Posts Tagged ‘hacking’

Novalpina urged to come clean about targeting human rights defenders

February 19, 2019

In an open letter released today, 18 February 2019, Amnesty International, Human Rights Watch and five other NGOs urged Novalpina to publicly commit to accountability for NSO Group’s past spyware abuses, including the targeting of an Amnesty International employee and the alleged targeting of Jamal Khashoggi. [see also: https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/]

Danna Ingleton, Deputy Director of Amnesty Tech, said: “Novalpina’s executives have serious questions to answer about their involvement with a company which has become the go-to surveillance tool for abusive governments. This sale comes in the wake of reports that NSO paid private operatives to physically intimidate individuals trying to investigate its role in attacks on human rights defenders – further proof that NSO is an extremely dangerous entity.

We are calling on Novalpina to confirm an immediate end to the sale or further maintenance of NSO products to governments which have been accused of using surveillance to violate human rights. It must also be completely transparent about its plans to prevent further abuses.

This could be an opportunity to finally hold NSO Group to account. Novalpina must commit to fully engaging with investigations into past abuses of NSO’s spyware, and ensure that neither NSO Group nor its previous owners, Francisco Partners, are let off the hook.”

The signatories to the letter are:

  • Amnesty International
  • R3D: Red en Defensa de los Derechos Digitales
  • Privacy International
  • Access Now
  • Human Rights Watch
  • Reporters Without Borders
  • Robert L. Bernstein Institute for Human Rights, NYU School of Law and Global Justice Clinic, NYU School of Law

https://www.amnesty.org/en/latest/news/2019/02/spyware-firm-buyout-reaffirms-urgent-need-for-justice-for-targeted-activists/

https://www.amnesty.org/en/latest/research/2019/02/open-letter-to-novalpina-capital-nso-group-and-francisco-partners/

European Parliament votes to restrict exports of surveillance equipment

January 22, 2018

Members of the European Parliament have voted to curb export of surveillance equipment to states with poor human rights records, following mounting evidence that equipment supplied by companies in Europe has been used by oppressive regimes to suppress political opponents, journalists and campaigners. MEPs in Strasbourg agreed on 17 January to extend EU export controls to include new restrictions on the export of surveillance equipment, including devices for intercepting mobile phones, hacking computers, circumventing passwords and identifying internet users. The proposals also seek to remove encryption technologies from the list of technologies covered by EU export controls, in a move which aims to make it easier for people living in oppressive regimes to gain access to secure communications which can circumvent state surveillance.

Dictators spy on their citizens using EU cyber-surveillance. This must stop. The EU cannot contribute to the suffering of courageous activists, who often risk their lives for freedom and democracy,” said MEP Klaus Buchner, European Parliament rapporteur. “We are determined to close dangerous gaps in the export of dual-use goods and call on member states to follow suit.”

The proposed changes to the EU dual use export control regime are likely to face opposition from the defence industry and governments, as the European Parliament, and the European Commission prepare to negotiate their implantation with Europe’s 28 member states.

European technology companies, including UK firms, have supplied equipment that  has been used for arresting, torturing, and killing people in Iran, Egypt, Ethiopia, and Morocco, according to the European Parliament. An investigation by Computer Weekly revealed that the UK government had approved export licences to Gamma International (UK) to supply mobile phone interception equipment, known as IMSI catchers, to Macedonia, when the regime was engaged in a massive illegal surveillance operation against the public and political opponents.

And the UK’s largest arms manufacturer, BAE Systems, has exported equipment capable of mass internet surveillance to countries that campaigners say regularly commit human rights abuses, including Saudi Arabia, Qatar, Oman, Morocco and Algeria. An overwhelming majority of MEPs supported reforms to the EU’s export control regime, which will require member states to deny export licences if the export of surveillance technology is likely to lead to a serious impact on human rights in the destination country. The proposed changes, backed by 571 votes to 29 against, with 29 abstentions, will impose tough requirements for EU governments.

Member states will be required to assess the likely impact of surveillance technology on citizens’ right to privacy, freedom of speech, and freedom of association, in the destination country before they grant  export licences – a significant step up from current levels of scrutiny.

