Source: Amnesty International NZ
From sophisticated spyware attacks to mass phishing via smartphones and the rise of facial recognition technology, the range and reach of surveillance threats to human rights defenders is growing.
For security teams trying to keep activists safe, it is a cat-and-mouse game as attackers rapidly adapt to developments aimed at protection.
“When cyber-attackers see people are switching to using (messaging app) Signal, for example, then they will try to target Signal. If people start changing to VPN technology, they will start blocking VPN technology. If people are using Tor browser, they will target Tor traffic,” says Ramy Raoof, tactical technologist with Amnesty Tech.
Raoof says one of the main focuses for 2020 will be tackling customized targeting of smartphones, which hit headlines in 2019. Last October, messaging app WhatsApp, owned by Facebook, launched a high-profile case against surveillance company NSO Group for spyware attacks on more than a thousand of its users.
Malicious digital attacks will be in the spotlight this week, when a legal action brought by Amnesty and other rights groups comes to court in Tel Aviv. The activists are seeking to force Israel’s defence ministry to revoke the export licence of NSO, whose products have been used to target activists globally.
More advanced techniques now no longer require a target to actively click on a link in order to infect a device, explains Amnesty Tech security researcher Etienne Maynier. An attack using NSO spyware on an activist in Morocco covertly intercepted the activist’s web browsing to infect their phone with spyware. “Instead of waiting for you to click on a link, they instead hijack your web browser’s traffic and redirect you to a malicious website which tries to secretly install spyware,” says Maynier.
Successful targeting of well-protected phones is becoming more common and security teams are under added pressure from a burgeoning industry in so-called ‘zero-day’ exploits, in which unscrupulous hackers seek to find unknown vulnerabilities in software to sell.
In May 2019, NSO Group exploited a zero-day vulnerability in WhatsApp that was used to target more than 100 human rights activists across the world with spyware.
Amnesty Tech is also trying to combat less hi-tech attacks which are nonetheless effective and can hit large numbers of victims within minutes.
Mass phishing via SMS or within applications on smartphones is a low-cost method that is more common and too often succeeds.
Phishing looks to trick people into providing personal information such as passwords. The attacks often come in the form of a password reset request and link, which mimics a mobile phone operator or social media company as the sender. Other times, attackers pose as a friend or contact of the victim and will share a link to an app which is already embedded with malicious code.
Maynier adds that attacks like these often use some kind of “social engineering”, pressurising the user to click on a link or open a document by, for example, pretending to represent a trusted organisation that purports to want to work with the target.
“It’s very cheap and very efficient – and you can scale this type of attack very easily,” says Raoof, who predicts the new wave of phishing will be a threat to human rights defenders globally in 2020 as they become increasingly dependent on mobile phones.
How to keep your communications safe
Here are some easy tips from Amnesty Tech’s tactical technologist Ramy Raoof
Phone basics for iPhone or Android: Only download apps from the official app store to prevent your personal information from being accessed without your consent and to minimise the risk of attacks. Update your system and apps frequently to ensure they have the latest security patches. Enable ‘account recovery’ in case you lose access to your phone. Finally, choose a mobile screen lock that is not easily guessed, such as an 8-digit pin or an alphanumeric code.
Password management: Using a password manager means you don’t have to worry about forgetting passwords and can avoid using the same ones. It’s a tool that creates and safely stores strong passwords for you, so you can use many different passwords on different sites and services. There are various password managers such as KeePassXC , 1Password or Lastpass. Remember to back up your password manager database.
Messaging apps: When we advise human rights defenders about messaging apps, we assess each app on its policies (such as terms of service, privacy agreement), its technology (if it’s open source, available for review, has been audited, security) and finally the situation (if the app provides the features and functionality that fits the need and threat model). Generally speaking, Signal and Wire are two apps with strong privacy features. Remember: Signal requires a SIM card to register, and for Wire you can sign up with a username/email.
Using public Wi-Fi and VPNs: When you connect to Wi-Fi in a cafe or airport your internet activities are routed through that network. If attackers are on the network, they could capture your personal data. By using a VPN app on your devices, you protect your online activities when accessing public connections, preventing your internet activities from being seen by others on the same network. If you want to explore options, try NordVPN and TunnelBear.