There's a long way from Argentina, Argentina to Prague to Leipzig. These two young researchers, security researchers, the lady and the gentleman, Veronica and Sebastian, are here to tell us something about Emergency VPNs, virtual private networks, analyzing mobile network traffic to detect digital threats. And I'm quite convinced you're going to have a good time. You're welcome to have a big hand for Veronica and Sebastian.

Thank you. Thank you. OK, thank you, everyone, for coming here. My name is Veronica Valeros. I'm a researcher with the Czech Technical University in Prague. Currently, I'm the project leader of the Civilsphere Project, and Sebastian Garcia is the director of the Civilsphere Project in the Czech Technical University in Prague. The project is part of the Stratosphere Laboratory in the university. The main purpose is to provide free services and tools to help the civil society protect themselves and help them identify targeted digital attacks.

So, Maati Monjib. He's a Moroccan historian. He's the co-founder of the Moroccan Association of Independent Journalism. He was denouncing some misbehavior of his government, and because of that, he was targeted with spyware around 2015. Alberto Nisman was a lawyer in Argentina; he died. He was, until the moment of his death, the lead investigator in the terrorist attack of 1994 that happened in Buenos Aires. It was a sad incident that may have been covered up by the government. And after his death, the researchers found traces of a spyware in his mobile phone, allegedly installed by the government to spy on him. Ahmed Mansoor. He's an activist from the UAE. He's also a human rights defender. He also denounces misbehaviors of his government, and because of that, his government targeted him repeatedly with different types of spyware from different places. Right now, he's in jail. He's been there for almost two years, and he barely survived there a more than 40 days hunger strike. He did complain about the prison conditions. Simón Barquera. Maybe you can check the slides. They are not. Simón Barquera is a researcher, food scientist from Mexico. He is a weird case because it's not very clear why he was targeted. The Mexican government targeted him and his colleagues, also with spyware. Karla Salas, she's a lawyer from Mexico as well. She's representing and investigating the murder of a group of human rights defenders that were murdered in Mexico. She and her colleagues were targeted by the Mexican government with NSO's Pegasus spyware. Griselda Triana, she's a widow. Her husband was a journalist from Mexico covering drug cartel activities and organized crime in Sinaloa, Culiacán, Mexico. She was targeted by the Mexican government with spyware a few days after her husband's death, and we don't understand exactly why. Her husband's computer and laptop were taken away when he was murdered, so there was no known reason why she was targeted. Emilio Aristegui, he's the son of a lawyer, he is a minor, and he was targeted. His phone was targeted by the Mexican government with spyware to spy on his mother, as she was a lawyer investigating some cases.

So these are only a few cases of the dozens or hundreds of cases where governments use surveillance technology to spy on people. But not only civil society defenders, but also civilians like this kid. And the common case among all this is that their mobile phones were targeted. And there is a simple explanation for that. We take our mobile phones with us everywhere; we use them. We don't take computers anymore. When we are in the front line in Syria covering war, we record the videos with our phones. We send messages that we are still alive with our phones. When we are working in this field, we cannot not use the mobile phones. So they have photos, they have documents, they have location, they have everything. This is perfect for spying on someone.

So, it is a fact that governments are using spyware as a surveillance technology not only to surveil, but also to abuse, to imprison, sometimes to kill people. And we know that they are governments because the technology that they are using, like, for example, the Pegasus software by the Israeli company NSO, can only be purchased by governments. So we know they are doing this. These tools are also cheap, easy to use. Cheap for them, right? Easy to use. They can be used multiple times, all the times they want. Sometimes they cannot be traced back to their sources. It's not that easy. So you find an infection and it's hard to know who is behind it. So for them it's a perfect tool.

So what can we do if we think our mobile is compromised? There are several things we can do. For instance, we can do a forensic analysis. It's costly because it takes a lot of time. We need to go on the phone to check the files, to try to see if there is any sign of infection. And sometimes this also involves sending our phone somewhere to be analyzed. And in the meantime, what are we going to use? It's not very clear. We can factory reset our phone. It might work sometimes, sometimes not. And it's costly. Sometimes we lose data. We can change phones, which is a simple solution. We just drop it in the trash. We pick another one. But how many of us can afford to do this, like, maybe three or four times a year? It's very expensive. But we can also do traffic analysis. That means working on the assumption that the malware that is infecting our phones will try to steal information from our phones and send it somewhere. The sending of data will happen over the internet because that's cheap, so that communication we can see and hopefully we can identify it.

So how can we know? How can we know if our phone right now is at risk? Imagine that you're crossing a border. Someone from the police takes your phone, then gives it back to you. Everything is fine. How can you know if it's not compromised? So this is where in Civilsphere we started thinking: which is the simplest way we can go there and help these people, which is the simplest way we can go and check those phones in the field while this is happening? And we came up with an Emergency VPN. So the Emergency VPN is the service that we are providing using OpenVPN, this free tool that you know, that you install in your phone. And from this, we are sending the traffic from their phones to the university servers, or the servers are in our office, and then to the internet and back. So we have normal internet. And we are capturing all your traffic. We store it in there. What are we doing with this? Well, we have our security analysts looking at this traffic, finding infections, finding that out, using our tools, using our expertise, threat intelligence, threat hunting, handling whatever we can and seeing everything in there, and then reporting back to you to say, Hey, you're safe, it's OK. Or, Hey, there is something going on with your phone, uninstall these applications, or actually change phones. We are from time to time suggesting: stop using that phone right now. I don't know what you are doing, but this is something you should stop. So we are having experts looking at this traffic. Also, we have the tools, and everything we do in there is free software, because we need this to be open for the community.

So how does it work? This is a schema of the Emergency VPN. You have your phone in the situation, like Veronica was saying: you are at risk and you say, right now I'm crossing the border, I'm going to a country that I don't know, I suspect I might be targeted. In that moment, you send an email to a special email address. The address is not here because we cannot afford right now everyone using the Emergency VPN, because we have humans checking the traffic. So we will give you later the address if you need it, but you send an email to say, Hey, help. Automatically, we check this email, we create an OpenVPN profile for you. We open this for you and we send the profile by email. So you click on the profile. You have OpenVPN installed, or you can install the additional one. And from that moment, your phone is sending all your traffic to the university, to the internet, for a maximum of three days. We stop it there automatically, and then we create the PCAP file where the analysts are going and checking what's going on with your traffic. After this, we create a report that is sent back to you by email. OK, so this is the core operation, like 90 percent of the magic of the Emergency VPN.

So, advantages of this approach? Well, the first one is that this is giving you an immediate analysis of the traffic of your phone, wherever you are. This is in the moment you need it, and then you can see what your phone is doing or not doing, right? Secondly, here is that we have the technology. We have the expertise, our threat hunters, threat intelligence people. We have tools. We are doing machine learning also in the university. So we have methods for analyzing the behavior of encrypted traffic. We do not open the traffic, but we can analyze this also. So we took all the tools we can to help the civil society. Then we have the anonymity. We want this to be as anonymous as possible, which means we only know one email address, the one used to send us an email. And that's it. It doesn't even need to be your real email. We don't care, right? Moreover, this email address is only known to the manager of the project. The people analyzing the traffic do not have this information. After that, they send the report back to the email address, and that's to say we did a pcap, and that's all we know. Of course, if your phone is leaking data, which probably it is, we see this information, because this is the whole purpose of the system, right? Then we have our continuous research. We have a university project, like almost 30 people here. So we are doing new research, new methods, new tools, open source. We are applying, checking, researching and publishing research, continually moving. At last, this is the best way to have a report back to you on your phone saying if you are infected or not.

OK, so some insights from the Emergency VPN. The first one is this is active since mid-2018. We analyzed 111 cases; roughly, maybe a little bit more than 60 percent are Android devices here. We can talk about that, but it's well known that a lot of people at risk cannot afford very expensive phones, which is also impacting their security. Eighty-two gigabytes of traffic. 3200 hours of humans analyzing this, which is huge. And most importantly, 95% of whatever we found there, it's because of normal applications, like the applications you have right now in your phone in this moment. And this is a huge issue.

The most common issues, right, that we found, and we cannot say this enough: geolocation is an issue. Like, only three phones ever were not leaking geolocation. So the rest of the phones are leaking: like weather applications, like dating applications, to buy stuff, transport applications, like a lot of applications are leaking this. Most are leaking this in encrypted form. A lot of them are leaking this unencrypted, which means that not only we can see that, but the people in your WiFi, your government, the police, whoever has access to this traffic can see your position almost in real time. Which means that if the government wants to know where you are, they do not need to infect you. It's much easier to go to a telco provider. They look at your traffic and see that you are leaking your location all over the place. We know that this is because of advertising and marketing. The people are selling this information a lot. Be very careful with which applications you have. And this is the third point: secured applications are a real hazard for you. Maybe you need two phones, like your professional phone and your everyday life phone. We don't know; the problem usually comes from the applications that you're installing, just because, right, these applications are leaking so much data, like your email, your name, your phone number, credit cards, user behavior, your preferences, if you are dating or not, if you are buying and where you're buying, which transports you are taking, which seat you're taking in the bus. So a lot of information really, really being... believe us here. Also, the IMEI and the IMSI, these two identifiers of the phone, are usually leaked by the applications. We don't know why. And this is very dangerous because it identifies your phone uniquely, OK?

From the point of view of the important cases, there are two things that we want to say. The first one is that we found trojans here that are infecting your phones, but none of these trojans were actually targeted. Trojans, like, trojans for you. They were, let's call, normal trojans. So this is a thing. And the second one is malicious files. A lot of phones are doing this peer-to-peer file sharing thing, even if you don't know. Some applications, I'm not going to give you names, but they're doing this peer-to-peer file sharing, even if you don't know, and there were malicious files going over the wire there. However, why is it that after a year or something of analysis, after 111 cases analyzed, we did not find any targeted attack?
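As an added illustration, not from the talk or from Civilsphere's own tooling, here is a small Python check of the kind an analyst could run over the cleartext HTTP requests pulled from such a capture, flagging the two leaks described above: geolocation and the IMEI/IMSI identifiers. The record format, hosts and values are all constructed; a real run would first extract the requests from the PCAP.

```python
"""Flag cleartext geolocation and IMEI/IMSI leaks in reassembled HTTP requests.
Added example, not Civilsphere's tooling: a real run would first pull requests
out of the Emergency VPN's PCAP; TLS flows are reported as not inspectable."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (app, scheme, host, path, body); not real data.
REQUESTS = [
    ("weather", "http", "api.weather.example", "/v2/now?lat=50.0874&lon=14.4213", ""),
    ("dating", "http", "geo.dating.example", "/ping", "latitude=50.0875&longitude=14.4220&imei=490154203237518"),
    ("transport", "http", "cdn.transport.example", "/t?session=123456789012345", ""),
    ("analytics", "http", "t.adnet.example", "/collect", "device_id=352099001761481&imsi=230021234567890"),
    ("messenger", "https", "chat.example", "", ""),
]

def luhn_ok(digits):
    """An IMEI's last digit is a Luhn check digit; verify it to cut false hits."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def params_of(path, body):
    """Merge query-string and form-body parameters into one lower-cased dict."""
    merged = parse_qs(urlsplit(path).query, keep_blank_values=True)
    merged.update(parse_qs(body, keep_blank_values=True))
    return {k.lower(): v[0] for k, v in merged.items()}

def check_request(app, scheme, host, path, body):
    """Return (app, host, kind, detail) findings for one request."""
    if scheme == "https":
        return [(app, host, "encrypted", "not inspected (no MITM)")]
    p, found = params_of(path, body), []
    lat = next((p[k] for k in ("lat", "latitude") if k in p), None)
    lon = next((p[k] for k in ("lon", "lng", "longitude") if k in p), None)
    try:
        la, lo = float(lat), float(lon)
        if -90 <= la <= 90 and -180 <= lo <= 180:
            found.append((app, host, "geolocation", (la, lo)))
    except (TypeError, ValueError):
        pass  # coordinates missing or not numeric
    for key, val in p.items():
        if re.fullmatch(r"\d{15}", val):  # IMEI and IMSI are both 15 digits
            if "imsi" in key:
                found.append((app, host, "imsi", val))
            elif "imei" in key or luhn_ok(val):
                found.append((app, host, "imei", val))
    return found

def scan(requests):
    """Aggregate findings over a whole capture, keyed by finding type."""
    report = {}
    for rec in requests:
        for app, host, kind, detail in check_request(*rec):
            report.setdefault(kind, []).append((app, host, detail))
    return report
```

The Luhn check catches an IMEI sent under an innocuous parameter name such as device_id while ignoring a random 15-digit session token.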
Why? Why is this the case? I mean, the answer? The answer is simple. No. Yes. The answer is simple. The Emergency VPN works for three days maximum, so it's not about reaching the right people, but reaching the right people at the right time. Like, if we take three days before the incident, we might not see it. If we check three days later, we might not see it. So right now, we need your help. Reaching the right population is very important because we need people to know that these services exist, and it's always tricky. If we tell you, Hey, connect here, we are going to see all your traffic, it's like, Are you insane? Why would I do that? However, remember that the other options are not very cheap or easy or even feasible if you are traveling, for example. And again, as Sebastian said, everything that goes encrypted, we don't see it. We are not doing man in the middle. If we see anything, we see it because it's not encrypted. So if you believe that you are a person that is at risk because of the work you do or because of the type of information or people that you help, please contact us. We are willing to answer all the questions that you might have about data retention, how we handle the data, how we store it, how we delete it, after how long, etc. And if you know people that might be at risk because of the work they do, because of the people they protect, the people they represent, the type of investigation they do, please tell them about the service. Contact us via email. As we say, the information, how specifically you use it, is not publicly available because we cannot handle hundreds of cases at the same time. However, if you think you are a person at risk, we will send it to you right away. This is the contact phone number; we are on Telegram, Wire, Signal, WhatsApp, anything that you need to reach out, and we will answer any questions. So we need to reach these people. OK, so thank you very much, and we will be around for the rest of the congress. If you want to stop us, ask questions, tell us something. If you need, tell us about these two other people in the field that they needed. Trust is very important here. And let us know. OK? Yes, thank you. Thank you.

OK. And as usual, we will take questions from the public. There are two microphones. Yes, go ahead. Talk into the mic, one sentence, please.

Just a quick one. Thanks for your excellent service. My question is how can you be sure that all the traffic of a compromised phone is run through your VPN?

Mm-hmm. So of course we cannot. We can't say that in our experience, we never found or saw any malware that is trying to avoid the VPN in the phone. So we rely on that. No malware or APT ever that we saw or knew about is actually trying to avoid the VPN service in some phones. I'm not sure if you can avoid it. Maybe, yes, I don't know. In our experiments, on trials with different phones and tablets and everything, all the traffic is going through the VPN service, right? Because it's like a proxy in your phone. Yes. So if you know of any case, yeah, we would love to know. We try. We run a malware laboratory and we run malware on phones and computers to try to understand them. And we have not encountered such a case. SMS, for example, we are not seeing. Right? Yes.

One more question, please.

Yeah. So you're running the data through your network at the university. Do you have, like, a lot of exit IP numbers? Because, yes, a malware app could maybe identify it is routing through you and decide not to act?

Yeah. So that's a good question, actually. In the university, we have a complete class public network. We have, of course, agreements with the university to use part of the IPs. So this is part of the equation, right, like anyway we are taking precautions. But so far we did not find anyone blocking or checking our IPs. So we would say that it's true, right? Yeah, we would say that if that happens, we would consider our project very successful. We haven't heard of such a case yet. Thank you.

OK. Let's have a big final hand for Veronica and Sebastian. Thank you very much.