Building Low-Grade Security for Activists (and the Exposed guys are back)

Neat profile on a group of people who work with a decidedly contradictory threat situation: oppressed political NGOs. The groups face the highest levels of attackers, yet their existing security is minimal at best. It’s a fight to get them using even the lowest security defensive measures (like stuff to protect against malware attacks), since the activists and citizens — despite facing jail just for communicating with the outside world — blithely assume Skype and Android are safe.

Stop laughing, people are serving years in jail for making that assumption!

Perhaps the fluid and rapidly shifting nature of these groups precludes high levels of security, but for now the solution seems to be pallative… getting them the tools needed to protect against APT and SSL MITM attacks, and not worrying about the exotic stuff.

(Naivete does seem to play a massive role in this philosophy; quotes like this are seriously not funny: “The fear is that people won’t use or trust their phones to organize and defend themselves. We can’t let that happen.”)

Also: is back! Only it’s now (CAUTION: contains YouTube and Facebook embeds!)

Added to their trophy list are North Korea vetran Dennis Rodman and the head of the NSA, among others. (I feel like the latter completes some sort of a set… and watching all this makes me want to start holding up numbers for each release, like an Olympic ice-skating judge.)

“argeted groups such as the Tibetans and Uyghur living in China or in exile, or other oppressed citizens in Syria, Iran and other political hotspots, rely on technology to communicate and organize resources often under the threat of incarceration or worse. Meanwhile, details of hacks and malware attacks against these groups are bubbling to the surface. Attackers are using malware to not only maintain a persistent presence on laptops and PCs to monitor web activities and steal data from those computers, but they’re moving toward attacks on mobile devices and adding surveillance capabilities to their repertoire.

“It’s a widespread assumption that the Internet, mobile devices, social media are empowering, but [attackers] are finding leverage there to put NGOs at risk,” said Ronald Deibert, director of Citizen Lab, Munk School of Global Affairs at the University of Toronto. “They lack awareness. They’re poorly resourced. They’re left out to dry when it comes to policy; government focuses on the private sector and civil society is left defenseless.”[…]

Citizen Lab is one organization that has done intense research into understanding the threat environment facing those groups NGOs and human rights organizations seek to help. Often, these groups are desperate to communicate with others, and believe that social networks or tools such as Skype and other platforms are safe. But attackers, most of whom are believed to be state-sponsored, have infiltrated these networks and platforms with malware that reports back on the activities of these groups.”

%d bloggers like this: