Online Security: Verification and Validation

Standard

An overview of key points for activists to bear in mind for online security, or tactics to bring into play in case of an online incursion by members of anyone’s so-called “Cyber Army” – updated version of my December 2011 post “Battle Hardening Against Cyber Soldiers” for Cyber Security Awareness Month.

cyber-defences-security-370x229

When it comes to online security, your first responsibility is to yourself, and that has never been more clear than now, with the daily diet of revelations about the allegedly massive scale of global government spying and surveillance finally raising awareness. Of at least equal importance, is the need to stay alert to the risks your actions might create for others in your online network. Every time you share, tag, mention or otherwise connect someone else to your content, you are highlighting your relationship in the context of that content. A simple typing error, a hastily copied story, or unbridled haste to share without fact-checking, can alter that context dramatically, and potentially with rather more serious consequences that any of us previously imagined. Increase your personal security first, using the same logic as those flight safety rules about oxygen masks. Here’s a handy article from the New Scientist, about how to try and evade the NSA dragnet, to help you get started.

Being part of an online network means you need to be able to justify each of your online relationships, and pay attention to any unexpected changes. Harsh as it might seem, treat all former contacts, who reappear after an absence, with neutral (not hostile) caution. Accounts do get hacked, and occasionally, people do get recruited to “the other team” or put under pressure to reveal passwords. If you didn’t put a challenge/response protocol* in place with your trusted contact before they dropped off the grid, so you could verify their identity when they reappear at some future point, then you have to assume there is a 50% chance they are not the person you once knew until they can prove themselves to your satisfaction. Similarly, do not feel obliged to “follow back” or accept every friend request unless you feel confident about doing so. Set some standards for yourself about why and how you plan to grow your network. If you are simply feeling insecure, ego-driven, or lonely, be honest with yourself about your motivations, and try to keep them in check so that they don’t compromise your security.

*Establish a challenge/response protocol with your trusted contacts. This is an agreed question you can ask the other person and an agreed response they must give. Like a password reminder.

Tip: Do NOT use any of your existing password reminder Q&A’s

New accounts, especially breathlessly dramatic ones, should also be treated with measured caution. Wait for verification of all news, especially any that will have serious or long-term repercussions. We learned this the hard way when a very plausible fraud appeared on Twitter in the middle of protest and declared that bit.ly shortened links were blocked in Iran. The ensuing panic and last-minute changes caused a lot of people a great deal of unnecessary extra effort, and some of the suggested alternative link shortening sites are no longer operational, meaning that archived content which includes links using these now defunct services are effectively dead.

Breaking News” reports always seem to demand an urgent response, where in fact they should be treated as “unconfirmed news“. As we all know, a lie is halfway around the social network world before the truth has got its pants on. So, as always, wait and verify, verify, verify. Remember that even the most experienced social media users and big name mass media outlets like the BBC, MBC, CNN etc have all been fooled by fake news, or been too quick to rush to headlines without checking facts; at times, they are even revealed to be responsible for it . If you do happen to post a report in good faith, which later turns out to be false, you should be willing to spend at least as much time retracting it and letting everyone know, than the time you spent sharing it.

Mark unconfirmed status updates as UNCONFIRMED or UNCONF. Do not remove text that identifies news as unconfirmed when re-tweeting or re-posting.

did-the-world-s-nastiest-virus-try-to-self-destruct--49a5bfa353Be cautious with private message requests or emails containing sensational news, documents, image, videos etc. asking you to share news. Suggest to whoever sent it that they post it themselves and you (might) share their update. If they claim to be unable to use or create a social network account, suggest they use liveleak.com, where you can share images, documents, videos and post text updated using an alias. Run a search for the information being privately shared with you, to see if it can be verified, or if anyone is posting warnings about it.

Watch out for people re-using images from unrelated events. Use Google or Tin Eye to search for images by url or by uploading them. Try using Storyful’s Multisearch tool to help you verify news and look for more sources. What other tools do you know of? Add the best to your favorites, and share them often.

Check for images having been altered using special analysis tools like Image Metadata Manager or JPEGSnoop or the fotoforensics.com website.

As far as possible, try to stay transparent in your methods and analysis, and let your network help you by reaching out for help verifying reports, checking facts, or translating content.

ISERI Protests 12 Jan 2011 AlJAzeera cameraman hassledFake videos seem to be all the rage these days, while innocent cameramen are being murderedkidnapped or harassed, and citizen journalists – or indeed, anyone carrying a smart phone or camera – face increasing pressure from police and authorities. 