The proposed rules contain safeguards, however, that will allow legitimate cyber-security research to continue. Companies exporting products that are not specifically listed will be expected to follow the OECD’s “due diligence” guidelines, if there is a risk they could support human-rights violations.

Improved transparency measures will require member states to record and make data on approved and declined export licences publicly available, opening up the secretive global trade in surveillance technologies to greater public scrutiny.

http://www.computerweekly.com/news/252433519/European-Parliament-votes-to-restrict-exports-of-surveillance-equipment

Snowden claims his Haven is safe

December 28, 2017

US whistle-blower Edward Snowden has helped create an Android app designed to protect the possessions of journalists and human rights defenders. The software uses sensors – including a phone’s camera, microphone, gyroscope and accelerometer – to detect intruders tampering with someone’s possessions. It is open source, meaning its code can be inspected. It is designed to be used on a “second” smartphone that can be left with the possessions a user wishes to monitor. The app was created as a joint venture between The Guardian Project and Freedom of the Press Foundation, of which Edward Snowden is board president.

Haven turns any spare android phone into a safe room that fits in your pocket,” claims Edward Snowden. In an age where our digital security is at more risk than our physical security, Snowden claims that Haven will change the game of cyber surveillance.

Here’s how it works: once you install the app, it uses the smartphone’s in-built equipment, like cameras, light sensor and microphones, to monitor for any motion, sound or disturbance of the phone. As explained by WIRED: “Leave the app running in your hotel room, for instance, and it can capture photos and audio of anyone entering the room while you’re out, whether an innocent housekeeper or an intelligence agent trying to use his alone time with your laptop to install spyware on it.” Alerts can be sent to your phone, via SMS, Signal or to a Tor-based website.

You shouldn’t have to be saving the world to benefit from Haven,said Snowden, though the app’s primary users are meant to be investigative journalists, human rights defenders, and other people at risk of forced disappearance.

see also: https://humanrightsdefenders.blog/2016/09/29/edward-snowden-can-still-not-collect-his-awards/

——-

https://video.scroll.in/862821/watch-nsa-whistleblower-edward-snowdens-app-turns-your-phone-into-a-physical-security-system

https://www.thequint.com/tech-and-auto/tech-news/edward-snowden-data-privacy-haven-app-android-released

http://www.bbc.co.uk/news/technology-42493028

Ahmed Mansoor, MEA Laureate 2015, arrested in middle-of-the-night raid in Emirates

March 21, 2017

Ahmed Mansoor’s whereabouts are unknown © Martin Ennals Foundation

On 20 March, 2017, around midnight, Mr. Ahmed Mansoor was arrested at his home in Ajman, UAE, by a large team of the Emirates’ security forces. The Government has finally confirmed that it is holding him, but until today we don’t know where. The reasons for his arrest remain unknown but might be linked to a series of tweets he posted on Twitter in recent days, calling for the release of UAE human rights defender Osama Al-Najjar or to a letter that he signed, along with other activists in the region, calling for the release of all prisoners of conscience in the Middle East ahead of an Arab League Summit scheduled to be held in Jordan on 29 March 2017.

Following a massive crackdown on human rights defenders in the UAE in recent years, Ahmed Mansoor is today widely respected as the only independent voice still speaking out through his blog and Twitter account against human rights violations from inside the country. He was the Laureate of the Martin Ennals Award 2015. [https://humanrightsdefenders.blog/2015/10/07/the-link-to-the-full-mea-2015-ceremony-of-6-october/]. Mr. Mansoor has faced repeated intimidation, harassment, and death threats from the UAE authorities or their supporters, including arrest and imprisonment in 2011 following an unfair trial. Although pardoned and released later that year, the UAE authorities have arbitrarily imposed a travel ban on him. [https://humanrightsdefenders.blog/2015/09/15/fly-emirates-if-the-emirs-let-you/]

In August 2016 Ahmed Mansoor was at the centre of a hacking scandal involving Apple’s iOS operating system [https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/]

Sources:

UAE: alarm at middle-of-the-night arrest of leading human rights activist | Amnesty International UK

http://www.omct.org/human-rights-defenders/urgent-interventions/united-arab-emirates/2017/03/d24255/

Security Without Borders offers free security help to human rights defenders

January 10, 2017

Network World of 3 January 2017 carried an interesting piece on Claudio Guarnieri who launched Security Without Borders which offers free cybersecurity help to journalists, activists and human rights defenders.

