BY FAHMI ALBAHETH

Recommendations from UNESCO’s safety workshops in Yemen

UNESCO Doha Office

DIGITAL SAFETY FOR JOURNALISTS IN YEMEN

Published in 2017 by the United Nations Educational, Scientific and Cultural Organization
UNESCO GCC and Yemen Cluster Office
Doha, Qatar

© UNESCO 2017

This document is available in Open Access under the Attribution-ShareAlike 3.0 IGO (CC-BY-SA 3.0 IGO) license (http://creativecommons.org/licenses/by-sa/3.0/igo/). By using the content of this publication, the users accept to be bound by the terms of use of the UNESCO Open Access Repository (http://www.unesco.org/open-access/terms-useccbysa-en).

The designations employed and the presentation of material throughout this publication do not imply the expression of any opinion whatsoever on the part of UNESCO concerning the legal status of any country, territory, city or area or of its authorities, or concerning the delimitation of its frontiers or boundaries.

The ideas and opinions expressed in this publication are those of the authors; they are not necessarily those of UNESCO and do not commit the Organization.

This publication was made possible under a contribution by Finland.

Table of Contents

DIGITAL SAFETY
MANAGING THREATS AND LIMITING RISK
  COMMON THREATS AND RISKS FACING JOURNALISTS WORLDWIDE
COMMON THREATS AND RISKS FACING YEMENI JOURNALISTS
PREPARE TO BE SEARCHED
HOW-TO CREATE & MAINTAIN SECURE PASSWORDS
  TOOL: KEEPASS TO MANAGE YOUR PASSWORDS
HOW-TO KEEP SENSITIVE FILES SECURE: ENCRYPTION
HOW-TO DELETE DATA SAFELY
BROWSING INTERNET SECURELY
  RECOMMENDED VPNS:
EMAIL ENCRYPTION: PROTECTING SENSITIVE COMMUNICATIONS
HOW-TO SECURELY CHAT: INSTANT MESSAGING THE SAFE WAY
HOW-TO HANDLE MALWARE
HOW TO: AVOID PHISHING ATTACKS
HOW TO USE AN ANDROID SMARTPHONE SECURELY
GENDER DIMENSIONS IN THE DIGITAL AGE
CONCLUSION
OTHER SOURCES AND REFERENCES
RECOMMENDED TOOLS AND APPS

DIGITAL SAFETY

When we talk about digital safety, we are talking about taking steps to reduce access to information you want to keep private, or only make accessible to specific people. This could be information stored locally on an electronic device, or online. The information could be related to your personal life, your work or details about your sources or colleagues.

There is no single solution for keeping yourself safe online. Digital security is not about which tools you use; rather, it is about understanding the threats you face and how you can counter them. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you are located, what you are doing, and whom you are working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.

As conflicts and wars continue, the risks facing journalists are increasing. Reports show that several journalists have been arrested, killed or abducted in Yemen. The Committee to Protect Journalists, amongst many other organizations, has classified Yemen as one of the most dangerous places for journalists. In a context where violence against the media is on the rise, there are specific implications and risks for female journalists. These guidelines address gender-specific responses to these risks.

Multiple parties in the conflict are using hacking and surveillance techniques, and journalists are an all-too-common target.

MANAGING THREATS AND LIMITING RISK

Our risk assessment and strategies for staying safe should not relate only to our 'digital lives' but should, of course, also include our personal, physical, organizational and emotional security.

Your equipment and online activity can be great for getting work done. However, they also bring risks. Digital security requires both advance planning and regular assessment of what you are doing and why. Much of it has to do with habits and simply thinking about what your tools do and how they handle the information you are either sending or receiving.

When conducting an assessment, there are six main questions you should ask yourself:

1. What do you want to protect?
2. Who do you want to protect it from?
3. How likely is it that you will need to protect it?
4. How bad are the consequences if you fail?
5. How much trouble are you willing to go through in order to try to prevent those?
6. Are there specific risks if I am a male or female journalist?

When we talk about the first question, we often refer to assets, or the things that you are trying to protect.

An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets.

Write down a list of data that you keep, where it is kept, who has access to it, and what stops others from accessing it.

In order to answer the second question, “Who do you want to protect it from?” it is important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network.

Threats can also be environmental or structural in nature. Examples of such threats may include data loss due to a power outage or natural disaster.

Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

A threat is something harmful that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.

Write down what your adversary might want to do with your private data.

The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Be aware of gender-specific risks you might be exposed to and how to mitigate them.

