The Eye on the Nile
Formal metadata
Title | The Eye on the Nile
Number of parts | 254
License | CC Attribution 4.0 International: You may use, modify and reproduce, distribute and make publicly available the work or content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner specified by them.
Identifiers | 10.5446/53210 (DOI)
Transcript: English (automatically generated)
00:22
Egypt's civil society under attack. I believe that a lot of people only in the year 2011 became aware of the Egyptian state attacking activists, surveilling them and using technology for that. But of course, there was surveillance of activists before and after that. The government has changed a couple of times since then
00:42
but surveillance of activists has not. And this talk gives us some insights into how these state actors work, how they surveil and target activists. And it's actually going to be super interesting, I believe, because there was an OPSEC fail and nothing is more interesting than OPSEC fails, especially when our enemies make them.
01:01
And our speaker is Aseel Kayal and she's a malware analyst. She studied computer science and she researches cyber attacks in the Middle East. So basically, she's who I want to be in my next life. Super cool. Please have a big warm round of applause for Aseel and enjoy the talk. Thank you very much. Thank you.
01:28
Imagine you live in a place where you witness corruption all around you. You see innocent people being thrown into prison over made-up charges, newspapers being censored and shut down,
01:44
their websites becoming inaccessible. And the worst part is you have to be silent about it because each word you say, each social media post you share, and each action you take can and will be used against you.
02:04
That is the reality people face daily in Egypt. Hello, everyone. My name is Aseel and thank you for coming to my talk, The Eye on the Nile. Like Najum mentioned, I am a malware analyst at Check Point. A few words about me: I work in the threat intelligence department
02:21
and I am mostly interested in researching advanced threats and state-sponsored attacks and cyber attacks in the Middle East region. And so it's not surprising that reading this report that was published by Amnesty International back in March discussing phishing attacks against Egypt civil society
02:41
got me really curious. And the phishing attacks discussed in this report are not your typical ones because basically in this case, the attacker set up third-party applications for popular mailing services like Outlook or Gmail or Yahoo Mail. And they would send links for those applications
03:00
to the victims to fix a security issue in their account. But the third-party applications would request permissions to read, write, send, and delete all of the emails in the victim's inbox. So basically if the victim grants the app the requested permissions, the attacker gets unlimited access to their inbox.
03:21
Later on, some of the victims received official warnings from Google telling them that government-backed attackers are trying to access their accounts. And the report mentioned that the attacks were mainly targeting human rights defenders and prominent civil society member staff in Egypt.
03:41
And reading that, I knew I wanted to get involved in that research. I knew I wanted to contribute to it. And I didn't know how. How do you investigate a wave of attacks after it is over? Now Amnesty International didn't really share a lot of technical information about those attacks,
04:02
but luckily they shared a list of websites that they saw were operated by the attackers and that appeared in those emails. And naturally looking over at them after a while, they were all dead, they were down. And I started gathering in that case
04:21
and trying to see the information I can get about the history of those websites, how they were used, any public information about them. And soon enough I noticed that a lot of them had subdomains that mentioned the services they were trying to impersonate. So things like Outlook or Yahoo Mail or sign-in services to try and appear more legitimate
04:41
in those phishing attempts. And I saw that there was one subdomain that stood out. And looking at that at first, it might appear to you as if this is a random combination of letters and numbers but really each character in this subdomain corresponds to a letter in Arabic.
05:03
And writing that in the right order from right to left because Arabic is from right to left results in a phrase called the popular movement. And looking up the English transliteration that appeared in the subdomain led to one result only in Google, a telegram channel using the same name
05:22
and promoting a popular movement in Egypt. And that channel was sharing messages like these which were basically telling the members, you should go out on the streets, you should get angry, you should start a second revolution, you should join this popular movement.