Here is my current list of suggestions, ideas and wishes for video checking and verification:

  1. Time and Date – video camera clocks can be changed of course, but we used to encourage activists in Iran or elsewhere to show us that day’s newspaper, social media status updates on a screen, or a live TV broadcast in the background of their video.
  2. Incentifying crowdsourced verification by rewarding the crowd. Not necessarily restricted to financial rewards, there are many different ways to motivate using more humanitarian methods, media coverage, thanking helpers with mentions, gamified social media decals etc – see this video for an example (at 10m42s) : 
    Digital Humanitarians: Patrick Meier at TEDxTraverseCity 2013
  3. Patience. There is often no good reason for the rush to post unverified news. This sense of urgency was more relevant four or five years ago, when mainstream media was thumbing its nose at “irrelevant, pointless” social media and users felt driven to prove their worth and expose the slow-footed traditional press. Now social media has gained almost universal acceptance, we should adjust the idea of competition to be first to break “all” news – at the cost of validity – and only apply it where it adds value, such as disaster relief.
  4. Details. We need to encourage those posting video to take the time to add important details – names, dates, locations, background facts, and tagging – for example, while also blurring faces of vulnerable subjects.
  5. Communication – it’s a 2-way street. We need to understand the importance of leaving comments of encouragement, feedback, guidance. At present, too much video is being posted and consumed in a communication vacuum.
  6. Archiving. Too many videos get pulled offline, and any video exposing serious abuse by authorities is at risk of being censored either formally or informally. There are sites that will save text or image content, but I don’t know of any reliable, consistent, centralised effort to preserve video or audio. It’s left to quick-thinking people to save these items privately.
  7. Translation. Really, this should be first on the list. The lack of organised, consistent volunteer efforts to crowdsource translation beggars belief. If you know anyone who can build an app for this, I have a rough design outline that’s been gathering dust for the past 4 years.
  8. Gratuitous violence and shock tactics are on the increase (and being pushed by Facebook and major news outlets when it suits them) and little good has come of it, if any.  People are being traumatised, becoming immune to it, or turning away. This is very damaging to the prospects of crowdsourced verification, because the gore factor is a deterrent to many potential helpers. I resist sharing the 18+ content being posted as relevant to human rights abuse, in the hope that, if we don’t encourage the trend by reacting, rewarding, or promoting, it will fall out of favour.
  9. We need an open source tool for video that works like JPEG Snoop, to extract information about the video, camera, settings, GPS etc.

Your comments and suggestions are very welcome on these subjects – drop me an email through the contact form or leave a comment below.

Take responsibility for your online safety and security

  • Change to a strong password and keep changing it, if not daily then as often as you can.
  • Scan your computer to check for intrusions, keyloggers, rootkits, malware, and trojans and keep your security software up to date.
  • Make sure that your recovery details for websites like Twitter, FaceBook & blogs etc are accurate and up to date.
  • Protect the email accounts you use to register with websites and services.
  • Use https to access websites and services, so that when you do connect, the information you send is encrypted.
  • Copy and paste login names and passwords rather than type them.
  • Do not store unencrypted user names and passwords on your computer.
  • Protect files on your computer or on external storage devices or removable storage like flash drives, SD cards or USB sticks using encryption, such as TrueCrypt.
  • Use a password on all your devices.

Be alert for apparently innocent requests for information about your own or anyone else’s details, such as location, online activity, other connections, friends or contacts.

Advertisements

On pointlessness

Standard
Image: Keystone/Zuma Rex Features

Image: Keystone/Zuma Rex Features

Saturday we heard about several kilos of drugs in UN diplomatic pouches shipped from Mexico via DHL that “weren’t intended for the UN”. Then why did DHL try to deliver them to the UN regardless of a complete lack of paperwork, or even an address label; surely that is against the law? Certainly it makes for failed and pointless security policies designed to prevent parcel-bombs.

Sunday saw Kofi Annan sounding off about the huge threat that the drugs trade presents to Africa’s fragile post-conflict countries. I suppose the doesn’t have the stomach to talk about the mid-conflict countries. The comments section is lit up like a Christmas Tree with pointed remarks about the failed and massively expensive War on Drugs. It also mentions Kofi’s less than sparkling reputation after the accusations against him in 2005 that damaged the UN’s reputation, leaving stains that are still visible today.

On Monday BBC Newsnight interviewed Wael “Mission Accomplished” Ghonim about Egypt’s restarted revolution or “his Revolution 2.0” as the BBC titled the segment (they are actually referring to the title of the book he just wrote. At least, I hope they are). Enough said. Almost. But a comment on the BBC blog, suggesting (tongue in cheek) that Mrs Ghonim might be his “CIA handler” did make me smile. Pointless aside: Wael also created the website for former election candidate Mohamed ElBaradei.

