There's a long way from Argentina. Argentina, Argentina, to Prague, to Leipzig. These two young researchers, security researchers, the lady and the gentleman, Veronica and Sebastian, are here to tell us something about Emergency VPNs, virtual private networks, analyzing mobile network traffic to detect digital threats. And I'm quite convinced you're going to have a good time. You're welcome to have a big hand for Veronica and Sebastian.

Thank you. Thank you. OK, thank you, everyone, for coming here. My name is Veronica Valeros. I'm a researcher with the Czech Technical University in Prague. Currently, I'm the project leader of the Civilsphere Project, and Sebastian Garcia is the director of the Civilsphere Project in the Czech Technical University in Prague. The project is part of the Stratosphere Laboratory in the university. The main purpose is to provide free services and tools to help civil society protect themselves and help them identify targeted digital attacks.

So, Maati Monjib. He's a Moroccan historian. He's the co-founder of the Moroccan Association of Independent Journalism. He was denouncing some misbehavior of his government, and because of that, he was targeted with spyware, around 2015. Alberto Nisman was a lawyer in Argentina; he died. He was, until the moment of his death, the lead investigator in the terrorist attack of 1994 that happened in Buenos Aires. It was a sad incident that may have been covered up by the government.
And after his death, the researchers found traces of a spyware in his mobile phone, allegedly installed by the government to spy on him. Ahmed Mansoor. He's an activist from the UAE. He's also a human rights defendant. He also denounces misbehaviors of his government, and because of that, his government targeted him repeatedly with different types of spyware from different places. Right now, he's in jail. He's been there for almost two years, and he barely survived a hunger strike of more than 40 days there. He did complain about the prison conditions. Simón Barquera. Maybe you can check the slides. They are not. Simón Barquera is a researcher, a food scientist from Mexico. He is a weird case because it's not very clear why he was targeted. The Mexican government targeted him and his colleagues, also with spyware. Karla Salas, she's a lawyer from Mexico as well. She's representing and investigating the murder of a group of human rights defendants that were murdered in Mexico. She and her colleagues were targeted by the Mexican government with NSO's Pegasus spyware. Griselda Triana, she's a widow. Her husband was a journalist from Mexico covering drug cartel activities and organized crime in Sinaloa, Culiacán, Mexico. She was targeted by the Mexican government with spyware a few days after her husband's death, and we don't understand exactly why.
Her husband's computer and laptop were taken away when he was murdered, so there was no known reason why she was targeted. Emilio Aristegui, he's the son of a lawyer, he is a minor, and he was targeted. His phone was targeted by the Mexican government with spyware to spy on his mother, as she was a lawyer investigating some cases. So these are only a few cases of the dozens, hundreds of cases where governments use surveillance technology to spy on people. And not only civil society defendants, but also civilians like this kid. And the common thing among all of these is that their mobile phones were targeted. And there is a simple explanation for that. We take our mobile phones with us everywhere; we use them. We don't take computers anymore. When we are on the front line in Syria covering war, we record the videos with our phones. We send messages that we are still alive with our phones. When we are working in this field, we cannot not use the mobile phones. So they have photos, they have documents, they have location, they have everything. This is perfect for spying on someone. So, it is a fact that governments are using spyware as a surveillance technology not only to surveil, but also to abuse, to imprison, sometimes to kill people. And we know that they are governments because of the technology that they are using, like, for example, the Pegasus software by the Israeli company NSO.
They can only be purchased by governments. So we know they are doing this. So these tools are also cheap, easy to use; cheap for them, right? Easy to use. They can be used multiple times, all the times they want. Sometimes they cannot be traced back to their sources. It's not that easy. So you find an infection and it's hard to know who is behind it. So for them it's a perfect tool. So what can we do if we think our mobile is compromised? There are several things we can do. For instance, we can do a forensic analysis. It's costly because it takes a lot of time. We need to go on the phone to check the files, to try to see if there is any sign of infection. And sometimes this also involves sending our phone somewhere to be analyzed. And in the meantime, what are we going to use? It's not very clear. We can factory reset our phone. It might work sometimes, sometimes not. And it's costly. Sometimes we lose data. We can change phones, which is a simple solution. We just drop it in the trash. We pick another one. But how many of us can afford to do this, like maybe three or four times a year? It's very expensive. But we can also do traffic analysis. That means working on the assumption that the malware that is infecting our phones will try to steal information from our phones and send it somewhere. The sending of data will happen over the internet because that's cheap, so that communication we can see, and hopefully we can identify it. So how can we know?
How can we know if our phone right now is at risk? Imagine that you're crossing a border. Someone from the police takes your phone, then gives it back to you. Everything is fine. How can you know if it's not compromised? So this is where in Civilsphere we started thinking: which is the simplest way we can go there and help these people, which is the simplest way we can go and check those phones in the field while this is happening? And we came up with an Emergency VPN. So the Emergency VPN is the service that we are providing using OpenVPN, this free tool that you know, that you install on your phone. And from this, we are sending the traffic from their phones to the university servers, or the servers are in our office, and then to the internet and back. So you have normal internet. And we are capturing all your traffic. We store it in there. What are we doing with this? Well, we have our security analysts looking at this traffic, finding infections, finding that out, using our tools, using our expertise, threat intelligence, threat hunting, handling whatever we can and seeing everything in there, and then reporting back to you to say, Hey, you're safe, it's OK. Or, Hey, there is something going on with your phone, uninstall these applications, or actually change phones. We are from time to time suggesting: stop using that phone right now. I don't know what you are doing, but this is something you should stop. So we have experts looking at this traffic.
