Michał "rysiek" Woźniak
https://rys.io/

for Tactical Tech Collective / Exposing the Invisible
https://tacticaltech.org/projects/exposing-the-invisible/

• Information Security Officer at ISNIC (.IS)
• Collaborator at Fundacja Reporterów
• Member of the Technical Fact Checking Collective

Formerly

• CISO / Head of Infrastructure at OCCRP

I have no way of knowing your exact needs and specific threats.

One size does not fit all.

As such, this is all illustrative and general.

Do listen to specific advice from information security experts working with you or for your organization.

If your organization does not have such a person, it should (even if just part-time/pro-bono).

I will also list some organizations providing more specific infosec advice for people at risk.

"It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken."

• — Quinn Norton, "Everything is Broken"
  https://medium.com/message/everything-is-broken-81e5f33a24e1

"Dynamic Data Exchange (DDE) was frst introduced in 1987 with the release of Windows 2.0"

• https://en.wikipedia.org/wiki/Dynamic_Data_Exchange

"As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware."

• https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

"Dynamic Data Exchange (DDE) was frst introduced in 1987 with the release of Windows 2.0"

• https://en.wikipedia.org/wiki/Dynamic_Data_Exchange

"As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware."

• https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/

"Antivirus products riddled with security faws, researcher says"

• https://www.pcworld.com/article/2459760/antivirus-products-riddled-with-security-faws-researcher-says.html

"Critical vulnerability found in Microsoft Malware Protection Engine"

• https://www.cyberscoop.com/critical-vulnerability-hits-microsoft-malware-protection-engine/

"Antivirus products riddled with security faws, researcher says"

• https://www.pcworld.com/article/2459760/antivirus-products-riddled-with-security-faws-researcher-says.html

"Critical vulnerability found in Microsoft Malware Protection Engine"

• https://www.cyberscoop.com/critical-vulnerability-hits-microsoft-malware-protection-engine/

"How to crash any iPhone or iPad within WiFi range"

• https://www.tripwire.com/state-of-security/security-data-protection/crash-iphone-wif/

"Experts show how to run malware on chips of a turned-off iPhone"

• https://securityaffairs.co/wordpress/131336/hacking/malware-execution-iphone-turned-off.html

"How to crash any iPhone or iPad within WiFi range"

• https://www.tripwire.com/state-of-security/security-data-protection/crash-iphone-wif/

"Experts show how to run malware on chips of a turned-off iPhone"

• https://securityaffairs.co/wordpress/131336/hacking/malware-execution-iphone-turned-off.html

"[Security Researchers] Remotely Kill A Jeep On The Highway – with Me In It"

• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

"Vehicle manufacturers dismissed prior warnings about flawed security"

• https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research

"[Security Researchers] Remotely Kill A Jeep On The Highway – with Me In It"

• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

"Vehicle manufacturers dismissed prior warnings about flawed security"

• https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research

"[R]esearchers have managed to [break into] and gain access to the self-aiming sniper rifle's computer system."

• https://www.hackread.com/computer-controlled-sniper-rifle-hacked/

"IoT worm can [exploit vulnerabilities in] Philips Hue lightbulbs, spread across cities"

• https://www.theregister.co.uk/2016/11/10/iot_worm_can_hack_philips_hue_lightbulbs_spread_across_cities/

"[Cybercriminals] stole a casino's high-roller database through a thermometer in the lobby fish tank"

• http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4

"Paris Orly airport had to close temporarily last Saturday after the failure of a system running Windows 3.1 – yes, the operating system from 1992 – left it unable to operate in fog."

• https://arstechnica.com/information-technology/2015/11/failed-windows-3-1-system-blamed-for-taking-out-paris-airport/

"Cyberattack Forces a Shutdown of a Top U.S. Pipeline"

• https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html

• Thinking about digital security (and staying sane)
• Risk assessment and threat modelling
• Evaluating tools
• Staying safe in groups
• The broader picture
• Where to get help

"You don’t have to run faster than the bear to get away.
You just have to run faster than the guy next to you."

