We are excited to introduce Robert Guerra as a co-facilitator in our upcoming course, TC114: Basics of Digital Safety. Robert is the founder and executive director of Privaterra, a Canadian-based organization working with private industry and NGOs to assist them with issues of data privacy, secure communications, information security, internet governance, and internet freedom. Robert will be joining Norman Shamas in facilitating our upcoming course. We wanted to give you a little sneak peek of the course, so we chatted with Robert:

Q: How do you define/think about digital safety?

R: I define digital safety simply as a set of steps, processes and mindset one should follow to keep one’s devices, data, communications and online interactions as protected and private as possible.

Here are some key tips that I always mention to reduce digital risks:

#1. Be Aware!

When you really want to keep yourself secure online or anywhere else, it is important to be mindful of your environment. It is the most vital thing you can do.

Understand that there are many out there who are looking for simple chances to attack and steal your valuable assets. A common target will be an individual who does not take any precautions and might be intimidated by the internet and/or digital devices.

You wouldn’t leave your car door open with the keys in the ignition and the engine running, would you? Certainly not, as you run the risk of having your car stolen and driven away by someone who notices you aren’t around.

Are you taking the same precautions when using a mobile phone or using the internet? If you are, then you could be said to be doing something to protect yourself online – you are, in a way, implementing a digital safety practice of some kind.

#2. Guard Your Valuables!

Activities that involve far more valuable, sensitive and confidential assets require one to take additional precautions. Not taking any precautions is an invitation for a burglar to target you.

Would you openly share the key to your safety deposit box where you keep your valuables and very private documents? Obviously not. However, do you take the same precautions to protect your online banking accounts, private photos, sensitive contacts on your devices?

#3. Plan for the worst, hope for the best…

Not a day goes by without some news of a retail store or online site being hacked and thousands of accounts being compromised. Attacks are increasingly unavoidable, so it is important that one has contingency plans in place to react to all sorts of possible incidents and attacks.

The worst might not happen, but if it does – you will know how to react quickly and perhaps be able to minimize the situation from getting worse.

Q: How did you get involved in the field of internet security?

R: I got seriously involved in the field of internet security back in 2001 when I started a small Canadian NGO to provide encryption training to Human Rights NGOs in Guatemala and South America who were reporting that hard drives were being stolen, sensitive documents were being compromised and emails were being intercepted.

You could say, I was assisting at-risk groups who were reporting serious issues related to data breaches, surveillance and hacking almost 13 years before Edward Snowden raised the profile and importance of the issue.

Robert talks about what Privaterra and other organizations are doing to help identify and mitigate security vulnerabilities faced by Human Rights Organizations.

Q: Why is digital safety especially important for NGOs and organizations working with social justice issues?

R: NGOs and organizations working with social justice issues often deal with confidential and very sensitive data in the course of their work. This data, if not adequately protected, can lead to very serious consequences including death.

These groups, as stated by the targeted threats report published last year by the Citizen Lab, also face persistent and disruptive targeted digital attacks. Unlike industry and government, however, NGOs have far fewer resources to deal with the problem.

Q: What are you most excited about for the Digital Safety course?

R: I’m excited to work with Norman and the team at TechChange to help leading organizations better understand digital security and what can be done to raise the bar. We’ve worked to put together a great curriculum, some great resource material, and invited leading experts to share their amazing experience to improve the security of at-risk groups around the world.

Q: What kind of conversations are you hoping to facilitate in the course?

R: I’m looking forward to facilitating a conversation among the course participants and invited experts on security challenges currently being faced by NGOs and what steps we can take together to improve protection methods and organizational resiliency.

As well, I’m also interested in promoting a conversation and discussion about tools, best practices and resources that can be easily implemented to not only help individuals and activists but also social justice organizations working to promote human rights and democracy promotion in at-risk environments.

We are really excited to have Robert co-facilitating this course with Norman Shamas! We already have around 40 participants joining us. There is still time to enroll in the course. Apply now. Course begins August 17, 2015.

About Robert


Robert Guerra is a civil society expert specializing in issues of internet governance, cyber security, social networking, multi-stakeholder participation, internet freedom and human rights. Robert is the founder of Privaterra, a Canadian-based organization that works with private industry and nongovernmental organizations to assist them with issues of data privacy, secure communications, information security, internet governance and internet freedom. Robert collaborates with the Citizen Lab and Canada Centre for Global Security Studies at the Munk School of Global Affairs at the University of Toronto.

Digital safety training is a social awareness issue. We are typically taught at a young age how to interact in society, but rarely are we taught how to interact in the digital space. With more than three billion people around the world coming online, it is crucial today that we all understand how to interact online. In our recent virtual chat series, Mark Surman of Mozilla stressed that as more people come online exclusively through their smartphones through initiatives like internet.org, many remain unaware of the internet itself, so internet safety may not even cross their minds or may become an ‘extra’ feature that they might not be able to afford.

Google recently conducted a study comparing digital security practices between experts and non-experts. The study included over 500 surveys of security experts and non-experts, and the results are a useful examination of how expertise or knowledge is reflected in the practice of navigating the digital world.

Here are my takeaways from the Google report:

Passwords, Passwords, Passwords

Both groups (experts and non-experts) highlight the need for strong passwords as one of the top 3 things to stay safe online — something malware creator Hacking Team needed a lesson on.
The experts mentioned the need for updates, unique passwords, and two-factor authentication. They highlighted the use of password managers as a way to have both strong and unique passwords.
The non-experts, on the other hand, highlighted using antivirus, changing passwords, and visiting known sites as some of their top advice other than strong passwords.

Importance of a secure connection

One of the results that I found most interesting is the fact that experts and non-experts overall recognized the value of verifying the site they are visiting by looking at the URL.
But, experts were far more likely to check if the site was connected through a secure connection, using HTTPS.
Non-experts, however, didn’t check for a secure connection. Modern browsers make recognition easy through lock icons and color coding. One explanation is that non-experts didn’t know how to check or what it means. As Google noted in the full research paper, this is interesting because verification of the site URL and secure connection (HTTPS) are right next to each other! Why wouldn’t you check both at once?

[Image: Google report findings. Photo credit: Google Online Security Blog]

Two-factor authentication

Google’s survey results suggest a knowledge gap for non-experts: two-factor authentication. As noted above, two-factor authentication was one of the top recommendations by experts and a growing trend in digital safety because it offers an additional, second way of verifying identity after a password. Unfortunately, setting up two-factor authentication is up to the web service provider, and not us, the end users.

While not one of Google’s conclusions, the report highlights a need for greater digital literacy training to improve digital safety. And here at TechChange we agree.

So, what does this mean for TechChange’s Digital Safety Course?
For our upcoming Digital Safety course, we are providing comprehensive training to empower you to make informed decisions. This means that we will cover digital literacy topics, such as how the Internet and mobile networks work, as well as providing in-depth tool studies.

Most importantly, we will provide an analytical framework to assess risk and determine what tools or approaches make the most sense for a particular location and situation. What works to keep someone safe in the US wouldn’t work in countries where encryption is regulated. Lhadon Tethong, a leader in the Free Tibet movement, notes that providing basic user education to understand the risks of technology to make informed decisions is key. Whether for your personal accounts or for your organization, especially if you are working with sensitive data, it is crucial that all your information is safe online.

We begin our Basics of Digital Safety online course on August 17! More than 30 participants from around the world have already signed up. Read more details here and join us!

While many people were watching the final match of the Women’s World Cup last week, the Hacking Team was hacked. Hacking Team, an Italian digital security company, provided surveillance software to law enforcement agencies. Their clients are government agencies, but they have been accused of selling to oppressive regimes, despite embargoes like the Wassenaar Arrangement. Last week’s hack proved that they have in fact sold software to Sudan and a number of other oppressive regimes, including Ethiopia, Azerbaijan and Saudi Arabia.

Why should you care about these hackings? And if a digital security company can get hacked, what can you and I do to prevent ourselves from becoming victims as well?

The power of a strong password is not a myth
Passwords are an important aspect of digital safety because they act as a form of authentication, often as the only method. This matters not just for individual accounts, but also for bigger organizations. So, how strong were the Hacking Team’s passwords?

Apparently, not strong enough. Their Twitter account was hijacked and used to spread the cache of files published in the hack. The Twitter password was one of many passwords that were stored in files that anyone with access could read (i.e., in plain text). I can presume this was how their Twitter account was compromised.

Poor policies around how passwords are selected and stored are what led to the publishing of passwords for the Hacking Team and one of their software engineers, Christian Pozzi. As lampooned by security professionals on Twitter, the majority of the passwords Pozzi used were variations on the word ‘password.’

What’s the major takeaway here? That the best practices of choosing strong passwords, not reusing passwords and storing them safely are just as important as we’re always told.
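The takeaway above can be turned into a routine check. The following is an added example, not code from the original post or from any tool it mentions: it flags passwords that are variations on a common word, too short, or reused across accounts. The word list, the minimum length and the sample credentials are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common character substitutions ("leetspeak") undone before comparison.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
# Hypothetical deny-list of base words; extend it with names tied to the organization.
BASE_WORDS = ("password", "qwerty", "letmein", "admin")
MIN_LENGTH = 12  # assumed policy value, not taken from the post

# Constructed sample data, not real credentials.
SAMPLE = {
    "twitter": "Passw0rd!",
    "mail": "P4ssw0rd2015",
    "vpn": "Passw0rd!",
    "backup": "tidal-orchid-ferry-quartz-93",
}


def normalize(pw: str) -> str:
    """Lowercase, undo common substitutions, then drop everything but letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def audit(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Return {account: [findings]} for every account with at least one finding."""
    reuse = Counter(credentials.values())
    report = {}
    for account, pw in credentials.items():
        findings = []
        core = normalize(pw)
        if any(word in core for word in BASE_WORDS):
            findings.append("variation of a common word")
        if len(pw) < MIN_LENGTH:
            findings.append("shorter than %d characters" % MIN_LENGTH)
        if reuse[pw] > 1:
            findings.append("reused on %d accounts" % reuse[pw])
        if findings:
            report[account] = findings
    return report


if __name__ == "__main__":
    for account, findings in audit(SAMPLE).items():
        print(account, "->", "; ".join(findings))
```

Run a check like this against a password-manager export held in memory only; writing the list to a file recreates the plain-text storage problem described above.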

A strong password isn’t enough: Get to know your software
With the exception of having a long password, not everyone agrees on what constitutes a strong password. If you know your password has been compromised, you can be notified and immediately change it. But not all threats to one’s digital data are as transparent and easy to address. You especially need to be aware of what kind of software you have installed on your computers.


In the world of cyber warfare, there are holes in software that are discovered but remain undisclosed and unpatched. Exploits that take advantage of them are known as “zero-day exploits” (0-day) because they are released on or before the day the hole is publicly revealed. It essentially means that some person or some organization/agency might be able to install malicious software without you, the software provider, or any defensive software (e.g., antivirus) knowing.

This issue is serious because there is a thriving market where people can purchase these exploits, which disincentivizes security researchers from disclosing their findings.

Hacking Team used 0-day exploits to hide their surveillance software. As of today, three 0-day exploits for Flash have been revealed from Hacking Team’s files. How can you avoid this yourself? Always make sure that you upgrade your Flash player and keep it updated. Or better yet, consider having it set to run selectively by using the option “click to run” when on a website that requires Flash.

The more software you have installed (especially out of date and/or unnecessary software), the more chances there are for exploits to be used to compromise your system. This is even truer on mobile phones, which receive fewer software updates.

In addition to removing unnecessary software and keeping necessary software updated, it is crucial to understand the limitations of the software you are using. While it is not a new vulnerability, Hacking Team also had a Skype decoder to listen in on Skype calls. The published files revealed that they had this software from around 2006. Understanding the software you are using is essential to prevent having a false sense of security.

In the now immortal words of the Hacking Team “If your company hasn’t been #hacked, it will be.”

If your organization works with personally identifiable data, it is crucial to make sure the data is safe. Learn more about digital safety in our brand new upcoming course, Basics of Digital Safety. The course begins on August 17, so lock in the early bird rate now!