As I write this, it’s Tuesday, and we have just heard from the Arab League at the UN after their extended, then aborted, mission to Syria. Arab League as usual saying nothing of value, and certainly nothing that will help stop Syrian bloodshed or save Syria from a bitter civil war. Surely the biggest exercise in pointlessness of all.

16 Dec 2011 Protests in Cairo #Egypt

Standard

UPDATE 3 – 01:15 GMT 17 Dec 2011 – 7 martyrs reported now, including 16 year-old Ashraf Amr Ahmed Ali, shot in the heart correction: from a head injury. Ahmed Mansour from the April 6 movement is also confirmed among those killed. A tragic night, not only for activists and the opposition movement but for all of Egypt.

Martyr 16Dec2011 Ahmed Mansour

Ahmed Mansour

UPDATE 2 – 23:45 GMT – Live streaming video from @AlexanderPageSY who is exiled in Cairo after being forced to leave Syria recently showed ongoing tension, many head injuries from rocks being thrown onto protesters by army personnel on the roof of the Cabinet Building. Only about 1 in 50 people are wearing “hard hat” type safety helmets. The broadcast had to halt temporarily at 23:45 GMT, but will hopefully resume soon. Death Toll reported to have reached 5 by @Repent11 who says injured still steadily arriving at makeshift clinic near the protest area.

You can watch also live reports from Al Jazeera Mubasher in Arabic

UPDATE 1– 22:45 GMT – Still chaotic scenes in Cairo outside the Cabinet Offices as midnight approaches. Stones and firebombs raining down on protesters from the roof of the building, apparently to prevent a rather large crowd from joining the main protest group. 2 more deaths are being reported, one is named as Mohamed Abdullah Mohamed, 30 years old, who died from a gunshot wound to the head.

———

After the second round of elections, with the small but orderly occupation protest in Cairo outside the cabinet office that began after the first round of voting continuing, two of the activists were detained and severely beaten, provoking an angry response. The provocation is clearly intentional.  For added effect, plain clothed attackers in the ranks of the security forces can be seen in images and video from the events.

Interestingly, after much negative publicity about the use of tear gas on 19 November, for the first several hours only rocks, firebombs and water hoses were used by security forces against protesters. Apart from taking the heat off US and UK suppliers of tear gas, this has the added benefit of allowing SCAF and state media to claim that it is protesters doing all the damage and hurling rocks, and will help justify later use of tear gas. The reprive didn’t last into the night, with tear gas used from around 7pm GMT.

Asteris MasourasSee also tweets from Thursday 15th Dec 2011 and earlier on Friday 16th on storify via @asteris

Egyptocracy

AJM: Dr. Moh. Shehab: Dead body arrives at Kasr Al Aini Hospital with gun shot to the head, 18 cases injured by live rounds being treated. Dr. Sherif Abo El Nasr, field hospital: we are receiving injured by live rounds, some of which in critical condition.

via @Egyptocracy

People on the scene reported two deaths. Egypt Ministry of Health confirmed one death around 6pm GMT and a second an hour later. The two dead are Sheikh Emad Effat and Alaa Abd ElHady.

Clashes in Egyptian capital Cairo – BBC

Bloodied hand belonging to a protester who helped an injured friend

16 December 2011 at 16:24

Clashes are taking place in the Egyptian capital, Cairo, after troops moved in to try to remove demonstrators staging a sit-in protest outside the parliament building.

Security forces have reportedly been throwing rocks from the top of buildings, angering the protesters below.

The latest protests began three weeks ago, following the appointment of a new prime minister by the military government.

via BBC News

salma saidThe air smells like natural gas and they started throwing molotov from inside the building, at least we can see this!

via  Twitter / @salmasaid

violence against unarmed citizens

Men and women, young or old, faced extreme violence from security forces

Ąhmed Єl Mąssяy #OccupyCabinet attacks is a cover up on #EgyArmy beating some of the judges who were overseeing the #EgyElections pollings Last night.

via Twitter / @AElMassry

Activists, security forces clash in Egypt – CNN

From Mohamed Fadel Fahmy – @Repent11

Pro-democracy activists clashed with soldiers after protests outside parliamentDecember 16, 2011 — Updated 16:55 GMT

Pro-democracy activists clashed with soldiers after protests outside parliament

STORY HIGHLIGHTS

  • Around 100 are injured, the Health Ministry says
  • Water cannons and warning shots are used to disperse the crowd
  • Glass, rocks and Molotov cocktails are being thrown
  • The beating of an activist sparks the violence, other activists say

Cairo (CNN) — Dozens of people were injured on Friday, a government spokesman said, when violence between pro-democracy activists and Egyptian security forces escalated in central Cairo.

