We Could Be Heroes
Eva Galperin
Global Policy Analyst, Electronic Frontier Foundation
eva@eff.org
@evacide
No, really. Big damn heroes.
Ok, more like this
In the beginning, there were kittens
Activists are vulnerable
Meanwhile, in Syria…
The stakes are high
February 2011, Syria unbans Facebook
Anti-Dissident Campaign (timeline)
Civil Unrest Begins: January 26, 2011
Anti-Dissident Operations Discovered: Fake YouTube [Deliver Malware] [Phishing]
2012: CNN Reporting; Skype [Deliver Malware]; Fake Facebook [Deliver Malware]
Phish All The Things
Head of Syrian opposition...
Fake Revolutionary Plans
Zero-Hour Plan for Aleppo
I’ve got a little list…
A message from Sheikh Adnan…
Encription... can haz?
Anti Hacker
They’re ba-ack
Hijacked Facebook Group
A very bad day of malware analysis
False Flag
alosh66
Domains: alosh66.no-ip.info, alosh66.myftp.org, alosh66.servecounterstrike.net, alosh66.linkpc.net
Distinguishing feature: Predictable C2 domain naming convention.
Tools: DarkComet RAT, BlackShades RAT
Attacks
March 2012: Fake YouTube website; YouTube credential phishing; DarkComet RAT
June/July 2012: Skype phishing; BlackShades RAT
August 2012: Facebook phishing; BlackShades RAT
dot28 Gang
Domain: meroo.no-ip.org
Distinguishing feature: Repeated use of 216.6.0.28 as C2.
Tools: DarkComet RAT, Xtreme RAT
Dot28 Gang
Operating from November 2012 to present
Campaigns: Zero hour plan for the city of Aleppo; Plans for a revolutionary high council; Skype encryption program; Anti-Hacker application; Names of some militants in Syria and abroad who are wanted by the Syrian regime
Dot28 Gang
30+ DarkComet RAT samples connecting to 216.6.0.28
1 Xtreme RAT sample connecting to 216.6.0.28
C&C stayed up during Internet blackout in Syria
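The two clusters above are told apart by infrastructure habits rather than by malware family (both used DarkComet): alosh66 by a predictable dynamic-DNS naming convention, Dot28 by reuse of one C2 address across dozens of samples. The following is an added example, not code from the talk, EFF or Citizen Lab, showing how a defender turns those two distinguishing features into a triage rule over connection logs. The log format, hostnames and non-C2 addresses are constructed for the example; the indicators themselves (the alosh66 domains, meroo.no-ip.org and 216.6.0.28) are the ones on the slides. Matching any hostname that starts with the alosh66 handle, regardless of dynamic-DNS provider, is my generalization of the slide's "predictable naming convention" point.

```python
import re
from collections import defaultdict

# Indicators as given on the slides (page content, not invented).
DOT28_C2_IP = "216.6.0.28"
DOT28_DOMAINS = {"meroo.no-ip.org"}
# alosh66's distinguishing feature: <handle>.<dynamic-DNS provider>.
# Generalized here to any provider suffix (assumption, see lead-in).
ALOSH66_DOMAIN_RE = re.compile(r"^alosh66\.[a-z0-9.-]+$", re.IGNORECASE)

# Constructed sample connection log, not real telemetry. Non-C2 addresses
# are RFC 5737 documentation ranges; "-" means no hostname was resolved.
SAMPLE_LOG = """\
2012-11-03T10:14:02Z host=ws-01 dst_ip=216.6.0.28 dst_host=meroo.no-ip.org
2012-11-03T10:20:45Z host=ws-02 dst_ip=198.51.100.7 dst_host=alosh66.no-ip.info
2012-11-04T08:01:11Z host=ws-03 dst_ip=203.0.113.9 dst_host=alosh66.linkpc.net
2012-11-04T09:12:30Z host=ws-01 dst_ip=216.6.0.28 dst_host=-
2012-11-04T09:30:00Z host=ws-04 dst_ip=192.0.2.10 dst_host=www.example.com
"""

# Hypothetical log line format: "<ts> host=<src> dst_ip=<ip> dst_host=<name>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst_ip=(?P<ip>\S+) dst_host=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def attribute(rec):
    """Return the actor cluster a connection record matches, or None.

    Dot28 is matched on its reused C2 IP (catches connections even when no
    hostname was logged) or its known domain; alosh66 on the naming convention.
    """
    if rec["ip"] == DOT28_C2_IP or rec["dst"].lower() in DOT28_DOMAINS:
        return "dot28"
    if ALOSH66_DOMAIN_RE.match(rec["dst"]):
        return "alosh66"
    return None


def triage(log_text):
    """Group matching connections by actor cluster: {cluster: [(host, ip, dst), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cluster = attribute(rec)
        if cluster:
            hits[cluster].append((rec["host"], rec["ip"], rec["dst"]))
    return dict(hits)


if __name__ == "__main__":
    for cluster, conns in triage(SAMPLE_LOG).items():
        print(f"{cluster}: {len(conns)} connection(s)")
        for host, ip, dst in conns:
            print(f"  {host} -> {ip} ({dst})")
```

The IP check runs before the hostname check on purpose: the slides' point about Dot28 is that the address, not the name, is the stable indicator, so a connection with no resolved hostname (the fourth sample line) is still attributed.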
Syrian students getting savvy
DarkcoderSc
Tools & Actors
Good morning Vietnam
Le Quoc Quan
Dieu Cay
Ceiling cat sez u want free flights and hotels nao?
Attacks on Vietnamese bloggers
Ethiopia: One Step Beyond
Thanks, Snowden
The game is afoot!
"The current Ethiopian government has a well-documented history of human rights violations against anyone it sees as political opponents. Here, it wiretapped a United States citizen on United States soil in an apparent attempt to obtain information about members of the Ethiopian diaspora who have been critical of their former government. U.S. laws protect Americans from this type of unauthorized electronic spying, regardless of who is responsible."
EFF Staff Attorney Nate Cardozo
Meanwhile, in the UK…
Thanks!
Many thanks to: John Adams, Morgan Marquis-Boire, Bill Marczak, Cooper Quintin, Cindy Cohn, Nate Cardozo, Citizen Lab, and Privacy International. Heroes and rock stars.
We couldbeheroes -recon2014 (SlideShare)
ReCON 2014 Keynote
Published in: Technology, Business
Speaker notes:
  • Ethiopia, by the way, is one of the NSA’s approved SIGINT partners. As you can see on this chart, taken from the Snowden documents published in Glenn Greenwald’s book “No Place to Hide,” Ethiopia received $450k from the NSA to build its surveillance capabilities, including those targeting “terrorists,” which is what the Ethiopian government calls political dissidents. Citizen Lab reports have found both FinFisher and HackingTeam command and control servers operating in Ethiopia. Given how relatively inexpensive these products are, $450k goes a long way towards covering those costs.
  • Three months later, I was put in touch with a person in Washington DC who provided technical support for Ginbot 7, known by the pseudonym Kidane. I explained the researcher’s findings, described FinFisher’s capabilities, and he allowed an expert to examine his computer for malware. Forensic analysis revealed that his computer had been infected with FinFisher’s surveillance tool, FinSpy. It had been uninstalled, but the uninstallation process had left traces which enabled us to know some of what the software had recorded and possibly exfiltrated back to the Ethiopian government. This data included Skype calls and Google searches. Further analysis traced the infection back to an infected Word document attachment that had been sent by agents of the Ethiopian government and forwarded to him.
  • Because the spying happened in the United States (in fact, Mr. Kidane’s laptop never left the US), EFF is representing him in a lawsuit against the Ethiopian government. We are suing the Ethiopian government for violating the US Wiretap Act and state privacy law.

    This case is important because it demonstrates that state-sponsored malware infections can, and indeed are, occurring in the U.S. against U.S. citizens. It seeks to demonstrate that warrantless wiretapping is illegal and can be the basis of a lawsuit in the United States, regardless of who engages in it.
  • Meanwhile, British privacy watchdog Privacy International used the findings on Mr. Kidane’s computer, as well as Citizen Lab’s extensive research into the use of UK-based Gamma International’s surveillance software to facilitate human rights violations, to put pressure on Her Majesty’s Revenue and Customs to investigate these exports. We expect that EFF’s lawsuit and PI’s legal action will take a long time to work their way through the courts. The fight against governments that abuse human rights through targeted surveillance, and the companies that sell to them and facilitate that abuse, is a long one, but it would not be possible at all without public research directly linking human rights abuses to the surveillance software.
  • So, what do I want you to do with your next year of research? If you find malware targeting vulnerable groups, publish your research. Ideally, it should be written in a way that can be understood by journalists and activists and ordinary readers, who can turn it into advice for the targets and fodder for policy decisions—and if you can’t do that, partner with a journalist or activist from the affected community.

    If you are concerned about the possible legal implications of publishing your research, contact me at the Electronic Frontier Foundation. We have an entire floor of lawyers who have been defending the rights of security researchers to publish their work for decades. If you are located outside of the United States, or you are concerned about legal action outside of the US, I can make a referral.