
Mobile #Infosec hackathon for journalists(2)


Hackathon for Journalists in Brussels on Feb 4th.



  2. #INFOSEC HACKATHON FOR JOURNALISTS #HackForJournalism
     Tanja Drca | CCO at Necunos | Mobile Security Enthusiast, Engineer | @tanjadrca @necunoscom
     WELCOME TO THE ERA OF THE HIGHLY RESOURCED MOBILE INFRASTRUCTURE ATTACKS
  4. INTRODUCING THE MOST SOPHISTICATED SPYWARE EVER KNOWN: PEGASUS.
     Material based on:
     1. The Pegasus product description by the vendor, NSO Group, sent via email to the Italian surveillance malware vendor Hacking Team. The leaked email, with the attached file, was released on WikiLeaks on July 8th 2015 along with more than 1 million other Hacking Team emails.
     2. The Citizen Lab 'Targeted Threats' research, a 10-part series on the abuse of NSO Group's spyware. Referenced materials are collected from published reports on The Citizen Lab's web page.
     3. Lookout, Technical Analysis of Pegasus Spyware: An Investigation Into Highly Sophisticated Espionage Software.
     Capabilities as described in the material above:
     - Range-free installation
     - No phishing needed
     - Impossible to detect by the target
     - Self-destructive
     - Full data collection
     - Resilient to the 'burner' method
  5. INTRODUCING THE MOST SOPHISTICATED SPYWARE EVER KNOWN: PEGASUS. (Material: 8, 9)
     HAS A "LITTLE SISTER": KARMA
     - Born in 2009 in the UAE
     - No phishing needed
     - Used an undisclosed vulnerability in Apple's iMessage software
     - In 2016-2017 used against hundreds of targets across the Middle East
     - Used by the UAE's Project "Raven", according to the Reuters Investigates report published on Jan 30th
     - Reported targets included:
       - "The Iron Woman of Yemen", Tawakkol Karman
       - Qatar's Emir Sheikh Tamim bin Hamad al-Thani
       - Hundreds of prominent Middle East political figures and activists across the region and, in some cases, Europe
  6. SHARE KNOWLEDGE AND EXPERIENCE, DEBATE, ANALYZE, LEARN, HACK
  7. #INFOSEC HACKATHON FOR JOURNALISTS
     - 09:15 PLENARY: #INFOSEC FOR JOURNALISTS
     - 09:25 What is FOSS (Free and Open Source Software) and why is it important for journalists?
     - 09:40 Security tools that you use today and why they aren't enough, with the Perugia Principles
     - 09:50 The Necunos solution is simple, powerful and extremely hard to make.
  8. WHAT IS FOSS? FREE AND OPEN SOURCE SOFTWARE - OR HARDWARE. FREE AS IN FREEDOM (FSF.ORG)
     We are free to:
     - Access the source code
     - Run the program as we wish, for any purpose
     - Study and change how the program works
     - Redistribute copies of the original, or modified versions
     The term "free" indicates that the software does not have constraints on copyrights.
  9. FOSS ≠ OPEN SOURCE
     Source code is released under a license in which the copyright holder grants us the rights to..
     FOSS benefits:
     - Personal control, customization and freedom
     - Privacy and security
     - Low costs or no costs
     - Quality, collaboration and efficiency
     Open Source-based: Android and WordPress
  10. PROPRIETARY, CLOSED SYSTEMS
     Prohibit users from studying, changing and sharing the software with others.
     - Licenses
     - Closed code
     - 3rd party corporations
     SO, WHY SHOULD YOU CARE? (Why) Is FOSS important for journalists?
     - FOSS represents the 'civil rights' of the tech world.
     - It allows us to create transparent, secure tools which are not controlled by large corporations and their interests.
     - It supports collaboration, freedom of speech and knowledge.
  11. SECURITY TOOLS JOURNALISTS USE TODAY AND WHY THEY ALONE AREN'T ENOUGH
     ENCRYPTION: chats, emails, instant messaging, hard drive.
     - Technical limitations:
       - Key management in memory
       - ≠ anonymity
       - Metadata not encrypted
     - Operational limitations:
       - Usability issues
       - Digital divide
     ANONYMITY: TOR, SecureDrop, Tails.
     - Technical limitations:
       - Web vulnerabilities
       - Execution on mobile devices
     - Operational limitations:
       - Source verification
       - Usability issues
       - Interference with journalism
     NON-TECHNICAL STRATEGIES: face-to-face, not using smart devices.
     - Technical limitations:
       - No technology ≠ safe from it
       - Time limit?
  13. ARE JOURNALISTS FUTURE #INFOSEC PROFESSIONALS?
     Blueprint for Free Speech has launched a new report outlining how journalists can work responsibly to safeguard whistleblowers: 12 PRINCIPLES FOR WORKING WITH WHISTLEBLOWERS IN THE DIGITAL AGE.
     - #2 Provide safe ways for sources to make 'first contact' with you, where possible.
     - #3 Take responsibility for your digital defense and use encryption. Even though encryption may not completely defend your source, it offers important first-line protection.
       What are your other options? What's second-line protection? Is security source-driven?
     - #7 Explain the risks of digital exposure.. ..train your whistleblowers in basic digital security.
       How big is your overall picture of digital security?
     - #10 ..ensure any digital drop boxes for confidential sources and whistleblowers.. ..offer a good level of security, and, for higher-risk materials, anonymity.
       Technical skills? Good level in security IRL vs. online?
  14. What makes this known spyware so powerful also makes it weak.
     Today's platforms:
     - Duopoly: iOS and Android
     - Proprietary software
     - Firmware
     - Cellular modem
     - 'Under the hood' = the same chips and components under different brands
     The alternative:
     - Linux-based free and open software
     - Firmware in the WiFi chip, not accessible to the memory
     - No cellular modem (the weakest link)
     - Available source code and documentation about the components
  15. SOLUTION PROPOSAL BY NECUNOS
     Instead of developing security solutions on top of the rotten platforms, let's start from the beginning.
     - Clean hardware and software: transparent, verifiable, auditable, open.
     - Security tools by default: extreme security in a user-friendly package.
     - Custom OS: usability is crucial, we need your help.
  16. #INFOSEC HACKATHON FOR JOURNALISTS WITH NC_1
     Small groups: choose between an awareness session and a hands-on session.
     1. I have "NO SECRETS", why do I need #infosec? (awareness, hands on)
     2. I need security beyond 'basics'. Let's hack together (hack session)
  17. 1. I HAVE "NO SECRETS", WHY DO I NEED #INFOSEC? (AWARENESS)
     1. Question form: Google Forms, do it anonymously. Link:
     2. Discussion: does 'no secrets' mean you shouldn't have privacy?
     3. Who owns your nudes? Cloud services. Go through the terms of service of your cloud provider. Explain to us who owns your documents.
  18. 2. I NEED SECURITY BEYOND 'BASICS'. LET'S HACK TOGETHER (HANDS-ON SESSION)
     1. Question form: Google Forms, do it anonymously. Link:
     2. Design: what Necunos can provide. What do you need? What's crucial? What's missing now?
     3. From idea to product: how can we ensure usability? Funding and operation.