You know about malware, ransomware, spyware. But there’s an increasing concern about something called stalkerware, a creepy breed of apps that allow someone else to digitally monitor you. What is stalkerware all about, and how can you recognize it? Who plants it and why, and who are its victims? Joining episode 45 of Cyber Security Sauna are Eva Galperin, director of cyber security at the Electronic Frontier Foundation who also helped found the Coalition Against Stalkerware, and Anthony Melgarejo, threat researcher in F-Secure’s Tactical Defense Unit.
Janne: Welcome to both of you.
Eva: Thank you so much.
Anthony: Thank you. Glad to be here.
So Eva, tell us about yourself. How did you get into fighting stalkerware?
Eva: Well, I was a normal sort of security researcher, mostly studying APTs that were targeting journalists and activists for many years. And then it turned out that the person with whom I had been doing the majority of my APT research was outed as a serial rapist. And I was really, really angry. And so one of the things that I did was I read an interview with one of his victims, and what really struck me in that interview was how scared she was. She was really frightened, and she hadn’t come forward earlier because she was worried about stalkerware. She was worried that this guy was a hacker and he had threatened to compromise her devices. So she felt that her devices weren’t safe, and that she would not be physically safe.
I got so mad that I tweeted, a thing which happens a lot, and what I tweeted a couple years ago was that if you are a woman who has been sexually abused by a hacker, and you are concerned about your devices, that you could reach out to me and I would make sure that you would get a full forensic workup of your device.
Ten thousand retweets later, I had involuntarily started a project.
Project slash landslide.
Eva: Yes. I was getting between zero and up to 30 messages a day from different people. I still get messages from people who are in really alarming situations. And I spent a year and a half just working with the people on the ground and trying to get a good feel for what their problem really was.
Because one of the things that security researchers are often wrong about is what the problem is. Frequently we look at some group that we want to protect and we say “If only you do blah blah blah and blah blah blah, then everything would be fixed.” It turns out, often, that there are reasons that people behave the way that they do.
So I discovered that mostly we were looking at not device compromise, but at account compromise. That most of what people think of as device compromise, if they’re nontechnical, is in fact account compromise. And I thought, “Well, this is great news, because we have solutions for account compromise.” You tell everybody to use a password manager, you have them use unique and strong passwords for everything, use the highest level of 2FA that’s available and that