05:40
But most importantly, make sure you contact the admins and provide them with all of your information or they will contact you. So at a very early stage of my investigation of this infrastructure, I knew that it was devoted to trying to target or to locate people who are possibly interested in opposing
06:01
the Egyptian regime or possible dissidents. One other thing I noticed while looking over this infrastructure is that a lot of the websites resolve to the same IP addresses. And those IP addresses were in the same range or in the same net block. And I started monitoring those IP addresses
06:22
and I saw newer websites being registered and resolving to the same addresses. And one of those websites that was associated with such an IP address also followed the same naming convention as the malicious website. So again, using the words mail and login
06:41
to appear like a legitimate mailing service. But what was really special about this website is that it had an open directory indexing. So I was able to see everything that the attacker stored on this website, which was nice for me.
07:00
Now, the folders in this website contained mainly PHP scripts, which as you would probably know, if you're accessing the open directory using a browser, you cannot really view the source code. But there was a zip file that contained the exact same folders on this website that I could download and view all of the PHP source code, and I did.
07:22
And looking over the folders that I found in this archive, I saw that each one had a different purpose. The first one that I looked into called WS served as a control panel for the attackers of some sort. So the attackers could send this control panel remote requests and with a parameter called action,
07:44
they could specify certain tasks for this control panel to perform on the server. So again, they would be able to gather certain statistics from the data that is stored there, they could delete certain things or certain information that they stored on the server, and so on and so forth.
08:01
And there were a few interesting moments in this control panel code. For example, I could see the credentials for the attacker's database, so I could see the user name and the password that they set. And I also saw that the attackers defined the default time zone of the server to be that of Cairo.
08:22
Interesting. The control panel would also count the amount of requests that it received, and it would check the total amount of requests over three hours. And if that amount exceeds 30 requests, it's considered to be a bit high, so they think there might be some suspicious activity
08:42
or someone is trying to mess with the server. And in that case, an email is sent to this devd at gmail account, telling them, hey, would you mind coming and taking a look at the server? Something might be off. And so, seeing that, I realized
09:00
that this gmail account is probably, again, affiliated with the attackers or created by the attackers. You might also notice that the code snippets I'm showing you have a lot of comments. These aren't ones that I've added. These were left there by the attackers, documenting almost every line of the code
09:22
and telling what it does, which was really helpful for me going over all of this PHP code and trying to understand what it does, so it helped me analyze that in a way. But mainly, a lot of the comments had very, very bad English, so they would make a lot of mistakes and a lot of spelling mistakes
09:41
and grammatical mistakes and so on. And I think my favorite mistake that they made was this one. When the attackers misspelled the word buffering and instead wrote puffering. Now, if you know Arabic, you would know that we don't really have the letter P in the alphabet,
10:01
so a lot of us would confuse the letters P and B, and that's a classic mistake we make. Sorry. And I think this tweet really explains this better than I do by Ahmed Zidane, who says, well, if you know anyone from Egypt, this typo is conclusive evidence that whoever wrote this code is Egyptian. Next up, another folder on the server
10:23
served as a link-shortening service of some sort that was called Shorten Me. And basically, the attackers would send this script long URLs, usually phishing URLs, and this script would generate a very short token,
10:42
add that to another link, creating a much shorter URL, as it promises. Now, the attackers decided to store all of the long URLs they've submitted to the service in a database. And the database was stored on the server, and I had access to everything on the server,
11:00
so I could see all of the long URLs that they've submitted. And the first one that was there was apparently a test of some sort, and the email, and it mentioned the Gmail account that we have seen before. And this was apparently, again, the attackers testing out this script.
11:20
But then the following entries in the database had other email addresses. Real accounts, Hotmail and Gmail accounts, which I have redacted in this case, but looking them up led me to the real identity of the individuals behind them. And I was able to identify more than 30 targets
11:41
that received those phishing links, or that were targeted by this attack. And all of those targets were lawyers, journalists, professors, NGO members, and prominent figures from Egypt. And while I do not know if those attacks were successful,
12:02
and if their accounts were compromised, again, it could just mean that they were targeted and received those links, but not really clicked them, or were a victim of the actual attacks, I do know that some of the victims I was able to identify in this list were arrested months later for criticizing the Egyptian authorities.