• — Jim Butcher

Disclaimer: this is a very simplified and quite naïve take on threat modeling; it is used here only as an illustrative example.

• Know your threats
  (the bear)
• Know your resources
  (how fast you can run)

Instead of focusing on particular security tools or practices,
start with questions:

• Who might target you?
• What might they want?
• What can they do?

• How hard/costly is it for them?
  
  

• What are you trying to protect?

• What can you do to prepare?

Standard background threats

• Ransomware, random malware/botnets, Bitcoin miners…
• General phishing
• Low effort, "shotgun" attacks
• Usually not specifically targeted

Somewhat targeted threats

• Script kiddies, pranksters, groups like Anonymous, etc.
• For the lulz/glory/fun/thrill, maybe an axe to grind
• Potentially some targeted phishing
• Medium effort, medium skill

Well-resourced, persistent threats

• Advanced Persistent Threats (APTs), "government-backed attackers", Pegasus, etc.
  • also: industrial actors, organized crime, etc.
• Well-funded, well-resourced
• Very targeted, long-term
• Want to stay hidden

China: Scarlet Mimic, C0d0so, SVCMONDR, Big Panda, Electric Panda, Eloquent Panda, Pale Panda, Sabre Panda, Spicy Panda, Hammer Panda, Wisp Team, Mana Team, TEMP.Zhenbao, SPIVY, Mofang, PassCV, DragonOK, Group 27, Tonto Team, TA459, Tick, Lucky Cat, TEMP.Periscope, BARIUM, LEAD

Russia: Sofacy, APT 29, Turla Group , Energetic Bear, Sandworm, Anunak, FIN7, Inception Framework, TeamSpy Crew, BuhTrap, Carberb, FSB 16^th & 18^th Centers, Cyber Berkut, WhiteBea, GRU GTsST

North Korea: Lazarus Group, APT 37, Bluenorof, Andariel, Kimsuki, NoName, OnionDog, TEMP.Hermit

Iran: Cutting Kitten, Shamoon, Clever Kitten, Madi, Cyber fghters of Izz Ad-Din Al Qassam, Chafer, Cadelle, Prince of Persia, Sima, Oilrig, CopyKittens, Charming Kitten, Greenbug , Magic Hound, Rocket Kitten, ITSecTeam, MuddyWater, Mabna Institute

Israel: Unit 8200, Duqu Group, SunFlower, NSO Group

NATO: Equation Group, Snowglobe, Slingshot

Middle East: Molerats, AridViper, Volatile Cedar, Syrian Electronic Army (SEA), Cyber Caliphate Army (CCA), Ghost Jackal, Corsair Jackal, Extreme Jackal, Dark Caracal

Others: Corsair Jackal, The Mask, El Machete, Patchwork, Hellsing APT, Wild Neutron, Sykipot, Platinum, Magnetic Spider, Danti, SVCMONDR, Transparent Tribe, Singing Spider, Union Spider, Andromeda Spider, Dextorous Spider, APT 32, BlackOasis, NEODYMIUM, PROMETHIUM, Boson Spider, Carbon Spider, Hound Spider, Indrik Spider, Mimic Spider, Pizzo Spider, Shark Spider, Static Spider, Wicked Spider, Wold Spider, Zombie Spider, Cobalt Spider, Overlord Spider, Bamboo Spider, Monty Spider, Wizard Spider, Curious Jackal, Extreme Jackal, Gekko Jackal, Shifty Jackal, Dundeon Spider, Mummy Spider, Skeleton Spider, Mythic Leopard

• https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit

• Specific private or sensitive information
• Casting a wide net, just "listening in"
• Destruction or manipulation of information
• Denial of service
• Targeting someone else
  (It's not just about you!)

• Specific private or sensitive information
• Casting a wide net, just "listening in"
• Destruction or manipulation of information
• Denial of service
• Targeting someone else
  (It's not just about you!)

