WEBVTT

00:00:17.160 --> 00:00:26.220
There's a long way from Argentina. Argentine, Argentine to Prague to Leipzig.

00:00:27.420 --> 00:00:33.120
These two young researchers, security researchers, the lady and the gentleman,

00:00:38.160 --> 00:00:46.020
Veronica and Sebastian are here to tell us something about Emergency VPNs, virtual

00:00:46.020 --> 00:00:54.360
private networks, analyzing mobile network traffic to detect digital threats. And I'm

00:00:54.360 --> 00:00:59.460
quite convinced you're going to have a good time. You're welcome to have a big

00:00:59.460 --> 00:01:08.820
hand for Veronica and Sebastian. Thank you. Thank you. OK, thank you, everyone

00:01:08.820 --> 00:01:15.360
for coming here. My name is Veronica Valeros. I'm a researcher with the Czech

00:01:15.360 --> 00:01:19.800
Technical University in Prague. Currently, I'm the project leader of the Civilsphere

00:01:19.800 --> 00:01:25.200
Project, and Sebastian Garcia, the director of the Civilsphere Project in the

00:01:25.200 --> 00:01:31.140
Czech Technical University in Prague. The project is part of the Stratosphere

00:01:31.140 --> 00:01:36.960
Laboratory in the university. The main purpose is to provide free services and

00:01:36.960 --> 00:01:43.020
tools to help the civil society protect them and help them identify

00:01:43.800 --> 00:01:55.347
targeted digital attacks. So Maati Monjib. He's a Moroccan historian. He's the co-

00:01:55.347 --> 00:02:02.640
founder of the Moroccan Association of Independent Journalism. He was denouncing

00:02:02.640 --> 00:02:08.040
some misbehavior of his government, and because of that, he was targeted with

00:02:08.040 --> 00:02:21.300
spyware. Around 2015. Alberto Nisman was a lawyer in Argentina, he - he died. He was

00:02:21.300 --> 00:02:26.940
until the moment of his death, the lead investigator in the terrorist attack of

00:02:26.940 --> 00:02:36.120
1994 that happened in Buenos Aires. It was a sad incident that may have been covered

00:02:36.120 --> 00:02:42.600
up by the government. And after his death, the researchers found traces of a spyware

00:02:42.600 --> 00:02:51.300
in his mobile phone allegedly installed by the government to spy on him. Ahmed

00:02:51.300 --> 00:03:03.120
Mansoor. He's an activist from the UAE. He's also a human rights defendant. He

00:03:03.120 --> 00:03:07.740
also denounces misbehaviors of his government, and because of that, his

00:03:07.740 --> 00:03:13.920
government targeted him repeatedly with different types of spyware from different

00:03:13.920 --> 00:03:23.700
places. Right now, he's in jail. He's been there for almost two years, and he

00:03:23.700 --> 00:03:29.100
barely survived there a more than 40 days hunger strike. He did complain about

00:03:29.100 --> 00:03:36.840
the prison conditions. Simón Barquera. Maybe you can check the slides. They are

00:03:36.840 --> 00:03:45.720
not. Simón Barquera is a researcher, food scientist from Mexico. He is a weird case

00:03:45.720 --> 00:03:52.320
because it's not very clear why he was targeted. The Mexican government targeted

00:03:52.320 --> 00:04:01.440
him and his colleagues with also spyware. Karla Salas, she's a lawyer from

00:04:01.440 --> 00:04:07.440
Mexico as well. She's representing and investigating the murder of a group of

00:04:08.160 --> 00:04:14.640
human rights defendants that were murdered in Mexico. She and her colleagues were

00:04:14.640 --> 00:04:22.200
targeted by the Mexican government with the NSO's Pegasus spyware. Griselda Triana,

00:04:22.200 --> 00:04:27.120
she's a widow. Her husband was a journalist from Mexico covering drug

00:04:27.120 --> 00:04:34.320
cartel activities and organized crime in Sinaloa, Culiacán, Mexico. She was

