Closed L0laL33tz closed 5 months ago
Hey @L0laL33tz thanks for opening an issue.
Re:
MVT seems to make no distinctions between websites visited and software installed
could you give more details on the false positive you encountered, e.g. which modules are involved?
We've recently added some clearer messaging around non-expert use, particularly if detections are found:
NOTE: Detected indicators of compromise. Only expert review can confirm if the detected indicators are signs of an attack. Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt
Sure, here's the detection it threw:
I did reach out to amnesty techlab but never heard back. I understand that it's probably overwhelming to answer every request, so re:
Only expert review can confirm if the detected indicators are signs of an attack
do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert
do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert
We're looking at introducing confidence levels in detections in future - some early work around this in https://github.com/mvt-project/mvt/pull/431.
It looks like this ClevGuard indicator originated from https://github.com/AssoEchap/stalkerware-indicators. In this case it's detecting a visit to a stalkerware related domain name - an expert should review among other things the MVT output, the possible matching indicator and the context of other events on the forensic timeline to determine whether an infection actually occurred.
At this time the Security Lab can only provide forensic support to members of civil society. If you fulfil this category and have a concern in future please do reach out again via https://securitylab.amnesty.org/get-help/ and we'll do our best to help. In terms of partnership proposals please reach out to share [ AT symbol] amnesty.tech. Due to the volume of requests, we may be unable to respond to requests which are not clearly from civil society.
MVT seems to make no distinctions between websites visited and software installed
Got a detection warning a few months back. Got extremely spooked, notified colleagues for possible spyware detection, never heard back from Amnesty Techlab – all in all an extremely unpleasant experience. Turned out I had visited a spyvendors website.
Please find a way to deal with false postivie detections if you can't respond to them individually.
Some documentation of verified detections vs. possible false positives may help, or offering training in using MVT beyond the yearly five-person FFD fellowship program. Trained journos/activists could train others, etc – happy to help with this if someone wants to give me a run down.