• Harass?
• Threaten physically?
• Surveil online?
• Remotely compromise devices?
• Abuse the legal system?

Cost can be financial…

…but it can also be related to reputation or political damage.

"One such firm, Zerodium, acquired an exploit chain similar to the Trident for one million dollars in November 2015."

• https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

"[A] zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million."

• https://www.zdnet.com/article/android-exploits-are-now-worth-more-than-ios-exploits-for-the-first-time/

Cost can be financial…

…but it can also be related to reputation or political damage.

"Israeli spyware company NSO Group placed on US blacklist"

• https://www.theguardian.com/us-news/2021/nov/03/nso-group-pegasus-spyware-us-blacklist

"The Macedonian surveillance scandal that brought down a government"

• https://www.computerweekly.com/feature/The-Macedonian-surveillance-scandal-that-brought-down-a-government

• Confidentiality
• Integrity
• Availability
  
  

These are often conflicting concerns!

• No such thing as perfect security
• The closer to perfect you get, the harder and more costly it becomes
  
  
• No need for perfect, just good enough
  ("running from a bear...")

• No such thing as perfect security
• The closer to perfect you get, the harder and more costly it becomes
  
  
• No need for perfect, just good enough
  ("You don’t have to run faster than the bear…")

• Security is like hygiene, not surgery
• Security is a process, not a state
• We’re all in this together
• Small improvements matter

• What you're feeling right now
• Thinking about security is exhausting
• One mistake is often enough

• Minimize hassle
• Maximize effect
• Very few "moving parts"
  • which are well-understood

• It's good to be a tiny bit paranoid
• Too much puts you at risk
• ...and makes it easy to miss details

• Stress causes "tunnel vision"
• Phishing and social engineering rely on that

"Ryszard, vote in our poll about our Senate candidate! It's ending very soon!
<malicious link>"

• https://niebezpiecznik.pl/post/sms-pegazus-brejza-losko-android/

"New secrets about torture of Emiratis in state prisons
<malicious link>"

• https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

"We find that phishing attack traffic skyrocketed to 220% of its pre-COVID-19 rate, exceeding typical seasonal spikes, with attackers exploiting victims’ uncertainties about and fears of the pandemic"

• https://www.ftc.gov/system/files/documents/public_events/1582978/scam_pandemic_how_attackers_exploit_public_fear_through_phishing.pdf

• Emotional response is a red flag
• When in doubt:
  • take a deep breath
    (almost any task can wait a few minutes)
  • talk to someone
    (using a different channel)

• Person received an e-mail:

  I have shared an urgent document with you in Dropbox
  <link>

• E-mail apparently sent by their acquaintance
• Person clicks, provides credentials

• Plenty of red flags…
  • first time ever the acquaintance shared a Dropbox link
  • Wrong domain, no HTTPS
  • This is not how login-via-Google works

• …All missed due to tunnel vision
  • "urgent"
  • curiosity
  • person was too focused on the task ("get the document")
    to notice problems with the process

• Turned out to be a run-of-the-mill, non-targeted phishing campaign
• Acquaintance's e-mail account had been compromised first
• Attackers then targeted contacts gathered from their e-mails

Best way to attack you might be through your friends/colleagues.
Best way to attack your friends/colleagues might be through you.

Your security practices have material effect on the security of others in your environment.

It's not just about you.

Best way to attack you might be through your friends/colleagues.
Best way to attack your friends/colleagues might be through you.

Your security practices have material effect on the security of others in your environment.

It's not just about you.

• Disk or memory encryption
• Regular and tested backups
• Password managers
• Multifactor authentication
• Regular updates
• Compartmentalization of information

• Memory encryption on your mobile devices
• Full disk encryption on your laptop
  
  
• Doesn't help if someone grabs your unlocked device!

