:47.340 death, and we don't understand exactly[br]why. His, her husband's computer and 0:04:47.340,0:04:54.300 laptop were taken away when he was[br]murdered, so there was no known reason why 0:04:54.300,0:05:01.500 she was targeted. Emilio Aristegui, he's[br]the son of a lawyer, he is a minor, and he 0:05:01.500,0:05:06.420 was targeted. His phone was targeted by[br]the Mexican government with spyware to spy 0:05:06.420,0:05:12.780 on his mother and that she was a lawyer[br]investigating some cases. So these are 0:05:12.780,0:05:20.760 only a few cases of the dozens of hundreds[br]of cases where government use surveillance 0:05:20.760,0:05:26.040 technology to spy on people. But not only[br]civil society defendants, but also 0:05:26.040,0:05:32.760 civilians like this kid. And the common[br]case among all this is that their mobile 0:05:32.760,0:05:37.680 phones were targeted. And there is a[br]simple explanation for that. We take our 0:05:37.680,0:05:42.060 mobile phones with us everywhere we use[br]them. These we don't take computers 0:05:42.060,0:05:46.860 anymore. When we are in the front line in[br]Syria covering war, we regard the videos 0:05:46.860,0:05:52.020 with our phones. We send messages that we[br]are still alive with our phones. We 0:05:52.020,0:05:57.300 cannot. When we are working on this field,[br]we don't know. We cannot not use the 0:05:57.300,0:06:02.820 mobile phones. So they have photos, they[br]have documents, they have location, they 0:06:02.820,0:06:12.900 have everything. This is perfect for[br]spying on someone. So, it is a fact that 0:06:12.900,0:06:17.460 governments are using the spyware as a[br]surveillance technology not only to 0:06:17.460,0:06:25.200 surveil, but also to abuse, to imprison,[br]to sometimes to kill people. And we know 0:06:25.200,0:06:29.940 that they are governments because the[br]technology that they are using like, for 0:06:29.940,0:06:35.700 example, the Pegasus software by the[br]Israeli company NSO. They can only be 0:06:35.700,0:06:43.800 purchased by governments. So we know they[br]are doing this. So these tools are also 0:06:43.800,0:06:49.620 cheap, easy to use, cheap for them, right?[br]Easy to use. They can be used multiple 0:06:49.620,0:06:56.520 times all the times they want. Sometimes[br]they they cannot be traced back to their 0:06:56.520,0:07:00.900 sources. It's not that easy. So you find[br]an infection and it's hard to know who is 0:07:00.900,0:07:09.660 behind it. So for them it's a perfect[br]tool. So what can what can we do if we 0:07:09.660,0:07:14.820 think our mobile is compromised? There are[br]several things we can do. For instance, we 0:07:14.820,0:07:20.880 can do, our forensic analysis. It's costly[br]because it takes a lot of time. We need to 0:07:20.880,0:07:25.920 go on the phone to check the files, to try[br]to see if there is any sign of infections. 0:07:27.060,0:07:34.080 And sometimes this also involves like[br]sending our phone to somewhere to analyze. 0:07:34.080,0:07:39.000 And in the meantime, what are we going to[br]use? It's not very clear. We can factory 0:07:39.000,0:07:45.180 reset our phone. It might work sometimes,[br]sometimes not. And it's costly. Sometimes 0:07:45.180,0:07:51.000 we lose data. We can change phones which[br]is a simple solution. We just drop it to 0:07:51.000,0:07:56.160 trash. We pick another one. But how many[br]of us can afford to do these, like maybe 0:07:56.160,0:08:01.260 three or four times a year? It's very[br]expensive. But we can also do traffic 0:08:01.260,0:08:05.940 analysis. That means work on the[br]assumption that the malware that is 0:08:05.940,0:08:10.380 infecting our phones will try to steal[br]information from our phones and send it 0:08:10.380,0:08:17.580 somewhere. The sending of data will happen[br]over the internet because that's cheap so 0:08:17.580,0:08:24.660 that communication we can see and[br]hopefully we can