00:04:34.320 --> 00:04:38.580
targeted by the Mexican government with spyware. Few days after her husband's

00:04:38.580 --> 00:04:47.340
death, and we don't understand exactly why. His, her husband's computer and

00:04:47.340 --> 00:04:54.300
laptop were taken away when he was murdered, so there was no known reason why

00:04:54.300 --> 00:05:01.500
she was targeted. Emilio Aristegui, he's the son of a lawyer, he is a minor, and he

00:05:01.500 --> 00:05:06.420
was targeted. His phone was targeted by the Mexican government with spyware to spy

00:05:06.420 --> 00:05:12.780
on his mother and that she was a lawyer investigating some cases. So these are

00:05:12.780 --> 00:05:20.760
only a few cases of the dozens of hundreds of cases where governments use surveillance

00:05:20.760 --> 00:05:26.040
technology to spy on people. But not only civil society defendants, but also

00:05:26.040 --> 00:05:32.760
civilians like this kid. And the common case among all this is that their mobile

00:05:32.760 --> 00:05:37.680
phones were targeted. And there is a simple explanation for that. We take our

00:05:37.680 --> 00:05:42.060
mobile phones with us everywhere, we use them. These days we don't take computers

00:05:42.060 --> 00:05:46.860
anymore. When we are in the front line in Syria covering war, we record the videos

00:05:46.860 --> 00:05:52.020
with our phones. We send messages that we are still alive with our phones. We

00:05:52.020 --> 00:05:57.300
cannot. When we are working on this field, we don't know. We cannot not use the

00:05:57.300 --> 00:06:02.820
mobile phones. So they have photos, they have documents, they have location, they

00:06:02.820 --> 00:06:12.900
have everything. This is perfect for spying on someone. So, it is a fact that

00:06:12.900 --> 00:06:17.460
governments are using the spyware as a surveillance technology not only to

00:06:17.460 --> 00:06:25.200
surveil, but also to abuse, to imprison, sometimes to kill people. And we know

00:06:25.200 --> 00:06:29.940
that they are governments because the technology that they are using like, for

00:06:29.940 --> 00:06:35.700
example, the Pegasus software by the Israeli company NSO. They can only be

00:06:35.700 --> 00:06:43.800
purchased by governments. So we know they are doing this. So these tools are also

00:06:43.800 --> 00:06:49.620
cheap, easy to use, cheap for them, right? Easy to use. They can be used multiple

00:06:49.620 --> 00:06:56.520
times, all the times they want. Sometimes they cannot be traced back to their

00:06:56.520 --> 00:07:00.900
sources. It's not that easy. So you find an infection and it's hard to know who is

00:07:00.900 --> 00:07:09.660
behind it. So for them it's a perfect tool. So what can we do if we

00:07:09.660 --> 00:07:14.820
think our mobile is compromised? There are several things we can do. For instance, we

00:07:14.820 --> 00:07:20.880
can do our forensic analysis. It's costly because it takes a lot of time. We need to

00:07:20.880 --> 00:07:25.920
go on the phone to check the files, to try to see if there is any sign of infections.

00:07:27.060 --> 00:07:34.080
And sometimes this also involves like sending our phone to somewhere to analyze.

00:07:34.080 --> 00:07:39.000
And in the meantime, what are we going to use? It's not very clear. We can factory

00:07:39.000 --> 00:07:45.180
reset our phone. It might work sometimes, sometimes not. And it's costly. Sometimes

00:07:45.180 --> 00:07:51.000
we lose data. We can change phones, which is a simple solution. We just drop it to

00:07:51.000 --> 00:07:56.160
trash. We pick another one. But how many of us can afford to do these, like maybe

00:07:56.160 --> 00:08:01.260
three or four times a year? It's very expensive. But we can also do traffic

00:08:01.260 --> 00:08:05.940
analysis. That means work on the assumption that the malware that is

00:08:05.940 --> 00:08:10.380
infecting our phones will try to steal information from our phones and send it

00:08:10.380 --> 00:08:17.580
somewhere. The sending of data will happen over the internet because that's cheap, so

00:08:17.580 --> 00:08:24.660
that communication we can see and hopefully we can identify it. So how can

00:08:24.660 --> 00:08:30.120
we know? How can we know if our phone right now is at risk? Imagine that you're

00:08:30.120 --> 00:08:35.700
crossing a border. Someone from the police takes your phone, then gives it back to you.