12:25
And the remaining folders in the server were devoted to setting up phishing apps, or third-party applications, like the ones that were seen in the Amnesty International report. So again, the attackers would set up those third-party applications and send links to the victims,
12:42
and in return, gain access to everything in their accounts. And we saw such an app for Outlook that was set up back in 2018, and again, you can see it requesting crazy permissions for the victim's inbox or email.
13:01
And there were also two other applications, and in this case, they were targeting Google Drive. So again, we also see a shift of the attackers, not just trying to monitor messages or emails, but also trying to see which files are stored, potentially, on the victim's drives.
13:21
And in Gmail, clicking the third-party application's name would show you information about its developer, and clicking both of these names showed that the same Gmail account was used to create both of those applications, the same account we have seen before.
13:40
But the screenshot also shows that the apps are supposed to redirect the victim after they grant them the permission to a website called drivebackup.co. And this website wasn't known anywhere else before. It wasn't seen in a malicious context whatsoever. And when I saw it in the configuration files
14:02
of those third-party applications and I tried to access it, once again, it was down. And while I was trying not to get frustrated again and find out more things about this website, I came across an interesting finding. An Android application that was submitted to VirusTotal
14:24
and that communicated with this website, drivebackup.co. So the plot thickens. And just in case you're lost at this point, let's recap what we've done so far. So we've started out with an old infrastructure that led us to a new website, maillogin.live,
14:43
that we believe are operated by the same attackers. This website was used to store phishing applications and third-party applications that redirected to drivebackup.co, this website, and now we have an Android application in the equation contacting this website. So the question is, what the hell is this Android app
15:03
and is it related to that other site? To try and answer that question, I installed the app on an Android device and the displayed name for the app was iLoud 200%. Now, when I installed this app, it had no icon.
15:24
So it looked like this. And also the file name or the APK name was v1.apk or version one. And these two things can tell us that this app is probably still in early development phases. And the app would show the user messages
15:42
that their ringtone is 100% louder. Whereas in fact, it did nothing with the ringtone at all in the code. So digging a bit deeper into the code of this app, I saw that the internal name or the package name for it was iRout, not iLoud, iRout.
16:03
And that it requested permissions for the device's internet connection, location, and to be automatically started after the device is rebooted. And what it did with those permissions is that it constantly monitored the device's location. And it did that by contacting drivebackup.co
16:22
and constantly uploading the device's coordinates, local time, and battery statistics to that website. And if the user would try to stop the application from running or stop the service that does this, it had a persistence mechanism to start over again and make sure that the device is constantly monitored
16:42
and its location is known. So again, this is ideal for someone who wants to know where a device is at all times. And because it was impersonating this different service and pretending to be this ringtone app whatsoever, this started to look very, very bad.
17:01
And to make matters more complicated, I saw from VirusTotal that this app was downloaded from a website called indexy.org. And going into this website, I saw that it was still there. For once, something is up, something is active. Not only that, there was also an administration panel
17:23
for this app on that website. And here, it was referred to as iTrack. So again, it has three names now. Now, I didn't log into this panel on this website. I didn't do that. But poking around this website, I saw that the styles directory of this panel is exposed.
17:44
So while I could not log in and see the data that was stored there, I could see the layout of the panel after the admins log in and which pages they get. And I saw that a bootstrap template was used for the design of this panel.
18:02
And that this directory, in this open directory, was used to store the default images of the bootstrap template, which looked like this. Lovely pictures. But there was just one image in this directory that was not part of the default bootstrap template. And it was called logo.png.
18:23
And it looked like this. And seeing that, I was like, hey, I've seen that word before. And you've seen that word before. I don't know if you remember. But it was used in the credentials for the attacker's database from the open directory.
