
Oh good. Well, thank you very much, guys, for filling the room. It's flattering, and you'd rather be here than another talk or in the CTF. If you can read, you're already miles ahead of me. My talk is called the taro tracking, and it is about the industry of consumer spyware or, as it's recently been tagged, stalkerware. So we're going to be... it's an industry which has been built around our kind of most private fears and, like, some people's primal urge to, like, control and to know all. So, because everything kinda has to be about me, I've got moon slide at the start. So I'm a nice act on. I failed my
OSCP and spent a lot of money doing so, so I'd like to talk about it when I can. I work with Splunk at SES of an Edinburgh and I'm studying software engineering at Napier University under thank my like the crossroads between software engineering and security definitely is somewhere in malware. My initial interest in security was definitely, like, remote access trojan, that kind of game of cat and mouse between our developers and antivirus companies, so I think it's really, really cool, like, and I go... so I own lots and lots of books about it, but when it comes to the technical ones we never quite finished them, because it's really hard to learn about, especially after a long
day's work. So before we go any further into this, does anyone not know what malware is? I wouldn't expect you to raise your hand in a forum like this, but malware is essentially just any software which is specifically designed to disrupt, damage or gain authorized access to a computer system. So although whenever we say malware something might spring to mind like WannaCry or, like, some sort of cryptolocker, where, for people who don't know, that essentially locks your computer and perhaps your files and demands a ransom to get them out, to get them back, but it can also be things like the Lenovo Superfish program, which came pre-installed on a couple of their
laptops, which is essentially just injected ads into your browser. So both of those are an example of malware. It can be subversive, it can be silent, it can, like, even if you don't notice it, it's still malware. So whenever we talk about malware there tend to be a few different I groups of threat actors that we tend to talk about. So first off is just your run-of-the-mill cyber criminal. It's our job to hack into things, it's their job to steal data from unsecure systems, and so it's their job to make money off of, and in the context of malware at least, it's our job to make money from malware campaigns. So generally we don't have to
like, as consumers and as individuals, we're not generally the target, although obviously sometimes there are some malware companies which have targeted specifically consumer devices, but there's more money in attacking enterprise, so that's generally where they tend to stay. Next is, um, script kiddies, or skids as they're commonly known, and these will be similar to cyber criminals, generally trying to make money or like I'm Gail I get some sort of fame or they are authority in the internet same kind of feels like a like say for mapping t-mobile for instance, but that script does tend to target consumers a bit more. You've got political activists, and I hope the people in this room are safe from
them, but that's groups like Anonymous and groups like ISIS, who would attack for, like, to solve geopolitical objectives or to further their own gains, and then this can be for money, but it's often for, like, ideological reasons. Like, for instance, um, ISIS of Ron have been suspected of running a malware campaign against a group of journalists in Raqqa in Syria, so that would be an example of what they do. And then we have nation-state actors, so you would better hope that we're not running the they are getting the attention to these guys, but generally it's, like, geopolitical objectives, and depending on the nation state, like North Korea around, it can be
money, but, um, it's more common for it to be, like, to further, like, a geopolitical agenda, like we see in Iran's attack on Saudis oil or denial rigs and so on, so forth. So the common theme there was the majority of malware campaigns will target business and enterprise, but, like, obviously not all, and malware companies generally do want to make money. So whenever it comes to stalkerware, and for those who don't know, stalkerware is malware which is specifically designed to access someone specific's data, and, like, in consumer electronics, whether it's a laptop or whether it's a phone or whether it's whatever, it's just whatever you keep your data on the
generally want to go after. So this is kind of neat, because unauthorized access to personal info is kind of a hard sell in, like, a large market. If you're Jessica if you don't know whose information you're getting, or the best they can do is put into some kind of demographic, it's still not that valuable, or certainly not as valuable as, like, specific targeting specific people is. So an example I find outside of stalkerware has been the sale of installs. So what an install is, is essentially access to an already existing backdoor and someone else's malware campaign, if you call it that. So, like, someone will get the initial infection and then sell access to that
person's computer, and although this is, um, used commercially, like for cyber criminals who are looking to make money off exploiting people's computing power or exploiting people's bandwidth for, like, for bidders or for harvesting cryptocurrency, it can also be used for, because of the complete access it gives you to someone's machine, it's often used for blackmail or for identity theft and that sort of thing. So this kind of leads to the stalkerware. So it tends to run as a stalking-as-a-service model, so it outsources the infection process to the actual client. So the malware developer generally isn't looking to make money off the data, or if