For all the wonderful things that the internet has given us, the internet also has been turned into a tool for repression. Nation states have deep pockets and use the imbalance to their own advantage. Technology has been used “to curb dissent, to censor information, to identify and monitor people.” ..Billions of dollars have been poured into surveillance—both passive and active.”Sadly, electronic surveillance and censorship have become so commonplace that nowadays people can get arrested for a tweet. There are places were dissidents are hunted down, using crypto is illegal, where sites are blocked and even internet access can be cut off. “Those who face imprisonment and violence in the pursuit of justice and democracy cannot succeed if they don’t communicate securely as well as remain safe online.”

Security “is a precondition for privacy, which is the key enabler for freedom of expression.” He was not implying that the security should come from big firms, either, since big security businesses often need contracts with the government and are dependent on the national security sector. So, Guarnieri turned to the hacker community and launched Security Without Borders, which “is an open collective of hackers and cybersecurity professionals who volunteer with assisting journalists, human rights defenders, and non-profit organizations with cyber security issues.”

security without borders

The website Security Without Borders has a big red button labeled “Request Assistance.” Activists, journalists and human rights defenders are encouraged to reach out for help. The group of “penetration testers, malware analysts, developers, engineers, system administrators and hackers” from all walks of life offer cybersecurity help. We can assist with web security assessments, conduct breach investigations and analysis, and generally act as an advisor in questions pertaining to cybersecurity. As security services are often expensive to come by, SWB offers these services free to organizations and people fighting against human rights abuse, racism, and other injustices.

When requesting help, you are asked to give your name or organization’s name, an email address, a description of the work you do and what kind of help you need. Hackers and computer security geeks who support freedom of speech are also encouraged to reach out and volunteer their skills.

There is still on-going discussions on the mailing list on issues such as trust and where to draw the line for extending free help to specific groups. Security Without Borders is just getting off the ground, and will have to deal with some of the same problems that earlier efforts in this area face, see e.g:  https://humanrightsdefenders.blog/2016/08/25/datnav-new-guide-to-navigate-and-integrate-digital-data-in-human-rights-research/ and https://humanrightsdefenders.blog/2016/10/31/protecting-human-rights-defenders-from-hackers-and-improving-digital-security/

Sources:

Security Without Borders: Free security help for dissidents | Network World

http://motherboard.vice.com/read/hacker-claudio-guarnieri-security-without-borders-political-dissidents

Protecting human rights defenders from hackers and improving digital security

October 31, 2016

Joshua Oliver on 14 October, 2016 interviewed for NY City Lens, Kim Burton of Access Now about the digital security dangers faced by human rights defenders. A recent example is what happened to Ahmed Mansoor [https://thoolen.wordpress.com/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/] but there are many other cases. The staff of the Digital Security Helpline offers free, 24/7 technical support and advice on digital security to activists, journalists, and human rights defenders around the world. It is a project of Access Now, an NGO that promotes human rights online. The interview ends with 3 simple practical steps that any person can do to improve their security.

Kim Burton, security education coordinator at Access Now, works on the digital security helpline.

Kim Burton, security education coordinator at Access Now, works on the digital security helpline.

What makes the kind of targeted digital threat that a human rights defender or an activist might experience different from the threats that ordinary users might face?

The goal is different. When you’re targeting the average individual often these campaigns are really large. They’ll be interested in getting a lot of cash. When someone’s trying to compromise a human rights defender or activist or journalist, it’s usually because they want that person’s information. They want that person’s contacts. They want to be able to intimidate that person so they stop doing the work that they’re doing.

What type of things might prompt someone to contact the helpline?

They could receive an unfriendly email that scares them, and so they’ll bring that email to us. With journalists it’ll be more about protecting information that they’re trying to move out of the country, or it can just be protecting their publishing while they’re online. Often when we get contacted it’s for people who have had their accounts actually hacked. Where the account is posting information that the owner did not post, or it’s completely defaced.

Can you describe the difference between the support that’s typically available for someone in a corporate or government environment with a digital security problem as compared to someone in a non-governmental organization working on human rights or activism?