• Untested backup is no backup at all
• Stale backup is a useless backup
• Encrypt your backups

https://nordpass.com/most-common-passwords-list/

• You will forget your password
  • password you forget is useless
• If you don’t forget your password, it's probably too weak
• Use a password manager

• Generate different random passwords for different services
  • No matter how "unimportant" the service is
• When you have to remember, use passphrases
  • Make sure to use them regularly, to not forget
• Never re-use passwords
• Multifactor authentication on everything

• Five words is okay-ish, seven is good
  https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
• Generate random passphrases
  • using diceware
  • in password managers

• Any is better than none
• Time-based codes (TOTP, "authenticator apps")
  better than SMS/voice call codes
• Use hardware keys / security tokens when possible

"Citizen Lab said it reported its findings to Apple on
September 7."

• https://techcrunch.com/2021/09/13/apple-zero-day-nso-pegasus/

"Today, September 13^th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices."

• https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals"

• https://www.wired.com/story/apple-imessage-zero-click-hacks/

"Citizen Lab said it reported its findings to Apple on
September 7."

• https://techcrunch.com/2021/09/13/apple-zero-day-nso-pegasus/

"Today, September 13^th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices."

• https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals"

• https://www.wired.com/story/apple-imessage-zero-click-hacks/

"Citizen Lab said it reported its findings to Apple on
September 7."

• https://techcrunch.com/2021/09/13/apple-zero-day-nso-pegasus/

"Today, September 13^th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices."

• https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/

"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals"

• https://www.wired.com/story/apple-imessage-zero-click-hacks/

• …by organizational means
  • need-to-know
• …by technical means
  • different devices
  • different browsers
  • different channels
  • different accounts

• Targeted phishing attack successfully tricks a person
  • Phishing site almost a pixel-perfect copy of a real internal service
  • Phishing site used a look-alike domain with HTTPS
• The person tries multiple passwords, unsure which one is the "right one"
• One of the provided passwords then used to sign into their e-mail account

• Password re-use made the person unsure "which password was the right one", and thus try several
• Using a password manager would have:
  • stopped the person from sharing more than one password
  • helped raise a red flag: "why doesn't my password work"

• Multifactor authentication would have stopped the attackers from actually signing into the e-mail account
• E-mail encryption helped, sensitive e-mails were encrypted and remained inaccessible to the attacker
• Later analysis showed at least 3 months of attack preparation

A different, but just as sophisticated attack was thwarted later, because the targeted person "had a hunch" and just… asked to verify.

Three-month preparation down the drain.

Trust your hunches.

A different, but just as sophisticated attack was thwarted later, because the targeted person "had a hunch" and just… asked to verify.

Three-month preparation down the drain.

Trust your hunches.

These are guidelines and potential red flags, not strict rules.

For example, there are tools that are closed source and just fine. There are also tools that are open-source, and completely crap.

This list has no particular order. Importance of items changes depending on the particular situation.

• Is the code/protocol open?
  Has it been audited?
• Is it safe by default?
  Is it easy to use correctly?
• Who controls the (meta)data?
  Where does it run?
• Buzzwords ("cloud", "cyber", "military-grade", etc)?
  Deceptive or deceitful communication?
• Does it fit my threat model and needs?

Open, audited?

• "All Telegram client apps are fully open source."
  https://telegram.org/faq#q-can-i-get-telegram-39s-server-side-code

• "Multiple encryption flaws uncovered in Telegram messaging protocol"
  "The traits of MTProto pointed out by the group of researchers from the University of London and ETH Zurich were not critical, as they didn't allow anyone to decipher Telegram messages."
  https://portswigger.net/daily-swig/multiple-encryption-flaws-uncovered-in-telegram-messaging-protocol

Safe by default?
Easy to use correctly?

• "Messages are not end to end encrypted by default. There is no way to opportunistically encrypt an existing session. Instead users must select a “New Secret Chat” and then start chatting. This is error prone."
  https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a

• "Telegram does not provide end-to-end encryption of group chats, and it is disabled by default for two person chats."
  https://nitter.eu/esultanik/status/1129026682260721666

Who controls the (meta)data?
Where does it run?