identify it. So how can 0:08:24.660,0:08:30.120 we know? How can we know if our phone[br]right now is at risk? Imagine that you're 0:08:30.120,0:08:35.700 crossing a border. Someone from the police[br]takes your phone, then gives back to you. 0:08:35.700,0:08:41.232 Everything is fine. How can you know if[br]it's not compromised? So this is where in 0:08:41.232,0:08:50.039 Civilsphere we start thinking, which is[br]the simplest way we can go there and help 0:08:50.039,0:08:55.707 these people, which is the simplest way we[br]can go and check those phones in the field 0:08:55.707,0:09:01.047 while this is happening and we came up[br]with an Emergency VNP. So the Emergency 0:09:01.047,0:09:06.495 VPN is the service that we are providing[br]using OpenVPN, this free tool that you 0:09:06.495,0:09:11.425 know that you install in your phone. And[br]from these, we are sending the traffic 0:09:11.425,0:09:15.780 from their phones to their university[br]servers or the servers are in our office 0:09:15.780,0:09:20.790 and then to the internet and back. So we[br]have normal internet. And we are capturing 0:09:20.790,0:09:25.080 all your traffic. We store in there. What[br]we are doing with these? Well, we have our 0:09:25.080,0:09:29.655 security analysts looking at this traffic,[br]finding infection, finding that out, using 0:09:29.655,0:09:34.197 our tools, using our expertize threat[br]intelligence, threat hunting, handling 0:09:34.197,0:09:38.640 whatever we can and see everything in[br]there and then reporting back to you say, 0:09:38.640,0:09:42.706 Hey, you're safe, it's OK. Or, Hey, there[br]is something going on with your phone, 0:09:42.706,0:09:46.982 uninstall these applications or actually[br]change phones. We are from time to time 0:09:46.982,0:09:51.808 suggesting stop using that phone right[br]now. I don't know what you are doing, but 0:09:51.808,0:09:55.868 this is something you should stop. So we[br]are having experts looking at this 0:09:55.868,0:09:59.779 traffic. Also, we have the tools and[br]everything we do in there is free software 0:09:59.779,0:10:04.614 because we need these to be open for the[br]community. So how does it work? This is a 0:10:04.614,0:10:09.382 schema of the Emergency VPN. You have your[br]phone on in the situation. Like Veronica 0:10:09.382,0:10:13.351 was saying, you are at risk and you say[br]right now I'm crossing the border, I'm 0:10:13.351,0:10:17.993 going to a country that I don't know. I[br]suspect I might be targeted. In that 0:10:17.993,0:10:22.680 moment, you send an email to a special[br]email address that - the address is not 0:10:22.680,0:10:27.092 here because we cannot afford right now[br]everyone using the Emergency VPN, because 0:10:27.092,0:10:31.530 we have humans checking the traffic. So we[br]will give you later the address if you 0:10:31.530,0:10:37.020 need it, but you send an email to say,[br]Hey, help automatically. We check these 0:10:37.020,0:10:43.949 email, we create an OpenVPN profile for[br]you. We open this for you and we send by 0:10:43.949,0:10:49.359 email the profile. So you click on the[br]profile. You have the open VPN installed 0:10:49.359,0:10:53.586 or you can install the additional one. And[br]from that moment, your phone is sending 0:10:53.586,0:10:58.313 all your traffic to the university to the[br]internet maximum three days. We stop it 0:10:58.313,0:11:03.003 there automatically and then we create the[br]PCAP-file where the analysts are going 0:11:03.003,0:11:08.038 there and checking what's going on with[br]your traffic. After this, we create a 0:11:08.038,0:11:14.128 report that is being sent to you back by[br]email. OK, so this is the core operation 0:11:14.128,0:11:19.361 like 90 percent of the magic of the[br]Emergency VPN. So advantages of this 0:11:19.361,0:11:25.080 approach? Well, the first one is that this[br]is giving you an immediate analysis of the 0:11:25.080,0:11:30.155 traffic of your phone, wherever you are.