I think one of the major things is just having someone to call. In a corporate environment they have either an IT group or a person or systems administrator. So you already know who to call. In NGOs [non-governmental organizations], often times, there isn’t an IT person at all. There’s not a systems administrator. The tech support is not available. And part of that is funding. Corporate environments are able to spend a lot more money on salaries, so they’re able to pay the tech people a lot more than they would get in the NGO space.

What can be the direct consequences to the people who are targeted by this kind of threat? 

Unfortunately people can die. That’s one of the things that we have to be aware of every day on the helpline. People do get killed for the information that they have out there. The other consequences are: people’s lives can be ruined, people can be imprisoned, people can have to leave countries, their families can be hurt. The stakes are very high.

Can you define what phishing is?

It’s those emails that say something like “You’ve won a million dollars, click here to receive.” Or something that is a little bit more scary, like “This is your co-worker, I need the password to this account.” It can get more targeted. But everyone receives these — this isn’t unique to the people that we work with. It’s just that the people that we work with might have a higher chance of receiving a more targeted phishing campaign.

What are three easy things people can do to improve their own digital security? 

Number one, always install software updates. Updates are often released to address security vulnerabilities; updating is your first line of defense.

Two, use unique, long, and strong passwords. If your password is leaked in one place, and you have used the same password somewhere else, that other account can be compromised as well. Avoid remembering each of these unique passwords with a password manager, like KeePassX or LastPass. Password managers keep your credentials in an encrypted database and assist you in generating unpredictable strings to use as sturdy logins.

Three, use two-factor authentication when available. Instead of only using a password to protect your account, two-factor requires another “factor” to log in. Like a bank that needs your card and PIN to withdraw from an ATM, you’ll need your password and something else (like a SMS text, generated code, or fingerprint) to access your account. All of the major email providers provide multi-factor authentication, as do many other accounts, like Amazon, Twitter and Facebook; look for it in your security settings.

see also: https://thoolen.wordpress.com/tag/digital-security/

Source: Protecting Activists from Hackers – NY City Lens

Apple tackles iPhone one-tap spyware flaws after MEA Laureate discovers hacking attempt

August 29, 2016

Ahmed Mansoor, the Laureate of the Martin Ennals Award 2015, was the target of a major hacking attempt. Fortunately it received global coverage on 26 and 27 August 2016 and Apple has immediately issued a security update to address the vulnerabilities. [For those with Iphones/Ipads, you may want to update your IOS software to 9.3.5!]


Ahmed MansoorImage copyrightAP – human rights defender Ahmed Mansoor

The flaws in Apple’s iOS operating system were discovered by Mansoor who alerted security researchers to unsolicited text messages he had received on 10 and 11 August. They discovered three previously unknown flaws within Apple’s code that meant spyware could be installed with a single tap. Apple has since released a software update that addresses the problem. The two security firms involved, Citizen Lab and Lookout, said they had held back details of the discovery until the fix had been issued.

The texts promised to reveal “secrets” about people allegedly being tortured in the United Arab Emirates (UAE)’s jails if he tapped the links. Had he done so, Citizen Lab says, his iPhone 6 would have been “jailbroken”, meaning unauthorised software could have been installed. “Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” said Citizen Lab. The researchers say they believe the spyware involved was created by NSO Group, an Israeli “cyber-war” company.

Text message
The spyware would have been installed if Mansoor had tapped on the links. Image copyright CITIZENLAB

For more on Mansoor: https://thoolen.wordpress.com/tag/ahmed-mansoor/

Sources:

http://www.bbc.com/news/technology-37185544

https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/  (from the researchers who identified the vulnerabilities. Good summary followed by full technical analysis)

http://www.dailymail.co.uk/sciencetech/article-3758671/Apple-boosts-iPhone-security-Mideast-spyware-discovery.html

For HRDs digital surveillance can mark the difference between life and death says Mary Lawlor

September 22, 2013

This blog has tried to pay regularly attention to the crucial issue of electronic security and referred to the different proposal that aim to redress the situation in favour of human rights defenders. In a column of Friday 20 September the Director of Front Line, Mary Lawlor, writes about the digital security programme “Security in a Box” which her organisation and the Tactical Technology collective started some years ago. For Sunday reading here the whole text:

Mary Lawlor

ARE YOU AWARE that the recording device on your smartphone can be activated remotely and record sensitive conversations? And that the webcam on your PC can film inside your office without you knowing?

