There's a long way from Argentina. Argentine, Argentine to Prague to Leipzig. These two young researchers, security researchers, the lady and the gentleman, Veronica and Sebastian are here to tell us something about Emergency VPNs, virtual private networks, analyzing mobile network traffic to detect digital threats. And I'm quite convinced you're going to have a good time. You're welcome to have a big hand for Veronica and Sebastian. Thank you. Thank you. OK, thank you, everyone for coming here. My name is Veronica Valera's. I'm a researcher with the Czech Technical University in Prague. Currently, I'm the project leader of the Civilsphere Project, and Sebastian Garcia, the director of the Civilsphere Project in the Czech Technical University in Prague. The project is is part of the Stratosphere Laboratory in the university. The main purpose is to provide free services and tools to help the civil society protect them and help me then help them identify targeted digital attacks. So Maati Monjib. He's a Moroccan historian. He's the co- founder of the Moroccan Association of Independent Journalism. He was denouncing some misbehavior of his government, and because of that, he was targeted with spyware. Around 2015. Alberto Nisman was a lawyer in Argentina, he - he died. He was until the moment of his death, the lead investigator in the terrorist attack of 1994 that happened in Buenos Aires. It was a sad incident that may have been covered up by the government. And after his death, the researchers found traces of a spyware in his mobile phone allegedly installed by the government to spy on him. Ahmed Mansoor. He's an activist from the UAE. He's also a human rights defendant. He also denounces misbehaviors of his government, and because of that, his government targeted him repeatedly with different type of spyware from different places. Right now, he's in jail. He he's been there for almost two years, and he barely survived there for more than 40 days hunger strike. He did complain about the prison conditions. Simón Barquera. Maybe you can check the slides. They are not. Simón Barquera is a researcher, food scientist from Mexico. He is a weird case because it's not very clear why he was targeted. The Mexican government targeted him and his colleagues with also spyware. Karla Salas she's a she's a lawyer from Mexico as well. She's representing and investigating the murder of a group of human rights defendants that were murdered in Mexico. She and her colleagues were targeted by the Mexican government with the NSOs Pegasus spyware. Griselda Triana, she's a widow. Her husband was a journalist from Mexico covering drug cartel activities and organized crime in Sinaloa, Culiacán, Mexico. She was targeted by the Mexican government with spyware. Few days after her husband's death, and we don't understand exactly why. His, her husband's computer and laptop were taken away when he was murdered, so there was no known reason why she was targeted. Emilio Aristegui, he's the son of a lawyer, he is a minor, and he was targeted. His phone was targeted by the Mexican government with spyware to spy on his mother and that she was a lawyer investigating some cases. So these are only a few cases of the dozens of hundreds of cases where government use surveillance technology to spy on people. But not only civil society defendants, but also civilians like this kid. And the common case among all this is that their mobile phones were targeted. And there is a simple explanation for that. We take our mobile phones with us everywhere we use them. These we don't take computers anymore. When we are in the front line in Syria covering war, we regard the videos with our phones. We send messages that we are still alive with our phones. We cannot. When we are working on this field, we don't know. We cannot not use the mobile phones. So they have photos, they have documents, they have location, they have everything. This is perfect for spying on someone. So, it is a fact that governments are using the spyware as a surveillance technology not only to surveil, but also to abuse, to imprison, to sometimes to kill people. And we know that they are governments because the technology that they are using like, for example, the Pegasus software by the Israeli company NSO. They can only be purchased by governments. So we know they are doing this. So these tools are also cheap, easy to use, cheap for them, right? Easy to use. They can be used multiple times all the times they want. Sometimes they they cannot be traced back to their sources. It's not that easy. So you find an infection and it's hard to know who is behind it. So for them it's a perfect tool. So what can what can we do if we think our mobile is compromised? There are several things we can do. For instance, we can do, our forensic analysis. It's costly because it takes a lot of time. We need to go on the phone to check the files, to try to see if there is any sign of infections. And sometimes this also involves like sending our phone to somewhere to analyze. And in the meantime, what are we going to use? It's not very clear. We can factory reset our phone. It might work sometimes, sometimes not. And it's costly. Sometimes we lose data. We can change phones which is a simple solution. We just drop it to trash. We pick another one. But how many of us can afford to do these, like maybe three or four times a year? It's very expensive. But we can also do traffic analysis. That means work on the assumption that the malware that is infecting our phones will try to steal information from our phones and send it somewhere. The sending of data will happen over the internet because that's cheap so that communication we can see and hopefully we can identify it. So how can we know? How can we know if our phone right now is at risk? Imagine that you're crossing a