Also, we have the tools, and everything we do in there is free software because we need this to be open for the community. So how does it work? This is a schema of the Emergency VPN. You have your phone in the situation, like Veronica was saying: you are at risk and you say, right now I'm crossing the border, I'm going to a country that I don't know, I suspect I might be targeted. In that moment, you send an email to a special email address. The address is not here because we cannot afford right now everyone using the Emergency VPN, because we have humans checking the traffic. So we will give you the address later if you need it, but you send an email to say, Hey, help. Automatically we check this email, we create an OpenVPN profile for you, we open this for you and we send the profile by email. So you click on the profile. You have OpenVPN installed, or you can install it additionally. And from that moment, your phone is sending all your traffic to the university, to the internet, for a maximum of three days. We stop it there automatically, and then we create the PCAP file where the analysts go and check what's going on with your traffic. After this, we create a report that is sent back to you by email. OK, so this is the core operation, like 90 percent of the magic of the Emergency VPN. So, advantages of this approach?
Well, the first one is that this is giving you an immediate analysis of the traffic of your phone, wherever you are. This is in the moment you need it, and then you can see what your phone is doing or not doing, right. Secondly, here is that we have the technology. We have the expertise: our threat hunters, threat intelligence people. We have tools. We are doing machine learning also in the university. So we have methods for analyzing the behavior of encrypted traffic. We do not open the traffic, but we can analyze this also. So we took all the tools we can to help civil society. Then we have the anonymity. We want this to be as anonymous as possible, which means we only know one email address, the one used to send us an email. And that's it. It doesn't even need to be your real email. We don't care, right? Moreover, this email address is only known to the manager of the project. The people analyzing the traffic do not have this information. After that, they send the report back to the email address, and let's say we did a pcap, and that's all we know. Of course, if your phone is leaking data, which it probably is, we see this information, because this is the whole purpose of the system, right? Then we have our continuous research. We have a university project, like almost 30 people here. So we are doing new research, new methods, new tools, open source. We are applying, checking, researching and publishing research, continually moving. At last,
this is the best way to have a report back to you on your phone saying if you are infected or not. OK, so some insights from the Emergency VPN. The first one is that this is active since mid-2018. We analyzed 111 cases; roughly, maybe a little bit more than 60 percent are Android devices here. We can talk about that, but it's well known that a lot of people at risk cannot afford very expensive phones, which is also impacting their security. Eighty-two gigabytes of traffic. 3200 hours of humans analyzing this, which is huge, and most importantly, 95% of whatever we found there, it's because of normal applications, like the applications you have right now on your phone in this moment. And this is a huge issue. The most common issues, right, that we found, and we cannot say this enough: geolocation is an issue. Like, only three phones ever were not leaking geolocation. So the rest of the phones are leaking, like weather applications, like dating applications, to buy stuff, transport applications, like a lot of applications are leaking this. Most are leaking this in encrypted form. A lot of them are leaking this unencrypted, which means that not only we can see that, but the people on your WiFi, your government, the police, whoever has access to this traffic can see your position almost in real time. Which means that if the government wants to know where you are, they do not need to infect you. It's much easier to go to a telco provider.
They look at your traffic and see that you are leaking your location all over the place. We know that this is because of advertising and marketing. The people are selling this information a lot. Be very careful with which applications you have, and this is the third point: insecure applications are a real hazard for you. Maybe you need two phones, like your professional phone and your everyday life phone. We don't know. The problem usually comes from the applications that you're installing, just because, right, these applications are leaking so much data, like your email, your name, your phone number, credit cards, user behavior, your preferences, if you are dating or not, if you are buying and where you're buying, which transports you are taking, which seat you're taking on the bus. So a lot of information, really, really, believe us here. Also, the IMEI and the IMSI, these two identifiers of the phone, are usually leaked by the applications. We don't know why. And this is very dangerous because it identifies your phone uniquely, OK. From the point of view of the important cases, there are two things that we want to say. The first one is that we found trojans here that are infecting your phones, but none of these trojans were actually targeted. Trojans like trojans for you. They were, let's call them, normal trojans. So this is a thing. And the second one is malicious files. A lot of phones are doing this peer-to-peer file sharing thing.
Even if you don't know, some applications, I'm not going to give you names, but they're doing this peer-to-peer file sharing, even if you don't know, and there were malicious files going over the wire there. However, why is it that after a year or something of analysis, after 111 cases analyzed, we did not find any targeted attack? Why? Why is this the case? I mean, the answer? The answer is simple. No. Yes. The answer is simple. The Emergency VPN works for three days maximum, so it's not about reaching the right people, but reaching the right people at the right time. Like, if we take three days before the incident, we might not see it. If we check three days later, we might not see it. So right now, we need your help. Reaching the right population is very important because we need people to know that these services exist, and it's always tricky. If we tell you, Hey, connect here, we are going to see all your traffic, it's like, Are you insane? Why? Why would I do that? However, remember that the other options are not very cheap or easy or even feasible if you are traveling, for example. And again, as Sebastian said, everything that goes encrypted, we don't see it. We are not doing man in the middle. If we see anything, we see it because it's not encrypted. So if you believe that you are a person that is at risk because of the work you do or because of the type of information or people that you help, please contact us.
We are willing to answer all the questions that you might have about data retention, how we handle the data, how we store it, how we delete it, after how long, etc. And if you know people that might be at risk because of the work they do, because of the people they protect, the people they represent, the type of investigation they do, please tell them about the service. Contact us via email. As we say, the information, how specifically you do it, is not publicly available, because we cannot handle hundreds of cases at the same time. However, if you think you are a person at risk, we will send it to you right away. This is the contact phone number; we are on Telegram, Wire, Signal, WhatsApp, anything that you need to reach out, and we will answer any questions. So we need to reach these people. OK, so thank you very much, and we will be around for the rest of the congress. If you want to stop us, ask questions, tell us something. If you need, tell us about these two other people in the field that needed it. Trust is very important here. And let us know. OK? Yes, thank you.

