It's a long way from Argentina to Prague to Leipzig.
These two young security researchers, the lady and
the gentleman, Veronica and Sebastian, are here to
tell us something about Emergency VPNs, virtual
private networks, analyzing mobile network traffic
to detect digital threats. And I'm quite convinced
you're going to have a good time. Please give a big
hand for Veronica and Sebastian. Thank you. Thank
you. OK, thank you, everyone, for coming here. My
name is Veronica Valeros. I'm a researcher at the
Czech Technical University in Prague. Currently,
I'm the project leader of the Civilsphere Project,
and Sebastian Garcia is the director of the
Civilsphere Project at the Czech Technical
University in Prague. The project is part of the
Stratosphere Laboratory at the university. Its main
purpose is to provide free services and tools to
help civil society protect themselves and help them
identify targeted digital attacks. So, Maati Monjib.
He's a Moroccan historian. He's the co-founder of
the Moroccan Association of Independent Journalism.
He was denouncing some misbehavior of his
government, and because of that, he was targeted
with spyware, around 2015. Alberto Nisman was a
lawyer in Argentina. He died. Until the moment of
his death, he was the lead investigator of the
terrorist attack of 1994 that happened in Buenos
Aires. It was a sad incident that may have been
covered up by the government. And after his death,
researchers found traces of spyware on his mobile
phone, allegedly installed by the government to spy
on him. Ahmed Mansoor. He's an activist from the
UAE. He's also a human rights defender. He also
denounced misbehaviors of his government, and
because of that, his government targeted him
repeatedly with different types of spyware from
different places. Right now, he's in jail. He's
been there for almost two years, and he barely
survived a hunger strike of more than 40 days
there. He did complain about
the prison conditions. Simón Barquera. Maybe you
can check the slides. They are not. Simón Barquera
is a researcher, a food scientist from Mexico. He
is a weird case because it's not very clear why he
was targeted. The Mexican government targeted him
and his colleagues with spyware as well. Karla
Salas, she's a lawyer from Mexico as well. She's
representing and investigating the murder of a
group of human rights defenders that were murdered
in Mexico. She and her colleagues were targeted by
the Mexican government with NSO's Pegasus spyware.
Griselda Triana, she's a widow. Her husband was a
journalist from Mexico covering drug cartel
activities and organized crime in Culiacán,
Sinaloa, Mexico. She was targeted by the Mexican
government with spyware a few days after her
husband's death, and we don't understand exactly
why. Her husband's computer and laptop were taken
away when he was murdered, so there was no known
reason why she was targeted. Emilio Aristegui,
he's the son of a lawyer, he is a minor, and he
was targeted. His phone was targeted by the
Mexican government with spyware to spy on his
mother, who was a lawyer investigating some cases.
So these are only a few cases of the dozens or
hundreds of cases where governments use
surveillance technology to spy on people. And not
only civil society defenders, but also civilians
like this kid. And the common thing among all of
these is that their mobile phones were targeted.
And there is a
simple explanation for that. We take our mobile
phones with us everywhere; we use them. We don't
take computers anymore. When we are on the front
line in Syria covering war, we record the videos
with our phones. We send messages that we are
still alive with our phones. When we are working
in this field, we cannot not use mobile phones. So
they have photos, they have documents, they have
location, they have everything. This is perfect
for spying on someone. So, it is a fact that
governments are using spyware as a surveillance
technology, not only to surveil, but also to
abuse, to imprison, sometimes to kill people. And
we know that they are governments because the
technology that they are using, like, for example,
the Pegasus software by the Israeli company NSO,
can only be purchased by governments. So we know
they are doing this. These tools are also cheap
for them, right? Easy to use. They can be used
multiple times, all the times they want. Sometimes
they cannot be traced back to their sources. It's
not that easy. So you find an infection and it's
hard to know who is behind it. So for them it's a
perfect
tool. So what can we do if we think our mobile is
compromised? There are several things we can do.
For instance, we can do forensic analysis. It's
costly because it takes a lot of time. We need to
go into the phone to check the files, to try to
see if there is any sign of infection. And
sometimes this also involves sending our phone
somewhere to be analyzed. And in the meantime,
what are we going to use? It's not very clear. We
can factory reset our phone. It might work
sometimes, sometimes not. And it's costly.
Sometimes we lose data. We can change phones,
which is a simple solution. We just drop it in the
trash, we pick another one. But how many of us can
afford to do this, like, maybe three or four times
a year? It's very expensive. But we can also do
traffic analysis. That means working on the
assumption that the malware that is infecting our
phones will try to steal information from our
phones and send it somewhere. The sending of data
will happen over the internet because that's
cheap, so that communication we can see, and
hopefully we can identify it. So how can we know?
How can we know if our phone right now is at risk?
Imagine that you're crossing a border. Someone
from the police takes your phone, then gives it
back to you. Everything is fine. How can you know
it's not compromised? So this is where in
Civilsphere we started thinking: which is the
simplest way we can go there and help these
people, which is the simplest way we can go and
check those phones in the field while this is
happening? And we came up
with an Emergency VPN. So the Emergency VPN is the
service that we are providing using OpenVPN, this
free tool that you know, that you install on your
phone. And from this, we are sending the traffic
from your phone to our university servers, or the
servers in our office, and then to the internet
and back. So you have normal internet. And we are
capturing all your traffic. We store it there.
What are we doing with this? Well, we have our
security analysts looking at this traffic, finding
infections, finding that out, using our tools,
using our expertise, threat intelligence, threat
hunting, whatever we can, and seeing everything in
there, and then reporting back to you to say, Hey,
you're safe, it's OK. Or, Hey, there is something
going on with your phone, uninstall these
applications, or actually change phones. We are
from time to time suggesting: stop using that phone
right now. I don't know what you are doing, but
this is something you should stop. So we have
experts looking at this traffic. Also, we have the
tools, and everything we do in there is free
software, because we need this to be open for the
community. So how does it work? This is a
schema of the Emergency VPN. You have your phone
in the situation, like Veronica was saying, where
you are at risk and you say: right now I'm crossing
the border, I'm going to a country that I don't
know, I suspect I might be targeted. In that
moment, you send an email to a special email
address. The address is not here because we cannot
afford right now everyone using the Emergency VPN,
because we have humans checking the traffic. So we
will give you the address later if you need it,
but you send an email to say, Hey, help.
Automatically, we check this email, we create an
OpenVPN profile for you, we open this for you and
we send you the profile by email. So you click on
the profile. You have OpenVPN installed, or you
can install it then. And from that moment, your
phone is sending all your traffic to the
university and to the internet, for a maximum of
three days. We stop it there automatically, and
then we create the PCAP file where the analysts
are going in and checking what's going on with
your traffic. After this, we create a report that
is sent back to you by email. OK, so this is the
core operation, like 90 percent of the magic of
the Emergency VPN. So, advantages of this
approach? Well, the first one is that this is
giving you an immediate analysis of the traffic of
your phone, wherever you are. This is in the
moment you need it, and then you can see what your
phone is doing or not doing. Secondly, we have the
technology. We have the expertise: our threat
hunters, threat intelligence people. We have
tools. We are also doing machine learning at the
university, so we have methods for analyzing the
behavior of encrypted traffic. We do not open the
traffic, but we can analyze this as well. So we
took all the tools we could to help civil society.
Then we have the anonymity. We want this to be as
anonymous as possible, which means we only know
one email address, the one used to send us an
email. And that's it. It doesn't even need to be
your real email. We don't care, right? Moreover,
this email address is only known to the manager of
the project. The people analyzing the traffic do
not have this information. After that, they send
the report back to the email address, and that's
to say we did a pcap, and that's all we know. Of
course, if your phone is leaking data, which it
probably is, we see this information, because this
is the whole purpose of the system, right? Then we
have our continuous research. We have a university
project with almost 30 people. So we are doing new
research, new methods, new tools, open source. We
are applying, checking, researching and publishing
research, continually moving. At last, this is the
best way to have a report back to you on your
phone saying if you are infected or not. OK, so
some insights from
the Emergency VPN. The first one is that this has
been active since mid-2018. We analyzed 111 cases;
roughly, maybe a little bit more than 60 percent
were Android devices. We can talk about that, but
it's well known that a lot of people at risk
cannot afford very expensive phones, which is also
impacting their security. 82 gigabytes of traffic.
3200 hours of humans analyzing this, which is
huge, and most importantly, 95% of whatever we
found there is because of normal applications,
like the applications you have right now in your
phone at this moment. And this is a huge issue.
The most common issues that we found, and we
cannot say this enough: geolocation is an issue.
Only three phones ever were not leaking
geolocation. So the rest of the phones are
leaking: weather applications, dating
applications, applications to buy stuff, transport
applications, a lot of applications are leaking
this. Most are leaking this in encrypted form. A
lot of them are leaking this unencrypted, which
means that not only we can see that, but the
people on your WiFi, your government, the police,
whoever has access to this traffic can see your
position almost in real time. Which means that if
the government wants to know where you are, they
do not need to infect you. It's much easier to go
to a telco provider, look at your traffic and see
that you are leaking your location all over the
place. We know that this is because of advertising
and marketing. People are selling this information
a lot. Be very careful with which applications you
have, and this is the third point: insecure
applications are a real hazard for you.
Maybe you need two phones, like your professional
phone and your everyday-life phone. We don't know;
the problem usually comes from the applications
that you're installing, just because, right, these
applications are leaking so much data, like your
email, your name, your phone number, credit cards,
user behavior, your preferences, if you are dating
or not, if you are buying and where you're buying,
which transport you are taking, which seat you're
taking on the bus. So a lot of information, really,
really, believe us here. Also, the IMEI and the
IMSI, these two identifiers of the phone, are
usually leaked by the applications. We don't know
why. And this is very dangerous because it
identifies your phone uniquely, OK. From the point
of view of the important cases, there are two
things that we want to say. The first one is that
we found trojans here that are infecting your
phones, but none of these trojans were actually
targeted, trojans for you. They were, let's call
them, normal trojans. So this is a thing. And the
second one is malicious files. A lot of phones are
doing this peer-to-peer file sharing thing, even
if you don't know. Some applications, I'm not
going to give you names, are doing this
peer-to-peer file sharing even if you don't know,
and there were malicious files going over the wire
there. However, why is it that after a year or
something of analysis, after 111 cases analyzed,
we did not find any targeted attack? Why? Why is
this the case? I mean, the answer? The answer is
simple. No? Yes. The answer
is simple. The Emergency VPN works for three days
maximum, so it's not about reaching the right
people, but reaching the right people at the right
time. Like, if we capture three days before the
incident, we might not see it. If we check three
days later, we might not see it. So right now, we
need your help. Reaching the right population is
very important, because we need people to know
that these services exist, and it's always tricky.
If we tell you, Hey, connect here, we are going to
see all your traffic, it's like, Are you insane?
Why? Why would I do that? However, remember that
the other options are not very cheap or easy or
even feasible if you are traveling, for example.
And again, as Sebastian said, everything that goes
encrypted, we don't see it. We are not doing
man-in-the-middle. If we see anything, we see it
because it's not encrypted. So if you believe that
you are a person that is at risk because of the
work you do, or because of the type of information
or people that you help, please contact us. We are
willing to answer all the questions that you might
have about data retention, how we handle the data,
how we store it, how we delete it, after how long,
etc. And if you know people that might be at risk
because of the work they do, because of the people
they protect, the people they represent, the type
of investigation they do, please tell them about
the service.
Contact us via email. As we said, the information,
specifically how to use it, is not publicly
available, because we cannot handle hundreds of
cases at the same time. However, if you think you
are a person at risk, we will send it to you right
away. This is the contact phone number; we are on
Telegram, Wire, Signal, WhatsApp, anything that
you need to reach out, and we will answer any
questions. So we need to reach these people. OK,
so thank you very much, and we will be around for
the rest of the congress. If you want to stop us,
ask questions, tell us something. If you need,
tell us about other people in the field that need
it. Trust is very important here. And let us know.
OK? Yes, thank you. Thank you. OK. And as usual,
we will take questions from the public. There are
two microphones. Yes, go ahead. Talk into the mic,
one sentence, please. Just a quick one. Thanks for
your excellent service. My question is, how can
you be sure that all the traffic of a compromised
phone is run through your VPN? Mm-hmm. So, of
course
we cannot. We can say that in our experience, we
never found or saw any malware that is trying to
avoid the VPN on the phone. So we rely on that. No
malware or APT that we ever saw or knew about is
actually trying to avoid the VPN service on
phones. I'm not sure if you can avoid it. Maybe,
yes, I don't know. In our experiments and trials
with different phones and tablets and everything,
all the traffic is going through the VPN service,
right? Because it's like a proxy in your phone?
Yes. So if you know of any case, yeah, we would
love to know. We try. We run a malware laboratory
and we run malware on phones and computers to try
to understand them. And we have not encountered
such a case. SMS, for example, we are not seeing.
Right? Yes. One more question, please.
Yeah. So you're running the data through your
network at the university. Do you have, like, a
lot of exit IP numbers? Because, yes, a malware
app could maybe identify that it is routing
through you and decide not to act? Yeah. So that's
a good question, actually. At the university, we
have a complete class public network. We have, of
course, agreements with the university to use part
of the IPs. So this is part of the equation, and
anyway we are taking precautions. But so far we
did not find anyone blocking or checking our IPs.
So we would say that it's true, right? Yeah, we
would say that if that happens, we would consider
our project very successful. We haven't heard of
such a case yet. Thank you. OK. Let's have a big
final hand for Veronica and Sebastian. Thank you
very much.
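As an added worked example, not code from the Civilsphere project or from the speakers: a small Python script that does the kind of check the analysts describe, reading a PCAP like the one the Emergency VPN produces and flagging cleartext geolocation, IMEI/IMSI and email leaks in unencrypted HTTP requests, while leaving TLS payloads alone because, as the talk says, encrypted traffic is not opened. The capture is constructed inside the script (Ethernet/IPv4/TCP frames with made-up hosts, addresses and values), and the field names and regexes are my assumptions about how applications encode these values, not something the talk specifies.

```python
"""Flag cleartext geolocation / identifier leaks in a PCAP (added example,
not Civilsphere code). Handles classic pcap with Ethernet + IPv4 + TCP only."""
import re
import struct
from typing import Iterator, Optional

# Field names and formats below are assumptions about how apps encode values.
GEO_RE = re.compile(rb"\b(lat|latitude|lon|lng|longitude)=(-?\d{1,3}\.\d+)", re.I)
IMEI_RE = re.compile(rb"\bimei=(\d{15})\b", re.I)
IMSI_RE = re.compile(rb"\bimsi=(\d{14,15})\b", re.I)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(rb"\r\nHost: *([^\r\n]+)")


def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield raw frames from a classic (microsecond-timestamp) pcap file."""
    (magic,) = struct.unpack("<I", pcap[:4])
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) frames are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, caplen, _origlen = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + caplen]
        off += caplen


def tcp_payload(frame: bytes) -> Optional[tuple[str, int, bytes]]:
    """Return (dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    dst_ip = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    (dport,) = struct.unpack("!H", tcp[2:4])
    doff = (tcp[12] >> 4) * 4
    return dst_ip, dport, tcp[doff:]


def scan_pcap(pcap: bytes) -> list[dict]:
    """Report leaks visible in cleartext HTTP requests; TLS stays opaque."""
    findings = []
    for frame in iter_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        dst_ip, dport, payload = parsed
        if not payload.startswith((b"GET ", b"POST ", b"PUT ")):
            continue  # empty segment, TLS record or other non-HTTP data: nothing readable
        host_m = HOST_RE.search(payload)
        dst = (host_m.group(1).decode(errors="replace") if host_m else dst_ip) + f":{dport}"

        def add(kind: str, field: str, value: bytes) -> None:
            findings.append({"kind": kind, "field": field, "value": value.decode(), "dst": dst})

        for m in GEO_RE.finditer(payload):
            add("geolocation", m.group(1).decode().lower(), m.group(2))
        for kind, rx in (("imei", IMEI_RE), ("imsi", IMSI_RE)):
            for m in rx.finditer(payload):
                add(kind, kind, m.group(1))
        for m in EMAIL_RE.finditer(payload):
            add("email", "email", m.group(0))
    return findings


# --- constructed sample capture (made-up hosts, addresses and values) ---
def build_frame(dst_ip: str, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 8, 0, 2]), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 51000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: list[bytes]) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_560_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    build_frame("203.0.113.10", 80, b"GET /v1/forecast?lat=50.0755&lon=14.4378&units=metric HTTP/1.1\r\nHost: weather.example\r\n\r\n"),
    build_frame("203.0.113.20", 80, b"POST /register HTTP/1.1\r\nHost: ads.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nimei=490154203237518&email=jane@example.org"),
    build_frame("203.0.113.30", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS record: not inspected
    build_frame("203.0.113.10", 80, b""),                            # bare ACK, no payload
])

if __name__ == "__main__":
    for f in scan_pcap(SAMPLE_PCAP):
        print(f"{f['kind']:12} {f['field']}={f['value']}  ->  {f['dst']}")
```

Run it as-is to see the two geolocation fields, the IMEI and the email address from the two cleartext requests; the TLS segment and the empty ACK produce nothing, which is exactly the limit the speakers describe: anything encrypted is invisible to this kind of passive analysis. To use it on a real capture, pass the bytes of the PCAP file to scan_pcap.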
Subtitles created by many many volunteers and
the c3subtitles.de team. Join us, and help us!