they are, that's kind of, like, a side, that's the solid main point of the business. The main point is to sell the actual installer to someone who wants to install it on the specific device, and then run the command and control server and allow this person to access the data they've stolen. So, um, and this is again, like, specific targeted information is much more valuable to certain people than generic information, especially when it comes to those they share a personal relationship with, or they are involved with in some sort of institution, whether that be work or school or even government in placing. So whenever I talk about specific people, I
did a few examples. We are a long time so I usually ask people to shed some light bill just I'll give you this one for free. So generally I'll start from left to right. We've got a big target for people, a big audience for stalkerware developers is our car couples, people who have been in a relationship, because often there are unsavory people and my getting these wishes who do want to have kind of, like, total control of information, or whether it's, like, harassment or intimidation, like, people are interested in having access to their significant other's device without their knowledge. But it also happens in dating, so, like, whether you're, like, currently dating someone or
whether they're your ex, or whether they're even interested in you and you don't know them, there definitely is an audience for stalkerware in this case too, just because people want to find out, like, what you're thinking, or what you'd say, or, like, are you interested in them, and so on. Well sue got big mind mapping organizations at Cambridge Analytica we've realised the part of this personal information and realized the power in, like, aggregating this kind of data on, like, a massive scale. So we saw that with Facebook. They don't necessarily stalkerware, but it is that kind of pervasive surveillance of them taking your personal data and using
it in a way which in series incentives don't really align with yours. Like, they're not really out for your best interests here. And about nation-states, again, nation see it something like similar to like my map and organizations are very, very interested in this data and will come more thought later. Advertisers for the same reason, and then, even if it's meant in a positive way, schools and institutions like that are also interested in this Jerry and well and have tried to get access this information, even if it's like "oh, are they okay at home?" or even if it's something like "are they plagiarizing?", like, they're very keen to find out. So that is the who. We're going
to talk briefly about the how and then the why this happens, and, like, what kind of, um, and like a high prevalence it is and who is being targeted. So with the how, I took the example of the spy phone direct Prue. This doesn't work anymore. This isn't an instructional video. This won't work. If you waste 140 fines on this, I didn't recommend that, that's on you entirely. So you can buy 140 points. I did have the URL up there, but that's a recipe for disaster, sort a guide. So essentially with this piece of malware, stalkerware, um, any access with the unlock device gives an opportunity for a total compromise. It's again only on old
Androids, and all information harvested by this piece of malware is, you can specify what email you want the dissent and it will send just, like, incremental logs, like, to your inbox essentially. How convenient. So it can be installed only or physical access, so it's, um, like if someone gets onto your phone, lose the password and turns off the security feature which blocks unauthorized CDNs. So and Android is a feature which only allows apps to be installed from Google authorized content delivery networks, but you can turn this off, and they stick it on old Androids, and then once you've done that, either you just go to their link, 140 points buys you the
installer on the subscription key, and once you enter that and when they opened the hidden mode, it will then disappear off the device's normal app and appear as an Android service. So if you don't know what you're looking for, it's essentially gone. Like, if you're not sure anyone is like look to your device, like, I don't know how many people do want in check their services regularly, and even if you do, like, you still might not see it. So that's I got compromised with a device, and it does take, with a suitable internet connection, we're talking under a minute here. So like that's again, like, if I don't know, I carry my phone around with me a lot, but there's
definitely been times where it's been out of my sight, or I don't know where it is for a minute, or maybe I've left it at my desk and left my room or something like that. So definitely, like, this is a feasible attack. So the certain malware gives access to essentially everything that the developer can get his hands on at the time. So it records all phone calls, it keeps the call log so you can tell who called who, when they called, how long they called for, and allows you to remotely listen in via microphone at any time. So, like, it essentially turns your phone into a listening device. Every text you've
sent or received that's still on the phone, every photo, just I'll everything essentially, on live GPS location is something we're going to come back to as well. So that's the how, and that's kind of asking to what they're getting. I'm gonna talk a bit more about hey, because I taught summer pre flavor they only touched on the, like, the environment so once she'd find it, I didn't really touch on exactly who was doing it. So the first, the main audience from what I can tell for stalkerware is people who say to abuse their partner or someone close to her, or someone he trusts them, and 140 points to know everything that they... because, like, I
