1 00:00:17,160 --> 00:00:26,220 There's a long way from Argentina. Argentine, Argentine to Prague to Leipzig. 2 00:00:27,420 --> 00:00:33,120 These two young researchers, security researchers, the lady and the gentleman, 3 00:00:38,160 --> 00:00:46,020 Veronica and Sebastian are here to tell us something about Emergency VPNs, virtual 4 00:00:46,020 --> 00:00:54,360 private networks, analyzing mobile network traffic to detect digital threats. And I'm 5 00:00:54,360 --> 00:00:59,460 quite convinced you're going to have a good time. You're welcome to have a big 6 00:00:59,460 --> 00:01:08,820 hand for Veronica and Sebastian. Thank you. Thank you. OK, thank you, everyone 7 00:01:08,820 --> 00:01:15,360 for coming here. My name is Veronica Valera's. I'm a researcher with the Czech 8 00:01:15,360 --> 00:01:19,800 Technical University in Prague. Currently, I'm the project leader of the Civilsphere 9 00:01:19,800 --> 00:01:25,200 Project, and Sebastian Garcia, the director of the Civilsphere Project in the 10 00:01:25,200 --> 00:01:31,140 Czech Technical University in Prague. The project is is part of the Stratosphere 11 00:01:31,140 --> 00:01:36,960 Laboratory in the university. The main purpose is to provide free services and 12 00:01:36,960 --> 00:01:43,020 tools to help the civil society protect them and help me then help them identify 13 00:01:43,800 --> 00:01:55,347 targeted digital attacks. So Maati Monjib. He's a Moroccan historian. He's the co- 14 00:01:55,347 --> 00:02:02,640 founder of the Moroccan Association of Independent Journalism. He was denouncing 15 00:02:02,640 --> 00:02:08,040 some misbehavior of his government, and because of that, he was targeted with 16 00:02:08,040 --> 00:02:21,300 spyware. Around 2015. Alberto Nisman was a lawyer in Argentina, he - he died. He was 17 00:02:21,300 --> 00:02:26,940 until the moment of his death, the lead investigator in the terrorist attack of 18 00:02:26,940 --> 00:02:36,120 1994 that happened in Buenos Aires. It was a sad incident that may have been covered 19 00:02:36,120 --> 00:02:42,600 up by the government. And after his death, the researchers found traces of a spyware 20 00:02:42,600 --> 00:02:51,300 in his mobile phone allegedly installed by the government to spy on him. Ahmed 21 00:02:51,300 --> 00:03:03,120 Mansoor. He's an activist from the UAE. He's also a human rights defendant. He 22 00:03:03,120 --> 00:03:07,740 also denounces misbehaviors of his government, and because of that, his 23 00:03:07,740 --> 00:03:13,920 government targeted him repeatedly with different type of spyware from different 24 00:03:13,920 --> 00:03:23,700 places. Right now, he's in jail. He he's been there for almost two years, and he 25 00:03:23,700 --> 00:03:29,100 barely survived there for more than 40 days hunger strike. He did complain about 26 00:03:29,100 --> 00:03:36,840 the prison conditions. Simón Barquera. Maybe you can check the slides. They are 27 00:03:36,840 --> 00:03:45,720 not. Simón Barquera is a researcher, food scientist from Mexico. He is a weird case 28 00:03:45,720 --> 00:03:52,320 because it's not very clear why he was targeted. The Mexican government targeted 29 00:03:52,320 --> 00:04:01,440 him and his colleagues with also spyware. Karla Salas she's a she's a lawyer from 30 00:04:01,440 --> 00:04:07,440 Mexico as well. She's representing and investigating the murder of a group of 31 00:04:08,160 --> 00:04:14,640 human rights defendants that were murdered in Mexico. She and her colleagues were 32 00:04:14,640 --> 00:04:22,200 targeted by the Mexican government with the NSOs Pegasus spyware. Griselda Triana, 33 00:04:22,200 --> 00:04:27,120 she's a widow. Her husband was a journalist from Mexico covering drug 34 00:04:27,120 --> 00:04:34,320 cartel activities and organized crime in Sinaloa, Culiacán, Mexico. She was 35 00:04:34,320 --> 00:04:38,580 targeted by the Mexican government with spyware. Few days after her husband's 36 00:04:38,580 --> 00:04:47,340 death, and we don't understand exactly why. His, her husband's computer and 37 00:04:47,340 --> 00:04:54,300 laptop were taken away when he was murdered, so