18:40
So this really gave me a nice connection between the phishing apps for the emails and the mobile application, besides them both being connected to drivebackup.co. But now indexy.org started to look very suspicious to me, and I wanted to find out more information about this website. And once again, looking stuff up about indexy.org,
19:03
I came across a mobile application that communicated with this website. But in this case, the mobile application was downloaded from Google's Play Store. And it was called Indexy. And this Indexy had more than 5,000 downloads
19:21
on Google's Play Store. And while it could have been downloaded by anyone, the description of the app and also the default settings of it showed that it was mainly aimed at Egyptians. That was the audience it was interested in. And it was supposed to provide a service
19:41
that is similar to the known Truecaller app. So again, you would look up a phone number and you would find out their owner's name and you would look up a name and you would find out their phone number. And to do that, it requested permissions to the user's contacts and call history, which again is fine if you're setting up a service that is similar to Truecaller
20:00
because you want to improve your database and you want to have as many phone numbers as possible. What is not fine is that once again, there was an administration panel for this app on indexy.org. And once again, the styles directory was exposed. So I was able to see what was being done
20:20
with that data after it is collected. And I saw that there were multiple pages in that admin panel that were storing the statistics and going through them. And basically I saw that the user's data was being monitored and inspected and there were logs of cross-country communication.
20:42
So basically trying to see which user is calling someone from abroad for how long, from which country, and what is the duration of that call and what is the phone number. And that looked bad. And so we reported that to Google and the app was taken down from Google's Play Store
21:01
and it is no longer available for download. So we've been through hell and back. We've covered a lot of things and a lot of layers for this deck. But I think we're still missing some pieces or some information.
21:23
And we didn't look in depth into the indexy source code or the application's source code, and we won't, I promise. But there were some interesting things in that as well. I saw that some of the messages that this app logs were tagged with the word shinu.
21:44
And in the about section of this app, in a different window, there was another website that was mentioned, servegates.com, in addition to indexy.org. And this website, and like the rest of the websites we have seen so far, had Whois information.
22:03
So I was able to see who registered this website. And it was supposedly an individual from Egypt who had the last name Shinawe. And shinu is a very common abbreviation for that last name
22:22
and the email address that was used or that appeared in the Whois information here was used to register other websites. And one of those websites that it registered was called TX Tips. And it was supposed to be this technical blog to provide developers with tips
22:42
when they're using certain programming languages like, oh, if you're using MySQL, here is this bit of code for you. If you're using PHP, here is this and that. And all of the posts in this website were added by shinu. And there was one post in this website
23:00
that talked about using Google's API to maintain offline access to users' accounts. And this is the code snippet from this website, TX Tips. And this is the code snippet from the open directory of the third-party phishing applications.
23:22
And both of these look very, very, very similar. So again, this kind of shows us that everything is connected and really whoever wrote that code is also responsible for the code of indexy which is related to everything else we have seen so far.
23:45
But I wasn't really able to find out anything about this shinu person or individual or if they're really a real person to begin with. But maybe I was asking myself the wrong questions.
24:02
Maybe I shouldn't have been asking who is this person but rather where is. Because what I forgot to mention intentionally is that in the admin panel of the iLoud application there was a page that initialized a map
24:22
that was supposed to collect all of the coordinates that this app got. And for that map to be initialized it had to zoom in to a default location to default coordinates that were hard-coded in the script. You see where it might be problematic. And those coordinates didn't just point to Egypt
24:46
and they didn't just point to Cairo. They pointed to a very specific building there. And seeing that again for the first time and knowing how densely populated the city of Cairo is
25:00
I was like, well, it looks a bit weird like this building, this unnamed building that is walled off and surrounded by those fancy gardens. A bit suspicious. And I didn't know what this was before or if it is affiliated with the attackers but later on we were able to find out that these are actually the headquarters
25:21
of the Egyptian General Intelligence Services. So that might show us again that this attack is originating from Egypt and mainly targeting Egyptians for surveillance purposes trying to track their emails, their location,
25:41
their communications, calls, you name it. And if you think that's bad, if you think that's an invasion of people's privacy Egypt has just started a new practice where people walking down the street can be stopped by officers, be asked to unlock their phones and be inspected
26:02
to see if they were planning to participate in a protest, if they shared a post on Facebook criticizing something or if they saw a video that they shouldn't have. So why bother building a mobile backdoor when you can do that, when you can inspect people's phones and exercise that power on them?
