Okay, welcome to my talk, COVID-19-84: Propaganda and Surveillance during a Pandemic. Before we start, I would like to make a brief introduction, both to this talk and to myself. My name is Mauro Eldridge, I work as a cyber security architect. I'm the founder of DC5411 Argentina, and I was a speaker at DEF CON Las Vegas, DEF CON Siberia, Roadsec Brazil, DragonJAR Colombia, Boscon Iran and Texas Cyber Summit, among other conferences. I'm a returning speaker to this village; I spoke here at DEF CON 26. This talk is about explaining the political situation of surveillance and propaganda in Argentina. It is also compatible with the same situation in other countries and regions. This will be explained from a hacker's point of view, using a hacker's toolbox, which in my case includes social engineering and open source intelligence, and there's even some application reverse engineering at the end. This talk will be divided into two chapters. The first is propaganda: the Argentine pro-government propaganda apparatus on social networks, seen from the inside. We will see the process from scratch, from the infiltration of a sock puppet account into the apparatus to its internal operation. The second part is surveillance. We will dissect the CuidAR COVID-19 mobile application, which is now mandatory by law in order to circulate. So if you want to leave your home, if you want to step away from your doorstep, you have to have this application installed on your phone. We will dissect this application, uncovering many privacy abuses, bad practices, and lots of material worthy of appearing on Reddit, especially on the programming horror subreddit. Just a brief disclaimer: every item disclosed here is publicly available through OSINT. In my jurisdiction, it is totally legal to reverse engineer any application or any software. And I wasn't involved in any illegal activity, directly or indirectly.
So that being said, let's start with our first chapter, propaganda. So what is propaganda, you might ask? Propaganda is communication that is primarily focused on influencing an audience and furthering an agenda, which might not be objective or might not be real at all, and which may present facts selectively. You might have heard the term "alternative facts" recently in the media. Well, it's probably related to this kind of behavior. Online, agents of propaganda are called trolls. They massively comment on social networks, supporting a certain government, in this case, or a certain movement. It may not always be a government, but a political movement. They try to establish their own debates and trends. For instance, in my country, it's pretty popular to see trends like "Thanks, President Fernandez" or "We support you, President Fernandez". They may also be found diverting the focus from opposition debates. For example, every time an opposition party tries to open a thread or tries to communicate something, you might find the trolls leaving spam comments, fancams, or any other material that, when posted repeatedly, could turn this thread into something really difficult to follow for legitimate users or for interested users. So it may turn the conversation into something unbearable. They also work by establishing negative trends against the opposition, and they are usually grouped into troll farms, where they work together in an organized manner, surprisingly. How do you recognize a troll? Okay, first, it's pretty simple, because lots of default configurations are present on their profile. For example, they don't have a profile picture, or they use a fake one or a stock one. There are lots of numbers in their handles, for instance "Mauro" and a bunch of numbers. That's pretty common, pretty normal on Twitter, actually, because that's the default username that Twitter gives you and allows you to change later.
They share common terms and phrases; they have their own language, surprisingly. They agree on a common version to answer debates. For example, "the president's offshore accounts are a media operation". So they are basically saying that everyone else is lying and they are not. And they obviously work with swarm behavior. They never come alone. They act like a swarm. Many governments are credited with having an online propaganda apparatus and agents. For example, Russia, with the trolls of Olgino; China, with the 50 Cent Party; North Korea, with the United Front Department; Venezuela, with the Armada Bolivariana de Trolls, which roughly translates to English as the Bolivarian Army of Trolls; and also Argentina, with the Ciber-K or Tropa K, which translated from Spanish is K-Troop or Cyber-K, which is not actually a K-pop supporting fandom. The clarification is worth making. This global advance of propaganda apparatuses around the world is such that there are social networks with firm positions towards them. For example, CounterSocial is against it, and countries with the highest propaganda incidents are simply blocked entirely by IP block. Some of them are listed here. And there are other social media sites, for example this one in my country, that support the propaganda behavior. FacePopular.net was an Argentine social network against the establishment and imperialism, and it's a firm supporter of the Peronist Party. It was a place where only its militants participated, and it was backed and supported by the Ministry of Culture. At first sight you might obviously see that this is a bad rip-off of Facebook. It even allows you to register with Facebook. This project is now defunct and it's no longer active. But it was heavily used by users from Argentina and Venezuela some years ago. Trolls and censorship. The goal of a troll is not only to spread messages, but to prevent the opposition from doing so.
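The troll indicators the talk lists (default or stock profile picture, a numeric Twitter-style handle, repeated canned phrases, and swarm posting of the same hashtag) turned into a small scoring routine, as an added example that is not the speaker's venator.lua tool. The profiles, tweets and phrases are constructed sample data, and the 5-minute swarm window and the 3-account threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not real accounts): profile flags and tweets.
PROFILES = {
    "Mauro19283746":  {"default_avatar": True},
    "Lucia88112039":  {"default_avatar": True},
    "JuanP4455019":   {"default_avatar": False},
    "ana_periodista": {"default_avatar": False},
}
TWEETS = [  # (handle, timestamp, text)
    ("Mauro19283746",  "2020-06-01 19:30:05", "#GraciasPresidente the offshore accounts are a media operation"),
    ("Lucia88112039",  "2020-06-01 19:31:10", "#GraciasPresidente media operation once again"),
    ("JuanP4455019",   "2020-06-01 19:32:40", "#GraciasPresidente we support you president"),
    ("Mauro19283746",  "2020-06-01 20:10:00", "we support you president #GraciasPresidente"),
    ("ana_periodista", "2020-06-01 22:05:00", "reading about the new #cuarentena measures"),
]
# Canned answers of the kind the talk describes (lower-cased for matching).
SHARED_PHRASES = ("media operation", "we support you president")
# Twitter-style default handle: a name followed by a long run of digits.
HANDLE_RE = re.compile(r"^[A-Za-z_]+\d{5,}$")

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def swarm_members(tweets, window=timedelta(minutes=5), min_size=3):
    """Handles that posted the same hashtag within `window` of at least min_size-1 others."""
    by_tag = defaultdict(list)
    for handle, ts, text in tweets:
        for tag in re.findall(r"#\w+", text.lower()):
            by_tag[tag].append((parse(ts), handle))
    members = set()
    for posts in by_tag.values():
        posts.sort()
        for i, (t0, _) in enumerate(posts):
            burst = {h for t, h in posts[i:] if t - t0 <= window}
            if len(burst) >= min_size:
                members |= burst
    return members

def score_accounts(profiles, tweets):
    """Return {handle: (score, reasons)}; a higher score means more troll-like."""
    swarm = swarm_members(tweets)
    texts = defaultdict(list)
    for handle, _, text in tweets:
        texts[handle].append(text.lower())
    result = {}
    for handle, prof in profiles.items():
        reasons = []
        if prof["default_avatar"]:
            reasons.append("default/stock profile picture")
        if HANDLE_RE.match(handle):
            reasons.append("auto-generated numeric handle")
        if any(p in t for t in texts[handle] for p in SHARED_PHRASES):
            reasons.append("repeats canned phrase")
        if handle in swarm:
            reasons.append("posts hashtag in a swarm burst")
        result[handle] = (len(reasons), reasons)
    return result
```

The score is a triage aid for manual review: a real account may still match one or two indicators, and the talk itself notes that the apparatus mixes real users with trolls and bots.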
Lots of groups participate in massively reporting legitimate posts or accounts from the opposition in order to take them down. They are actively abusing an automatic mechanism for reporting: if a lot of users report someone, it must be true, and this automatic behavior takes down the post or the account without any real intervention. Argentina is an ideal terrain for this surveillance experiment, since many times the government has tried to control social networks to no avail. For example, Peronist legislators proposing that users who comment on websites identify themselves with their national identification number, which is like the social security number for US residents. Or a senator from the same party proposing a "public and democratic regulation" of social networks. Or the cyber patrol protocol imposed this year, which basically ended up with a lot of people being detained for tweeting or for expressing themselves on social media. You know, there are a lot of projects and already installed measures to control social networks. But what about the trolls? The trolls continue working together and growing. So this is where we start after this introduction. Tracking trolls. The Argentine apparatus has the particularity of being made up of real users as well as trolls and bots, as you can see when exploring their hashtags. Rumors indicated that many users received invitations to join this apparatus. My goal was to get that invitation. You know, it's like a golden ticket to the chocolate factory. So after a month of silent observation, I created a sock puppet account mimicking the behavior of these users, and it was configured using these settings. Profile photo: President Fernandez and Vice President Fernandez together. The cover photo was Vice President Fernandez giving a speech at Bellas Stadium. And who was I following? The President and some ministers, along with a few real pro-government accounts. What about the description and tweets?
Both I made by imitating the specific language and symbolism used by these users. How? Well, using the Twitter API to monitor the hashtags and extract the most repeated words. You might find them here as a word cloud. Most of these are pejorative terms to refer to opponents, like "Bolsonaro", and "Piraña" instead of Sebastián Piñera, the Chilean president. So after learning how to speak, now that we spoke the same language, it was a matter of time before getting the invitation. This sock puppet gained 100 or so followers in a few hours. I have had my original Twitter account since 2015 and I think I have less than 300 users, just for comparison. Most of these were trolls, but a few real users too. So I started retweeting official accounts and these real users, and tweeting with their same hashtags. Finally, I received my invitation, this golden ticket, from a user whom I'll call DC. On the left you can see the original conversation in Spanish, and I translated it the best I could into English. "Hey buddy, we are making Twitter groups to install hashtags, wanna join?" "Hey buddy, sure, what am I supposed to do?" "Well, basically you have to tweet the hashtags that we send to the group." After agreeing to this, I was added to group number 300-something of "Soldiers of the National Project", containing 50 people. One of the messages shared there was this: "Guys, Ariel Garbarz is asking us to use #LarretaEsResponsable." Larreta is the mayor of Buenos Aires city and a member of the opposition. Now you may ask, who is Ariel Garbarz, by the way? No clue so far. But in fact, both of these hashtags that made the top five in my country, one of them being #PescadoPodrido and the other #LarretaEsResponsable, are fabricated trends proposed in propaganda groups. You may find the source on getdaytrends.com. Just for confirmation, I went to the trending list earlier and I found that this information was right.
And these trends lasted for at least 12 hours, which gives us a little scope to assess these propaganda interventions. Another message in this group is: "Hey guys, with Ariel Garbarz we formed a group where he's the administrator and tells us what to publish and at what time, so we can get our trend to always be in first place." Another user replies: "It's like you say, we used to do the same long ago with the K Youth, a new group. You have to set a day and a time, it's the best." Again, who is Ariel Garbarz? Okay, remember DC, the original member who invited me here? Well, 10 days later another account of his tried to recruit me again. So he had probably forgotten about my account. "Hey buddy, we're making Twitter groups to install hashtags. Wanna join?" And I say, "Hey buddy, sure, go ahead." I was added once again to another "Soldiers of the National Project" 300-something. By accident, I was a member of two propaganda groups. There was a six-number difference between each group ID, for example 301 and 307. Each group can have up to 50 users, 49 if you do not take into account the administrator. So 49 users multiplied by 6 new groups is almost 300 new users in 10 days. This is how fast these apparatuses can grow with almost no effort. Currently, according to the last group ID I managed to find, there are at least about 350 propaganda groups on Twitter alone. This gives us a total of 17,150 users. Imagine all these people; try to picture all these people tweeting 5 or 6 times a day. They can make any trend they want. Well, this doesn't end here. Now, WhatsApp groups are shared with both groups I belong to, and of course hashtags are shared there too. This group is number 7. There are 7 groups of around 256 users. If we take into account 255 users, not counting the administrator, multiplied by these 7 groups, there are almost 2,000 new users here, which may be repeated. Adding them all together, we have almost 20,000 users. Again, there may be repeated users.
This doesn't end here. This group had members from the USA, Spain, the United Arab Emirates and even Germany. So upon joining, the administrator started sending hashtags. In this case: "At half past 7, we come out with this hashtag." That administrator, as you may see in the message, in the leading message, is Ariel Garbarz. And that name now definitely rings a bell for you, right? So, let's try to answer who Ariel Garbarz is. He's the CEO of Protección Digital, which is Digital Protection, a company which was favored with many contracts by the Federal Justice and various Argentine governments. He was appointed to direct several state infrastructure projects. He was appointed computer attorney general for the 2017 and 2019 elections. And he's the leader of the propaganda apparatus on social networks. The lord of the trolls, you might say. The source of this is the newspaper Perfil, where he answered an interview. Here is a video of Ariel Garbarz instructing the trolls live. But it is in Spanish and, for time reasons, I'm not going to show it here. It will be shared on the GitHub repository along with the slides. Obviously, since in Argentina we speak Spanish, the video is in Spanish. This was linked on Twitter by a user. So, the final diagram of the trolls, or a simplified one, is here. Ariel Garbarz acts as a leader and sends the trending topics to be installed to his coordinators, the coordinators of each group, who then share this objective to both Twitter groups and WhatsApp groups, which then is executed by the trolls. So, is this illegal? On the Twitter platform it is against the terms of service. The Twitter safety team actively tracks and takes down state-linked propaganda groups. In our country, well, it is not. In fact, it looks suspiciously endorsed, like the Facebook rip-off social media site I showed you some slides ago. What tools did I use for this chapter?
Well, Trendinalia, Trends24.in, Botometer, GetDayTrends, the Twitter API, the Twitter RubyGem, and my own tool, which is also in the repository, venator.lua, for recognizing bot- or troll-like behavior. So, what is the propaganda apparatus up to right now? Generating hashtags supporting the use of the government application to monitor the coronavirus outbreak. You know, the CuidAR COVID-19 application, which leads us to the next part. Surveillance, or dissecting the Argentine Government's coronavirus application. So, this is the tracking application proposed by the Argentine Ministry of Modernization. It is mandatory by law to circulate. So, if you want to leave your home, if you want to step outside your front door, you need to have this application installed. The current version is 3.3.1, but here we analyze 1.0.2, 3.0.7, and 3.3. I used the most common tools available for Android decompiling and reverse engineering. At first glance, I noticed a lot of broken functions. And reviewing the code, I found many dyslexic errors. Like, for example, "deshabilidad" instead of "deshabilitar", which in English means disable. "Bonotas" instead of "botones", buttons. And this problem is repeated regardless of the decompiler used. "Numero" instead of "número", number. "Masculio" instead of "masculino", male. "Autoevaluacoin" instead of "autoevaluación", which is a critical feature of this application, the auto-evaluation module. And after digging a little bit further, I found a read-only token disclosure, which is not a vulnerability per se, but will become handy later. Insecure JSON structure creation, vulnerable to injection or manipulation, instead of using the Java-provided functions to build JSON. A reference to a long-dead product, Google Plus. Lots of insecure and unsanitized execSQL calls. Really, a lot of them. And some could even lead to SQL injection. The application communicates with foreign servers, which by national law, or local law, is not allowed.
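The two coding patterns named above, hand-built JSON and SQL statements assembled from unsanitized input, re-created in Python with the standard library rather than the app's Java, as an added example that is not CuidAR's code. The `evaluations` table, the field names and the constructed DNI inputs are assumptions; each unsafe variant sits beside the library-based form that keeps user input as data.

```python
import json
import sqlite3

def build_payload_unsafe(dni, result):
    # Mirrors hand-built JSON: the value is pasted into the text unescaped.
    return '{"dni":"' + dni + '","result":"' + result + '"}'

def build_payload_safe(dni, result):
    # The serializer escapes quotes, so the value can never close the field early.
    return json.dumps({"dni": dni, "result": result})

def parsed_payload(builder, dni, result="no_contagioso"):
    """What the server would parse; None if the built text is not valid JSON."""
    try:
        return json.loads(builder(dni, result))
    except json.JSONDecodeError:
        return None

def save_evaluation_unsafe(conn, dni, result):
    # Mirrors execSQL with string concatenation: input becomes part of the statement.
    conn.execute("INSERT INTO evaluations (dni, result) VALUES ('"
                 + dni + "', '" + result + "')")

def save_evaluation_safe(conn, dni, result):
    # Bound parameters: the driver passes the values separately from the SQL text.
    conn.execute("INSERT INTO evaluations (dni, result) VALUES (?, ?)", (dni, result))

def run_sql_demo():
    """Store a DNI containing a stray quote with both variants; return what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE evaluations (dni TEXT, result TEXT)")
    quoted_dni = "12345678'"  # constructed: a typo or a probe adds one quote character
    outcome = {}
    try:
        save_evaluation_unsafe(conn, quoted_dni, "no_contagioso")
        outcome["unsafe"] = "inserted"
    except sqlite3.Error:
        outcome["unsafe"] = "error: the quote altered the SQL statement"
    save_evaluation_safe(conn, quoted_dni, "no_contagioso")
    outcome["safe_stored"] = conn.execute("SELECT dni FROM evaluations").fetchone()[0]
    return outcome
```

A constructed DNI such as `12345678","extra":"1` shows the JSON problem: the unsafe builder yields a document with an `extra` key the app never intended, while the serialized form keeps the whole string inside the `dni` field.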
These servers are not really safe for storing medical data, or, well, anything. This is the map of the application. All of these assets get a rating of C, so it's not secure at all. A lot of missing security features. And privacy is also at risk. Out of the total score, this application received a 61. There are many write operations that record PII about the device, which are in base64. When you decode them, you get that this application is trying to keep track of the device ID, the build of the application itself and the device manufacturer. Obviously, since this is an emulated device, the application was not able to extract any valid information at all. From the very first version, the possibility of permanently tracking the user was considered. As you may see, "permiso ubicación" means location access permission, and "todo el tiempo" means all the time. The application has forced updates that try to run at start-up. For example, "show forced update dialog" on device start-up, or on boot. Also, this location tracker attempts to listen for boot events. The app tracks and asks for medical history, for example cancer, diabetes, pregnancy, cardiac, hepatic, renal and respiratory diseases, and all this data is stored abroad. Auto-evaluations are not stored on the client side, but rather sent to the server. The user's identification, along with his or her DNI, a national document ID number, is sent to a remote server. Again, this identification number is like the social security number of U.S. residents. If the user's evaluation returns that he or she is infected, the tracking service is activated in the background. Also, by default, the app allows backup mode, which may send private medical information to Google. Now, it's unreliable for an application to diagnose an illness. But it's less reliable for an app to say, "Okay, you're not contagious, bro." We are in a pandemic, but hey, you're not contagious. You are safe to go.
"No sos contagioso" means in English "you're not contagious". So the app has an option or feature for that. Now, remember the last time you Googled your symptoms for anything you had. I had a slight fever, my ankle hurts, I have a headache. What is the first result that Google gave you? You know, it's probably not something good at all, or not accurate at all. Again, for example, in this snippet of code it tries to determine if a user is not infected or not contagious. Again, you should see a professional, not an application. And this is not the first time we do something like this in the Argentine Government. We were featured a lot of times on programming horror on Reddit for this kind of thing. For example, this was the application that the Argentine Government forces people to download when they land in Argentina to control coronavirus infections. As you can see, it is really long, and it might give you a little sample of how we work here. Now, in the first version, 1.0.2, that I reversed, I found this string all across the code base, all across. As you can see, we won't disclose its full name. Who is Sergio? A possible author, a project lead. After some Google-fu, after some Google queries, I landed on his personal site. He has worked on a lot of Government apps before, including transport, local Government, national Government, healthcare, and even now on the Government's main application, Mi Argentina, which is "my Argentina". So, following the email he provided on his site, I found out that it was leaked a good couple of times. So this might even raise the attack surface for this kind of application. Now, what is everybody else doing? What are all our neighbors doing? All of them are dropping centralized solutions, or centralized contact tracing. But we insist on keeping this model and pushing this model forward. And so, to close this chapter, this application was launched without publishing an audit report or penetration test.
And it isn't HIPAA compliant, not at all. This is especially serious knowing that it handles medical information and sends it to servers abroad. Now, ask yourself, please, what would happen if you developed an application of this poor quality for your employer? Let's jump to the conclusions and questions and answers. Although it might seem obvious for those of us who are techies, geeks, hackers or whatever: always inform yourself through professional, neutral and verified sources. They are not easy to get, and again, it may seem obvious to us, but not to the rest of the world out there. Just because a term or a phrase is trending does not mean that it is real or automatically represents the thinking of a majority, right? Every day, somewhere and at all times, there are groups of people and machines designed to install various thoughts and debates in society. Surveillance and monitoring of citizens is not the answer, particularly in the hands of governments that have constantly committed systematic abuses against freedom of expression, especially in digital media, and obviously especially in Argentina; you have seen some examples in this talk. Investing thousands in technology and applications after neglecting the old infrastructure is not the solution. The expensive app does not replace a doctor at all. You can get in touch with me via Telegram or GitHub, where these slides will be shared, along with the video that I didn't have the time to play. Feel free to follow me on Twitter at Mauro Eldridge; as you may see, I have a few followers, since I'm not into trolls, actually. I really hope you enjoyed this talk, and if you have any questions I'm glad to help you and to answer, so please feel free to drop in and ask whatever you like. Thanks for watching this, and I hope to see you again next year.