there was no known reason why 38 00:04:54,300 --> 00:05:01,500 she was targeted. Emilio Aristegui, he's the son of a lawyer, he is a minor, and he 39 00:05:01,500 --> 00:05:06,420 was targeted. His phone was targeted by the Mexican government with spyware to spy 40 00:05:06,420 --> 00:05:12,780 on his mother and that she was a lawyer investigating some cases. So these are 41 00:05:12,780 --> 00:05:20,760 only a few cases of the dozens of hundreds of cases where government use surveillance 42 00:05:20,760 --> 00:05:26,040 technology to spy on people. But not only civil society defendants, but also 43 00:05:26,040 --> 00:05:32,760 civilians like this kid. And the common case among all this is that their mobile 44 00:05:32,760 --> 00:05:37,680 phones were targeted. And there is a simple explanation for that. We take our 45 00:05:37,680 --> 00:05:42,060 mobile phones with us everywhere we use them. These we don't take computers 46 00:05:42,060 --> 00:05:46,860 anymore. When we are in the front line in Syria covering war, we regard the videos 47 00:05:46,860 --> 00:05:52,020 with our phones. We send messages that we are still alive with our phones. We 48 00:05:52,020 --> 00:05:57,300 cannot. When we are working on this field, we don't know. We cannot not use the 49 00:05:57,300 --> 00:06:02,820 mobile phones. So they have photos, they have documents, they have location, they 50 00:06:02,820 --> 00:06:12,900 have everything. This is perfect for spying on someone. So, it is a fact that 51 00:06:12,900 --> 00:06:17,460 governments are using the spyware as a surveillance technology not only to 52 00:06:17,460 --> 00:06:25,200 surveil, but also to abuse, to imprison, to sometimes to kill people. And we know 53 00:06:25,200 --> 00:06:29,940 that they are governments because the technology that they are using like, for 54 00:06:29,940 --> 00:06:35,700 example, the Pegasus software by the Israeli company NSO. They can only be 55 00:06:35,700 --> 00:06:43,800 purchased by governments. So we know they are doing this. So these tools are also 56 00:06:43,800 --> 00:06:49,620 cheap, easy to use, cheap for them, right? Easy to use. They can be used multiple 57 00:06:49,620 --> 00:06:56,520 times all the times they want. Sometimes they they cannot be traced back to their 58 00:06:56,520 --> 00:07:00,900 sources. It's not that easy. So you find an infection and it's hard to know who is 59 00:07:00,900 --> 00:07:09,660 behind it. So for them it's a perfect tool. So what can what can we do if we 60 00:07:09,660 --> 00:07:14,820 think our mobile is compromised? There are several things we can do. For instance, we 61 00:07:14,820 --> 00:07:20,880 can do, our forensic analysis. It's costly because it takes a lot of time. We need to 62 00:07:20,880 --> 00:07:25,920 go on the phone to check the files, to try to see if there is any sign of infections. 63 00:07:27,060 --> 00:07:34,080 And sometimes this also involves like sending our phone to somewhere to analyze. 64 00:07:34,080 --> 00:07:39,000 And in the meantime, what are we going to use? It's not very clear. We can factory 65 00:07:39,000 --> 00:07:45,180 reset our phone. It might work sometimes, sometimes not. And it's costly. Sometimes 66 00:07:45,180 --> 00:07:51,000 we lose data. We can change phones which is a simple solution. We just drop it to 67 00:07:51,000 --> 00:07:56,160 trash. We pick another one. But how many of us can afford to do these, like maybe 68 00:07:56,160 --> 00:08:01,260 three or four times a year? It's very expensive. But we can also do traffic 69 00:08:01,260 --> 00:08:05,940 analysis. That means work on the assumption that the malware that is 70 00:08:05,940 --> 00:08:10,380 infecting our phones will try to steal information from our phones and send it 71 00:08:10,380 --> 00:08:17,580 somewhere. The sending of data will happen over the internet because that's cheap so 72 00:08:17,580 --> 00:08:24,660 that communication we can see and hopefully we can identify it. So how can 73 00:08:24,660 --> 00:08:30,120 we know? How can we know if our phone right now is at risk? Imagine that you're 74 00:08:30,120 --> 