Welcome to the third newsletter from Security Without Borders. This is a somewhat regular newsletter covering recent cyber security issues, tools and events relevant for activists, dissidents, journalists and civil society at large.
Security Tip: The 'green padlock' shown next to HTTPS URLs in a browser indicates that the connection is encrypted. It does not make any claim about whether the site is what it claims to be; in fact, many fake and/or malicious websites use HTTPS and thus show the green padlock. Never use the green padlock on its own as proof that the site is safe to enter personal details; always check the URL as well, in particular the part that most web browsers display in a slightly darker colour. In case of doubt, don't enter any details.
This newsletter is an experiment. Please let us know if you enjoy it and suggest any content you would like to see here, either via Twitter or via email.
News from Security Without Borders
Since going live a few months ago, we have received many requests for assistance and many offers to volunteer. We are currently working hard on the framework that allows us to assist as many people as possible, but while we may appear busy, please don't hesitate to get in contact. For people who want to volunteer, a dedicated form was created.
Microsoft: As is customary on the second Tuesday of the month, both Microsoft and Adobe released updates for their various products. As with all software, if you are using products from either of these vendors, it is always important to apply these patches as soon as possible. This is even more the case now, as exploits are known for some of the vulnerabilities patched by Microsoft (most notably one in Internet Explorer): this means that an adversary could put malicious code on a website, then trick you into visiting it and thus silently infect your computer without any user interaction. You can read more on Microsoft's patches here.
Adobe: Adobe makes, among other products, Acrobat Reader, Flash Player and Photoshop. Their patches are equally important to apply; you can read about them here. You would be wise to uninstall Flash Player altogether though: it is very commonly used as an attack vector, including in many attacks against activists, and few websites need it these days. You can read about how to uninstall Flash Player here.
WordPress: The popular WordPress content management system also fixed some security flaws. Though none of them appear to be exploited in the wild, it is nevertheless important that you upgrade to version 4.7.3. More on what was fixed here.
A group of researchers, including Claudio and Collin from SWB, published research on online attacks against dissidents in Azerbaijan. The attacks, which are likely linked to the Azerbaijani government, used social engineering and relatively basic malware, showing once again that humans are often the weakest link when it comes to security.
A US Court of Appeals has ruled that an American citizen cannot sue the Ethiopian government for using FinSpy, a hacking tool made by a German company and regularly used against dissidents and activists. The Electronic Frontier Foundation (EFF), which represented the Ethiopian-born man, says this case sets a dangerous precedent. A decision on whether to appeal has yet to be made.
The security of devices and digital information when crossing international borders is a hotly debated issue, especially in the context of recent developments in the United States. Focusing specifically on crossing the US border, the Electronic Frontier Foundation published a long guide on the subject. The guide provides you with some practical advice, but more importantly helps you assess the risks you should consider when travelling to the United States, both as a U.S. citizen and as a foreigner.
Another debated topic is the security of messaging platforms. The 'Vault7' leaks of internal CIA documents showed that it's the device on which messages are read that is being targeted rather than the messaging app. With that in mind (though written before the leaks became known), Johns Hopkins University cryptographer Matthew Green wrote a blog post on secure computing for journalists, in which he explains why mobile messaging apps (including Signal) tend to be more secure than their desktop equivalents, and why iOS is the most secure mobile operating system (but far from being bulletproof).
On Wednesday 15 March, a large number of Twitter accounts (including those of Amnesty International and Unicef) were sending out tweets that appeared to support the Turkish government. It is easy to overstate the importance of this and the 'hack' was likely the action of some trolls rather than government-sponsored hackers, but there is an important lesson in it for everyone using Twitter: the tweets were posted through a third-party app that had permission to post on the users' behalf. Such apps can be very useful, but unless they are very important, you would be advised to review and/or revoke access.
German magazine Der Spiegel reports how over the course of several years the country's foreign intelligence agency BND spied on a large number of foreign journalists, including individuals from the New York Times and the BBC. While Germany, unlike many other countries, has a large amount of press freedom and journalists typically don't have to fear imprisonment or worse, this is still a serious concern: sources may not want to talk to journalists if they have a reason to fear others are listening in on their conversations.
We remind everyone of Hardentools, a small Windows tool developed by Security Without Borders. Hardentools makes some simple modifications to your Windows computer that greatly reduce the attack surface while barely compromising on usability for the average user. You can read Claudio's motivation for writing the tool, but before using it you should definitely read the README and understand that this is an experimental beta release. Feedback is very welcome.
We also remind everyone of Blockade, a Google Chrome browser extension designed to block malicious or suspicious sites. For this it can use data feeds, and Security Without Borders is running such a feed. As with all security software and tools, using Blockade does not make you 100% secure and is not a replacement for good security practice, but it is likely to block some attack attempts. We made a short video that shows how to use it and how to use our cloud node at https://blockade.securitywithoutborders.org/.