[via Ralf Bendrath]
The Irish based Front Line Defenders charity has published a very useful free online book, entitled Digital Security & Privacy for Human Rights Defenders (9Mb .pdf 164 pages) with text mostly by Dmitri Vitaliev, but with contributions from the likes of Privacy International, Professor Ross Anderson and Stephen Murdoch from the University of Cambridge Computer Science Laboratory etc.
UPDATE 22/03/2007: There is now a web page version Digital Security & Privacy for Human Rights Defenders manual available online, for easier access and translation.
There is some common sense guidance, spelt out clearly and simply, especially regarding physical security and the establishment of a trustworthy computing base, with an overview of topics such as circumventing web censorship, cryptology, steganography, backing up data or securely erasing it etc.
There is also practical advice on software settings for common software, with the acknowledgement that although Microsoft Windows operating systems and application software is not ideal, it is the de facto world standard, and, with care, it can be configured to provide a high degree of security and privacy, especially with the help of free tools such as those in the NGO in a Box Security Edition toolset.
We have a few minor quibbles, but, overall, this is an excellent guide to general, common sense, computer and internet security aimed at human rights workers around the world, which complements our own more modest modest hints and tips for whistleblowers, journalists and bloggers.
A few minor quibbles:
- We would, for example, not configure our web server or web browser software to accept SSL version 2.0 connections (SSL version 3 and TLS version 1 are ok), because of inherent weaknesses, such as the possibility of a cipher strength downgrade attack which reduces the strength of the encryption to only 40 bit encryption, which is crackable in near real time on most desktop computers sold today.
- The use of USB memory sticks or similar flash media is more convenient than , say floppy diskettes, but, the very reliability and ruggedness of these devices also makes them extremely difficult to erase securely, without resorting to physical destruction.
- There is also no guidance on the use and possible abuse of mobile telephones, which are, of course, more common than personal computers. (see our hints and tips blog post for some ideas on this)
As the main author Dmitri Vitaliev says, security is a process, and a habit and a mindset, which, hopefully, this publication will help to stimulate and inspire people to take their own tailored precautions and conduct their own research and risk assessments, into what suits them and their associates best.
CONTENTS Introduction 1
The Problems; Security as a process; A guide to the manual
1.1 Security and Insecurity 4
Methods and trends of surveillance, censorship and electronic attacks;
Specific threats faced by human rights defenders
1.2 Security awareness 9
Securing: Your operational environment; Office environment;
Personal Workspace; Public environment
Questions to ask yourself 11
Where is my data?
Who knows my password?
Whose computer is this?
Who is this?
Who can access my computer?
Do I know my environment ?
1.3 Threat assessment and the security circle 14
Modelling risk and developing a strategic diagram;
Reactions to threats; Security circle
2.1 Windows Security 20
Operating system updates;
2.2 Password Protection 26
How passwords are compromised through profiling, social engineering, brute force attacks
Creating Passwords 28
How to create passwords using mnemonics and software
2.3 Information Backup, Destruction and Recovery 30
Information backup strategies; frequent access files, non-frequent access files, system backup
Information Destruction 32
Secure and permanent data deletion;
Wiping removable devices;
Information Recovery 34
Prevention of information loss;
Recovering lost data
2.4 Cryptology 36
History of modern cryptology;
Encrypting your computer;
Public key encryption and security;
2.5 Internet Surveillance and Monitoring 43
How the Internet is monitored;
Threats from cookies;
Monitoring email communications;
Internet & Email Filtering 46
Filtering email for specific keywords;
Internet Censorship 48
Blocking websites from access by DNS, IP, keyword blocking;
2.6 Circumvention of Internet censorship and filtering 51
Circumventing Internet censorship with proxy servers;
Different types of proxy servers, their features and advantages;
Anonymous Internet publishing
2.7 Encryption on the Internet 59
Verifying secure Internet connection with SSL certificates;
2.8 Steganography 67
Linguistic Steganography - Semagrams;
Data Steganography - Hiding text in images, in audio; Steganography software;
2.9 Malicious software and Spam 75
History of viruses;
Malware variations and their effects;
Reacting to malware attacks;
Spam and prevention
2.10 Identity Theft and Profiling 82
What makes up your digital profile;
How cookies are used;
Authenticity and Anonymity;
3. Changes to legislation on Internet privacy and freedom
of expression affecting work and safety of Human
Rights Defenders around the world 88
3.1 Censorship of online content and Online publishing 92
3.2 Website Filtering 98
3.3 Communications Surveillance 101
3.4 Cryptology and Circumvention 104
4.1 Case Study1 - Creating a Security Policy 106
Drafting a security plan;
Components of the plan;
Case Study - developing a security plan for a human rights NGO
4.2 Case Study 2 - Communication channels 110
A human rights NGO is researching and documenting cases of torture in their country. They need to store this information securely and communicate it to the headquarters in a different country
4.3 Case Study 3 - Securing and Archiving Data 116
A human rights NGO wishes to transfer its large collection of paper documents to a computer and secure it from loss, theft and unauthorised access
4.4 Case Study 4 - Secure Email and Blogging 121
A journalist reporting on human rights violations by email and blogging fears that her messages are being censored and tampered with. She wishes to secure her online identity and communications, anonymise her Internet presence and adopt good password techniques
Appendix A. Computers explained 127
History and modernity;
How computers work;
Proprietary vs free and open source software
Appendix B. Internet explained 132
History of the World Wide Web; Internet Today;
Basic Internet infrastructure;
How email works;
Appendix C. Internet Program settings 139
How to secure your Internet browser settings;
Internet Explorer - basic security settings, deleting temporary files;
Mozilla Firefox - basic security settings, deleting temporary files
Appendix D. How long should my password be? 146
How long does a computer or Internet password need to be in view of today's brute force attacks
A proposal for the Internet Rights Charter 148