Posts Tagged ‘data protection’

Protecting human rights defenders from hackers and improving digital security

October 31, 2016

On 14 October, 2016, Joshua Oliver interviewed Kim Burton of Access Now for NY City Lens about the digital security dangers faced by human rights defenders. A recent example is what happened to Ahmed Mansoor [https://thoolen.wordpress.com/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/], but there are many other cases. The staff of the Digital Security Helpline offer free, 24/7 technical support and advice on digital security to activists, journalists, and human rights defenders around the world. The helpline is a project of Access Now, an NGO that promotes human rights online. The interview ends with 3 simple, practical steps that anyone can take to improve their security.

Kim Burton, security education coordinator at Access Now, works on the digital security helpline.

What makes the kind of targeted digital threat that a human rights defender or an activist might experience different from the threats that ordinary users might face?

The goal is different. When you’re targeting the average individual often these campaigns are really large. They’ll be interested in getting a lot of cash. When someone’s trying to compromise a human rights defender or activist or journalist, it’s usually because they want that person’s information. They want that person’s contacts. They want to be able to intimidate that person so they stop doing the work that they’re doing.

What type of things might prompt someone to contact the helpline?

They could receive an unfriendly email that scares them, and so they’ll bring that email to us. With journalists it’ll be more about protecting information that they’re trying to move out of the country, or it can just be protecting their publishing while they’re online. Often when we get contacted it’s for people who have had their accounts actually hacked. Where the account is posting information that the owner did not post, or it’s completely defaced.

Can you describe the difference between the support that’s typically available for someone in a corporate or government environment with a digital security problem as compared to someone in a non-governmental organization working on human rights or activism?

I think one of the major things is just having someone to call. In a corporate environment they have either an IT group or a person or systems administrator. So you already know who to call. In NGOs [non-governmental organizations], often times, there isn’t an IT person at all. There’s not a systems administrator. The tech support is not available. And part of that is funding. Corporate environments are able to spend a lot more money on salaries, so they’re able to pay the tech people a lot more than they would get in the NGO space.

What can be the direct consequences to the people who are targeted by this kind of threat? 

Unfortunately people can die. That’s one of the things that we have to be aware of every day on the helpline. People do get killed for the information that they have out there. The other consequences are: people’s lives can be ruined, people can be imprisoned, people can have to leave countries, their families can be hurt. The stakes are very high.

Can you define what phishing is?

It’s those emails that say something like “You’ve won a million dollars, click here to receive.” Or something that is a little bit more scary, like “This is your co-worker, I need the password to this account.” It can get more targeted. But everyone receives these — this isn’t unique to the people that we work with. It’s just that the people that we work with might have a higher chance of receiving a more targeted phishing campaign.

What are three easy things people can do to improve their own digital security? 

Number one, always install software updates. Updates are often released to address security vulnerabilities; updating is your first line of defense.

Two, use unique, long, and strong passwords. If your password is leaked in one place, and you have used the same password somewhere else, that other account can be compromised as well. Avoid remembering each of these unique passwords with a password manager, like KeePassX or LastPass. Password managers keep your credentials in an encrypted database and assist you in generating unpredictable strings to use as sturdy logins.

Three, use two-factor authentication when available. Instead of only using a password to protect your account, two-factor requires another “factor” to log in. Like a bank that needs your card and PIN to withdraw from an ATM, you’ll need your password and something else (like an SMS text, generated code, or fingerprint) to access your account. All of the major email providers provide multi-factor authentication, as do many other accounts, like Amazon, Twitter and Facebook; look for it in your security settings.

see also: https://thoolen.wordpress.com/tag/digital-security/

Source: Protecting Activists from Hackers – NY City Lens

HURIDOCS not too worried about the theft of its computers – read why

December 11, 2015

Last weekend, the HURIDOCS office in Geneva and the office of an ally organization were burglarized; two of its desktop computers were stolen. Computers were the only items stolen at both offices, but it’s not possible to say whether the theft was specifically for information stored on the hard drives or just for the computers themselves. Either way, HURIDOCS states confidently in a message that it has not experienced a data breach, because both computers were encrypted and locked with strong passwords. They also didn’t lose any data, because it’s safely stored in Casebox. Here’s how to protect your information and yourself, critical for human rights defenders, in case of physical computer theft:

  1. Lock your computer with a strong and unique password. All passwords should be strong and unique, but this is perhaps most important for your computer itself. Simple passwords are more easily hacked by ‘brute force’ (guessing until success), seen by someone glancing as you type, or determined from camera footage (that’s why Snowden typed his passwords under a blanket in Citizenfour). There are some good tips for better passwords.
  2. Safeguard all passwords. Do not keep your passwords written on paper near your computer. A multitude of secure passwords will be impossible to keep in mind, so we recommend using a password manager like KeePassX instead; KeePassX also rates the strength of your passwords.
  3. Consistently lock your screen when you step away. Theft can happen very quickly and, obviously, unexpectedly.
  4. Encrypt your hard drive. If it’s encrypted, no one else can read it. Check your settings in FileVault on Mac and BitLocker or VeraCrypt on Windows.
  5. Regularly back up your encrypted hard drive to another location. If your computer is stolen, you’ll still have all of your information. If you use a password manager like KeePassX, your backup will include a locked file containing all of your passwords.

To further protect yourself against privacy breaches and malicious threats, we also recommend to:

  1. Scan your hard drive for viruses at least once a week with updated antivirus software like Sophos or Avast.
  2. Update your computer’s operating system and all critical software as soon as updates become available. These updates are often to better protect you from breaches.
  3. Set up two-factor authentication and two-step verification on all critical accounts like email, social networks, Apple ID, and shared workspaces.
  4. Change your passwords often.

HURIDOCS conclusion: If you’ve taken the above steps and your computer is stolen, you won’t need to worry about your data being stolen along with it. We strongly recommend all human rights defenders take these precautions.

 

https://www.huridocs.org/2015/12/steps-to-protect-your-data-computer-theft/