As Tix just said, I'm going to talk to you about a little bit of the background on how we formed this group back in Tijuana, Mexico. We are from DC664, that's the area code for Tijuana. And next slide, please. Okay, so a little bit about myself is, well, my real name is Juan. I'm the co-founder of this group along with my other partner. He wasn't able to make it to this little session. But we both started working together on what I'm going to present to you guys. And we both decided to start this group. I've worked everything from help desk to security or intelligence consultant for the government here in Mexico. And I think that's pretty much the only irrelevant thing about me for now, right? If you ever come down to Tijuana, feel free to give us a call or send us an email. And we'll set you up with a couple of cool places to drink once this COVID thing is over. Next slide, okay.

So the purpose of this presentation or this small talk is just to give you an outline of three things, right? Like why did we go into surveillance? What we did and, well, what went wrong? Next slide, please. Okay, so why surveillance? Next slide.

Okay, so we thought that we wanted to make a difference, right? But we didn't want to do it the stupid way. So we didn't want to get really involved in anything that had to do with narcos or with, I don't know, human trafficking. We wanted to start with something, let's say, simple. So one of the states here in Mexico had a problem with foreign criminal bands coming overseas and smuggling sea cucumbers. And we thought, well, that's simple enough. We might get that working. And what we had to do was really simple, right? We had to find the government official that was working with that state government. And there was also an inside man for that criminal organization. We just had to find out who it was. And it should have been real simple.
The thing was that we could not use either Hacking Team's system or FinFisher's system because I'm speaking of something that happened at around 2015, right? So that's around the FinFisher and Hacking Team leaks. So we were limited on that end. So we had to develop something new. Next slide, please.

Okay, so what we had for that was that we had one higher-up personnel, let's say a manager for the IT department inside the government. We had also one person for field operations who was ex-military. And we also had a house, just an abandoned house that no one really knew about. And we also had a fake phone repair joint that was set up. The other thing that we had was a pentester, that was really me and my partner who co-founded this DEF CON group, who used to work for the federal government operating Hacking Team's platform, the RCS platform. The other thing that we had to our advantage was that Hacking Team had just been hacked themselves. So we had all their source code and demos and documentation on WikiLeaks that we could consult. Next slide, please.

Yep, but what we didn't have was money, right? So this was just a small kind of black ops operation. It was really just about 10 people that were in on it due to the governor's orders, per se. But there wasn't really any big budget, right? Because the former two programs with FinFisher and Hacking Team had just been burned. So next slide, please.

Okay, here's what we did. Next slide. We went through all the Hacking Team leaked information on WikiLeaks and we went through a ton of DEF CON videos on YouTube. The other thing that we had to do was drink a lot because we usually met at bars, and we slept very little because it was just overnight. Everything we did was just working overnight, and we had enough budget just to buy some Toughbooks, two of them, and two sets of omnidirectional antennas and some Alfa adapters. Next slide, please. Okay, so the tools that we worked with are these.
These are the main ones. I mean, everything just works great. I haven't used them in a while, but this was what we were using back in 2015, 2016. So it was pretty much the man-in-the-middle framework. We used the Backdoor Factory from Joshua Pitts. We used Platypus for generating some backdoor applications for Mac OS. We also used the Browser Exploitation Framework and Metasploit because it just made command and control easier. And we also used Fluxion for gaining access into the wireless networks whenever needed, because it wasn't really that necessary since we already had someone working on the inside of the government's network. Next slide, please.

Yeah, okay. So what we did was we worked on four phases, right? We had phase one, we had to gain access to the network. That was easy. We already had someone in there. If not, then we could use Fluxion. Then we would use just the man-in-the-middle framework to intercept their communications or their networking activities. Then we would just send out some payloads to infect their PCs. And then we would just go through all the information to see if anyone was communicating with non-government or with any foreign actor. Next slide, please.

Okay, so the first thing that we did to gain access was using Fluxion. We used the deauthentication attack. So pretty much knocking down the legit AP. Next slide, please. Okay, so after that, we would just gather the handshake. And then what Fluxion helps you out with is that if you create a login page for one of the local providers, in our case, companies called Telnor, Telmex, Telcel, just our local carriers, we did some legit login screens for that. And we asked the users to input their WPA key and then validated it against what we had captured during the deauth attack. Next slide, please. And after that, we just stopped the deauthentication attack and we logged into the legit AP. Next slide, please. Then after that, I'm going to leave you with a link.
In case these slides are shared, I can leave you with a link to the video where we showcase how we modified some stuff on BeEF to send out, well, basically what we did here was drop SSL for the local newspapers. And then we would request the user to update Chrome. We would send out infected HTA files. But if that failed, what we would do is we found a Google Chrome update website or a server that wasn't using HSTS. So what we did was, using the Backdoor Factory, we would request the user to go to the Chrome website that we found, download it from there, and just decrypt and infect it on the backend. And you can see that process in the video. It was really simple. Once we got to automating the BeEF part through JavaScript, it was really working wonderfully. And we couldn't believe that it was all open source and all the things that the community was putting out there. It was just really great. Next slide, please.

The thing we did there was that we also set up some sort of recognition so that if we recognized that you were using something like Safari through BeEF, then we would ask you to update your Flash Player or anything Adobe related, because Adobe wasn't using HSTS at the time. So we could just drop down the encryption and then do the same thing, either infect it on the go or we would use Platypus to serve a backdoored OSX format application. Then again, that's right there on our slide.

So what went wrong? Next slide, please. Pretty much all of it. I mean, there was no follow-through on the gathered information, which was a lot. Besides this, we also intercepted SIP calls. We used the SSL export vulnerability from Chrome to gather their private keys and then load them up in Wireshark to decrypt the traffic that we had caught over a course of weeks or two weeks. But the thing was that it was a lot of information. The team was really small. There was really no follow-through.
Some target selection seemed like it was really personal and it wasn't really official. Like, we couldn't see anything that would point us to the fact that maybe they were working with a foreign actor, and some targets were not government related as they stipulated at the beginning, right? Some were reporters or civilians or the house cleaning personnel. We thought it wasn't getting the proper usage and that's why we decided to just kill everything off. The thing was that this wasn't necessarily on, let's say, higher government's orders. It seemed more to be a problem with their middle management, right? So the guys that hired us, they were the ones that were doing this, this misuse of false information that we really worked hard on and that we were getting some great results with. Next slide, please.

And if we were to flash forward two years, well, that same misuse of interception systems really came to shine on the news, right? They started working with NSO and they really started just blasting people with BAM SMS. So again, you can see that they were tracking everyone, right? Presidential candidates, reporters, human rights people.