00:08:35,700 crossing a border. Someone from the police takes your phone, then gives back to you. 75 00:08:35,700 --> 00:08:41,232 Everything is fine. How can you know if it's not compromised? So this is where in 76 00:08:41,232 --> 00:08:50,039 Civilsphere we start thinking, which is the simplest way we can go there and help 77 00:08:50,039 --> 00:08:55,707 these people, which is the simplest way we can go and check those phones in the field 78 00:08:55,707 --> 00:09:01,047 while this is happening and we came up with an Emergency VNP. So the Emergency 79 00:09:01,047 --> 00:09:06,495 VPN is the service that we are providing using OpenVPN, this free tool that you 80 00:09:06,495 --> 00:09:11,425 know that you install in your phone. And from these, we are sending the traffic 81 00:09:11,425 --> 00:09:15,780 from their phones to their university servers or the servers are in our office 82 00:09:15,780 --> 00:09:20,790 and then to the internet and back. So we have normal internet. And we are capturing 83 00:09:20,790 --> 00:09:25,080 all your traffic. We store in there. What we are doing with these? Well, we have our 84 00:09:25,080 --> 00:09:29,655 security analysts looking at this traffic, finding infection, finding that out, using 85 00:09:29,655 --> 00:09:34,197 our tools, using our expertize threat intelligence, threat hunting, handling 86 00:09:34,197 --> 00:09:38,640 whatever we can and see everything in there and then reporting back to you say, 87 00:09:38,640 --> 00:09:42,706 Hey, you're safe, it's OK. Or, Hey, there is something going on with your phone, 88 00:09:42,706 --> 00:09:46,982 uninstall these applications or actually change phones. We are from time to time 89 00:09:46,982 --> 00:09:51,808 suggesting stop using that phone right now. I don't know what you are doing, but 90 00:09:51,808 --> 00:09:55,868 this is something you should stop. So we are having experts looking at this 91 00:09:55,868 --> 00:09:59,779 traffic. Also, we have the tools and everything we do in there is free software 92 00:09:59,779 --> 00:10:04,614 because we need these to be open for the community. So how does it work? This is a 93 00:10:04,614 --> 00:10:09,382 schema of the Emergency VPN. You have your phone on in the situation. Like Veronica 94 00:10:09,382 --> 00:10:13,351 was saying, you are at risk and you say right now I'm crossing the border, I'm 95 00:10:13,351 --> 00:10:17,993 going to a country that I don't know. I suspect I might be targeted. In that 96 00:10:17,993 --> 00:10:22,680 moment, you send an email to a special email address that - the address is not 97 00:10:22,680 --> 00:10:27,092 here because we cannot afford right now everyone using the Emergency VPN, because 98 00:10:27,092 --> 00:10:31,530 we have humans checking the traffic. So we will give you later the address if you 99 00:10:31,530 --> 00:10:37,020 need it, but you send an email to say, Hey, help automatically. We check these 100 00:10:37,020 --> 00:10:43,949 email, we create an OpenVPN profile for you. We open this for you and we send by 101 00:10:43,949 --> 00:10:49,359 email the profile. So you click on the profile. You have the open VPN installed 102 00:10:49,359 --> 00:10:53,586 or you can install the additional one. And from that moment, your phone is sending 103 00:10:53,586 --> 00:10:58,313 all your traffic to the university to the internet maximum three days. We stop it 104 00:10:58,313 --> 00:11:03,003 there automatically and then we create the PCAP-file where the analysts are going 105 00:11:03,003 --> 00:11:08,038 there and checking what's going on with your traffic. After this, we create a 106 00:11:08,038 --> 00:11:14,128 report that is being sent to you back by email. OK, so this is the core operation 107 00:11:14,128 --> 00:11:19,361 like 90 percent of the magic of the Emergency VPN. So advantages of this 108 00:11:19,361 --> 00:11:25,080 approach? Well, the first one is that this is giving you an immediate analysis of the 109 00:11:25,080 --> 00:11:30,155 traffic of your phone, wherever you are. This is in the moment you need it and then 110 00:11:30,155 --> 00:11:35,057 you can see