26:22
And if someone opposes that, like the woman in this video did, if you fail to comply, you're as bad as someone who was found with incriminating material on their phone. And if it's just, again, normal people, random people, anyone walking on the street being this violated,
26:42
it is no wonder that journalists, lawyers and activists, people who are supposed to defend and stop those violations, it's no wonder that they're being targets to such an attack that we have seen. And with that, thank you.
27:17
Thank you for the phenomenal talk. Thanks for taking us along on this super exciting ride.
27:23
Now we still have some time left for questions and answers. So if you have any questions, you can pile up at the microphones. First people are answering that call. So let's start with a question from microphone number one, please. Hi, thank you for a super inspirational presentation.
27:42
So my question is that we've seen the homegrown and home-built technology has so many loopholes which you were able to find, but do you also know if the Egyptian government is also importing the tech, which might not be as simple as this or simple as this, from, I don't know, European providers?
28:01
And if yes, are you able to detect to what extent the journalists and dissidents and activists are being targeted? Thank you. Thank you for the question. I don't think there are public records of Egypt using any imported technology or abiding any offensive tool of that sort,
28:21
but it really wouldn't surprise me in that case. And we've seen other countries in the Middle East doing that, Morocco, for example, recently. So it wouldn't come as a shock. Microphone number two. Thank you for that amazing talk. I too want to be you in my next life. Welcome to my life.
28:42
Okay, well, my question is personal. It's aren't you afraid that this might backfire on you? Now you have so much data and so much information in your mind and on paper. Yeah, yeah. You know what, I considered that and everything,
29:01
especially going through this material and other research I've done in the past. But this pissed me off. Like I thought, you know what, I'm just gonna go ahead and report it and say it as is and I'll just take the risk, I guess. Don't kill me. Okay, stay safe.
29:25
I wholeheartedly agree with that scene applause. Microphone number one, please. Thank you for also the amazing visuals. I really like that part. Your narrative was very long and you had exploration, how you presented it,
29:43
but I'm very curious, how did that feel? You mentioned being frustrated, but it, to me, it sounded like a miracle that it's really, okay, and that is exposed and that is exposed and I can just search through it. How did that process really feel?
30:02
Did you have collaborators that also worked through it or did it go through in two days? Can you extend a bit on the process? Definitely, excellent question. It was absolute chaos, pun intended. Just seriously going through all of the material and everything and especially when you're going
30:21
through the raw stuff so you don't know what's interesting and what's not, what the hell is this PHP code and what's not. I was going through everything, sometimes finding things honestly by mistake. Some of the things I found were not planned at all and the thing that helped me most, I think, was also consulting with my colleagues. A lot of the times, I'd just have them come in
30:40
and ask me questions and make me doubt everything I have and then I would make sure that I'm not sounding like a crazy person and also would get their confirmation that I'm on the right track as well. So that really helped. Thank you. Microphone number two, please. Hi, thank you for your amazing talk. This might sound like a crazy question
31:01
given that you are exposing everything you've done but while doing it, did you use any precaution like obscuring your IP address while, I don't know. Yeah, so yeah, everything was done on like a separate network for this analysis
31:21
and behind VPN and whatnot. Yeah, tried not to drag it to myself as much as possible. Another question for microphone number two. Thank you also from my side. Can you talk about the victims, the targets, since you said they were identifiable
31:41
by their email addresses and did you take measure, take action to inform them or like deal with that information and second question would be is your, are you or your team like working
32:00
on any guidance on how people can like protect themselves or stuff like that? Yeah, so basically with regards to the victims, we've had like I said, a list of victims and we worked on, when we've had everything and went through the technical stuff as well,
32:20
we reached out to the New York Times who then had contacts in the region and were able to even talk to some of the victims directly and make sure they know that they were targeted in that case and as for the second part of your question, I would say that if you're someone from that region and you're working in those sensitive positions,
32:41
just like watch out for anything that you might receive via email, via text message, watch out for your phone and just make sure you like, watch out for those things. Sometimes again, it's something that you unfortunately cannot avoid, especially if you're walking
33:01
down the street and someone stops you but just be careful, I think is the best advice I can give in that case. Yeah, I guess one thing that we learned from your talk is OPSEC, OPSEC, OPSEC, so microphone number two again. Hi, I was wondering, you mentioned the location in the application, how was it deriving the location?
