Welcome to the fourth newsletter from Security Without Borders. This is a somewhat regular newsletter covering recent cyber security issues, tools and events relevant for activists, dissidents, journalists and civil society at large.
Security Tip: when you get an email from a service that you use, such as Google or Facebook, asking you to log in for one reason or another, teach yourself not to follow the link in the email, but to access the site through its URL (or a bookmark in your browser). Whatever it was that required you to log in, you should be able to find on the website as well; if not, it may be a phishing attempt.
This newsletter is an experiment. Please let us know if you enjoy it and suggest any content you would like to see here, either via Twitter or via email.
News from Security Without Borders
Due to the nature of the organisations and individuals we are assisting, most of the work we are doing happens behind the scenes. Don't let this be a reason for not contacting us, should you need assistance. For people who want to volunteer, a dedicated form was created.
Microsoft: as every month, Microsoft released security patches for various versions of Windows and for its products, including Office. These patches are very important, as they patch some vulnerabilities that were already used at a fairly large scale in the wild before the patches were released Tuesday last week.
During the Easter weekend, the 'Shadow Brokers' released a large number of exploits from the National Security Agency (NSA), the most important of which targeted Windows. Initially, it was believed that some of these exploits worked against fully patched versions of Windows, but later it turned out that Microsoft had patched these already. Technically, such exploits can be very interesting, but the main lesson that can be learned is that there are some very powerful agencies that have ways to get into almost all networks and devices. The fact that a large number of exploits have now been leaked and the vulnerabilities patched doesn't mean that there aren't many other such exploits still unknown to the public; we can be certain there are. At the same time, most attacks, even by some powerful adversaries, use fairly common techniques such as phishing and off-the-shelf malware to compromise a target. The fact that you may not be able to fend off the NSA should not be an excuse not to practice proper security hygiene.
Sad news from the United Arab Emirates, where human rights activist Ahmed Mansoor has been arrested. Mansoor made the news last year when it was found he was targeted with highly advanced iPhone malware, which was very interesting from a technical point of view, as malware targeting iPhones is quite rare. However, this is a sad reminder that the targets of such attacks are real people, who often face real risks that are not always restricted to their online activity. Unfortunately, punishments for the 'crimes' Mansoor may have committed in the UAE government's eyes are very severe: another human rights activist was sentenced to ten years in prison.
More sad news from Iran, where 12 administrators of channels on the Telegram messaging app were arrested, a move that is likely related to elections that will take place in May; all of those arrested had expressed support for reformist candidate Rouhani. Telegram is a popular messaging app that provides some level of security against ordinary cybercriminals, but not against those who are able to intercept the SMS messages the service relies on, which would include most governments. Last year, Claudio and Collin from SWB discovered a number of high-profile attacks in Iran using this very method.
AP reports how a 'panic button' provided by the Colombian government to some 400 high-risk activists and journalists has a number of serious security issues. While it is laudable that the government is concerned about these people's safety, the vulnerabilities, which could allow an adversary to track its users and listen in on their conversations, could actually make them less secure. This provides an important lesson for high-risk individuals around the world: there are many tools and devices that could increase your safety, but if these are themselves vulnerable, they could actually make the situation worse. It is therefore important to look for tools and devices that have had a proper security audit; incidentally, this is something Security Without Borders can help with!
An unknown entity has published a fake PGP encryption key in the name of a prominent Egyptian activist. PGP is an important tool to encrypt emails, but as with all network encryption technologies, it is of vital importance to make sure you are communicating with the right individual or organisation. Always use another channel, such as a common acquaintance or a social media profile that you know belongs to them, to verify someone's PGP key.
Citizen Lab looked at censorship on the popular Chinese WeChat and Weibo social networks, which includes not only the blocking of keywords and keyword combinations but also that of certain images. Such reports not only highlight the challenges faced by the human rights community in China; they could also help that same community find possible ways around the censorship.
Russian university lecturer and open source developer Dmitry Bogatov was arrested, allegedly after his Tor exit node was used to post online messages inciting violent actions. In a FAQ document written by the Electronic Frontier Foundation and focusing on legal issues surrounding Tor in the United States, the Tor Project actually warns against running exit nodes from home. Those who want to run an exit node are advised to look into the potential legal issues in the country from which they want to run the node.
Vice Motherboard is running a series of articles on spyware used by ordinary people. Often sold as parental control apps and available for relatively little money, such mobile spyware is often used to spy on (ex-)partners, not seldom as part of an abusive relationship; sometimes with very tragic consequences. The series is worth a read and should serve as a reminder that the threat from those with physical access to our devices should not be discounted, especially for those whose activities make them a likely target of spyware.
While there are many tools that could improve your online security, the biggest risk is often the end user, and security can often be improved a great deal just by providing some basic training. Under the name Security First, Advocacy Assembly have put together a series of short courses to improve online safety for human rights defenders. The courses are free to use.