[br]This is in the moment you need it and then 0:11:30.155,0:11:35.057 you can see what your phone is doing or[br]not doing right. Secondly, here is that we 0:11:35.057,0:11:38.921 have the technology. We have the[br]expertize. Our threat hunter, threat 0:11:38.921,0:11:43.050 intelligence people. We have tools. We are[br]doing machine learning also in the 0:11:43.050,0:11:46.892 university. So we have methods for[br]analyzing the behavior of encrypted 0:11:46.892,0:11:51.757 traffic. We do not open the traffic, but[br]we can analyze this also. So we took all 0:11:51.757,0:11:56.512 the tools we can to help the civil[br]society. Then we have the anonymity. We 0:11:56.512,0:12:01.239 want this to be as anonymous as possible,[br]which means we only know one email 0:12:01.239,0:12:06.306 address, the one used to send us an email.[br]And that's it. It doesn't even need to be 0:12:06.306,0:12:11.006 your real email. We don't care, right?[br]Moreover, this email address is only known 0:12:11.006,0:12:16.320 to the manager of the project. The people[br]analyzing the traffic do not have this 0:12:16.320,0:12:20.554 information. After that, they send the[br]report back to the email address and that 0:12:20.554,0:12:25.584 say we did a pcap, and that's all we know.[br]Of course, if your phone is leaking data, 0:12:25.584,0:12:31.088 which probably is, we see this information[br]because this is for the whole purpose of 0:12:31.088,0:12:35.670 the system, right? Then we have our[br]continuous research. We had a university 0:12:35.670,0:12:40.089 project like almost 30 people here. So we[br]are doing new research, new methods, new 0:12:40.089,0:12:44.233 tools, open source. We are applying,[br]checking, researching and publishing 0:12:44.233,0:12:49.444 research, continually moving at last. This[br]is the best way to have a report back to 0:12:49.444,0:12:54.796 you in your phone saying if you are[br]infected or not. OK, so some insights from 0:12:54.796,0:13:01.350 the Emergency VPN. The first one is this[br]is active since mid-2018. We analyzed 111 0:13:01.350,0:13:06.933 cases, roughly maybe a little bit more 60[br]percent of our Android devices here. We 0:13:06.933,0:13:11.903 can talk about that, but it's well known[br]that a lot of people at risk cannot afford 0:13:11.903,0:13:17.109 very expensive phones, which is also[br]impacting their security. Eighty two 0:13:17.109,0:13:24.322 gigabytes of traffic. 3200 hours of humans[br]analyzing this, which is huge and most 0:13:24.322,0:13:31.058 importantly, 95% of whatever we found[br]there. It's because of normal applications 0:13:31.058,0:13:37.280 like the applications you have right now[br]in your phone in this moment. And this is 0:13:37.280,0:13:43.820 a huge issue. The most common issues,[br]right, that we found, and we cannot say 0:13:43.820,0:13:51.013 this enough. Geolocation is an issue. Like[br]only three phones ever were not leaking 0:13:51.013,0:13:57.338 geolocation. So the rest of the phones are[br]leaking like weather applications, like 0:13:57.338,0:14:02.132 dating applications , to buy staff,[br]transport applications like a lot of 0:14:02.132,0:14:07.800 applications, are leaking these. Most are[br]leaking these in encrypted form. A lot of 0:14:07.800,0:14:12.930 them are leaking these unencrypted, which[br]means that not only we can see that, but 0:14:12.930,0:14:18.350 the people in your WiFi, your government,[br]the police, whoever has access to this 0:14:18.350,0:14:23.487 traffic can see your position almost in[br]real time. Which means that if the 0:14:23.487,0:14:29.067 government wants to know where you are,[br]they do not need to infect you. It's much 0:14:29.067,0:14:33.900 easier to go to a telco provider. They[br]look at your traffic and see that you are 0:14:33.900,0:14:37.600 leaking your location of all over the[br]place. We know that this is because of 0:14:37.600,0:14:41.853 advertising and marketing. The people are[br]selling this information a lot. Be very 0:14:41.853,0:14:46.408 careful with which application you have,[br]and this is the third point is secured 0:14:46.408,0:14:51.081 applications are a real hazard for you.