[ Written for Simon Says column on Computer World UK ]
The Digital Defenders, in partnership with the Electronic Frontier Foundation, Access and a group of human rights NGOs, have achieved remarkable work with the release of the Digital First Aid Kit – a well-designed website addressing digital emergencies of varying kinds.
The resource covers the basics of secure communication and establishing trust, but also how to react to account hijacking and to devices that are seized, stolen or lost, plus mitigation for malware and DDoS. What these barbarian terms stand for, though, might be the first question a non-technical user would ask.
While it is regrettable that the sections are given very technical titles, which might discourage some readers from reading on to find out which category their particular situation falls into, clear descriptions are luckily provided for each of them.
The Kit starts with the necessary self-discipline of choosing secure communication, stating that most of the usual communication tools are not as secure as one might hope: “Mobile and landline phone communication is not encrypted and can be listened to by governments, law enforcement agencies, or other parties with the necessary technical equipment. Sending unencrypted communication is like sending a postcard, anyone who has access to the postcard can read the message”.
The solution here is quite naturally the use of encrypted communication, the Kit explains: “Sending encrypted communication is like placing the postcard inside a safe and then sending the safe, which only you and those you trust know the combination to and are able to open and read the message. […] Choosing the most appropriate form of secure communication will depend on your unique situation, your threat model and the activities in which you are involved”.
It then goes through the various emergency situations that can arise, among which account hijacking and devices seized – or lost – are probably the most common: “Are you having a problem accessing an email, social media or web account? Does an account show activity that you do not recognize? There are many things you can do to mitigate this problem. […] Is your device lost? Has it been stolen or seized by a third party? In any of these incidences it is very important to get a clear picture of what happened, what kinds of data and accounts may be vulnerable as a result and what steps must be taken to prevent the leaking and misuse of your information, contacts and accounts”.
Dealing with malware is less familiar to most users, but certainly no less concerning: “‘Malware’ is malicious software that facilitates an unauthorized takeover of your device by another user, government or third party to perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, recording audio, video and more. While most malware is designed for and utilized by criminals, state-sponsored actors have increasingly adopted malware as a tool for surveillance, espionage and sabotage. Malware is used to gain control of devices. It exploits access to the device to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers”.
Distributed Denial-of-Service (DDoS) mitigation comes last: “A threat faced by many independent journalists, news sites and bloggers is having their voices muted because their website is down or defaced. In many cases, this may be an innocent and frustrating problem, but on occasion, it may be due to a ‘denial of service’ attack or a website takeover”.
The Kit concludes with a more technical section on establishing trust, which helps readers understand the tools aimed at keeping a conversation secure and limited to the person we think we are conversing with. Take a look and pass it on!