Hi everybody. Welcome back. Thank you for staying with us. We changed mods, so today for the next five talks I'll be moderating. Thank you again. So now we're going to have Etienne Maynier talk about defending human rights in the age of targeted attacks. Etienne Maynier is a security researcher and activist working in the Amnesty Tech team on digital surveillance of human rights defenders. He enjoys political discussions, weird malware tricks, hummus, and hates illeism, which is the act of talking about oneself in the third person. So thank you, and enjoy the talk.

Hi everyone. It's great to be here. I'm sad I couldn't be with all of you in Montreal, but thanks to the Amnesty Tech team for doing all the work to make this happen. I'm going to share my screen and hopefully you are going to see slides in a bit. It should work now.

So I am Etienne Maynier. I'm working for Amnesty Tech. I'm a security researcher. I'm also a research fellow at the Citizen Lab. Basically I worked in the industry for some years before moving to this kind of security research. So before getting into the work I do with my colleagues at Amnesty Tech, just a few words about the security industry. When I started working 10 years ago, APT was not even a thing. Defensive security was not really taken seriously. The cool people at the conferences were pentesters. Of course you had a few people looking at IDSes, but targeted attacks were not yet a thing, and so it was not really serious. I think one of the events that changed that a bit was the Aurora attack in 2010, when basically Google said "we were hacked by targeted attacks by a Chinese-attributed group." That was one of the events that revealed that targeted attacks were a thing. After that a lot of companies started to openly say that they were hacked, or more often would not say it, but journalists would still publish about it, because everyone was kind of shy about that.
But it created quite a big change in the security industry. Looking back at this 10 years later, the security landscape is pretty different. We now have a lot of people working in threat intelligence and intrusion detection. We have way more tools and services; passive DNS, for instance, was nonexistent 10 years ago. The industry has evolved to basically change the market and the people working in it; you now have conferences dedicated to that, and even here a good part of the talks are about defensive security. So in the industry now, if you work for any large company, it's very likely that your company has some boxes to analyze every email, especially attached files entering the network, boxes to analyze all network traffic going out of the network, and so on.

If we look now at what's happening for human rights defenders, one thing we know is that the same attackers that target industry and governments also target human rights defenders. One example of that: a month ago the threat team at Google published an interesting blog post about APT28, also called Sandworm, which is this Russian-attributed group, and the evolution of their targets. If you look at the list you see a few companies, automotive, finance, real estate, a lot of government organizations, especially in Ukraine in the context of the annexation of Crimea. But you also see several organizations that are clearly defending human rights: anti-corruption organizations, charities, LGBTQI, media. So now we have a lot of evidence that the same groups that target companies and governments also target human rights defenders. But the defensive security for human rights defenders, the digital security, is a completely different question.
Of course there are a few large organizations like Amnesty, Human Rights Watch and a few others that are kind of organized like companies, and to them the tools and services that the industry has are definitely also available, even though they are often underfunded compared to a company of the same size, for instance. But human rights defenders are actually mostly individuals and small organizations. And for them it's really hard, because first they are already at risk. They are often threatened, sometimes physically; they are often doing their work in very hard conditions, in a very hard situation. Let's think about freelance journalists covering corruption. Let's think about lawyers fighting for human rights in some countries. So the technology is adding another layer of threat to them, and the impact of a compromise would be huge. For instance they could be jailed, they could be killed, or some people they work with could be arrested or killed or forced to leave the country, for instance sources of journalists and things like that. And if we look at the likelihood, at the same time they do not have access to the digital security or even the funding that people in companies would have. For instance, often they have limited technical skills. Some people are definitely more tech savvy, but they don't have easy access to people supporting them technically, and they often have limited funding, to a point that just buying an Android phone that's up to date could be challenging.

So I'm working at Amnesty International. I guess a lot of you have heard of or seen this logo. Amnesty is a human rights organization that started in the 60s in London, at first to fight against the imprisonment of political opponents, and then started to tackle more and more other human rights issues. Now Amnesty International is a large organization tackling human rights everywhere in the world.
Some years ago it became obvious for some people at Amnesty that technology was becoming a human rights question too. First because technology is changing society in a way that can create human rights issues. An example of that is an interesting work done by some of my colleagues last year called Surveillance Giants, looking at how the business model of Google and Facebook, by gathering private information about billions of people, creates human rights issues. So that was one aspect of it, all the questions about the change in society, artificial intelligence and so on. But Amnesty is also doing a lot of work to support human rights defenders directly, in a lot of different ways: it could be legal support, it could be funding, it could be a lot of things. And in that work there is also the fact that human rights defenders more and more are facing digital surveillance as a threat. So there is now another part of the team, in which I am, and we are investigating targeted attacks against human rights defenders. For that we have what we call the Security Lab, which is a group of people in different places over the world doing technical investigations; we do investigations, digital security support, and try to develop tools and technology and share that knowledge.

So I'm going to go quickly through two examples of reports we published over the past year that I think are two different examples that are interesting and complementary. The first one is about attacks against Uzbekistan human rights defenders. Uzbekistan, you may know, is this country in Central Asia, a former Soviet country. There are a lot of questions about human rights abuses in Uzbekistan; Amnesty and other organizations have raised the issue of forced labor, of torture, of a lot of repression of human rights defenders.
One thing to point out about Uzbekistan: because of this threat intelligence industry in which we are, there are some countries that are researched a lot, Russia, Iran, China, but some other countries are definitely not researched that much, and Uzbekistan is one of these countries where we had very little information about the surveillance there until a few years ago. That has changed quite a bit because of a few reports I'm going to talk about, but also now we know that they were a customer of Hacking Team, for instance, and Kaspersky has done some work on the group they call SandCat that is attributed to the state services. So we now have a bit more information about that.

The first work by Amnesty on actual digital surveillance was this report, We Will Find You, Anywhere, in 2017, and if you have the chance to have a look at it, I think it's a very good example of how the impact of targeted attacks is very different for human rights defenders. One of the testimonies in this report is from a journalist who created an independent online media trying to cover Uzbekistan, called Uznews.net. She was actually hacked: her mailbox was hacked and the emails were released online, and that created a lot of trouble for several people in Uzbekistan who were anonymously working with her from Uzbekistan, to a point that several of them had to leave the country and go into exile. One person in exile from this report is even talking about how he's not even calling his family within Uzbekistan, because he's afraid that, because of digital surveillance, he would put them at risk of retaliation. So it shows first that this kind of attack was already there quite a few years ago (the attack I'm mentioning is from 2014), but it also clearly shows this big difference between what the impact is for the industry and what the impact is for human rights defenders.
Two years ago, in late 2018, I was working for a non-profit called eQualit.ie, which is protecting websites of political organizations, and I was actually doing investigations on these attacks. Somewhere in December I found this weird IP address doing a lot of web scans, pretty basic WordPress scans, these kinds of things. What I found was that this one IP was actually used as a proxy to target a lot of websites, and pretty much all of them were related to Uzbekistan. By digging more, it appeared that there was a coordinated attack for two to three years, using a few IP addresses that were doing a lot of web scans but also hosted phishing domains, and used these phishing domains and phishing emails against several human rights defenders from Uzbekistan. So that was interesting for me, first work on the attacks from this country, but what's also interesting is that this campaign had been running for at least two to three years without being researched at all by anyone, or without anyone reporting about it, which is another point about how under-researched some countries are.

Last year, when I joined Amnesty, we started to track this campaign, see what's happening, see the changes in infrastructure, and we found a few things. We found that the campaign continued through a lot of phishing, but also we found more malware, so I'm going to go quickly through the different bits and pieces of it. The first one was a lot of phishing, like a lot of phishing, more than 70 domains I think. At first it was pretty basic, it was mostly a fake login page, which is what you see most of the time in phishing, but in May or June last year we saw them change to use a more complex phishing framework instead, and this phishing tool, instead of just copying the page, would act as a relay between the victim and Google.
It's pretty obvious when you find the domain. You see this one, which is one of the domains from the campaign, and when you interact with it you basically can interact with all the Google services, because it's acting as a reverse proxy. This has one interest, which is that it can bypass most forms of two-factor authentication. For instance, when you log in, you put your login and password, then you get this code by text message, and when you enter the code it would actually work, because the code would be sent by the attacker to the real Google server, and the Google server would give an authorization token that would be recorded by the attacker, who would get access to your account. This is not new; it was discussed quite a bit in 2016 in the security community, and there are a few open source tools out there to do that, but since mostly mid-2018 I would say we have started to see this used more and more in the wild. Actually my colleagues have written a report in December 2018 on a completely different group using the same kind of technique. So the only thing that protects against this is the target using hardware keys, because the keys would check the domain before putting any token in it. So we are now recommending more and more to human rights defenders to use this kind of YubiKey and all these hardware keys, even though we know it can be hard to use, especially for less technical people.

We also found some Windows malware, nothing really fancy. The Windows malware was a backdoored Telegram Desktop with a few tools taken from open source RATs, and then some VBS scripts to gather the passwords, the cookies, the screenshots, and send them to a remote server. So it was pretty simple and not very complex. And same for the Android malware: actually it was a fork of an open source malware, and the only difference was that instead of having the C2 hard coded it was actually querying a Twitter profile, and this weird string you see in the profile is actually an encoded C2 domain.
One interesting thing is that during this investigation we found one folder, an open index completely openly available, with a lot of HTML files, and these were actually templates of phishing emails that included, for some of them at least, the target. That way we were able to identify several human rights defenders targeted and reach out to them. So this was one of the examples; you can see it was not very complex technically, whereas the second one I'm going to go through is definitely more evolved, and I will talk a bit later about this difference.

Last year some of my colleagues did a lot of research in Morocco and identified several human rights defenders targeted by malicious attacks using NSO Group malware. You may have heard about NSO Group: it's an Israeli company selling malware to governments. So we identified two different human rights defenders. One is Abdessadak El Bouchattaoui, who is a lawyer; it's especially interesting because he's doing the legal defense of several protesters that were involved in large protests in the north of Morocco. The second human rights defender is Maati Monjib, who is a historian but also co-created an organization for the freedom of the press. Between 2017 and 2018 we identified several text messages that were sent to them as an attack, and the link was related to the exploitation infrastructure of NSO Group. So if they had clicked on it, it would have exploited their browser with a zero-day and their phone with a zero-day, and infected their phone with the malware called Pegasus that NSO Group is selling, that basically would wiretap and record everything happening on their phone and send it to a remote server. We know that because in 2018 an Amnesty International staff member was actually targeted by a similar attack, and when my colleagues discovered that, they did a lot of work to investigate the infrastructure and were able to find a link between this 2018 NSO
infrastructure to deliver exploits and the same attacks we saw targeting Moroccan activists. But from 2018 we started to see a different kind of attack: instead of doing text messages it used network injections. So network injection, how it works: basically when the phone would connect to a clear-text web page through HTTP, there is an element somewhere in the network that would redirect to the exploit link, and so the exploit page would be loaded by the browser, the browser would be exploited, and the phone would be compromised. It's a tool we know is sold by several companies including NSO Group, and it's a way also to convert a one-click attack, like the text message, into a zero-click attack. So we do not have technical evidence that this is NSO Group, but it makes complete sense, because NSO Group was already used to attack them just before, and they were very likely compromised by actually the same NSO Group tool.

So a few words about NSO Group. NSO Group is an Israeli company selling malware to governments, officially to fight against terrorism, but we have a lot of evidence that it has been used to target human rights defenders again and again. Just a few examples of that: the Citizen Lab released a report in 2016 showing that it was used to attack a UAE human rights defender called Ahmed Mansoor, who is actually now in jail; several activists in Mexico were also targeted by that same tool; several people close to Jamal Khashoggi were actually spied on by this tool before he was killed; and we even learned a few months ago that one of the NSO employees used this tool to target a woman he was into some years ago. So basically every few months we learn of a new case where this was used to target activists and journalists everywhere. There are several legal actions against NSO Group today; one of them, for instance, is WhatsApp suing NSO because of the hack they did of the platform, and Amnesty
International is actually supporting a legal action in Israel, where we take the Israeli Ministry of Defense to court, where we ask to revoke the export license. The export license is a document that allows NSO Group to sell their tools outside of Israel, so we hope to stop that.

So, about lessons learned, a few things. The first one is that most attacks we see are not technically complex, and they are actually way closer to the Uzbekistan case I showed you than the Moroccan case I showed you. There are a lot of discussions in the security community about zero-days, very complex and advanced attacks, and I think they're legitimate, but way too often we tend to dismiss the attacks that aren't complex, even though they create a big security issue for a lot of human rights defenders in the world. An example of that is that people are still hacked in 2020 by malicious macros in Word documents, which is a problem we have known for 15 years or maybe even more than that, and still this is actually an issue for a lot of people; people get compromised daily by these kinds of attacks. So I think we have an issue on that in the security community, that we focus too much on the cool new fancy things and not enough on a lot of simple attacks that are actually a big issue. Another lesson is that some political contexts are under-researched: there is a lot of research done on some countries, China, Russia, Iran, and this is because of an alignment, I guess, of some government interests and some company interests, but there are a lot of countries in which we know very little, and that's an issue, because it's very hard to support human rights defenders from these attacks without having knowledge of what's happening. And the last thing is that human rights defenders are not reading threat reports. If you work in a company now, if I publish tomorrow a threat report with a list of malicious domains, it's very likely that these domains will end up in a
threat feed somewhere that will be pulled more or less automatically onto some device on your network, and these domains will be blocked. So publishing something directly often means increasing the security of companies. This is not working at all for human rights defenders. For it to work you need to have some people knowing the threats and converting that into direct digital security support to them: helping them to change their hardware, the way they deal with their websites, doing digital security training, doing long-term support, all this. This has to work through a chain of people who can convert the knowledge we have about attacks into something that can directly help human rights defenders.

So to work on that, we are trying to find some ways to improve incident detection for human rights defenders. One thing we realized is that for forensics, for instance, we cannot really use the cold forensics that's traditionally used in the industry, because we don't always have access to the hard drive, and even if we do, we don't really want to make a complete copy of the hard drive and then take it, because that's access to too much data. So we have worked on a methodology to do live forensics and at least find ways to catch the low-hanging fruit: check running processes, check autoruns, and hope that this is becoming more common, because a lot of attacks are not that complex and can actually be caught quite easily if you know what to look for. To help with that, my colleague Claudio Guarnieri has developed several tools. One of them is Snoopdroid, which is a command-line tool to pull APKs from an Android phone so you can analyze the APKs, and this one is called Snoopdigg, which is basically pulling all the interesting information from a system so you can analyze it later on.

So I think I have a few minutes, and I would like to use these few minutes to talk a bit more broadly about the issue of technology and human rights. When I started playing with technology, and I
think like some of you, in the nineties, it was pretty different. For one, the internet was way less connected with the rest of society, so you could basically use the internet as a playground to learn and fail sometimes without that much risk. But also the internet was bringing a lot of hope into creating more openness and democracy in our societies; I mean, Wikipedia was there and everything. Looking back at this from now, it feels pretty different. First to see how the internet is connected to everything: you can tweet today and create so much trouble with tweets, not even talking about hacking a server. But also, with the internet and technology, it feels that we are jumping a bit more every day into some kind of dystopia. So clearly technology reflects society's issues, and in a lot of places our societies are not doing very well these days. But this clearly shows that technology is political, and so as technologists, developers, hackers, we have a political role to play in that. Often we did not get into technology thinking about that, but we are the best people both to understand how the technology can go wrong and to decide how it can be done, or how it will be done. And a lot of people don't want technologists to take political positions. An example of that is Hacking Team, which was organized in a way that there were two different floors, one for the management and one for the technologists, so that the people building the technology would not know how it was used, so that they could not have ethical questions. Maybe they didn't want to, but there was a conscious decision to avoid that. I think as technologists we have to jump into this discussion now and be clear that we cannot build technology without having the ethical discussion that should go with it.

So what can we do better? Of course there are a lot of answers there; I'm going to go through just two of my interesting questions. The first one
is that just saying "don't be evil" is clearly not enough. We have learned that a lot, and good intentions don't lead to good actions. Saying "don't be evil" doesn't help if you don't look at the consequences of what you do. The first thing that I think is important is considering users at risk when we develop technology, and for that product design makes a lot of difference. When I talk about users at risk, of course there are human rights defenders, activists, journalists, clearly, and I'm kind of sad to see again and again people fighting with, for instance, bad abuse processes in big companies that treat journalists or media websites and small businesses in the same way. But also, way too often, women, gender non-conforming people, LGBTQI people are actually users at risk online, especially considering harassment, and harassment is clearly due to a lot of decisions in product design. So I think we really should consider those consequences when we build technology.

The last thing is, if I go back to this more specific topic I work on, which is targeted attacks against human rights defenders: we need to know more about what's happening, and in many cases some people doing research on these attacks end up finding information about journalists or activists targeted but won't do anything with it. I get that there are a lot of cases where people don't have time, or there is too much pressure, or it's not very interesting for the company, or it's not a big focus, but all this information becomes completely useless, while in a lot of cases it could be so useful to help human rights defenders be better protected. So I think we really need to improve that kind of connection, to make sure that there are ways to share information about attacked human rights defenders and find ways to use that information in a better way to improve their security.

So that was my talk. I think I'm ready for questions; I'm trying to take them, or you can of course reach out to me
online, either on Twitter or by email, later on.

Okay, thank you very much. I do agree technology is political, we have to consider this. It's nice to have a talk that is a little bit more light in the middle of the day. We do have a few questions here; don't hesitate to ask more, people, if you have some. The first question was: how do you decide which groups of people to help? Like, how do they contact you, how do you know? Yeah, if you could tell us a little bit more about that.

So I think within Amnesty it depends on a lot of things. Amnesty is a large organization, and there are sections in many countries and researchers working on human rights issues, so it could be either quite opportunistic, someone is reaching out to us to ask for help; it can also be that in some specific region there is an interest in doing more research there, and so it can be more organized research to try to look at what's happening and discover some surveillance issues. There are also other organizations working on some contexts, so sometimes we just redirect to an organization that's better suited to help in the region. Yeah, I think it's a mix of all that.

Okay, good. Do you have like an email that organizations can contact you at directly and ask for help? Like, is it easy to find you guys?

Yes. You can contact me; we don't have an email that we give publicly, because we're a bit afraid of being overflowed with too many emails, but you can definitely contact me or some people on my team and find us pretty easily online. We have a website where you can also find information about us.

Okay, so people, get in touch if you have anything interesting, you know. Good. A second question: are there any specific types of attack that Amnesty Tech thinks will become significant going forward that you'd like the audience to be aware of?

So yes, I can say a few things. I think what I mentioned about bypassing two-factor authentication in
phishing attacks, I think this will be kind of by default now; we're expecting most groups doing phishing now to be able to bypass most forms of two-factor authentication besides hardware keys. I think also we had several cases over the past year to see more attacks against smartphones, and some attacks are using zero-days, but we also had several cases of attacks against civil society with "old days", basically using bugs in Android that were fixed like a month ago, and because very few people actually have an Android that is up to date, this actually works. So I think this kind of attack on smartphones is also going to increase, some with zero-days, but a lot of them just with old days, because the Android ecosystem is not working very well for that.

Makes sense, and if you consider as well the digital divide sometimes.

Yeah, it's a massive issue. Like, the discussions we have a lot in the community are about the zero-days on iPhones that are updated, but the large part of the planet is having cheap Android phones that are never up to date for like years, and that's a big problem.

I agree. Okay, third question: what quick wins or tips could you give to an organization like these trying to first build their defenses? Where to start?

Well, I think there is a first question, which is working on understanding the threats you have. The focus here in my presentation was a lot on targeted attacks; depending on your organization it may or may not be a big issue for you. We also see websites being hacked; you also have to consider physical surveillance, you can have phone tapping; you have to consider all the different types of surveillance you can face and find solutions, and based on that you can start to build a strategy, and then it can go in a lot of directions depending on what you have. I think on the question of specifically targeted attacks, two-factor authentication is making such a big difference, and if you can use hardware keys to protect
your mailbox, for instance, like Google has said, we have not seen any successful phishing attempts since we have done that. So on phishing specifically that's really helpful. And then the problem of malware in general is a bit harder to tackle, especially if you're a journalist. It's very easy to say "don't open attached files from people you don't know", but that's not very realistic for journalists, so then you have to find other ways to do that, maybe having a machine just to open them, these kinds of things.

There's also probably difficulties if you're in the country and you figure out that you've been spied on by your government. Like, you do want to take measures to not be spied on, but at the same time legally you see that you're in trouble potentially. Like, do they sometimes contact you for legal advice too? So what are their options, like, do they need to flee a country or so?

Yes, there can be some legal advice within Amnesty, which is outside of my team, but there are definitely a lot of lawyers within Amnesty. Really the question is way different if you are within the country or outside of the country. If you're outside of the country, I think targeted attacks are more of an issue, because it's one of the few ways you can actually be targeted. If you are within the country, then there are already a lot of things that can be done without getting into that, for instance tapping phone calls, geolocating your phones, and also just physical surveillance. Sometimes I talk with people who are at risk and have something weird happening to them, and the answer is more likely to be something kind of less technical, like tapping phone calls; that's very classical and most states have a way to do that, more than targeted attacks, even though targeted attacks are quite common.

I see. Good. We'll have time for one last question, asked by an anonymous person again: how can NGOs and other politically inclined organizations or low-funded organizations hope to deal with the very rapid pace of technology,
like, should they have a cooperation model or anything of that sort that could help them be together and move forward? I guess that's the question.

Okay, that's a very broad question, and I don't know if I can give an answer to just summarize what you should do. Yeah, I think it really depends on what the organization is doing. I think for activists and defenders, a lot of people just started very early to use social networks, for instance, social media, because it was the right way to connect to people.

But do you see them organize and cooperate together, like for example journalists from different countries facing not the same threats but in the end...?

Yeah, I think there are more and more collaborations, especially on digital security, and there are more and more networks of people facing the same threats. What I also think is that some people stay outside of these networks just because they may not know that they exist, and so one of the problems with these networks is that they are working pretty well, but some people may be completely screwed without us really knowing it. So one of the things we're trying to do is definitely to reach out to more people outside of these networks we know, especially people fighting new fights, for instance indigenous fights, environmental fights that are happening everywhere. I don't know how much these groups are connected with these traditional existing digital security networks.

I agree. Cool, well, that's it for today. Would you like to say anything else, or no?

Thanks a lot for having me, and feel free to contact me anywhere on the internet, and hope to see you in Montreal at some point, hopefully.

Thank you very much. We'll give the audience a 10 minute break, and then we'll be talking about DMA attacks.
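The reverse-proxy phishing relay described in the talk, and the domain check it credits hardware keys with, modelled as an added example (this is not code from the talk, from Amnesty Tech, or from any tool named on the page). The origins, the credentials and the texted one-time code are constructed, and an HMAC over the client data stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins: the real login page and an attacker lookalike that proxies it.
REAL_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts.example.com.login-check.example"


class HardwareKey:
    """Stand-in for a U2F/FIDO key: it signs over the origin the browser reports.
    An HMAC secret replaces the real device's key pair (simplification)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, origin):
        client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "sig": sig}


class RelyingParty:
    """The real service. The second factor is either a texted code or a key assertion."""

    def __init__(self, password, otp_code):
        self.password = password
        self.otp_code = otp_code      # constructed: the code the victim receives by text message
        self.key_secret = None        # set at key registration (the public key in real FIDO)
        self.pending = set()          # outstanding login challenges
        self.sessions = set()         # issued session tokens

    def register_key(self, key):
        self.key_secret = key.secret

    def begin_login(self, password):
        if not hmac.compare_digest(password, self.password):
            return None
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def _issue_session(self, challenge):
        self.pending.remove(challenge)
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def finish_with_otp(self, challenge, code):
        # The code says nothing about where the user typed it, so a relay passes it through.
        if challenge in self.pending and hmac.compare_digest(code, self.otp_code):
            return self._issue_session(challenge)
        return None

    def finish_with_key(self, challenge, assertion):
        data = json.loads(assertion["client_data"])
        if challenge not in self.pending or data["challenge"] != challenge:
            return None
        # Origin binding: an assertion made on the lookalike page is rejected even if it verifies.
        if data["origin"] != REAL_ORIGIN:
            return None
        expected = hmac.new(self.key_secret, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return None
        return self._issue_session(challenge)


def complete_login(page_origin, second_factor):
    """The victim logs in on a page served from page_origin: the real site, or the proxy
    lookalike that forwards password and second factor to the real site unchanged.
    Returns True if whoever serves that page ends up holding a valid session token."""
    rp = RelyingParty(password="correct-horse", otp_code="482913")  # constructed credentials
    key = HardwareKey()
    rp.register_key(key)
    challenge = rp.begin_login("correct-horse")  # proxy forwards the password as typed
    if second_factor == "otp":
        # The victim types the texted code into the page; the proxy forwards it as is.
        token = rp.finish_with_otp(challenge, rp.otp_code)
    else:
        # The browser hands the key the page's actual origin, not the one the page imitates.
        token = rp.finish_with_key(challenge, key.sign(challenge, page_origin))
    return token in rp.sessions


if __name__ == "__main__":
    print("OTP through the proxy, relay holds a session:", complete_login(PHISH_ORIGIN, "otp"))
    print("Key through the proxy, relay holds a session:", complete_login(PHISH_ORIGIN, "key"))
    print("Key on the real site, login succeeds:", complete_login(REAL_ORIGIN, "key"))
```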