what your phone is doing or not doing right. Secondly, here is that we 111 00:11:35,057 --> 00:11:38,921 have the technology. We have the expertize. Our threat hunter, threat 112 00:11:38,921 --> 00:11:43,050 intelligence people. We have tools. We are doing machine learning also in the 113 00:11:43,050 --> 00:11:46,892 university. So we have methods for analyzing the behavior of encrypted 114 00:11:46,892 --> 00:11:51,757 traffic. We do not open the traffic, but we can analyze this also. So we took all 115 00:11:51,757 --> 00:11:56,512 the tools we can to help the civil society. Then we have the anonymity. We 116 00:11:56,512 --> 00:12:01,239 want this to be as anonymous as possible, which means we only know one email 117 00:12:01,239 --> 00:12:06,306 address, the one used to send us an email. And that's it. It doesn't even need to be 118 00:12:06,306 --> 00:12:11,006 your real email. We don't care, right? Moreover, this email address is only known 119 00:12:11,006 --> 00:12:16,320 to the manager of the project. The people analyzing the traffic do not have this 120 00:12:16,320 --> 00:12:20,554 information. After that, they send the report back to the email address and that 121 00:12:20,554 --> 00:12:25,584 say we did a pcap, and that's all we know. Of course, if your phone is leaking data, 122 00:12:25,584 --> 00:12:31,088 which probably is, we see this information because this is for the whole purpose of 123 00:12:31,088 --> 00:12:35,670 the system, right? Then we have our continuous research. We had a university 124 00:12:35,670 --> 00:12:40,089 project like almost 30 people here. So we are doing new research, new methods, new 125 00:12:40,089 --> 00:12:44,233 tools, open source. We are applying, checking, researching and publishing 126 00:12:44,233 --> 00:12:49,444 research, continually moving at last. This is the best way to have a report back to 127 00:12:49,444 --> 00:12:54,796 you in your phone saying if you are infected or not. OK, so some insights from 128 00:12:54,796 --> 00:13:01,350 the Emergency VPN. The first one is this is active since mid-2018. We analyzed 111 129 00:13:01,350 --> 00:13:06,933 cases, roughly maybe a little bit more 60 percent of our Android devices here. We 130 00:13:06,933 --> 00:13:11,903 can talk about that, but it's well known that a lot of people at risk cannot afford 131 00:13:11,903 --> 00:13:17,109 very expensive phones, which is also impacting their security. Eighty two 132 00:13:17,109 --> 00:13:24,322 gigabytes of traffic. 3200 hours of humans analyzing this, which is huge and most 133 00:13:24,322 --> 00:13:31,058 importantly, 95% of whatever we found there. It's because of normal applications 134 00:13:31,058 --> 00:13:37,280 like the applications you have right now in your phone in this moment. And this is 135 00:13:37,280 --> 00:13:43,820 a huge issue. The most common issues, right, that we found, and we cannot say 136 00:13:43,820 --> 00:13:51,013 this enough. Geolocation is an issue. Like only three phones ever were not leaking 137 00:13:51,013 --> 00:13:57,338 geolocation. So the rest of the phones are leaking like weather applications, like 138 00:13:57,338 --> 00:14:02,132 dating applications , to buy staff, transport applications like a lot of 139 00:14:02,132 --> 00:14:07,800 applications, are leaking these. Most are leaking these in encrypted form. A lot of 140 00:14:07,800 --> 00:14:12,930 them are leaking these unencrypted, which means that not only we can see that, but 141 00:14:12,930 --> 00:14:18,350 the people in your WiFi, your government, the police, whoever has access to this 142 00:14:18,350 --> 00:14:23,487 traffic can see your position almost in real time. Which means that if the 143 00:14:23,487 --> 00:14:29,067 government wants to know where you are, they do not need to infect you. It's much 144 00:14:29,067 --> 00:14:33,900 easier to go to a telco provider. They look at your traffic and see that you are 145 00:14:33,900 --> 00:14:37,600 leaking your location of all over the place. We know that this is because of 146 00:14:37,600 --> 00:14:41,853 advertising and marketing. The people are selling