• "As with most instant messaging protocols, Telegram uses centralized servers. (...) Telegram's server-side software is closed-source and proprietary."
  https://en.wikipedia.org/wiki/Telegram_(software)#Servers

• "[W]e may collect metadata such as your IP address, devices and Telegram apps you've used, history of username changes, etc."
  https://telegram.org/privacy#5-2-safety-and-security

• "The entirety of users' chat history is stored on Telegram servers." https://hackernoon.com/7-reason-why-telegram-is-insecure-by-design-but-millions-still-flock-to-it-ignoring-privacy-concerns-qq1o344c

Buzzwords?
Deceptive or deceitful communication?

• "Telegram messages are heavily encrypted"
  "Telegram keeps your messages safe from hacker attacks."
  https://telegram.org/

• "All Telegram messages are always securely encrypted"
  https://telegram.org/faq#q-why-not-just-make-all-chats-39secret-39

• "Telegram brands itself as a "secure" app and says its chats are "highly encrypted". (…) Secret chats are end-to-end encrypted, but not regular chats. Telegram's website says nothing about groups being end-to-end encrypted (they are not), so many users may mistakenly believe that they are."
  https://hackernoon.com/7-reason-why-telegram-is-insecure-by-design-but-millions-still-flock-to-it-ignoring-privacy-concerns-qq1o344c

Does it fit my threat model and needs?

• "Police officers in Moscow today are stopping people, demanding to see their phones, READING THEIR MESSAGES, and refusing to release them if they refuse."
  https://nitter.it/KevinRothrock/status/1500458582902460420

• "Telegram overtakes WhatsApp as Russia’s top messaging app"
  https://english.alarabiya.net/business/technology/2022/03/21/Telegram-overtakes-WhatsApp-as-Russia-s-top-messaging-app

• Would I generally recommend Telegram?
  absolutely not
  • Deceptive communication around encryption
  • Easy to forget to enable end-to-end encryption
  • Suspect metadata collection practices

• Would I consider using it if in Russia?
  possibly
  • Having Signal or Briar installed might be seen as suspicious by the police
  • If used carefully and being mindful of it's problems, Telegram might be good enough in these very specific circumstances

"[T]he WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 [NHS] hospitals in Britain that were forced to divert patients"

• https://www.fiercehealthcare.com/tech/lingering-impacts-from-wannacry-40-healthcare-organizations-suffered-from-attack-past-6-months

"The WannaCry ransomware attack (...) propagated through EternalBlue"

• https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

"EternalBlue is an exploit developed by the [NSA] according to testimony by former NSA employees. It was leaked by the Shadow Brokers"

• https://en.wikipedia.org/wiki/EternalBlue

"[T]he WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 [NHS] hospitals in Britain that were forced to divert patients"

• https://www.fiercehealthcare.com/tech/lingering-impacts-from-wannacry-40-healthcare-organizations-suffered-from-attack-past-6-months

"The WannaCry ransomware attack (...) propagated through EternalBlue"

• https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

"EternalBlue is an exploit developed by the [NSA] according to testimony by former NSA employees. It was leaked by the Shadow Brokers"

• https://en.wikipedia.org/wiki/EternalBlue

"[T]he WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 [NHS] hospitals in Britain that were forced to divert patients"

• https://www.fiercehealthcare.com/tech/lingering-impacts-from-wannacry-40-healthcare-organizations-suffered-from-attack-past-6-months

"The WannaCry ransomware attack (...) propagated through EternalBlue"

• https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

"EternalBlue is an exploit developed by the [NSA] according to testimony by former NSA employees. It was leaked by the Shadow Brokers"

• https://en.wikipedia.org/wiki/EternalBlue

"In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit. (…)
Kaspersky Lab referred to this new version as NotPetya."

• https://en.wikipedia.org/wiki/Petya_and_NotPetya

"How NotPetya accidentally took down global shipping giant Maersk"

• https://www.industrialcybersecuritypulse.com/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/

"In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit. (…)
Kaspersky Lab referred to this new version as NotPetya."