Thank you. OK. And as usual, we will take questions from the public. There are two microphones. Yes, go ahead. Talk into the mic, one sentence, please.

Just a quick one. Thanks for your excellent service. My question is, how can you be sure that all the traffic of a compromised phone is run through your VPN?

Mm-hmm. So of course we cannot.
We can't say that. In our experience, we never found or saw any malware that is trying to avoid the VPN in the phone. So we rely on that. No malware or APT ever that we saw or know about is actually trying to avoid the VPN service on some phones. I'm not sure if you can avoid it. Maybe, yes, I don't know. In our experiments and trials with different phones and tablets and everything, all the traffic is going through the VPN service, right? Because it's like a proxy in your phone? Yes. So if you know of any case, yeah, we would love to know. We try. We run a malware laboratory, and we run malware on phones and computers to try to understand them. And we have not encountered such a case. SMS, for example, we are not seeing. Right? Yes.

One more question, please.

Yeah. So you're running the data through your network at the university. Do you have, like, a lot of exit IP numbers? Because, yes, a malware app could maybe identify that it is routing through you and decide not to act?

Yeah. So that's a good question, actually. In the university, we have a complete class public network. We have, of course, agreements with the university to use part of the IPs. So this is part of the equation, right; anyway, we are taking precautions. But so far we did not find anyone blocking or checking our IPs. So we would say that it's true, right? Yeah, we would say that if that happens, we would consider our project very successful.
We haven't heard of such a case yet. Thank you. OK. Let's have a big final hand for Veronica and Sebastian. Thank you very much.

Subtitles created by many, many volunteers and the c3subtitles.de team. Join us, and help us!