don't know how much you guys use your phone, but I certainly use enough that if someone could listen in to everything about it, they would know an awful lot more about me than I'd be comfortable with, like, a lot of others' private information. And, like, we are seeing quite a lot of this, especially within the US. There has been a few cases in the UK as well where people have been sentenced for it, and I mean, like, not every crime is called, so, like, I can only imagine how many how many Pony people's is happening to me presently. But a 85% of the shelters we surveyed, this is in America, are seventy shelters
around the U.S., seventy, eighty five percent of the shelters we surveyed said they're working directly with victims whose abusers tracked them using GPS. So that's again that functionality from that stalkerware, and these percentages aren't just stalkerware, like, it can be things like Find My iPhone or, like, other the morning expect us program spawn, like, this technology, this capability is being used to hurt vulnerable people, and that is something but as because I quite like at the core of this talk. And seventy-five percent say they're working with victims whose abusers eavesdropped on the conversation remotely, and that's, like, it's not so simple to do that, like, that does require a piece of
technology to enable it, and often that comes in the form of stalkerware. But moving on from that, divorcees especially know are increasingly turning to, because of the impact that that kind of situation and not like, like, very horrible time for everyone involved, like, the stakes of it, people are turning to pervasive surveillance solutions to find, like, to find dirt on their partner, or to find, like, a reason that, like, either to divorce them or hi-de-hi to win the divorce settlement, and so on and so forth. So, like, this stuff happened in our relationships regardless of whether it's, like, just dating or whether it's, like,
something which has been going on a while. Outside of personal relationships, it also is in our education institutions. In Philadelphia there was a school with 1,800 laptops they give to their students, because I am I guess it makes sense, because, like I said, I just think schools are figuring out that kids need a work station, right? So, but what they didn't say is, or what's been alleged is, that a UH or they each of the one-fives minute laptops had a piece of spyware on it which'll ID and, as it says in the article, "indiscriminate use inability to remotely activate the webcam is incorporated into each laptop". So yeah, that's 1,800 students, and it was found
out when one of the teachers tried to desert him one of the students for something they done at home. So I mean, like, the people doing these kind of campaigns aren't smart, like, they're not security, like, researchers, so not, like, incredibly, like, talented people. They're just, you know, people who want to know more, who want to have that kind of control. So we'll go back to the here in a minute, but most of these examples, um, the spy phone was an exception in the sense that it sends the data back in the form of an email. A lot of this data is stored on the server and it is accessible on
that server. So I mean, I imagine most of us are interested in security, I don't really feel like it needs more explanation. I did have a timeline for who got breached, but it just changed every time I'd look at this talk again, so the guys at Motherboard have done a great job of doing that for me. So in the last 18 months, this is Lorenzo FB on Twitter by the way, hem and Joseph F Cox I think is here at the conference today, both do great work on this subject. I've got a fantastic piece of journalism called "When Spies Come Home" and it really is, like, it's a really eye-opening piece, and it's over
many months and many different topics, and it really is, if you want to know more about this or more about this industry or more about, like, what people are doing about it, that's definitely the first stop for it. But you can see a massive amount of these spyware companies are getting breached, and, like, it's happening all the time, as I imagine the shady organizations which rely on this kind of business model don't really employ the best cyber talent, because, like, why would you work there when you could work for somewhere that won't, you know, damage your CV, or probably right. But essentially it determines pervasive monitoring into massive, massive data
loss, because, like, people don't even know that this information is leaving their phones. Like, this malware is subversive, there's no pop up to say that, like, they've lost control of this data. Like, it's essentially confidential an anonymized private data which highly again is massive consequences for the person that it's leaking for. So, like, blackmail, like identity fraud, like a day it becomes a much bigger problem, not to downplay the initial problem, if that makes sense. So back to the hey. The good thing about these breaches is a dead tell us that a number of organizations have been using these using their work emails, I think it was. So again, like, the people doing this on for a smart, and
you've got, like, organizations like the FBI, the ICE and in that place. So what I'd like to highlight here is that these organizations have find in the past to have them proper oversight, like, there's not enough control, like, we were not allowed in many cases, like, the NPS refused to investigate when Motherboard tried to find out why the Metropolitan Police were working with these stalkerware technologies. The NPS refused to investigate it, I think citing national security, but I'm not sure, but, like, this refused to ask any questions about it. So that's, I mean, the terrifies may add I don't know it yourselves, but, um, and not only do they