border. Someone from the police takes your phone, then gives back to you. Everything is fine. How can you know if it's not compromised? So this is where in Civilsphere we start thinking, which is the simplest way we can go there and help these people, which is the simplest way we can go and check those phones in the field while this is happening and we came up with an Emergency VNP. So the Emergency VPN is the service that we are providing using OpenVPN, this free tool that you know that you install in your phone. And from these, we are sending the traffic from their phones to their university servers or the servers are in our office and then to the internet and back. So we have normal internet. And we are capturing all your traffic. We store in there. What we are doing with these? Well, we have our security analysts looking at this traffic, finding infection, finding that out, using our tools, using our expertize threat intelligence, threat hunting, handling whatever we can and see everything in there and then reporting back to you say, Hey, you're safe, it's OK. Or, Hey, there is something going on with your phone, uninstall these applications or actually change phones. We are from time to time suggesting stop using that phone right now. I don't know what you are doing, but this is something you should stop. So we are having experts looking at this traffic. Also, we have the tools and everything we do in there is free software because we need these to be open for the community. So how does it work? This is a schema of the Emergency VPN. You have your phone on in the situation. Like Veronica was saying, you are at risk and you say right now I'm crossing the border, I'm going to a country that I don't know. I suspect I might be targeted. In that moment, you send an email to a special email address that - the address is not here because we cannot afford right now everyone using the Emergency VPN, because we have humans checking the traffic. So we will give you later the address if you need it, but you send an email to say, Hey, help automatically. We check these email, we create an OpenVPN profile for you. We open this for you and we send by email the profile. So you click on the profile. You have the open VPN installed or you can install the additional one. And from that moment, your phone is sending all your traffic to the university to the internet maximum three days. We stop it there automatically and then we create the PCAP-file where the analysts are going there and checking what's going on with your traffic. After this, we create a report that is being sent to you back by email. OK, so this is the core operation like 90 percent of the magic of the Emergency VPN. So advantages of this approach? Well, the first one is that this is giving you an immediate analysis of the traffic of your phone, wherever you are. This is in the moment you need it and then you can see what your phone is doing or not doing right. Secondly, here is that we have the technology. We have the expertize. Our threat hunter, threat intelligence people. We have tools. We are doing machine learning also in the university. So we have methods for analyzing the behavior of encrypted traffic. We do not open the traffic, but we can analyze this also. So we took all the tools we can to help the civil society. Then we have the anonymity. We want this to be as anonymous as possible, which means we only know one email address, the one used to send us an email. And that's it. It doesn't even need to be your real email. We don't care, right? Moreover, this email address is only known to the manager of the project. The people analyzing the traffic do not have this information. After that, they send the report back to the email address and that say we did a pcap, and that's all we know. Of course, if your phone is leaking data, which probably is, we see this information because this is for the whole purpose of the system, right? Then we have our continuous research. We had a university project like almost 30 people here. So we are doing new research, new methods, new tools, open source. We are applying, checking, researching and publishing research, continually moving at last. This is the best way to have a report back to you in your phone saying if you are infected or not. OK, so some insights from the Emergency VPN. The first one is this is active since mid-2018. We analyzed 111 cases, roughly maybe a little bit more 60 percent of our Android devices here. We can talk about that, but it's well known that a lot of people at risk cannot afford very expensive phones, which is also impacting their security. Eighty two gigabytes of traffic. 3200 hours of humans analyzing this, which is huge and most importantly, 95% of whatever we found there. It's because of normal applications like the applications you have right now in your phone in this moment. And this is a huge issue. The most common issues, right, that we found, and we cannot say this enough. Geolocation is an issue. Like only three phones ever were not leaking geolocation. So the rest of the phones are leaking like weather applications, like dating applications , to buy staff, transport applications like a lot of applications, are leaking these. Most are leaking these in encrypted form. A lot of them are leaking these unencrypted, which means that not only we can see that, but the people in your WiFi, your government, the police, whoever has access to this traffic can see your position almost in real time. Which means that if the government wants to know where you are, they do not need to infect you. It's much easier to go to a telco provider. They look at your traffic and see that you are leaking your location of all over the place. We know that this is because of advertising and marketing. The people are selling this information a lot. Be very careful with which