[br]Maybe you need two phones like your 0:14:51.081,0:14:55.920 professional phones and your everyday life[br]phone. We don't know what the problem 0:14:55.920,0:15:00.599 usually comes for the applications that[br]you're installing, just because, right, 0:15:00.599,0:15:05.549 these applications are leaking so much[br]data like your email, your name, your 0:15:05.549,0:15:11.190 phone number, credit cards, user behavior,[br]your preferences if you are dating or not. 0:15:11.190,0:15:17.049 If you are buying and where you're buying,[br]which transports you are taking which seat 0:15:17.049,0:15:22.876 you're taking the bus. So a lot of[br]information really, really being believe-I 0:15:22.876,0:15:28.026 believe us here. Alas, the email and the[br]emcee that these two identifiers of the 0:15:28.026,0:15:32.010 phone are usually leaked by the[br]applications. We don't know why. And this 0:15:32.010,0:15:37.316 is very dangerous because identifies your[br]phone uniquely OK. From the point of view 0:15:37.316,0:15:42.542 of the important cases, there are two[br]things that we want to say. The first one 0:15:42.542,0:15:47.644 is that we found trojans here that are[br]infecting your phones, but none of these 0:15:47.644,0:15:53.582 trojans were actually targeted. Trojans[br]like trojans for you. They were like, 0:15:53.582,0:15:58.945 Let's call normal trojans. So this is a[br]thing. And the second one is malicious 0:15:58.945,0:16:03.299 files. A lot of phones are doing this[br]peer-to-peer file sharing thing. Even if 0:16:03.299,0:16:07.468 you don't know some applications. I'm not[br]going to give you names, but they're doing 0:16:07.468,0:16:11.424 this peer-to-peer file sharing, even if[br]you don't know and they were malicious 0:16:11.424,0:16:17.746 files going over the wire there. However,[br]why is it that after a year or something 0:16:17.746,0:16:25.162 of analysis after 111 cases analyze, we[br]did not found any targeted attack? Why? 0:16:25.162,0:16:34.515 Why this is the case? I mean, the answer?[br]The answer is simple. No. Yes. The answer 0:16:34.515,0:16:43.933 is simple. The Emergency VPN works for[br]three days maximum, so it's not about 0:16:43.933,0:16:49.913 reaching the right people, but reaching[br]the right people at the right time. Like, 0:16:49.913,0:16:55.692 if we take three days before the incident,[br]we might not see it. If we check three 0:16:55.692,0:17:02.057 days later, we might not see it. So right[br]now, we we need your help. Reaching the 0:17:02.057,0:17:09.355 right population is very important because[br]we need people to know that these services 0:17:09.355,0:17:15.089 exist and it's always tricky. If we tell[br]you, Hey, connect, here we are going to 0:17:15.089,0:17:19.955 see all your traffic is like, Are you[br]insane? Why? Why would I do that? However, 0:17:19.955,0:17:26.022 remember that the other options are not[br]very cheap or easy or even feasible if you 0:17:26.022,0:17:31.947 are traveling, for example. And again, as[br]Sebastian said. Like, everything that goes 0:17:31.947,0:17:37.878 encrypted is called, We don't see it. We[br]are not doing man in the middle. If we see 0:17:37.878,0:17:44.773 anything, we see it because it's not[br]encrypted. So if you believe that you are 0:17:44.773,0:17:50.843 a people, a person that is at risk because[br]of the work you do or because of the type 0:17:50.843,0:17:55.368 of information or people that you help,[br]please contact us. We are willing to 0:17:55.368,0:18:00.270 answer all the questions that you might[br]have about data retention, how we handle 0:18:00.270,0:18:06.450 the data, how we store it, how we delete[br]it after how long, etc. And if you know 0:18:06.450,0:18:12.870 people that might be at risk because of[br]the work they do, because the people they 0:18:12.870,0:18:18.349 protect, the people, they represent the[br]type of investigation they do, please tell 0:18:18.349,0:18:23.696 them about the service. We, we can.