Sharing real-life security incidents against human rights defenders can be a powerful way to show the importance of strong security practices. But this approach must be used with care. Some of the examples below are incredibly scary and can leave people feeling paralyzed with fear. Examples like these must be paired with solutions.
- Citizen Lab's report titled Communities at Risk: Targeted Digital Threats against Civil Society includes an Appendix with real-world examples of spear phishing emails sent to human rights defenders. https://targetedthreats.net/media/5-Appendix.pdf
- One documented case from 2014, a staff member of the Electronic Frontier Foundation in Vietnam received an email inviting him/her to attend an Oxfam conference. The email contained malicious links and attachments, that contained malware. And here's an article on Citizen's Lab's recent research that finds hackers targeting dissidents and journalists in South America with spying malware that was implanted onto their devices using spear phishing tactics. https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal and http://www.cbc.ca/news/technology/citizen-lab-packrat-1.3357099
- An EFF report (2013) outlines how pro-government attackers have targeted the opposition, as well as NGO workers and journalists, with social engineering and "Remote Access Tools" (RAT). https://www.eff.org/deeplinks/2013/12/social-engineering-and-malware-syria-eff-and-citizen-labs-latest-report-digital
- A report by Citizen Lab (2015) describes an elaborate phishing campaign against targets in Iran's diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and "real time" login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi. https://citizenlab.org/2015/08/iran_two_factor_phishing/
- Alberto Nisman, the Argentine prosecutor known for doggedly investigating a 1994 Buenos Aires bombing, was targeted by invasive spy software downloaded onto his cellular phone shortly before his mysterious death. The software masqueraded as a confidential document and was intended to infect a Windows computer. https://theintercept.com/2015/08/21/inside-the-spyware-campaign-against-argentine-troublemakers-including-alberto-nisman/
- A journalist and photographer were likely deliberately killed by the Syrian army and their location may have been tracked down through their satellite phones. https://www.eff.org/deeplinks/2012/02/satphones-syria-and-surveillance
- A freedom of expression activist's email and computer were hacked into a week ago, and information stolen during the attack has appeared in disparaging articles published by a spoof online newspaper made to look like a real news outlet. The hackers also published all of her personal files on a website that is apparently also linked to the spoof online newspaper. (2013) https://freedomhouse.org/article/online-harassment-ukraine-activist-shows-pattern-hostility
- Examples of security training participants being targeted by authorities:
- Tibetan Uprising Day malware attacks (2015): https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/
- US-based Ethiopian Journalists Targeted (2015): https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/
- LINE keyword filtering in Asia: https://citizenlab.org/2014/10/asia-chats-line-keyword-filtering-upgraded-include-regular-expressions/
¶ Understanding existing incentives
These are incentives that organizations may relate to that will make it easier to implement organizational security.
- Recognizing the importance of the topic
- awareness of consequences
- Experience with threats/risk awareness
- some news, examples of incidents (e.g. snowden)
- "feeling the threat" - having some experience with actual incidents
- connect security to mission of org
- passion/love for computing helps!
- funders want the organization to be more secure