00:08:35.700 --> 00:08:41.232
Everything is fine. How can you know if it's not compromised? So this is where in

00:08:41.232 --> 00:08:50.039
Civilsphere we start thinking, which is the simplest way we can go there and help

00:08:50.039 --> 00:08:55.707
these people, which is the simplest way we can go and check those phones in the field

00:08:55.707 --> 00:09:01.047
while this is happening, and we came up with an Emergency VPN. So the Emergency

00:09:01.047 --> 00:09:06.495
VPN is the service that we are providing using OpenVPN, this free tool that you

00:09:06.495 --> 00:09:11.425
know that you install in your phone. And from these, we are sending the traffic

00:09:11.425 --> 00:09:15.780
from their phones to the university servers, or the servers are in our office,

00:09:15.780 --> 00:09:20.790
and then to the internet and back. So we have normal internet. And we are capturing

00:09:20.790 --> 00:09:25.080
all your traffic. We store it in there. What are we doing with these? Well, we have our

00:09:25.080 --> 00:09:29.655
security analysts looking at this traffic, finding infection, finding that out, using

00:09:29.655 --> 00:09:34.197
our tools, using our expertise, threat intelligence, threat hunting, handling

00:09:34.197 --> 00:09:38.640
whatever we can and see everything in there and then reporting back to you to say,

00:09:38.640 --> 00:09:42.706
Hey, you're safe, it's OK. Or, Hey, there is something going on with your phone,

00:09:42.706 --> 00:09:46.982
uninstall these applications or actually change phones. We are from time to time

00:09:46.982 --> 00:09:51.808
suggesting stop using that phone right now. I don't know what you are doing, but

00:09:51.808 --> 00:09:55.868
this is something you should stop. So we are having experts looking at this

00:09:55.868 --> 00:09:59.779
traffic. Also, we have the tools and everything we do in there is free software

00:09:59.779 --> 00:10:04.614
because we need these to be open for the community. So how does it work? This is a

00:10:04.614 --> 00:10:09.382
schema of the Emergency VPN. You have your phone on in the situation. Like Veronica

00:10:09.382 --> 00:10:13.351
was saying, you are at risk and you say right now I'm crossing the border, I'm

00:10:13.351 --> 00:10:17.993
going to a country that I don't know. I suspect I might be targeted. In that

00:10:17.993 --> 00:10:22.680
moment, you send an email to a special email address that - the address is not

00:10:22.680 --> 00:10:27.092
here because we cannot afford right now everyone using the Emergency VPN, because

00:10:27.092 --> 00:10:31.530
we have humans checking the traffic. So we will give you later the address if you

00:10:31.530 --> 00:10:37.020
need it, but you send an email to say, Hey, help. Automatically, we check this

00:10:37.020 --> 00:10:43.949
email, we create an OpenVPN profile for you. We open this for you and we send by

00:10:43.949 --> 00:10:49.359
email the profile. So you click on the profile. You have the OpenVPN installed

00:10:49.359 --> 00:10:53.586
or you can install the additional one. And from that moment, your phone is sending

00:10:53.586 --> 00:10:58.313
all your traffic to the university, to the internet, maximum three days. We stop it

00:10:58.313 --> 00:11:03.003
there automatically and then we create the PCAP file where the analysts are going

00:11:03.003 --> 00:11:08.038
there and checking what's going on with your traffic. After this, we create a

00:11:08.038 --> 00:11:14.128
report that is being sent back to you by email. OK, so this is the core operation,

00:11:14.128 --> 00:11:19.361
like 90 percent of the magic of the Emergency VPN. So advantages of this

00:11:19.361 --> 00:11:25.080
approach? Well, the first one is that this is giving you an immediate analysis of the

