Okay, welcome to my talk, COVID-19-84: Propaganda and Surveillance During a Pandemic. Before we start, I would like to make a brief introduction both to this talk and to myself. My name is Mauro Eldridge, I work as a cyber security architect. I'm the founder of DC5411 Argentina, and I was a speaker at DEF CON Las Vegas, DEF in Siberia, Routes in Brazil, DragonJAR Colombia, Boscon, Iran and Texas Cyber Summit, among other conferences. I'm a returning speaker to this village; I spoke here at DEF CON 26. And this talk is about explaining the political situation of surveillance and propaganda in Argentina, although it is also compatible with the same situation in other countries and regions. This will be explained from a hacker's point of view using a hacker's toolbox, which in my case includes social engineering and open source intelligence, and there's even some application reverse engineering at the end. This talk will be divided into two chapters. The first, propaganda, is about the Argentine pro-government propaganda apparatus on social networks, seen from the inside. We will see the process from scratch, from the infiltration of a sock puppet account into the apparatus to its internal operation. The second part is surveillance. We will dissect the CuidAR COVID-19 mobile application, which is now mandatory by law in order to circulate. So if you want to leave your home, if you want to step away from your doorstep, you have to have this application installed on your phone. And we will dissect this application, uncovering many privacy abuses, bad practices, and lots of material worthy of appearing on Reddit, especially on the ProgrammingHorror subreddit. Just a brief disclaimer: every item disclosed here is publicly available through OSINT. In my jurisdiction, it is totally legal to reverse engineer any application or any software. And I wasn't involved in any illegal activity, directly or indirectly.
So, that being said, let's start with our first chapter, propaganda. So what is propaganda, you might ask? Propaganda is communication that is primarily focused on influencing an audience and furthering an agenda, which might not be objective or might not be real at all, and that may present facts selectively. You might have heard the term "alternative facts" recently in the media. Well, it's probably related to this kind of behavior. Online agents of propaganda are called trolls. They massively comment on social networks, supporting a certain government, in this case, or a certain movement. It may not always be a government, but a political movement. They try to establish their own debates and trends. For instance, in my country, it's pretty popular to see trends like "Thanks, President Fernández" or "We support you, President Fernández". They may also be found diverting the focus from opposition debates. For example, every time an opposition party tries to open a thread or tries to communicate something, you might find the trolls leaving spam comments, fancams, or any other material that, when exposed repeatedly, could turn this thread into something really difficult to follow for legit users or for interested users. So it may turn the conversation into something unbearable. They also work by establishing negative trends against the opposition, and they are usually grouped into troll farms, where they work together in an organized manner, surprisingly. How do you recognize a troll? Okay. First, it's pretty simple, because lots of default configurations on their profile are present. For example, they don't have a profile picture. They use a fake one or a stock one. There are lots of numbers in their handles, for instance "Mauro" and a bunch of numbers. That's pretty common, pretty normal on Twitter, actually, because that's the default username that Twitter gives you and allows you to change later.
They share common terms and phrases; they have their own language, surprisingly. They agree on a common version to answer debates. For example, "the president's offshore accounts are a media operation". So they are basically saying that everyone else is lying and they are not. And they obviously work in swarm behavior. They never come alone. They act like a swarm. Many governments are credited with having an online propaganda apparatus and agents. For example, Russia, with the so-called trolls of Olgino; China with the 50 Cent Party; North Korea with the United Front Department; Venezuela with the Armada Bolivariana de Trolls, which roughly translates to English as the Bolivarian Army of Trolls; and also Argentina with the CiberK or Tropa K, which translates from Spanish as K-Troop or Cyber-K, which is not actually a K-pop supporting fandom. That clarification is worth making. This global advance of propaganda apparatuses around the world is such that there are social networks with firm positions towards them. For example, CounterSocial is against it, and countries with the highest propaganda incidence are blocked entirely by IP block. Some of them are listed here. And there are other social media sites, for example this one in my country, that support the propaganda behavior. FacePopular.net was an Argentine social network "against establishment and imperialism", and a firm supporter of the Peronist Party. It was a place where only its militants participated, and it was backed, supported, by the Ministry of Culture. At first sight you might obviously see that this is a bad rip-off of Facebook. And it even allows you to register with Facebook. This project is now defunct and it's no longer active. But it was heavily used by users from Argentina and Venezuela some years ago. Trolls and censorship. The goal of a troll is not only to spread messages, but to prevent the opposition from doing so.
Lots of groups participate in mass-reporting legit posts or accounts from the opposition in order to take them down. They are actively abusing an automatic mechanism for reporting. So if a lot of users report someone, it must be true. And this automatic behavior takes down the post or the account without any real intervention. Argentina is an ideal terrain for these surveillance experiments, since many times the government has tried to control social networks, to no avail. For example, Peronist legislators proposing that users who comment on websites identify themselves with their national identification number, which is like the social security number for US residents. Or a senator from the same party proposing a "public and democratic regulation" of social networks. Or the cyber patrol protocol imposed this year, which basically ended up with a lot of people being detained for tweeting or for expressing themselves on social media. You know, there are a lot of projects and already installed measures to control social networks. But what about the trolls? The trolls continue working together and growing. So this is where we start after this introduction. Tracking trolls. The Argentine apparatus has the particularity of being made up of real users, as well as trolls and bots, as you can see when exploring their hashtags. Rumors indicated that many users received invitations to join this apparatus. My goal was to get that invitation. You know, it's like a golden ticket to the chocolate factory. So after a month of silent observation, I created a sock puppet account mimicking the behavior of these users. And it was configured using these settings. Profile photo: President Fernández and Vice President Fernández together. The cover photo was Vice President Fernández giving a speech at the Vélez stadium. And who was I following? The President and some ministers, along with a few real pro-government accounts. What about the description and tweets?
Both of them I made imitating the specific language and symbolism used by these users. How? Well, using the Twitter API to monitor the hashtags and extract the most repeated words. You might find them here as a word cloud. Most of these are pejorative terms to refer to opponents, like "Bolsonaro" and "Piraña" instead of Sebastián Piñera, the Chilean president. So, after learning how they speak, now that we speak the same language, it was a matter of time before getting the invitation. This sock puppet gained 100 or so followers in a few hours. I have had my original Twitter account since 2015 and I think I have less than 300 followers, just for comparison. Most of these were trolls, but a few real users too. So, I started retweeting official accounts and these real users and tweeting with their same hashtags. For instance, "Macri should be in jail", our ex-president, from the opposition. And after only three days, I received my invitation, this golden ticket, from a user we'll call DC. On the left you can see the original conversation in Spanish, and I translated it the best I could to English. "Hey buddy, we are making Twitter groups to install hashtags. Wanna join?" "Hey buddy, sure, what am I supposed to do?" "Well, basically you have to tweet the hashtags that we send to the group." After agreeing to this, I was sent to group number three hundred and something of "Soldiers of the National Project", containing 50 people. One of the messages shared there was this: "Guys, Ariel Garbarz is asking us to use 'Larreta is responsible'". Larreta is the mayor of the City of Buenos Aires and a member of the opposition. Now you may ask, who is Ariel Garbarz, by the way? No clue so far. But in fact, both of these hashtags that made the top five in my country, one of them being "Pescado Podrido" and the other "Larreta is responsible", are fabricated trends proposed in propaganda groups. You may find the source on getdaytrends.com. Just for confirmation, I checked the trending topics earlier and I found that this information was right.
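The troll heuristics listed earlier in the talk (no custom profile picture, a handle ending in a run of digits, shared vocabulary, swarm behavior) and the hashtag term-extraction step described just above, combined into one detection script as an added example. This is editor-supplied Python, not the speaker's Venator.lua or any other code from the talk; the handles, posts and timestamps are constructed, and the thresholds (five or more trailing digits, 80 % campaign vocabulary per post, three accounts within two minutes) are assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data (not real accounts or tweets): handle -> profile flag and the
# posts collected from a monitored hashtag, as (ISO timestamp, text) pairs.
SAMPLE_ACCOUNTS = {
    "user47291038": {"default_avatar": True, "posts": [
        ("2020-06-10T19:30:05", "#TrendA thanks president, great job"),
        ("2020-06-10T19:31:10", "#TrendA great job president, thanks"),
        ("2020-06-11T19:30:02", "#TrendB president, great job, thanks")]},
    "patriot_9920134": {"default_avatar": True, "posts": [
        ("2020-06-10T19:30:20", "#TrendA great job president thanks"),
        ("2020-06-11T19:30:30", "#TrendB thanks president great job")]},
    "carlos_555123": {"default_avatar": False, "posts": [
        ("2020-06-10T19:30:50", "#TrendA thanks president great job"),
        ("2020-06-11T19:30:45", "#TrendB great job president, the budget speech was good")]},
    "ana_garcia": {"default_avatar": False, "posts": [
        ("2020-06-10T08:12:00", "#TrendA I disagree with the new tax, here is why"),
        ("2020-06-12T21:45:00", "Weekend plans: hiking and reading")]},
    "lucas_photo": {"default_avatar": False, "posts": [
        ("2020-06-10T14:00:00", "#TrendA interesting thread on the budget")]},
}

STOPWORDS = {"the", "and", "for", "with", "here", "was", "you", "our"}
TOKEN_RE = re.compile(r"#?[A-Za-zÁÉÍÓÚÑáéíóúñ]+")
DIGIT_TAIL_RE = re.compile(r"\d{5,}$")  # assumption: 5+ trailing digits looks auto-generated


def tokenize(text):
    """Lower-cased words; hashtags, stop words and very short words removed."""
    words = [w.lower() for w in TOKEN_RE.findall(text) if not w.startswith("#")]
    return [w for w in words if len(w) > 2 and w not in STOPWORDS]


def top_terms(accounts, n=4):
    """Most repeated terms across all collected posts (the 'word cloud' step), counted once per post."""
    counter = Counter()
    for acct in accounts.values():
        for _, text in acct["posts"]:
            counter.update(list(dict.fromkeys(tokenize(text))))
    return counter.most_common(n)


def campaign_share(posts, campaign_terms, per_post=0.8):
    """Fraction of an account's posts made almost entirely of the campaign vocabulary."""
    hits = 0
    for _, text in posts:
        toks = tokenize(text)
        if toks and sum(t in campaign_terms for t in toks) / len(toks) >= per_post:
            hits += 1
    return hits / len(posts) if posts else 0.0


def swarm_bursts(accounts, window_seconds=120, min_accounts=3):
    """Time windows in which at least min_accounts distinct accounts posted (swarm behavior)."""
    events = sorted((datetime.fromisoformat(ts), handle)
                    for handle, acct in accounts.items() for ts, _ in acct["posts"])
    bursts, i = [], 0
    while i < len(events):
        start, members, j = events[i][0], set(), i
        while j < len(events) and (events[j][0] - start).total_seconds() <= window_seconds:
            members.add(events[j][1])
            j += 1
        if len(members) >= min_accounts:
            bursts.append((start.isoformat(), frozenset(members)))
            i = j  # report each burst once
        else:
            i += 1
    return bursts


def score_account(handle, acct, campaign_terms, bursts):
    """One point per heuristic: default avatar, numeric handle, scripted vocabulary, swarm posting."""
    flags = []
    if acct["default_avatar"]:
        flags.append("default_avatar")
    if DIGIT_TAIL_RE.search(handle):
        flags.append("numeric_handle")
    if campaign_share(acct["posts"], campaign_terms) >= 0.5:
        flags.append("scripted_vocabulary")
    if sum(handle in members for _, members in bursts) >= 2:
        flags.append("swarm_posting")
    return {"handle": handle, "score": len(flags), "flags": flags}


def triage(accounts, min_score=3):
    """Accounts that trip at least min_score heuristics, highest score first."""
    campaign_terms = {term for term, _ in top_terms(accounts)}
    bursts = swarm_bursts(accounts)
    scored = [score_account(h, a, campaign_terms, bursts) for h, a in accounts.items()]
    return sorted((s for s in scored if s["score"] >= min_score), key=lambda s: -s["score"])


if __name__ == "__main__":
    print("campaign vocabulary:", top_terms(SAMPLE_ACCOUNTS))
    for result in triage(SAMPLE_ACCOUNTS):
        print(result)
```

With the constructed sample the vocabulary step returns "president", "great", "job" and "thanks", and the three accounts that post that vocabulary in lockstep are flagged while the two ordinary users are not. On real data the same pipeline would run over hashtag search results pulled through the Twitter API, with the thresholds tuned against accounts already known to be genuine.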
And these trends lasted for at least 12 hours, which gives us a little hint of how these propaganda interventions work. Another message in this group is: "Hey guys, with Ariel Garbarz we formed a group where he's the administrator and tells us what to publish and at what time, so we can get our trend to always be in first place." Another user replies: "It's like you say, we used to do the same long ago with the K Youth. In a new group you have to set a day and a time, it's the best." Again, who is Ariel Garbarz? Okay, remember DC, the original member who invited me here? Well, 10 days later, another account of his tried to recruit me again. So he had probably forgotten about my account. "Hey buddy, we're making Twitter groups to install hashtags. Wanna join?" And I say, "Hey buddy, sure, go ahead." I was added once again to another "Soldiers of the National Project", 300 and something. Now, by accident, I was a member of two propaganda groups. There was a difference of six between each group ID, for example 301 and 307. Each group can have up to 50 users, 49 if you do not take into account the administrator. So 49 users multiplied by six new groups is almost 300 new users in 10 days. This is how fast these apparatuses can grow with almost no effort. Currently, according to the last group ID I managed to find, there are at least about 350 propaganda groups on Twitter alone. This gives us a total of 17,150 users. Imagine all these people; try to picture all these people tweeting five or six times a day. They can make any trend they want. Well, also, this doesn't end here. A WhatsApp group is shared with both groups I belong to, and of course hashtags are shared there too. This group is CT7. There are seven groups of around 256 users. If we count 255 users, not counting the administrator, multiplied by these seven groups, there are almost 2,000 new users here, which may be repeated. And adding them all together, we have almost 20,000 users.
Again, there may be repeated users. This doesn't end here. This group had members from the USA, Spain, the United Arab Emirates and even Germany. So upon joining, the administrator started sending hashtags. In this case, "at half past seven, we come out with $Witter." That administrator, as you may see in the leading message, is Ariel Garbarz. And that name now definitely rings a bell for you, right? So, okay, let's try to answer who Ariel Garbarz is. He's the CEO of Protección Digital, which is Digital Protection, a company which was favored with many contracts by the federal justice system and various Argentine governments. He benefited through direct awards of several state infrastructure projects. He was appointed computer attorney general for the 2017 and 2019 elections. And he's the leader of the propaganda apparatus on social networks. The Lord of the Trolls, we might say. The source of this is the newspaper Perfil, where he answered an interview. Here is a video of Ariel Garbarz instructing the trolls live. But it is in Spanish, and for time reasons I'm not going to show it here, but it will be shared on the GitHub repository, along with the slides. Obviously, since in Argentina we speak Spanish, the video is in Spanish. This was leaked on Twitter by a user. So the final diagram of the trolls, or a simplified one, is here. Ariel Garbarz acts as a leader and sends the trending topics to be installed to his coordinators, the coordinators of each group, who then share this objective with both Twitter groups and WhatsApp groups, which is then executed by the trolls. So, is this illegal? On the Twitter platform, it is against the terms of service. The Twitter safety team actively tracks and takes down state-linked propaganda groups. In our country, well, it is not. In fact, it looks suspiciously endorsed, like the Facebook rip-off social network I showed you some slides ago. What tools did I use for this chapter?
Trendinalia, Trends24.in, Botometer, Get Day Trends, the Twitter API, the Twitter Ruby gem, and my own tool, which is also in the repository, Venator.lua, for recognizing bot- or troll-like behavior. So what is the propaganda apparatus up to right now? Generating hashtags supporting the use of the government application to monitor the coronavirus outbreak. You know, the CuidAR COVID-19 application, which leads us to the next part, surveillance, or dissecting the Argentine government's coronavirus application. So this is the tracking application proposed by the Argentine Ministry of Modernization. It is mandatory by law to circulate. So if you want to leave your home, if you want to step outside your front door, you need to have this application installed. The current version is 3.3.1, but here we analyzed 1.0.2, 3.0.7 and 3.3, using the most common tools available for Android decompiling and reverse engineering. At first glance, I noticed a lot of broken functions, and reviewing the code, I found many dyslexic errors. Like, for example, "desabilitar" instead of "deshabilitar", which in English means disable. "Bonotas" instead of "botones", buttons. And this problem is repeated regardless of the decompiler used. "Númer" instead of "número", number. "Masculio" instead of "masculino", male. "Autoevaluacoin" instead of "autoevaluación", auto-evaluation, which is a critical feature of this application, the auto-evaluation module. And after digging a little bit further, I found a read-only token disclosure, which is not a vulnerability per se, but will become handy later. Insecure JSON structure creation, vulnerable to injection or manipulation, instead of using the Java-provided functions to build JSON. A reference to a long-dead product, Google Bluth. Lots of insecure and unsanitized executable calls. Really, a lot of them. And some could even lead to SQL injection. The application communicates with foreign servers, which, by our national law, is not allowed.
These servers are not really safe for storing medical data, or, well, anything. This is the map of the application. All of these assets get a grade of C, so it's not secure at all. A lot of missing security features. And privacy is also at risk. Out of a total score of 100, this application received a score of 61. There are many write operations that record PII about the device, which are in base64. Whenever you decode them, you get that this application is trying to keep track of the device ID, the build of the application itself, and the device manufacturer. Obviously, since this is an emulated device, the application was not able to extract any valid information at all. From the very first version, the possibility of permanently tracking the user was considered. As you might see, "permiso de ubicación" means location permission, and "todo el tiempo" means all the time. The application has forced updates that try to run at start-up. For example, "show force update dialog", and "device start-up" or "on boot". Also, this location tracker attempts to listen for boot events. The app tracks and asks for medical history, for example cancer, diabetes, pregnancy, cardiac, hepatic, renal and respiratory diseases, and all this data is stored abroad. Auto-evaluations are not stored client-side, but rather sent to the server. The user's location, along with his or her DNI, the national identity document number, is sent to a remote server. Again, this identification number is like the social security number for U.S. residents. If the user's evaluation returns that he or she is infected, the tracking service is activated in the background. Also, by default, the app allows backup mode, which may send private medical information to Google. Now, it's unreliable for an application to diagnose a disease, but it's even less reliable for an app to say, "okay, you're not contagious, bro." We are in a pandemic, but, hey, you're not contagious. You are safe to go.
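Two of the review steps described in this part of the talk, written out as an added Python example (editor's code, not the speaker's tooling and not taken from the application): reading the decoded AndroidManifest for the backup, background-location and boot-start settings, and decoding base64 string literals in decompiled source to see which device fields are being recorded. The manifest and the Java fragment below are constructed stand-ins modelled on the findings, not the real application's files, and the PII keyword list is an assumption.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment (not the real app's) carrying the three settings under discussion.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.tracker">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:allowBackup="true">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed decompiled-Java fragment with base64 literals, as a decompiler would print them.
SAMPLE_SOURCE = """
public class Telemetry {
    static final String K1 = "ZGV2aWNlX2lk";
    static final String K2 = "YnVpbGQ=";
    static final String K3 = "bWFudWZhY3R1cmVy";
    static final String GREETING = "aGVsbG8=";
    static final String ENDPOINT = "https://example.invalid/api";
}
"""

# Assumed keyword list: decoded values containing these are treated as device/PII field names.
PII_KEYWORDS = ("device", "build", "manufacturer", "imei", "serial", "android_id", "dni", "location")
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{6,}={0,2})"')


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(xml_text):
    """Return finding ids for backup enabled, always-on location and a boot-time receiver."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None and (_attr(app, "allowBackup") or "").lower() == "true":
        findings.append("allow_backup")            # app data eligible for cloud backup
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}
    if "android.permission.ACCESS_BACKGROUND_LOCATION" in perms:
        findings.append("background_location")     # location "all the time"
    actions = {_attr(a, "name") for a in root.iter("action")}
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and \
            "android.intent.action.BOOT_COMPLETED" in actions:
        findings.append("boot_receiver")           # component starts at device boot
    return findings


def decode_obfuscated_strings(source):
    """Decode base64-looking string literals; flag decoded values naming device/PII fields."""
    results = []
    for literal in LITERAL_RE.findall(source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue                               # plain identifier, not base64
        if not decoded.isprintable():
            continue
        pii = any(k in decoded.lower() for k in PII_KEYWORDS)
        results.append({"literal": literal, "decoded": decoded, "pii": pii})
    return results


if __name__ == "__main__":
    print("manifest findings:", audit_manifest(SAMPLE_MANIFEST))
    for item in decode_obfuscated_strings(SAMPLE_SOURCE):
        print(item)
```

Run against a real decode, the manifest check is what tells you whether the medical answers kept in app storage can leave the device through backup and whether the tracker is wired to restart on boot, and the literal decoder turns the base64 blobs the talk mentions back into the field names (device ID, build, manufacturer) so they can be matched against what the privacy policy claims is collected.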
"No sos contagioso" means in English "you're not contagious", so the app has an option or feature for that. Now, remember the last time you Googled your symptoms for anything you had. I had a slight fever, my ankle hurts, I have a headache. What was the first result that Google gave you? You know, it's probably not something good at all, or not accurate at all. Again, for example, in this snippet of code, it tries to determine if the user is not infected or not contagious. Again, you might have to see a professional, not an application. And this is not the first time we do something like this in the Argentine government. We were featured a lot of times on ProgrammingHorror on Reddit for this kind of thing. For example, this was the application that the Argentine government forces people to download when they land in Argentina to control coronavirus infections. As you can see, it's really long, and it might give you a little sample of how we work here. Now, in the first version, the 1.0.2 that I reversed, I found this string all across the code base, all across. So, who is Sergio C.? We won't disclose his full name. Who is Sergio? A possible author, a project lead. After some Google queries I landed on his personal site. He has worked on a lot of government apps before, including transport, local government, national government, healthcare, and even, now, the government's main application, Mi Argentina, which is "My Argentina". So, following the email he provided on his site, I found out that it had been leaked a good couple of times. So, this might even raise the attack surface for this kind of application. Now, what is everybody else doing? What are all our neighbors doing? All of them are dropping centralized solutions, or centralized contact tracing. But we insist on keeping this model, on pushing this model forward. And so, to close this chapter, this application was launched without publishing an audit report or penetration test.
And it isn't HIPAA compliant, not at all. This is especially serious knowing that it handles medical information and sends it to servers abroad. Now, ask yourself, please, what would happen if you developed an application of this poor quality for your company? Let's jump to the conclusions and questions and answers. Although it might seem obvious for us who are techies, geeks, hackers or whatever: always inform yourself through professional, neutral and verified sources. They are not easy to get, and again, it may seem obvious to us, but not to the rest of the world out there. And so, if a topic or a phrase is trending, it does not mean that it is real or that it automatically represents the thinking of the majority, right? Every day, somewhere, and at all times, there are groups of people and machines designed to install biased thoughts and debates in society. Surveillance and monitoring of citizens create systematic abuses against freedom of expression, especially in digital media and, obviously, especially in Argentina. You have seen some examples in this talk. Investing thousands in technology and applications after neglecting the health infrastructure is not the solution. An expensive app does not replace a doctor at all. You can get in touch with me on Telegram or GitHub, where I'll share the slides and the video that I didn't have the time to play, and feel free to follow me on Twitter at Mauro Eldridge; as you may see, I have a few followers, since I'm not into trolls, actually. I really hope you enjoyed this talk, and if you have any questions I'm glad to help you and to answer. So, please feel free to drop in and ask whatever you like. Thanks for watching this, and I hope to see you again next year.