People threw Molotov cocktails, rocks and glass at each other. Bricks and cement blocks rained down on protesters as men wearing what appeared to be military uniforms tossed them off the top of a six-story building. Nearby, a Ministry of Transportation building burned and tents in an activist encampment in front of the parliament building also caught fire.

The military fired warning shots in the air and sprayed water cannons to disperse the crowd.

Hisham Shiha, Health Ministry spokesman, said nearly 100 people were injured, including nine from live ammunition. Adel Saeed, the spokesman of the general prosecutor’s office, said 12 people had been detained and charged with destroying public property

A Ministry of Interior official denied any police involvement.

“This situation has nothing to do with the police or the Ministry of Interior and we do not have forces at the site of the clashes,” said Gen. Marwan Mustapha, a ministry spokesman.

A doctor at a makeshift clinic said he has treated dozens of protesters for cuts and injuries caused by glass and rocks.

“It all started when the military arrested one man, and then an hour later he emerged from building barely able to walk from the beating,” said activist and video blogger Walid Nada. “His face and body and clothes (were) blotched with blood as the protesters carried him to makeshift hospital.”

Activist Mona Seif identified the beaten man as Aboudi Ibrahim.

He “has no broken bones, but major bruises to the face, cuts, and harsh burns from electric shockers. We are filling a police report soon,” she said.

via Activists, security forces clash in Egypt – CNN.com.

The last word on this post from @SherineT:

Sherine TadrosProtesters injured by soldiers go to military hospital? protesters killed get comp from martyrs ministry set up by #scaf? Bizarre.

Battle Hardening Against Cyber Soldiers

Standard

An overview of key points to bear in mind or tactics to bring into play in case of an online incursion by members of anyone’s so-called “Cyber Army”

Harsh as it might seem, treat all former contacts that reappear after an absence with neutral (not hostile) caution. Accounts do get hacked, and occasionally, people do get recruited to “the other team”. If you had a really trusted contact and you didn’t put a challenge/response protocol* in place so you could verify their identity, then you have to assume there is a 50% chance they are not the person you once knew until they can prove themselves.

*Establish a challenge/response protocol with your trusted contacts. This is an agreed question you can ask the other person and an agreed response they must give. Like a password reminder. Tip: Do NOT use any of your existing password reminder Q&A’s!!

New accounts, especially breathlessly dramatic ones, should also be treated with measured caution. Wait for verification of all news, especially any that will have serious or long term repercussions. We learned this the hard way when a very plausible fraud appeared on Twitter in the middle of protest and declared that bit.ly shortened links were blocked in Iran. The ensuing panic and last minute changes caused a lot of people a lot of unneccessary extra effort.

Breaking News” reports always seem to demand an urgent response, where in fact they should be treated as “unconfirmed news“. As we all know, a lie is halfway around the social network world before the truth has got its pants on. So, as always, wait and verify, verify, verify. Remember that even the most experienced social media users and big name mass media outlets like the BBC, CNN etc have all been fooled by fake news. If you do happen to post a false report in good faith, you should be prepared to spend at least as much time retracting it and letting everyone know, than the time you spent sharing it.

Mark unconfirmed status updates as UNCONFIRMED or UNCONF. Do not remove text that identifies news as unconfirmed when re-tweeting or re-posting.

Watch out for private message requests or emails containing sensational news, documents, image, videos etc. asking you to share news. Suggest to whoever sent it that they post it themselves and you (might) share their update. If they claim to be unable to use or create a social network account, suggest they use posterous.com. Any text emailed to mail@posterous.com is instantly posted as a blog that can be activated and shared. Look for the information being shared with you privately using search to see if it can be verified, or if anyone is posting warnings about it.

Watch out for people re-using images from unrelated events. Use Google or Tin Eye to search for images by url or by uploading them.

Check for images having been altered using special analysis tools like Image Metadata Manager or JPEGSnoop

Take responsibility for your online safety and security.

  • Change to a strong password and keep changing it, if not daily then as often as you can.
  • Scan your computer to check for intrusions, keyloggers, rootkits, malware, and trojans and keep your security software up to date.
  • Make sure that your recovery details for websites like Twitter, FaceBook & blogs etc are accurate and up to date.
  • Protect the email accounts you use to register with websites and services.
  • Use https to acces websites and services, so that when you do connect, the information you send is encrypted.
  • Copy and paste log in names and passwords rather than type them.
  • Do no store unencrypted user names and passwords on your computer.
  • Protect files on you computer or on external storage devices or removab le storage like flash drives, SD cards or USB sticks using encryption, such as TrueCrypt.
  • Use a password on all your devices.

Be alert for apparently innocent requests for information about your own or anyone else’s details, such as location, online activity, other connections, friends or contacts.