this information a lot. Be very 147 00:14:41,853 --> 00:14:46,408 careful with which application you have, and this is the third point is secured 148 00:14:46,408 --> 00:14:51,081 applications are a real hazard for you. Maybe you need two phones like your 149 00:14:51,081 --> 00:14:55,920 professional phones and your everyday life phone. We don't know what the problem 150 00:14:55,920 --> 00:15:00,599 usually comes for the applications that you're installing, just because, right, 151 00:15:00,599 --> 00:15:05,549 these applications are leaking so much data like your email, your name, your 152 00:15:05,549 --> 00:15:11,190 phone number, credit cards, user behavior, your preferences if you are dating or not. 153 00:15:11,190 --> 00:15:17,049 If you are buying and where you're buying, which transports you are taking which seat 154 00:15:17,049 --> 00:15:22,876 you're taking the bus. So a lot of information really, really being believe-I 155 00:15:22,876 --> 00:15:28,026 believe us here. Alas, the email and the emcee that these two identifiers of the 156 00:15:28,026 --> 00:15:32,010 phone are usually leaked by the applications. We don't know why. And this 157 00:15:32,010 --> 00:15:37,316 is very dangerous because identifies your phone uniquely OK. From the point of view 158 00:15:37,316 --> 00:15:42,542 of the important cases, there are two things that we want to say. The first one 159 00:15:42,542 --> 00:15:47,644 is that we found trojans here that are infecting your phones, but none of these 160 00:15:47,644 --> 00:15:53,582 trojans were actually targeted. Trojans like trojans for you. They were like, 161 00:15:53,582 --> 00:15:58,945 Let's call normal trojans. So this is a thing. And the second one is malicious 162 00:15:58,945 --> 00:16:03,299 files. A lot of phones are doing this peer-to-peer file sharing thing. Even if 163 00:16:03,299 --> 00:16:07,468 you don't know some applications. I'm not going to give you names, but they're doing 164 00:16:07,468 --> 00:16:11,424 this peer-to-peer file sharing, even if you don't know and they were malicious 165 00:16:11,424 --> 00:16:17,746 files going over the wire there. However, why is it that after a year or something 166 00:16:17,746 --> 00:16:25,162 of analysis after 111 cases analyze, we did not found any targeted attack? Why? 167 00:16:25,162 --> 00:16:34,515 Why this is the case? I mean, the answer? The answer is simple. No. Yes. The answer 168 00:16:34,515 --> 00:16:43,933 is simple. The Emergency VPN works for three days maximum, so it's not about 169 00:16:43,933 --> 00:16:49,913 reaching the right people, but reaching the right people at the right time. Like, 170 00:16:49,913 --> 00:16:55,692 if we take three days before the incident, we might not see it. If we check three 171 00:16:55,692 --> 00:17:02,057 days later, we might not see it. So right now, we we need your help. Reaching the 172 00:17:02,057 --> 00:17:09,355 right population is very important because we need people to know that these services 173 00:17:09,355 --> 00:17:15,089 exist and it's always tricky. If we tell you, Hey, connect, here we are going to 174 00:17:15,089 --> 00:17:19,955 see all your traffic is like, Are you insane? Why? Why would I do that? However, 175 00:17:19,955 --> 00:17:26,022 remember that the other options are not very cheap or easy or even feasible if you 176 00:17:26,022 --> 00:17:31,947 are traveling, for example. And again, as Sebastian said. Like, everything that goes 177 00:17:31,947 --> 00:17:37,878 encrypted is called, We don't see it. We are not doing man in the middle. If we see 178 00:17:37,878 --> 00:17:44,773 anything, we see it because it's not encrypted. So if you believe that you are 179 00:17:44,773 --> 00:17:50,843 a people, a person that is at risk because of the work you do or because of the type 180 00:17:50,843 --> 00:17:55,368 of information or people that you help, please contact us. We are willing to 181 00:17:55,368 --> 00:18:00,270 answer all the questions that you might have about data retention, how we handle 182 00:18:00,270 --> 00:18:06,450 the data, how we store it, how we delete it after