[br]Contact us via email. As we say, the 0:18:23.696,0:18:29.128 information, how specifically do you see[br]it is not publicly available, available 0:18:29.128,0:18:34.400 because we cannot handle hundreds of cases[br]at the same time. However, if you think 0:18:34.400,0:18:40.716 you are a person at risk, we we will send[br]it to you right away. This is the contact 0:18:40.716,0:18:47.119 phone number we are in Telegram. Wire,[br]Signal, WhatsApp, anything that you need 0:18:47.119,0:18:52.263 to to reach out and we will answer any[br]questions. So we need to reach these 0:18:52.263,0:18:56.527 people. OK, so thank you very much and we[br]will be around for the rest of the 0:18:56.527,0:19:00.644 congress. If you want to stop us, ask[br]questions. Tell us something. If you need, 0:19:00.644,0:19:05.400 tell us about these two other people in[br]the field that they needed. Trust is very 0:19:05.400,0:19:15.190 important here. And let us know. OK? Yes,[br]thank you. Thank you. OK. And as usual, we 0:19:15.190,0:19:24.491 will take questions from the public. There[br]are two microphones. Yes, go ahead. Talk 0:19:24.491,0:19:29.461 into the mick one sentence, please. Just a[br]quick. Thanks for your excellent service. 0:19:29.461,0:19:35.001 My question is how can you be sure that[br]all the traffic of a compromised phone is 0:19:35.001,0:19:41.690 run through your VPN? Mm-Hmm. So of course[br]we cannot. We can't say that in our 0:19:41.690,0:19:48.167 experience, we never found or saw any[br]malware that is trying to avoid the VPN in 0:19:48.167,0:19:53.454 the phone. So we rely on that. No, no[br]malware or APT ever that we saw or known 0:19:53.454,0:19:58.433 about is actually trying to about the VPN[br]service in some phones. I'm not sure if 0:19:58.433,0:20:02.529 you can avoid it. Maybe, yes, I don't[br]know. In our experiments on trials with 0:20:02.529,0:20:06.103 different phones and tablets and[br]everything, all the traffic is going 0:20:06.103,0:20:11.910 through the VPN service, right? Because[br]like a proxy in your phone? Yes. So if you 0:20:11.910,0:20:19.076 if you know, if any case. Yeah, we would[br]love to know. We try. We we run a malware 0:20:19.076,0:20:24.420 laboratory and we run malware on phones[br]and computers to try to understand them. 0:20:24.420,0:20:28.560 And we have not encountered such a case.[br]SMS, for example, we are not seeing. 0:20:28.560,0:20:33.031 Right? Yes. One more question, please.[br]Yeah. So you're running the net, you're 0:20:33.031,0:20:39.152 running the data through your network at[br]the university. Do you have a like a lot 0:20:39.152,0:20:44.791 of exit IP numbers? Because, yes, a[br]malware app could maybe identify it is 0:20:44.791,0:20:49.109 routing through you and decide not to act?[br]Yeah. So that's a good question actually. 0:20:49.109,0:20:54.300 In the university. We have a complete[br]class public network. We have, of course, 0:20:54.300,0:20:58.440 agreements with the university to use part[br]of the IPs. So this is part of the 0:20:58.440,0:21:05.940 equation in the right, like any way we are[br]taking precautions. But so far we did not 0:21:05.940,0:21:10.620 found anyone blocking or checking our IPs.[br]So we would say that it's true, right? 0:21:10.620,0:21:17.040 Yeah, we would say that if that happens,[br]we would consider our project very 0:21:17.040,0:21:25.200 successful. We we haven't we haven't heard[br]of such a case yet. Thank you. OK. Let's 0:21:25.200,0:21:29.640 have a big hand final for Veronica and[br]Sebastian. Thank you very much.