Welcome to the first newsletter from Security Without Borders. This is a somewhat regular newsletter covering recent cyber security issues, tools and events relevant for activists, dissidents, journalists and civil society at large.
Security Tip: If you cross borders or participate in protests, your phone might get seized. Make sure it is encrypted. You should use a strong PIN code (at least 6 digits long), and turn the phone off, especially if you use TouchID or other biometric locking. In case you get compelled to unlock your phone, make sure you familiarize yourself with the local laws, and keep the number of a lawyer written on a piece of paper in your wallet.
This newsletter is an experiment. Please let us know if you enjoy it, and suggest any content you would like to see here either via Twitter or via email.
News from Security w/o Borders
Starting an initiative like Security Without Borders takes a lot of effort and time. This past month we've been primarily working on stabilizing the group and setting up the necessary infrastructure to properly organize our activities. We have already started carrying out a number of assistance efforts, mostly penetration testing.
The next step will be to initiate an outreach campaign to make sure the right people and organizations learn about who we are, what we can do, and how they can best leverage us. There are several other initiatives that are doing great work in civil society. We look forward to cooperating closely with as many as possible, and to providing the specialized security expertise that we are aggregating. We have some amazing people on board who are seasoned security professionals. If you are an NGO and are interested in working with us, please get in contact.
In the month of January we have seen a good number of security vulnerabilities in prominent software. Here is a little recap, in case you are still behind on your software updates.
WordPress: Sites running the popular WordPress content management system are constantly probed by all sorts of attackers and are commonly compromised to serve malicious content. If your website runs WordPress, it is vital that you always run the most recent versions of both WordPress itself and its plugins and themes. The WordPress Dashboard tells you what version you are running; it usually alerts you when it isn't the latest. The most recent version is 4.7.1, a security fix released on 10 January and intended to resolve a number of vulnerabilities in the software and in some of its plugins (PHPMailer, particularly). You might also find interesting the guide on how to harden your WordPress installation published by its developers.
Firefox and Thunderbird: In the last few days, Mozilla has issued security fixes for both Firefox and Thunderbird. There are no public reports of these vulnerabilities being currently exploited by attackers, and normally both Firefox and Thunderbird should automatically download security updates. Just in case, make sure you're running the latest versions, which are 51 for Firefox and 45.7 for Thunderbird. You can find out which version you are running by going to Help > About Firefox and Help > About Thunderbird respectively. Because of some recent changes in Firefox, you may see warnings about certificates and/or password submission on some websites. It is important that you do NOT ignore these warnings: do not proceed, or at the very least ask a trusted security expert before proceeding.
Apple: In January Apple also released numerous security updates for their primary products, including macOS as well as iPhone iOS, which saw the release of version 10.2.1. If you haven't done so already, make sure you have installed all the offered updates, as they fix critical vulnerabilities. For your Mac, read up on how to update your software. For iPhones, you can do so through Settings > General > Software Update.
Flash Player and Adobe Reader: In January Adobe released multiple updates to fix critical vulnerabilities in Flash Player and Adobe Reader, including their browser plugins and extensions. Flash Player and Adobe Reader have become mostly superfluous with the progress of mainstream browsers (particularly Google Chrome, which to this day offers the better security protections) and with the advent of modern web technology. Quite frankly, we recommend uninstalling both.
China: China tightens its restrictions on VPN use by declaring unauthorized VPN services illegal. According to the BBC, the block includes, among others, three popular VPN providers (Astrill, StrongVPN and Golden Frog). Major VPN providers are working on a solution. The ban continues until March 31, 2018.
USA: On January 25th, President Trump signed an executive order for "Enhancing Public Safety in the Interior of the United States" that denies privacy protection to non-US citizens "to the extent consistent with applicable law" (Sec. 14). The concrete implications of this executive order and whether it affects the Privacy Shield agreement are still a matter of debate.
Some researchers analyzed over 289 VPN apps for Android and found not only that a concerning number leak information and track users, but that 18% of them don't even encrypt any traffic at all! You should really check this article from Ars Technica explaining the results of this research and providing some advice on which VPN apps might be safer to use.
Joshua Foust published a good blog post detailing how he successfully identified an attempted phishing attack. Phishing (an attack with the intent of stealing online credentials by mimicking login pages) remains one of the most common techniques employed by attackers all over the world. Using two-factor authentication and training your eye to recognize these attacks can go a very long way.
The Grugq published a good guide on how to securely operate dissident Twitter accounts. Many activists use Twitter as an important outreach and advocacy tool, often anonymously or pseudonymously, and are consequently often victims of attacks. Knowing what type of threats you face and how to protect yourself online is becoming critical. This guide is a great start.
An extensive list of security resources for journalists, lawyers, activists and other groups was published at the beginning of the year. The list is long, but if you are aiming to improve your security level you will certainly find helpful information there.
People who contributed to this newsletter
This newsletter is edited collaboratively by the larger Security Without Borders community. These are some of the people who helped with this issue: Agent X, Jens Kubieziel, Peter Tonoli, Martin "Mrtn" Ingesen, Michael Helwig (@c0dmtr1x), Martijn Grooten. Curated by Claudio "nex" Guarnieri.