00:11:25.080 --> 00:11:30.155
traffic of your phone, wherever you are. This is in the moment you need it and then

00:11:30.155 --> 00:11:35.057
you can see what your phone is doing or not doing, right. Secondly, here is that we

00:11:35.057 --> 00:11:38.921
have the technology. We have the expertise. Our threat hunter, threat

00:11:38.921 --> 00:11:43.050
intelligence people. We have tools. We are doing machine learning also in the

00:11:43.050 --> 00:11:46.892
university. So we have methods for analyzing the behavior of encrypted

00:11:46.892 --> 00:11:51.757
traffic. We do not open the traffic, but we can analyze this also. So we took all

00:11:51.757 --> 00:11:56.512
the tools we can to help the civil society. Then we have the anonymity. We

00:11:56.512 --> 00:12:01.239
want this to be as anonymous as possible, which means we only know one email

00:12:01.239 --> 00:12:06.306
address, the one used to send us an email. And that's it. It doesn't even need to be

00:12:06.306 --> 00:12:11.006
your real email. We don't care, right? Moreover, this email address is only known

00:12:11.006 --> 00:12:16.320
to the manager of the project. The people analyzing the traffic do not have this

00:12:16.320 --> 00:12:20.554
information. After that, they send the report back to the email address and that's

00:12:20.554 --> 00:12:25.584
it, we have a pcap, and that's all we know. Of course, if your phone is leaking data,

00:12:25.584 --> 00:12:31.088
which probably it is, we see this information, because this is the whole purpose of

00:12:31.088 --> 00:12:35.670
the system, right? Then we have our continuous research. We have a university

00:12:35.670 --> 00:12:40.089
project, like almost 30 people here. So we are doing new research, new methods, new

00:12:40.089 --> 00:12:44.233
tools, open source. We are applying, checking, researching and publishing

00:12:44.233 --> 00:12:49.444
research, continually moving. At last, this is the best way to have a report back to

00:12:49.444 --> 00:12:54.796
you on your phone saying if you are infected or not. OK, so some insights from

00:12:54.796 --> 00:13:01.350
the Emergency VPN. The first one is this is active since mid-2018. We analyzed 111

00:13:01.350 --> 00:13:06.933
cases, roughly maybe a little bit more than 60 percent are Android devices here. We

00:13:06.933 --> 00:13:11.903
can talk about that, but it's well known that a lot of people at risk cannot afford

00:13:11.903 --> 00:13:17.109
very expensive phones, which is also impacting their security. Eighty two

00:13:17.109 --> 00:13:24.322
gigabytes of traffic. 3200 hours of humans analyzing this, which is huge, and most

00:13:24.322 --> 00:13:31.058
importantly, 95% of whatever we found there, it's because of normal applications,

00:13:31.058 --> 00:13:37.280
like the applications you have right now in your phone in this moment. And this is

00:13:37.280 --> 00:13:43.820
a huge issue. The most common issues, right, that we found, and we cannot say

00:13:43.820 --> 00:13:51.013
this enough. Geolocation is an issue. Like only three phones ever were not leaking

00:13:51.013 --> 00:13:57.338
geolocation. So the rest of the phones are leaking, like weather applications, like

00:13:57.338 --> 00:14:02.132
dating applications, to buy stuff, transport applications, like a lot of

00:14:02.132 --> 00:14:07.800
applications are leaking these. Most are leaking these in encrypted form. A lot of

00:14:07.800 --> 00:14:12.930
them are leaking these unencrypted, which means that not only we can see that, but

00:14:12.930 --> 00:14:18.350
the people in your WiFi, your government, the police, whoever has access to this

00:14:18.350 --> 00:14:23.487
traffic can see your position almost in real time. Which means that if the

00:14:23.487 --> 00:14:29.067
government wants to know where you are, they do not need to infect you. It's much

00:14:29.067 --> 00:14:33.900
easier to go to a telco provider. They look at your traffic and see that you are

00:14:33.900 --> 00:14:37.600
leaking your location all over the place. We know that this is because of

