Boosting human rights defenders' digital security against targeted hacking

On 7 March, Wikileaks published a trove of documents showing the United States Central Intelligence Agency’s (CIA) capabilities to remotely hack devices running Android, iOS, Windows, Mac OS X and others. These leaks demonstrate how the CIA and, very likely, other intelligence services, are able to exploit software and operating systems’ vulnerabilities.

Since the leaks were published, however, a number of news agencies have inaccurately reported that the CIA was capable of bypassing end-to-end encryption built into widely used messengers, such as Signal, WhatsApp, as well as other secure chat tools.

This reporting has created a false impression that encryption is vulnerable to hacking.

In reality, the leaks showed that to bypass encryption on a computer or a phone, agencies have to directly hack a targeted device, which then allows to intercept and record messages before they are encrypted and sent.

Quite the opposite of how it has been reported, the leaks, in fact, demonstrate the reliability of encryption, proving that tools such as secure messengers work as advertised, and that, due to increased use of encryption, mass surveillance of the Internet is becoming more difficult. At the same time, the revelations also underscore the critical importance of protecting software and especially operating systems against vulnerabilities.

For those working in human rights, the leaks serve as a reminder that human rights defenders, journalists, and activists may be at risk of targeted hacking by governments, state intelligence agencies, or third parties looking to undermine their work.

Human rights defenders need to continually maximise security of their devices, especially when they have reasons to believe that they are or could be targeted.

Phishing attacks are the most common way to hack devices remotely. Therefore, it is important to be extremely cautious when receiving messages (via email or messaging apps) or downloading files, before clicking on received links or responding to messages or emails. It is always important to carefully check validity of email addresses, user names and other credentials of people you communicate with, name extensions of files you are about to open, exact spelling of addresses of links you are about to click, etc. It is best to avoid opening any files or links received from unknown sources, and independently confirm with a source when you think that something is wrong with the communication you received.

Immediately updating the operating system and all software (including apps) on your computer and smartphone when updates are available is a must to make your devices more resistant to attack.

Consider buying phones and computers capable of running the latest version of the operating systems (currently Android 7, iOS 10.2, Mac Sierra 10.12, Windows 10, Ubuntu 16.04 LTS / Ubuntu 17.04). This will ensure your device is most protected and will allow you to keep up-to-date with the software and phone applications.

Switch to end-to-end encrypted messaging app like Signal, Wire or even WhatsApp.

Create and maintain secure passwords. Consider using a password manager (like KeePassX, KeePassDroid or MiniKeePass), so you can generate a unique password for each account without having to remember them all. Also turn on two-factor authentication for applications and services that support it.

If you suspect that your device has been hacked, you can reinstall the operating system on your computer or do a factory reset on your phone and change passwords for your accounts. These are not definitive solutions to the problem; however, they often can help remove spying software, viruses and malware. If you require technical support, seek help from others who are more experienced rather then totally abandoning these tactics for protecting your devices.

These are some of the main steps you can take to boost the security of your devices. For more, check out Security-in-a-Box and Surveillance Self-Defense, online digital security guides for human rights defenders at risk.

P.S. Finally, an advanced recommendation for HRDs at greater risk would be to use Virtual Machine when opening suspicious files or links, or to consider using Tails or Qubes operating systems. These recommendations are not easy to implement and may require considerable effort and some technical assistance. However, they offer greater protection of your computer.