For most people, debates about the snooping NSA and GCHQ are little more than great material for a chat down the pub, but for human rights defenders around the world, digital security is synonymous with personal security. For a gay rights campaigner in Honduras or a trade unionist in Colombia, safety from interception of communications or seizure of data can be the difference between freedom or imprisonment, life or death.

Digital surveillance has been described as “connecting the boot to the brain of the repressive regime”. Governments are developing the capacity to manipulate, monitor and subvert electronic information. Surveillance and censorship is growing and the lack of security for digitally stored or communicated information is becoming a major problem for human rights defenders in many countries.

By hacking into the computer system of a human rights organisation, governments or hostile hackers can access sensitive information, including the details of the organisation’s members and supporters. They can also install spyware or viruses to monitor or disrupt the work of the organisation.

Dangerous in the wrong hands

One of the best-documented cyber attacks on an NGO was the hacking of the Political Prisoner’s Solidarity Committee, a Colombian human rights organisation. The organisation’s email account was hacked and used to send malicious viruses and spam messages, and all employee work email accounts were deleted.

The hacked email account was also used to send threatening emails to a member of the organisation based in a different region. Their offices were broken into and the hard disk of one computer was stolen and replaced with a faulty one. Spyware was found on the computer used to maintain the organisation’s website; this recorded all the information on the computer and sent it via the internet to an unknown location. This cyber attack also coincided with a wave of anonymous phone calls and direct threats to staff members.

In this digital age how can human rights defenders make sure their online communications and their data are safe and that they are not putting themselves or colleagues in danger?

This is where Front Line Defenders is able to give practical help. With a security grant from Front Line Defenders, the Political Prisoner’s Solidarity Committee installed a new secured server and router, and upgraded their whole computer security system. We also organised a workshop on digital security for all the members of their organisation.

This was useful for a seriously at-risk organisation. But there are effective steps all of us can take to stay safe. Most of us have a computer or laptop and most have a password. That password is probably a cat’s name or a daughter’s name – which can be broken in about 10 seconds. Simply by changing your password to a longer one which combines upper case, lower case and digits makes the password virtually unbreakable and is a simple, first step to improve your online security.

“Back doors”

Recent revelations have shown that even encrypted communications that were previously thought to be secure have been built with deliberately included “back doors”, so that organisations like the NSA and GCHQ can access information that people think is secret. One protection against these built-in weaknesses is to use open-source software – this is software not provided by a big-name company like Microsoft or Apple, but one in which the workings of the software are made available for all to see, so that any such intended weakness in the encryption would be spotted and exposed by the global community of digital security experts.

Even if authorities or malicious hackers can’t see what you’re communicating, it can still be possible for them to see when you communicate and with whom. The Tactical Technology Collective has said, “If you use a computer, surf the internet, text your friends via a mobile phone or shop online – you leave a digital shadow.” If you want to find out the size of your digital shadow, and more importantly want to know what you can do about it, visit their award-winning website myshadow.org.

Security in-a-box (available onlineis a collaborative effort of the Tactical Technology collective and Front Line Defenders. It was created to meet the digital security and privacy needs of advocates and human rights defenders, but can also be used by members of the public.Security in-a-box includes a how-to booklet  which addresses a number of important digital security issues.

It also provides a collection of Hands-on Guides, each of which includes a particular freeware or open source software tool, as well as instructions on how you can use that tool to secure your computer, protect your information or maintain the privacy of your internet communication.

A clear understanding of the risks

When we started our Digital Security Programme we only ran one or two trainings per year. Now we are organising workshops on digital security all over the world, sometimes in secret locations for human rights defenders from countries where even to use the word “encryption” in an email would bring you under the eagle eye of the security services.

Electronic communication enables human rights defenders to network and cooperate as never before but survival depends on having a clear understanding of the risks involved and the need for a well thought-out digital security strategy.

Column: For some people, digital surveillance can mark the difference between life and death.