have this complete lack of, like, acceptable oversight, but they also have access to vulnerable people, especially in terms of, like, ICE and the Metropolitan Police, and there would be ample opportunity for these people to, armed with these technologies and these, like, pieces of malware they don't have to maintain themselves, like, there's plenty of opportunity for them to install these on the phones of victims or people here going through the justice system or people here are going through immigration and things like that, and that's just, like, a real recipe for this stickers are very vulnerable people are very vulnerable times in their lives. You might not have any recourse legally, and certainly, like, if they're going
through a tough time, you can really expect them to polite like an Android reversing book and figure I try to check whether their phone's been tampered with. It's just not feasible. So in summary, the times are changing, and the pay of the people who seek the abusers around them are going to change with them, and they're going to find new methods, they're going to find the easiest route to what they want, which is to intimidate, which is to, like, take advantage of trust, which is to be like Abby's information like this. And one thing I've noticed in research and witness is that vulnerable people are continuing to be left behind by the law and by software providers, so
less so at something that's becoming increasingly last so the protections were made by the people who provide the platform, so it's like Apple and Google are improving for phones, for affordable foods as well, so that's good, but I still don't think it's enough. Um, so it's all well and good for me to tell you that this sucks and it's gonna continue happening, but what can we actually do? So I don't think that there's an easy answer or no. We're not gonna make people not want to do this. That's kind of, I mean, life, it's a sad fact of life, but I don't think about the power of persuasion to do that. And we
could make it illegal, but under the investigator investigatory regulatory powers act it's illegal to wiretap electronic communications order warrant anyway, so that's not stopping anyone. That the law is in more gray area when it comes to devices you so for households and indeed institutions where the people at the top, or, like, certain people own all the electronics, or certain people own handhelds and laptops that other people are going to use, it does become a bit more grey when you're wiretapping your own device that someone else is using. So yeah, it's not as clear-cut as you might think. So I think the place to start for protecting these people here I did it here are victims to
this, essentially victims of abuse, children and people in the workplace, is, like, essentially increasing funding for local police cyber crime units. If we can get support for these people, if we can give them, like, somewhere to go with these problems and potentially offer them a solution, then, like, we could maybe see this, like, being addressed, but we'll see. And people's BS, I mean, I'm sure we're all aware the baseline knowledge of security for the general public is very, very low, especially when it comes to cases like this. So I feel like security awareness campaigns about knowing what's on your phone, like, so having secure passwords and nobody else knows, keeping your phone updated
regularly, like, should like not having it in a hostile environment where this might happen would also be really important. But on the other end, I mean, like, you can't look at the onus and the victims for all of this. So companies, currently there's a lot of companies that produce this kind of spyware, like politely leg for Vava, which still operate in the UK, you can look them up, I think that insider threat or something like. But, um, they essentially make these pieces of software which they, I don't want to say intent, but they have no mitigations and it being used on unlawfully. So they say place when used on anyone else's, um,
computer, and then they have ads like that: "many spouses cheat, they all use cellphones". Like, that's not really an application more than there's a statement, right? So then the slammer is like, like this drivel, you know, "the law generally requires you to notify owners of devices on what she intend to install the license software", and then they also have blog posts and promotionals and say this. That's the same company, both those things. It's not a coherent message, in fact it's by essentially the minimum that can get away with. Like, they know who they're marketing to, they know who they're selling through, they know how their product's gonna be used. There are absolutely no mitigations to stop it
being used unlawfully. So I think that's kind of lean media question, I think that, can someone confirm that slider link still works, but, uh: should developers of consumer software be held accountable legally if they write software intended for hidden wiretapping without a reasonable attempt at restricting or mitigating unauthorized usage? Because a lot of these products tend to market themselves is like taking care of your kids or watching what your kids do online, making sure they're safe, but for that goal to be achieved, for instance, it doesn't have to be entirely subversive like it's today, it doesn't have to be, like, completely hidden. Their car like a pop-up that says "hi, this is being
monitored" or, like, there or "this is, like, a child-friendly software world" whatever. Like, it's not really impossible to do if it's not entirely subversive. So I just thought that was an interesting question to put out there, because maybe there is too much freedom for developers to write things which could be used for bad, but then also, on the other hand, restricting software and such a census isn't really, it restricts innovation, this is a whole bunch of freedom problems with it. So I was just wondering you guys think. It's outside your thing upper is working alright. Okay, there's no reception. Well, it's just the haba thing could please also a question at the end
because there we come for it snow. Thanks for checking.