• https://en.wikipedia.org/wiki/Petya_and_NotPetya

"How NotPetya accidentally took down global shipping giant Maersk"

• https://www.industrialcybersecuritypulse.com/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/

This story again:

US National Security Agency's security failure provided criminal ransomware groups and Russian cyber-sabotage agencies with weaponized vulnerabilities affecting globally used software.

Their attacks forced hospitals to turn away patients and adversely affected global logistics.

NSA could have informed the vendors about vulnerabilities found in their products, instead of weaponizing them, which would have helped make critical software more secure.

"[Security Researchers] Remotely Kill A Jeep On The Highway
– with Me In It"

• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

"Vehicle manufacturers dismissed prior warnings about flawed security"

• https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research

"Hackers Remotely Kill A Jeep On The Highway
– with Me In It"

• https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

"Vehicle manufacturers dismissed prior warnings about flawed security"

• https://www.eff.org/deeplinks/2015/07/jeep-hack-shows-why-dmca-must-get-out-way-vehicle-security-research

"[R]esearchers have managed to [break into] and gain access to
the self-aiming sniper rifle's computer system."

• https://www.hackread.com/computer-controlled-sniper-rifle-hacked/

"IoT worm can [exploit vulnerabilities in] Philips Hue lightbulbs,
spread across cities"

• https://www.theregister.co.uk/2016/11/10/iot_worm_can_hack_philips_hue_lightbulbs_spread_across_cities/

"[Cybercriminals] stole a casino's high-roller database through a
thermometer in the lobby fish tank"

• http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4

"[R]esearchers have managed to hack and gain access to
the self-aiming sniper rifle's computer system."

• https://www.hackread.com/computer-controlled-sniper-rifle-hacked/

"IoT worm can hack Philips Hue lightbulbs,
spread across cities"

• https://www.theregister.co.uk/2016/11/10/iot_worm_can_hack_philips_hue_lightbulbs_spread_across_cities/

"Hackers stole a casino's high-roller database through a
thermometer in the lobby fish tank"

• http://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4

This story again:

Internet of Things devices hilariously and dangerously insecure.

Jeep, Philips, other IoT device manufacturers sell faulty, potentially life-threatening products, ignore warnings from security researchers.

• Framing matters
• Language matters
• Don't write…
  • …"hackers" when you mean "cybercriminals"
  • …"hack" when you mean "compromise"

How we talk about problems
defines how we think about solutions.

• Digital Security Helpline, by Access Now
  https://www.accessnow.org/help/

• CiviCERT
  https://www.civicert.org/

• Helpdesk, by Reporters Without Borders
  https://helpdesk.rsf.org/

• CERT NGO (for Polish speakers)
  https://cert.ngo/

Useful resources

• "Holistic Security", by Tactical Tech Collective
  https://holistic-security.tacticaltech.org/

• "Digital Protection Resources", by Frontline Defenders
  https://www.frontlinedefenders.org/en/digital-protection-resources

• "Phishing Quiz", by Google Jigsaw
  https://phishingquiz.withgoogle.com/

• WITNESS Guides and Resources for video activists, trainers and their allies.
  https://www.witness.org/resources/

Useful resources

• "Online Harassment: Strategies for Journalists’ Defense"
  https://journalismcourses.org/course/onlineharassment/

• "Protocol for newsrooms to support journalists
  targeted with online harassment"
  https://newsrooms-ontheline.ipi.media/wp-content/uploads/2020/02/IPI_newsrooms_protocol_address_online_harassment_ok_022020.pdf

• Chayn: Supporting survivors of abuse across borders
  https://www.chayn.co/

These are community-driven, and should not be seen as a replacement for dedicated information security experts working with you on a regular basis.

However, they may be a good place to find volunteers that could help.

• Cryptoparties
  https://www.cryptoparty.in/location

• Hackerspaces
  https://wiki.hackerspaces.org/List_of_Hacker_Spaces