33:22
Was it from base station triangulation or was it switching the GPS on? Or how was it, what kind of data was it getting? The mobile application? Yeah. It was accessing the device's fine location and then trying to, trying some methods, I think GPS and if it doesn't have access to that
33:42
then other things and uploading what it can find and the method that it was using. Microphone number one again. Yeah, hi, great talk, thank you for that. Just a small remark. I don't believe that this buffer/puffer mistake is a thing that points to Egyptians solely because in German the word buffer also starts with a P.
34:06
Yeah, I also have Syrian friends who make the same mistake so it's not exclusively Egyptian. Yeah, I do wanna say that it's, oh my God, how do I explain this without being tricky? It's an Arab mistake in general,
34:21
usually like in my region for example, it's mistaking a P for a B but the other way around is a bit more Egyptian in that sense. So again, yeah, I do agree, not conclusive evidence but it was a hint in a way. Thanks, microphone number two please. Hi, thanks for the talk. Just curious, did you try to write an email
34:41
to the developer? No. I did not, I should have maybe. Does it give a result online with this email or? No, yeah, so I looked it up, I tried to see if there was a Facebook account maybe associated with that email, nothing came up,
35:00
it was just in the code I think and I think the name devd.log something just says that it's like supposed to be a dev log or developer logs, I think that's what the name might be hinting so it's just used for that but no conclusive evidence. Is there another question on microphone number two? Perfect, move on up.
35:21
Thank you for the talk. I was thinking about sending this talk to Egyptian friends, is it safe? Oh, my God. Yes, no, maybe, question mark? I am not sure, I'm not sure.
35:42
I would say be careful. If they're abroad then gladly but be careful. Thank you. Microphone number one. So you've been doing a lot of work to investigate the infrastructure from a state surveillance agency and there are other institutions like Citizen Lab
36:02
and Amnesty that do a lot of work on this and also don't always expose it so it's ongoing. Have you shared the information you have with them so they can continue their own investigations? Yeah, we basically, my work started by looking over at the findings from Amnesty International's reports
36:22
so yeah and we reached out to Amnesty after we've had those findings to try and cooperate and we informed them of everything that we found on this. Now, have we reached the end of your questions? Search your souls. Are there maybe any questions left? Because we would have another two or three minutes.
36:41
Yes, thank you. Soul searcher, move to microphone number two. Your question please. Should Google have done anything better to make sure that the apps weren't uploaded to the Play Store? Hmm. Should they have? I'm not really sure because they do have
37:02
their mechanisms to protect against if you've identified malicious patterns within the apps or see malicious views right away. In this case, I think it was a bit more tricky because again, if you're somewhat providing a legitimate service, then the tricky thing is where the malicious stuff is being done on the server side, it's a bit harder to prevent against that.
37:21
Supposedly, there was even a new report about this app from UAE called ToTok which appeared to be completely legitimate but might have been used to gather intelligence by the UAE government. So could they have known that? I don't think so, not in advance. Microphone number two. You were able to look up every WHOIS information
37:41
of the registered websites. My question is did the registrant names match and were there street addresses to their registrants because in the Dutch WHOIS, if they're not secured, well, there's an address to it usually. Yeah, so basically most of the websites
38:01
did not have WHOIS information. This one specifically did and there was, I don't think there was a street name but there was a region name in Egypt or like a town name, so nothing too specific. Are we now at the end? Any more questions? This would be your last moment. Three, two, one, no. So I thank all of you.
38:22
Oh, there's one person. Yeah, it's like, is someone disagreeing with this marriage? Yes, you. So your last question, please. Just came to my mind. How did you figure out the place in the map was the general agency for? Yeah, so like I said, we talked to reporters
38:42
from the New York Times who had contacts in the region and were able to confirm that. Thank you. All right, thank you very much for all of your very interesting, enthusiastic and engaged questions. I think that showed that you all appreciated the talk as much as I did. So please give Aseel another big warm round of applause. Thank you for the great talk.