We do have two more slides to go, so thank you very much for your, I know, I mean I did it just means I get to, it's fun to me. So essentially I'll be fossil before. So one last, like, kind of section for us to hope some people find it helpful. Despite manufacturers' best efforts, you are on your own when it comes to your own security. It does require a presence of mind for you to secure yourself and keep yourself safe from the threats that are there in your personal life, so it doesn't just stop and around companies. So I've just made a quick game plan. This isn't foolproof. I
did someone stick their hand up three nights ago, or a couple of nights ago, and say "yeah, why would you do any of this when I can just set up a cell tower and intercept the traffic like that in seconds?" I know you can't, but it's not really helpful. So, keeping your device locked when you're under. I'm sure we're all on Twitter, I'm sure we've all seen people are posting photos of just unlocked laptops and phones on trains while they go and get, like, coffee or whatever. Please don't do that. How many people here, their spouse or their partner, whatever, knows their password? So, like, I mean, yeah, I mean I got a hundred percent there's
more, but, like, no, don't do that. Your password is your password. If you give it anyone else it's pointless, I guess, it literally defeats the purpose of in the password, so don't do that. Set aside the time to update your devices regularly, and I don't mean just update them, like, when you have time, I mean literally set aside a block of time for you to go through and make sure your devices are updated. It doesn't have to be every week, it doesn't have to be every month, just make sure you did semi-regularly, because a lot of these likes walk around on a lot of this malware is targeting, like, old versions, because it's easier, it takes less
development time, you don't need updated on the cheaper essentially. And if you're unsure if your phone has adjusted in the hostile environment like this for some time, please factory reset it. The gay and that's not foolproof, and, like, saying that rootkits exist isn't really helpful either. So, uh, yeah, and the settings of device, again, a lot of these malwares will try and run as a service, so please understand what's on your own device. So yeah, freelancer excuse me on your risk consumer spyware isn't difficult to make but a well read there well ruin your life essentially. Be conscious of how much info is just on your phone, like eggs basket sir, and be conscious of bad security
practice in your personal life. I imagine we do a lot of stuff with our personal security that we wouldn't do in the office because we get us in trouble, so there's a reason that's the law in the office. So follow me on Twitter as well. Thank you very much, guys. Awesome, thank you. I have one question already: you mentioned mostly Android, iPhone as well? I didn't look and iPhone and more firmly understand there's a man in the front row there, he's very keen on iOS and Mac security. Yes, iOS tends to be a lot more secure in terms of unauthorized apps and things, and, like, app isolation especially, so I didn't research into it,
but you're generally not entirely safe, don't you break it out too terrible idea, a little bit safer. Okay, thank you. Any other questions in the audience? Over here, I will walk to, one moment. Hmm, how does it work? I don't think many were connected to question. Um, are you aware of any apps, you know, if Linux is like chef routine things like app cell that actually scan your device arms and installed? I, because I thought about giving a recommendation, but the amount of apps are there, especially on the Play Store, which was all full fishing and, like, malware controls to begin with, there's a lot more apps masquerading as, like, clean up your phone apps which
actually decide junk onto and their spyware and among themselves, because fair enough, to do that it would require, like, root permissions, it would require extended permissions, and I certainly wouldn't recommend that people just search it on the Play Store and download an app. But no, I don't have an actual recommendation in terms of Android apps, no. I should hey any more? Go around, go around, go around. No? All right, coffee break, and thank you again. Thank you very much.