Michał "rysiek" Woźniak
https://rys.io/
for Tactical Tech Collective / Exposing the Invisible
https://tacticaltech.org/projects/exposing-the-invisible/
I have no way of knowing your exact needs and specific threats.
One size does not fit all.
As such, this is all illustrative and general.
Do listen to specific advice from information security experts working with you or for your organization.
If your organization does not have such a person, it should (even if just part-time/pro-bono).
I will also list some organizations providing more specific infosec advice for people at risk.
"It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken."
"Dynamic Data Exchange (DDE) was first introduced in 1987 with the release of Windows 2.0"
"As part of the December 2017 Patch Tuesday, Microsoft has shipped an Office update that disables the DDE feature in Word applications, after several malware campaigns have abused this feature to install malware."
"Antivirus products riddled with security flaws, researcher says"
"Critical vulnerability found in Microsoft Malware Protection Engine"
"How to crash any iPhone or iPad within WiFi range"
"Experts show how to run malware on chips of a turned-off iPhone"
"[Security Researchers] Remotely Kill A Jeep On The Highway – with Me In It"
"Vehicle manufacturers dismissed prior warnings about flawed security"
"[R]esearchers have managed to [break into] and gain access to the self-aiming sniper rifle's computer system."
"IoT worm can [exploit vulnerabilities in] Philips Hue lightbulbs, spread across cities"
"[Cybercriminals] stole a casino's high-roller database through a thermometer in the lobby fish tank"
"Paris Orly airport had to close temporarily last Saturday after the failure of a system running Windows 3.1 – yes, the operating system from 1992 – left it unable to operate in fog."
"Cyberattack Forces a Shutdown of a Top U.S. Pipeline"
"You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you."
Disclaimer: this is a very simplified and quite naïve take on threat modeling; it is used here only as an illustrative example.
Instead of focusing on particular security tools or practices,
start with questions:
How hard/costly is it for them?
What are you trying to protect?
China: Scarlet Mimic, C0d0so, SVCMONDR, Big Panda, Electric Panda, Eloquent Panda, Pale Panda, Sabre Panda, Spicy Panda, Hammer Panda, Wisp Team, Mana Team, TEMP.Zhenbao, SPIVY, Mofang, PassCV, DragonOK, Group 27, Tonto Team, TA459, Tick, Lucky Cat, TEMP.Periscope, BARIUM, LEAD
Russia: Sofacy, APT 29, Turla Group, Energetic Bear, Sandworm, Anunak, FIN7, Inception Framework, TeamSpy Crew, BuhTrap, Carberp, FSB 16th & 18th Centers, Cyber Berkut, WhiteBear, GRU GTsST
North Korea: Lazarus Group, APT 37, Bluenoroff, Andariel, Kimsuky, NoName, OnionDog, TEMP.Hermit
Iran: Cutting Kitten, Shamoon, Clever Kitten, Madi, Cyber fighters of Izz Ad-Din Al Qassam, Chafer, Cadelle, Prince of Persia, Sima, Oilrig, CopyKittens, Charming Kitten, Greenbug, Magic Hound, Rocket Kitten, ITSecTeam, MuddyWater, Mabna Institute
Israel: Unit 8200, Duqu Group, SunFlower, NSO Group
NATO: Equation Group, Snowglobe, Slingshot
Middle East: Molerats, AridViper, Volatile Cedar, Syrian Electronic Army (SEA), Cyber Caliphate Army (CCA), Ghost Jackal, Corsair Jackal, Extreme Jackal, Dark Caracal
Others: Corsair Jackal, The Mask, El Machete, Patchwork, Hellsing APT, Wild Neutron, Sykipot, Platinum, Magnetic Spider, Danti, SVCMONDR, Transparent Tribe, Singing Spider, Union Spider, Andromeda Spider, Dexterous Spider, APT 32, BlackOasis, NEODYMIUM, PROMETHIUM, Boson Spider, Carbon Spider, Hound Spider, Indrik Spider, Mimic Spider, Pizzo Spider, Shark Spider, Static Spider, Wicked Spider, Wold Spider, Zombie Spider, Cobalt Spider, Overlord Spider, Bamboo Spider, Monty Spider, Wizard Spider, Curious Jackal, Extreme Jackal, Gekko Jackal, Shifty Jackal, Dungeon Spider, Mummy Spider, Skeleton Spider, Mythic Leopard
Cost can be financial…
…but it can also be related to reputation or political damage.
"One such firm, Zerodium, acquired an exploit chain similar to the Trident for one million dollars in November 2015."
"[A] zero-click (no user interaction) exploit chain for Android can get hackers and security researchers up to $2.5 million in rewards. A similar exploit chain impacting iOS is worth only $2 million."
"Israeli spyware company NSO Group placed on US blacklist"
"The Macedonian surveillance scandal that brought down a government"
These are often conflicting concerns!
"Ryszard, vote in our poll about our Senate candidate! It's ending very soon!
<malicious link>"
"New secrets about torture of Emiratis in state prisons
<malicious link>"
"We find that phishing attack traffic skyrocketed to 220% of its pre-COVID-19 rate, exceeding typical seasonal spikes, with attackers exploiting victims’ uncertainties about and fears of the pandemic"
I have shared an urgent document with you in Dropbox
<link>
Best way to attack you might be through your friends/colleagues.
Best way to attack your friends/colleagues might be through you.
Your security practices have material effect on the security of others in your environment.
It's not just about you.
1. 123456
2. 123456789
3. 12345
4. qwerty
5. password
6. 12345678
7. 111111
8. 123123
9. 1234567890
10. 1234567
diceware
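As an added example (not part of the original slides), here is how the Diceware mechanism works in code: five dice rolls select one word, a CSPRNG stands in for the dice, and the resulting entropy is set next to the ten passwords listed above. The word list is constructed: every possible roll maps to a placeholder word, standing in for the real 7776-entry list.

```python
"""Diceware passphrases versus the top-10 password list (added example)."""
import itertools
import math
import secrets

# The ten passwords listed on the slide above, as a "is it common?" check.
TOP10_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password",
    "12345678", "111111", "123123", "1234567890", "1234567",
}

# Constructed stand-in list: every 5-dice roll "11111".."66666" maps to a
# placeholder word. A real Diceware list has the same 6**5 = 7776 keys.
WORDLIST = {
    "".join(roll): f"word{i:04d}"
    for i, roll in enumerate(itertools.product("123456", repeat=5))
}


def roll_dice(n_dice: int = 5) -> str:
    """Roll n dice with the OS CSPRNG; never use random.random() for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(n_words: int = 6, wordlist=WORDLIST) -> list:
    """Roll five dice per word and look each roll up in the word list."""
    return [wordlist[roll_dice()] for _ in range(n_words)]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Uniform choice of n words from a list gives n * log2(list_size) bits."""
    return n_words * math.log2(list_size)


def is_common(password: str) -> bool:
    """True if the password is one of the ten from the slide."""
    return password in TOP10_PASSWORDS


if __name__ == "__main__":
    words = diceware_passphrase()
    print("passphrase:", " ".join(words))
    print("6 words from 7776:", round(entropy_bits(len(WORDLIST), 6), 1), "bits")
    print("guessing one of the top 10:", round(math.log2(10), 1), "bits")
    print("'qwerty' is common?", is_common("qwerty"))
```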
"Citizen Lab said it reported its findings to Apple on September 7."
"Today, September 13th, Apple is releasing an update that patches CVE-2021-30860. We urge readers to immediately update all Apple devices."
"Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals"
A different, but just as sophisticated attack was thwarted later, because the targeted person "had a hunch" and just… asked to verify.
Three-month preparation down the drain.
Trust your hunches.
These are guidelines and potential red flags, not strict rules.
For example, there are tools that are closed source and just fine. There are also tools that are open-source, and completely crap.
This list has no particular order. Importance of items changes depending on the particular situation.
"All Telegram client apps are fully open source."
https://telegram.org/faq#q-can-i-get-telegram-39s-server-side-code
"Multiple encryption flaws uncovered in Telegram messaging protocol"
"The traits of MTProto pointed out by the group of researchers from the University of London and ETH Zurich were not critical, as they didn't allow anyone to decipher Telegram messages."
https://portswigger.net/daily-swig/multiple-encryption-flaws-uncovered-in-telegram-messaging-protocol
"Messages are not end to end encrypted by default. There is no way to opportunistically encrypt an existing session. Instead users must select a “New Secret Chat” and then start chatting. This is error prone."
https://medium.com/@thegrugq/operational-telegram-cbbaadb9013a
"Telegram does not provide end-to-end encryption of group chats, and it is disabled by default for two person chats."
https://nitter.eu/esultanik/status/1129026682260721666
"As with most instant messaging protocols, Telegram uses centralized servers. (...) Telegram's server-side software is closed-source and proprietary."
https://en.wikipedia.org/wiki/Telegram_(software)#Servers
"[W]e may collect metadata such as your IP address, devices and Telegram apps you've used, history of username changes, etc."
https://telegram.org/privacy#5-2-safety-and-security
"The entirety of users' chat history is stored on Telegram servers." https://hackernoon.com/7-reason-why-telegram-is-insecure-by-design-but-millions-still-flock-to-it-ignoring-privacy-concerns-qq1o344c
"Telegram messages are heavily encrypted"
"Telegram keeps your messages safe from hacker attacks."
https://telegram.org/
"All Telegram messages are always securely encrypted"
https://telegram.org/faq#q-why-not-just-make-all-chats-39secret-39
"Telegram brands itself as a "secure" app and says its chats are "highly encrypted". (…) Secret chats are end-to-end encrypted, but not regular chats. Telegram's website says nothing about groups being end-to-end encrypted (they are not), so many users may mistakenly believe that they are."
https://hackernoon.com/7-reason-why-telegram-is-insecure-by-design-but-millions-still-flock-to-it-ignoring-privacy-concerns-qq1o344c
"Police officers in Moscow today are stopping people, demanding to see their phones, READING THEIR MESSAGES, and refusing to release them if they refuse."
https://nitter.it/KevinRothrock/status/1500458582902460420
"Telegram overtakes WhatsApp as Russia’s top messaging app"
https://english.alarabiya.net/business/technology/2022/03/21/Telegram-overtakes-WhatsApp-as-Russia-s-top-messaging-app
"[T]he WannaCry ransomware attack crippled more than 300,000 machines in 150 countries, including 80 [NHS] hospitals in Britain that were forced to divert patients"
"The WannaCry ransomware attack (...) propagated through EternalBlue"
"EternalBlue is an exploit developed by the [NSA] according to testimony by former NSA employees. It was leaked by the Shadow Brokers"
"In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit. (…) Kaspersky Lab referred to this new version as NotPetya."
"How NotPetya accidentally took down global shipping giant Maersk"
This story again:
US National Security Agency's security failure provided criminal ransomware groups and Russian cyber-sabotage agencies with weaponized vulnerabilities affecting globally used software.
Their attacks forced hospitals to turn away patients and adversely affected global logistics.
NSA could have informed the vendors about vulnerabilities found in their products, instead of weaponizing them, which would have helped make critical software more secure.
"[Security Researchers] Remotely Kill A Jeep On The Highway – with Me In It"
"Vehicle manufacturers dismissed prior warnings about flawed security"
"Hackers Remotely Kill A Jeep On The Highway – with Me In It"
"Vehicle manufacturers dismissed prior warnings about flawed security"
"[R]esearchers have managed to [break into] and gain access to the self-aiming sniper rifle's computer system."
"IoT worm can [exploit vulnerabilities in] Philips Hue lightbulbs, spread across cities"
"[Cybercriminals] stole a casino's high-roller database through a thermometer in the lobby fish tank"
"[R]esearchers have managed to hack and gain access to the self-aiming sniper rifle's computer system."
"IoT worm can hack Philips Hue lightbulbs, spread across cities"
"Hackers stole a casino's high-roller database through a thermometer in the lobby fish tank"
This story again:
Internet of Things devices are hilariously and dangerously insecure.
Jeep, Philips, other IoT device manufacturers sell faulty, potentially life-threatening products, ignore warnings from security researchers.
How we talk about problems defines how we think about solutions.
Digital Security Helpline, by Access Now
https://www.accessnow.org/help/
CiviCERT
https://www.civicert.org/
Helpdesk, by Reporters Without Borders
https://helpdesk.rsf.org/
CERT NGO (for Polish speakers)
https://cert.ngo/
"Holistic Security", by Tactical Tech Collective
https://holistic-security.tacticaltech.org/
"Digital Protection Resources", by Frontline Defenders
https://www.frontlinedefenders.org/en/digital-protection-resources
"Phishing Quiz", by Google Jigsaw
https://phishingquiz.withgoogle.com/
WITNESS Guides and Resources for video activists, trainers and their allies.
https://www.witness.org/resources/
"Online Harassment: Strategies for Journalists’ Defense"
https://journalismcourses.org/course/onlineharassment/
"Protocol for newsrooms to support journalists targeted with online harassment"
https://newsrooms-ontheline.ipi.media/wp-content/uploads/2020/02/IPI_newsrooms_protocol_address_online_harassment_ok_022020.pdf
Chayn: Supporting survivors of abuse across borders
https://www.chayn.co/
These are community-driven, and should not be seen as a replacement for dedicated information security experts working with you on a regular basis.
However, they may be a good place to find volunteers that could help.
Cryptoparties
https://www.cryptoparty.in/location
Hackerspaces
https://wiki.hackerspaces.org/List_of_Hacker_Spaces