2. #INFOSEC HACKATHON FOR JOURNALISTS
#HackForJournalism
Tanja Drca | CCO at Necunos | Mobile Security Enthusiast, Engineer
@tanjadrca
@necunoscom
WELCOME TO THE ERA OF THE HIGHLY RESOURCED MOBILE INFRASTRUCTURE ATTACKS
Tanja Drca | Necunos | @tanjadrca
4. INTRODUCING THE MOST SOPHISTICATED SPYWARE EVER KNOWN: PEGASUS.
Material based on:
1. Pegasus Product Description by vendor company NSO Group, sent via email to Italian surveillance malware vendor Hacking Team. The leaked email, with the attached file, was released on WikiLeaks on July 8th 2015 along with more than 1 million other emails from Hacking Team.
2. The Citizen Lab 'Targeted Threats' research, which reports a 10-part series on the abuse of NSO Group's spyware. Referenced materials are collected from published reports on The Citizen Lab's web page.
3. Lookout, Technical Analysis of Pegasus Spyware: An Investigation Into Highly Sophisticated Espionage Software.
Claimed capabilities:
- Range-free installation
- No phishing needed
- Impossible to detect by target
- Self-destructive
- Full data collection
- Resilient to 'burner' method
5. INTRODUCING THE MOST SOPHISTICATED SPYWARE EVER KNOWN: PEGASUS.
Material: 8, 9
Born in 2009 in UAE
HAS A "LITTLE SISTER": KARMA
- Used by UAE's Project "Raven" according to Reuters Investigates, published on Jan 30th
- No phishing needed
- Used an undisclosed vulnerability in Apple's iMessage software
- In 2016-2017 used against hundreds of targets across the Middle East
Reported targets included:
- "The Iron Woman of Yemen", Tawakkol Karman
- Qatar's Emir Sheikh Tamim bin Hamad al-Thani
- Hundreds of prominent Middle East political figures and activists across the region and, in some cases, Europe
7. #INFOSEC HACKATHON FOR JOURNALISTS
09:15 PLENARY: #INFOSEC FOR JOURNALISTS
09:25 What is FOSS (Free and Open Source Software) and why is it important for journalists?
09:40 Security tools that you use today and why they aren't enough, with the Perugia Principles
09:50 Necunos Solution is simple, powerful and extremely hard to make.
8. WHAT IS FOSS?
FREE AND OPEN SOURCE SOFTWARE - OR HARDWARE
FREE AS IN FREEDOM (FSF.ORG)
WE ARE FREE TO:
- Access the source code
- Run the program as we wish, for any purpose
- Study and change how the program works
- Redistribute copies of the original, or modified versions.
The term "free" indicates that the software does not have constraints on copyrights.
9. FOSS ≠ OPEN SOURCE
Source code is released under a license in which the copyright holder grants us the rights to..
Open Source-based: Android and WordPress
FOSS BENEFITS:
- Personal control, customization and freedom
- Privacy and security
- Low costs or no costs
- Quality, collaboration and efficiency
10. PROPRIETARY, CLOSED SYSTEMS
Prohibit users from studying, changing and sharing the software with others.
- Licenses
- Closed code
- 3rd party corporations
SO, WHY SHOULD YOU CARE? (Why) Is FOSS important for journalists?
- FOSS represents the 'civil rights' of the tech world
- It allows us to create transparent, secure tools which are not controlled by large corporations and their interests.
- It supports collaboration, freedom of speech and knowledge
11. SECURITY TOOLS JOURNALISTS USE TODAY AND WHY THEY ALONE AREN'T ENOUGH
ENCRYPTION
Chats, emails, instant messaging, hard drive.
Technical limitations:
- Key management in memory
- Encryption ≠ anonymity
- Metadata not encrypted
Operational limitations:
- Usability issues
- Digital divide
ANONYMITY
TOR, SecureDrop, Tails
Technical limitations:
- Web vulnerabilities
- Execution on mobile devices
Operational limitations:
- Source verification
- Usability issues
- Interference with journalism
NON-TECHNICAL STRATEGIES
Face-to-face, not using smart devices
Technical limitations:
- No technology ≠ safe from it
- Time limit?
13. Blueprint for Free Speech has launched a new report outlining how journalists can work responsibly to safeguard whistleblowers.
https://blueprintforfreespeech.net/
12 PRINCIPLES FOR WORKING WITH WHISTLEBLOWERS IN THE DIGITAL AGE
#2 Provide safe ways for sources to make 'first contact' with you, where possible.
- ARE JOURNALISTS FUTURE #INFOSEC PROFESSIONALS?
#3 Take responsibility for your digital defense and use encryption. Even though encryption may not completely defend your source, it offers important first-line protection.
- What are your other options? What's second-line protection?
- Is security source-driven?
#7 Explain the risks of digital exposure.. ..train your whistleblowers in basic digital security.
- How big is your overall picture of digital security?
#10 ..ensure any digital drop boxes for confidential sources and whistleblowers.. ..offer a good level of security, and, for higher-risk materials, anonymity.
- Technical skills?
- Good level in security IRL vs. online
14. What makes these known spyware so powerful also makes them weak.
Duopoly: iOS and Android
- Proprietary software
- Firmware
- Cellular modem
- 'Under the hood' = same chips and components under different brands
Versus:
- Linux-based free and open software
- Firmware in WiFi chip, not accessible to the memory
- No cellular modem (weakest link)
- Available source code and documentation about the components
15. SOLUTION PROPOSAL BY NECUNOS
Instead of developing security solutions on top of the rotten platforms, let's start from the beginning.
- Clean hardware and software: transparent, verifiable, auditable, open.
- Security tools by default: extreme security in a user-friendly package.
- Custom OS: usability is crucial, we need your help.
16. #INFOSEC HACKATHON FOR JOURNALISTS WITH NC_1
Small groups: choose between the awareness and the hands-on session
1. I have "NO SECRETS", why do I need #infosec? (awareness, hands-on)
2. I need security beyond 'basics'. Let's hack together (hack session)
17. 1. I HAVE "NO SECRETS", WHY DO I NEED #INFOSEC? (AWARENESS)
1. Question form
- Google Forms, do it anonymously
- link: https://goo.gl/forms/EHc6xa36TXkCF0xL2
2. Discussion: Does 'no secrets' mean you shouldn't have privacy?
3. Who owns your nudes? Cloud services.
Go through the terms of service from your cloud provider. Explain to us who owns your documents.
18. 2. I NEED SECURITY BEYOND 'BASICS'. LET'S HACK TOGETHER (HACK SESSION, HANDS-ON)
1. Question form
- Google Forms, do it anonymously
- link: https://goo.gl/forms/EHc6xa36TXkCF0xL2
2. Design
- What Necunos can provide
- What do you need? What's crucial? Missing now?
3. From idea to product
- How can we ensure usability
- Funding and operation