We shouldn't forget those most vulnerable in our digital world

Posted by   Martijn Grooten on   Feb 9, 2017

The new UK government has passed a far-reaching surveillance law. The new US government has stripped privacy rights from non-citizens. Surely, those who have warned about the threat of Western intelligence agencies have a reason to feel vindicated.

In the post-Snowden era of IT security, many improvements to technology have made it a lot harder for the NSA and its allies to access our data and devices. "NSA-proof" has been an implicit (and sometimes explicit) goal of many new products and technologies, and that is a good thing: if we make something impenetrable by what is generally considered to be the most powerful possible adversary, we get protection against everyone else for free. And although Edward Snowden doesn't make the headlines very much these days, it is likely that recent events will further incentivise the drive for NSA-proof technology.

But we should make sure we don't forget that there are many very vulnerable groups and individuals who are concerned about very different kinds of attacks. Attacks that are at the same time both far more mundane and far more dangerous than anything the NSA could ever do.

One such group are political activists and NGOs in countries that use a rather (il)liberal interpretation of the rule of law. Last week, Citizen Lab wrote about an ongoing campaign of spear-phishing emails against Egyptian NGOs. Technically, there is nothing special about this campaign; in fact, the attackers used an open source tool for the phishing websites. It is several steps beneath what the NSA is capable of. But the targeted nature of the attack means the emails can be made to look very credible to the recipients. And falling for the scam could lead to long prison sentences.

 

nilephish_citizenlab.png

 

Another very vulnerable group consists of people dealing with abuse by an (ex-)partner. This is unfortunately a situation in which far too many people find themselves, and there is now often a digital component to this kind of abuse. The abuser often has physical access to the victim's devices and may be able to access the victim's online accounts, if not by knowing the password then by knowing enough information to allow them to reset it. This gives the victims a very different threat model from the one security experts tend to consider; consequently, the usual defences may not always work.

 

 

Thankfully, these issues have been acknowledged. A team of Google researchers are calling for the tech community to consider the unique threat of "intimate partner abuser". They recently presented their findings at the Enigma conference in Oakland.

The aforementioned Citizen Lab does great work writing about the threats that civil society around the world is chasing; for his work, Citizen Lab Director Ron Deibert was recently named by Vice Motherboard as one of its "Humans of the year". The Iran Threats project does the same, but focusing on one particular area, and recently, a group of volunteers set up Security Without Borders, a project that aims to assist "journalists, human rights defenders, and non-profit organizations with cyber security issues".

Of course we should make our technology such that even the NSA can't read the emails I send to my mother, because what I write is simply none of their business. But in doing so we shouldn't lose sight of those most vulnerable in our digital world, because they need our help more than ever.

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2017 paper: Nine circles of Cerber

Cerber is one of the major names in the world of ransomware, and last year, Check Point released a decryption service for the malware. Today, we publish a VB2017 paper by Check Point's Stanislav Skuratovich describing how the Cerber decryption tool…

Attack on Fox-IT shows how a DNS hijack can break multiple layers of security

Dutch security firm Fox-IT deserves praise for being open about an attack on its client network. There are some important lessons to be learned about DNS security from its post-mortem.

Throwback Thursday: BGP - from route hijacking to RPKI: how vulnerable is the Internet?

For this week's Throwback Thursday, we look back at the video of a talk Level 3's Mike Benjamin gave at VB2016 in Denver, on BGP and BGP hijacks.

Security Planner gives security advice based on your threat model

Citizen Lab's Security Planner helps you improve your online safety, based on the specific threats you are facing.

VB2017 video: Spora: the saga continues a.k.a. how to ruin your research in a week

Today, we publish the video of the VB2017 presentation by Avast researcher Jakub Kroustek and his former colleague Előd Kironský, now at ESET, who told the story of Spora, one of of the most prominent ransomware families of 2017.