00:14:37.600 --> 00:14:41.853
advertising and marketing. The people are selling this information a lot. Be very

00:14:41.853 --> 00:14:46.408
careful with which application you have, and this is the third point, is secured

00:14:46.408 --> 00:14:51.081
applications are a real hazard for you. Maybe you need two phones, like your

00:14:51.081 --> 00:14:55.920
professional phone and your everyday life phone. We don't know what the problem

00:14:55.920 --> 00:15:00.599
usually comes from, the applications that you're installing, just because, right,

00:15:00.599 --> 00:15:05.549
these applications are leaking so much data, like your email, your name, your

00:15:05.549 --> 00:15:11.190
phone number, credit cards, user behavior, your preferences, if you are dating or not.

00:15:11.190 --> 00:15:17.049
If you are buying and where you're buying, which transports you are taking, which seat

00:15:17.049 --> 00:15:22.876
you're taking on the bus. So a lot of information really, really being believe-I

00:15:22.876 --> 00:15:28.026
believe us here. Also, the IMEI and the IMSI, these two identifiers of the

00:15:28.026 --> 00:15:32.010
phone, are usually leaked by the applications. We don't know why. And this

00:15:32.010 --> 00:15:37.316
is very dangerous because it identifies your phone uniquely. OK. From the point of view

00:15:37.316 --> 00:15:42.542
of the important cases, there are two things that we want to say. The first one

00:15:42.542 --> 00:15:47.644
is that we found trojans here that are infecting your phones, but none of these

00:15:47.644 --> 00:15:53.582
trojans were actually targeted. Trojans like trojans for you. They were like,

00:15:53.582 --> 00:15:58.945
let's call, normal trojans. So this is a thing. And the second one is malicious

00:15:58.945 --> 00:16:03.299
files. A lot of phones are doing this peer-to-peer file sharing thing. Even if

00:16:03.299 --> 00:16:07.468
you don't know, some applications, I'm not going to give you names, but they're doing

00:16:07.468 --> 00:16:11.424
this peer-to-peer file sharing, even if you don't know, and there were malicious

00:16:11.424 --> 00:16:17.746
files going over the wire there. However, why is it that after a year or something

00:16:17.746 --> 00:16:25.162
of analysis, after 111 cases analyzed, we did not find any targeted attack? Why?

00:16:25.162 --> 00:16:34.515
Why is this the case? I mean, the answer? The answer is simple. No. Yes. The answer

00:16:34.515 --> 00:16:43.933
is simple. The Emergency VPN works for three days maximum, so it's not about

00:16:43.933 --> 00:16:49.913
reaching the right people, but reaching the right people at the right time. Like,

00:16:49.913 --> 00:16:55.692
if we take three days before the incident, we might not see it. If we check three

00:16:55.692 --> 00:17:02.057
days later, we might not see it. So right now, we need your help. Reaching the

00:17:02.057 --> 00:17:09.355
right population is very important because we need people to know that these services

00:17:09.355 --> 00:17:15.089
exist, and it's always tricky. If we tell you, Hey, connect here, we are going to

00:17:15.089 --> 00:17:19.955
see all your traffic, it's like, Are you insane? Why? Why would I do that? However,

00:17:19.955 --> 00:17:26.022
remember that the other options are not very cheap or easy or even feasible if you

00:17:26.022 --> 00:17:31.947
are traveling, for example. And again, as Sebastian said. Like, everything that goes

00:17:31.947 --> 00:17:37.878
encrypted is called, we don't see it. We are not doing man in the middle. If we see

00:17:37.878 --> 00:17:44.773
anything, we see it because it's not encrypted. So if you believe that you are

00:17:44.773 --> 00:17:50.843
a people, a person that is at risk because of the work you do or because of the type

00:17:50.843 --> 00:17:55.368
of information or people that you help, please contact us. We are willing to

00:17:55.368 --> 00:18:00.270
answer all the questions that you might have about data retention, how we handle

00:18:00.270 --> 00:18:06.450
the data, how we store it, how we delete it after how long, etc. And if you know