how long, etc. And if you know 183 00:18:06,450 --> 00:18:12,870 people that might be at risk because of the work they do, because the people they 184 00:18:12,870 --> 00:18:18,349 protect, the people, they represent the type of investigation they do, please tell 185 00:18:18,349 --> 00:18:23,696 them about the service. We, we can. Contact us via email. As we say, the 186 00:18:23,696 --> 00:18:29,128 information, how specifically do you see it is not publicly available, available 187 00:18:29,128 --> 00:18:34,400 because we cannot handle hundreds of cases at the same time. However, if you think 188 00:18:34,400 --> 00:18:40,716 you are a person at risk, we we will send it to you right away. This is the contact 189 00:18:40,716 --> 00:18:47,119 phone number we are in Telegram. Wire, Signal, WhatsApp, anything that you need 190 00:18:47,119 --> 00:18:52,263 to to reach out and we will answer any questions. So we need to reach these 191 00:18:52,263 --> 00:18:56,527 people. OK, so thank you very much and we will be around for the rest of the 192 00:18:56,527 --> 00:19:00,644 congress. If you want to stop us, ask questions. Tell us something. If you need, 193 00:19:00,644 --> 00:19:05,400 tell us about these two other people in the field that they needed. Trust is very 194 00:19:05,400 --> 00:19:15,190 important here. And let us know. OK? Yes, thank you. Thank you. OK. And as usual, we 195 00:19:15,190 --> 00:19:24,491 will take questions from the public. There are two microphones. Yes, go ahead. Talk 196 00:19:24,491 --> 00:19:29,461 into the mick one sentence, please. Just a quick. Thanks for your excellent service. 197 00:19:29,461 --> 00:19:35,001 My question is how can you be sure that all the traffic of a compromised phone is 198 00:19:35,001 --> 00:19:41,690 run through your VPN? Mm-Hmm. So of course we cannot. We can't say that in our 199 00:19:41,690 --> 00:19:48,167 experience, we never found or saw any malware that is trying to avoid the VPN in 200 00:19:48,167 --> 00:19:53,454 the phone. So we rely on that. No, no malware or APT ever that we saw or known 201 00:19:53,454 --> 00:19:58,433 about is actually trying to about the VPN service in some phones. I'm not sure if 202 00:19:58,433 --> 00:20:02,529 you can avoid it. Maybe, yes, I don't know. In our experiments on trials with 203 00:20:02,529 --> 00:20:06,103 different phones and tablets and everything, all the traffic is going 204 00:20:06,103 --> 00:20:11,910 through the VPN service, right? Because like a proxy in your phone? Yes. So if you 205 00:20:11,910 --> 00:20:19,076 if you know, if any case. Yeah, we would love to know. We try. We we run a malware 206 00:20:19,076 --> 00:20:24,420 laboratory and we run malware on phones and computers to try to understand them. 207 00:20:24,420 --> 00:20:28,560 And we have not encountered such a case. SMS, for example, we are not seeing. 208 00:20:28,560 --> 00:20:33,031 Right? Yes. One more question, please. Yeah. So you're running the net, you're 209 00:20:33,031 --> 00:20:39,152 running the data through your network at the university. Do you have a like a lot 210 00:20:39,152 --> 00:20:44,791 of exit IP numbers? Because, yes, a malware app could maybe identify it is 211 00:20:44,791 --> 00:20:49,109 routing through you and decide not to act? Yeah. So that's a good question actually. 212 00:20:49,109 --> 00:20:54,300 In the university. We have a complete class public network. We have, of course, 213 00:20:54,300 --> 00:20:58,440 agreements with the university to use part of the IPs. So this is part of the 214 00:20:58,440 --> 00:21:05,940 equation in the right, like any way we are taking precautions. But so far we did not 215 00:21:05,940 --> 00:21:10,620 found anyone blocking or checking our IPs. So we would say that it's true, right? 216 00:21:10,620 --> 00:21:17,040 Yeah, we would say that if that happens, we would consider our project very 217 00:21:17,040 --> 00:21:25,200 successful. We we haven't we haven't heard of such a case yet. Thank you. OK. Let's 218 00:21:25,200 --> 00:21:29,640 have a big hand final for Veronica and Sebastian. Thank you very much.