application you have, and this is the third point is secured applications are a real hazard for you. Maybe you need two phones like your professional phones and your everyday life phone. We don't know what the problem usually comes for the applications that you're installing, just because, right, these applications are leaking so much data like your email, your name, your phone number, credit cards, user behavior, your preferences if you are dating or not. If you are buying and where you're buying, which transports you are taking which seat you're taking the bus. So a lot of information really, really being believe-I believe us here. Alas, the email and the emcee that these two identifiers of the phone are usually leaked by the applications. We don't know why. And this is very dangerous because identifies your phone uniquely OK. From the point of view of the important cases, there are two things that we want to say. The first one is that we found trojans here that are infecting your phones, but none of these trojans were actually targeted. Trojans like trojans for you. They were like, Let's call normal trojans. So this is a thing. And the second one is malicious files. A lot of phones are doing this peer-to-peer file sharing thing. Even if you don't know some applications. I'm not going to give you names, but they're doing this peer-to-peer file sharing, even if you don't know and they were malicious files going over the wire there. However, why is it that after a year or something of analysis after 111 cases analyze, we did not found any targeted attack? Why? Why this is the case? I mean, the answer? The answer is simple. No. Yes. The answer is simple. The Emergency VPN works for three days maximum, so it's not about reaching the right people, but reaching the right people at the right time. Like, if we take three days before the incident, we might not see it. If we check three days later, we might not see it. So right now, we we need your help. Reaching the right population is very important because we need people to know that these services exist and it's always tricky. If we tell you, Hey, connect, here we are going to see all your traffic is like, Are you insane? Why? Why would I do that? However, remember that the other options are not very cheap or easy or even feasible if you are traveling, for example. And again, as Sebastian said. Like, everything that goes encrypted is called, We don't see it. We are not doing man in the middle. If we see anything, we see it because it's not encrypted. So if you believe that you are a people, a person that is at risk because of the work you do or because of the type of information or people that you help, please contact us. We are willing to answer all the questions that you might have about data retention, how we handle the data, how we store it, how we delete it after how long, etc. And if you know people that might be at risk because of the work they do, because the people they protect, the people, they represent the type of investigation they do, please tell them about the service. We, we can. Contact us via email. As we say, the information, how specifically do you see it is not publicly available, available because we cannot handle hundreds of cases at the same time. However, if you think you are a person at risk, we we will send it to you right away. This is the contact phone number we are in Telegram. Wire, Signal, WhatsApp, anything that you need to to reach out and we will answer any questions. So we need to reach these people. OK, so thank you very much and we will be around for the rest of the congress. If you want to stop us, ask questions. Tell us something. If you need, tell us about these two other people in the field that they needed. Trust is very important here. And let us know. OK? Yes, thank you. Thank you. OK. And as usual, we will take questions from the public. There are two microphones. Yes, go ahead. Talk into the mick one sentence, please. Just a quick. Thanks for your excellent service. My question is how can you be sure that all the traffic of a compromised phone is run through your VPN? Mm-Hmm. So of course we cannot. We can't say that in our experience, we never found or saw any malware that is trying to avoid the VPN in the phone. So we rely on that. No, no malware or APT ever that we saw or known about is actually trying to about the VPN service in some phones. I'm not sure if you can avoid it. Maybe, yes, I don't know. In our experiments on trials with different phones and tablets and everything, all the traffic is going through the VPN service, right? Because like a proxy in your phone? Yes. So if you if you know, if any case. Yeah, we would love to know. We try. We we run a malware laboratory and we run malware on phones and computers to try to understand them. And we have not encountered such a case. SMS, for example, we are not seeing. Right? Yes. One more question, please. Yeah. So you're running the net, you're running the data through your network at the university. Do you have a like a lot of exit IP numbers? Because, yes, a malware app could maybe identify it is routing through you and decide not to act? Yeah. So that's a good question actually. In the university. We have a complete class public network. We have, of course, agreements with the university to use part of the IPs. So this is part of the equation in the right, like any way we are taking precautions. But so far we did not found anyone blocking or checking our IPs. So we would say that it's true, right? Yeah, we would say that if that happens, we would consider our project very successful. We we haven't we haven't heard of such a case yet. Thank you. OK. Let's have a big hand final for Veronica and Sebastian. Thank you very much. Subtitles created by many many volunteers and the c3subtitles.de team. Join us, and help us!