00:18:06.450 --> 00:18:12.870
people that might be at risk because of the work they do, because of the people they

00:18:12.870 --> 00:18:18.349
protect, the people they represent, the type of investigation they do, please tell

00:18:18.349 --> 00:18:23.696
them about the service. We can. Contact us via email. As we say, the

00:18:23.696 --> 00:18:29.128
information, how specifically you do it, is not publicly available,

00:18:29.128 --> 00:18:34.400
because we cannot handle hundreds of cases at the same time. However, if you think

00:18:34.400 --> 00:18:40.716
you are a person at risk, we will send it to you right away. This is the contact

00:18:40.716 --> 00:18:47.119
phone number, we are in Telegram, Wire, Signal, WhatsApp, anything that you need

00:18:47.119 --> 00:18:52.263
to reach out, and we will answer any questions. So we need to reach these

00:18:52.263 --> 00:18:56.527
people. OK, so thank you very much and we will be around for the rest of the

00:18:56.527 --> 00:19:00.644
congress. If you want to stop us, ask questions. Tell us something. If you need,

00:19:00.644 --> 00:19:05.400
tell us about these two other people in the field that they needed. Trust is very

00:19:05.400 --> 00:19:15.190
important here. And let us know. OK? Yes, thank you. Thank you. OK. And as usual, we

00:19:15.190 --> 00:19:24.491
will take questions from the public. There are two microphones. Yes, go ahead. Talk

00:19:24.491 --> 00:19:29.461
into the mic, one sentence, please. Just a quick. Thanks for your excellent service.

00:19:29.461 --> 00:19:35.001
My question is how can you be sure that all the traffic of a compromised phone is

00:19:35.001 --> 00:19:41.690
run through your VPN? Mm-Hmm. So of course we cannot. We can say that in our

00:19:41.690 --> 00:19:48.167
experience, we never found or saw any malware that is trying to avoid the VPN in

00:19:48.167 --> 00:19:53.454
the phone. So we rely on that. No, no malware or APT ever that we saw or know

00:19:53.454 --> 00:19:58.433
about is actually trying to avoid the VPN service in some phones. I'm not sure if

00:19:58.433 --> 00:20:02.529
you can avoid it. Maybe, yes, I don't know. In our experiments and trials with

00:20:02.529 --> 00:20:06.103
different phones and tablets and everything, all the traffic is going

00:20:06.103 --> 00:20:11.910
through the VPN service, right? Because it's like a proxy in your phone? Yes. So if you

00:20:11.910 --> 00:20:19.076
know, if any case. Yeah, we would love to know. We try. We run a malware

00:20:19.076 --> 00:20:24.420
laboratory and we run malware on phones and computers to try to understand them.

00:20:24.420 --> 00:20:28.560
And we have not encountered such a case. SMS, for example, we are not seeing.

00:20:28.560 --> 00:20:33.031
Right? Yes. One more question, please. Yeah. So you're running the net, you're

00:20:33.031 --> 00:20:39.152
running the data through your network at the university. Do you have like a lot

00:20:39.152 --> 00:20:44.791
of exit IP numbers? Because, yes, a malware app could maybe identify it is

00:20:44.791 --> 00:20:49.109
routing through you and decide not to act? Yeah. So that's a good question actually.

00:20:49.109 --> 00:20:54.300
In the university, we have a complete class public network. We have, of course,

00:20:54.300 --> 00:20:58.440
agreements with the university to use part of the IPs. So this is part of the

00:20:58.440 --> 00:21:05.940
equation, right, like anyway we are taking precautions. But so far we did not

00:21:05.940 --> 00:21:10.620
find anyone blocking or checking our IPs. So we would say that it's true, right?

00:21:10.620 --> 00:21:17.040
Yeah, we would say that if that happens, we would consider our project very

00:21:17.040 --> 00:21:25.200
successful. We haven't heard of such a case yet. Thank you. OK. Let's

00:21:25.200 --> 00:21:29.640
have a big final hand for Veronica and Sebastian. Thank you very much.