While journalists may face the same types of threats due to their professions, there are gender-specific online threats every journalist should be aware of, in order to better protect him or herself. Female journalists may be faced with online harassment which could, in turn, lead to physical violence. Please refer to the chapter “Gender Dimensions in the Digital Age” on page 27 of these Guidelines to learn more about risks and mitigation strategies for female journalists.

COMMON THREATS AND RISKS FACING JOURNALISTS WORLDWIDE

Digital attacks, as well as others, occur at great cost to journalists and their networks as well as to freedom of expression, generally speaking. A report prepared by UNESCO on “Building Digital Safety for Journalism” [1] identified 12 main (and often overlapping) threats facing media actors in today’s technological environment:

[1] http://unesdoc.unesco.org/images/0023/002323/232358e.pdf

Surveillance and mass surveillance

Surveillance, as the monitoring, interception, collection, preservation and retention of information that has been generated, stored and relayed over communications networks, is one way actors seek to monitor information. Surveillance technologies are diverse and can include location tracking, deep packet inspection, facial recognition systems and mass monitoring. Bulk interception methods for voice, SMS, MMS, email, fax and satellite phone communications also exist.

Software and hardware exploits without the knowledge of the target

Surveillance technologies developed by commercial entities have been found on networks in many countries and reportedly have been used to target individual journalists and activists. Entities can also target journalists for surveillance by installing a physical ‘bug’ or a hidden microphone on a journalist’s communications devices or person. ‘Pen registers,’ which record the phone numbers dialed on outgoing calls, and ‘trap and trace devices’ that record numbers on incoming calls could also be used to capture the metadata of journalists’ communications. Other times, journalists may be targeted via their location data.

Phishing attacks

Targeted ‘phishing’ or ‘spearphishing’ campaigns often use links or attachments laden with malware that are sent via email or social media. If clicked on or downloaded, Remote Access Trojans (RAT) allow the attacker to gather anything they want on the compromised computer. Other times, these attacks take the guise of a fake domain (website). The site silently collects account information that the journalist enters on the site, thinking that it is legitimate.

Fake domain attacks

Fake domain attacks usually fall into two categories: 1) they inject malware, or 2) they provide fake content that attacks the credibility of the news organization or journalist. In a fake domain malware attack, the fake domain copies the existing content from the targeted website and serves injected malware to visitors of the fake website.

Man-in-the-middle (MitM) attacks [2]

A MitM attack occurs when attackers insert themselves, or their technology, in between a user and a target site. During a MitM attack, the attacker can silently obtain information from both sides and even change the content without either the user or the target knowing. Their exchange continues while the man in the middle watches.

[2] A Man-in-the-Middle attack is the technical word given to define a specific type of digital attack. Though the term isn’t gender-sensitive, it is the generally-accepted name to describe these types of attacks online.

Denial of Service (DoS) attacks & DDoS – distributed denial of service

A DoS attack is when one computer and one Internet connection are used to flood a server with packets with the intention to overwhelm the site and make it inaccessible to others. Another type of DoS attack is a distributed denial of service attack (DDoS), which utilizes a number of computers and connections, often distributed around the world, to attack a computer and overload websites to make them inaccessible.

Website defacement

A common tactic involves using Man-in-the-Middle attacks to compromise legitimate user accounts. Alternatively, an attacker might exploit vulnerabilities in the website’s web server software.

Compromised user accounts

User accounts, such as for email, social media or Skype, can be compromised in a variety of ways. A phishing attack may install malware on a journalist’s device that uses keylogging software, which can capture passwords as the journalist is typing his or her login information. An attacker can also use a fake website, and after the user puts in his or her login information, the attacker can then use it to access the real website, without alerting the user.

Intimidation, harassment and forced exposure of online networks

Sometimes journalists are intimidated into giving up their digital account information. For example, authorities might detain or threaten a journalist, forcing him or her to divulge passwords to their social media and/or email accounts. Journalistic actors sometimes share passwords with colleagues so if they are arrested, colleagues can log in and remove information that might be enough to detain someone under strict freedom of expression laws.

Disinformation and smear campaigns

Smear campaigns involve many different intimidation tactics that are often both online and offline. Such tactics include setting up fake websites where disinformation can live online, or intimidating a journalist with compromising photos or videos and then spreading them online. Other times, attackers choose to clone a website to confuse readers and threaten the credibility and legitimacy of a news organization.

Acts of harassment and threats of violence against women journalists online are on the rise. Female sources also face increased risks when acting as whistleblowers or confidential informants.

Confiscation of journalistic work product

In an increasingly digital environment where journalists store vast amounts of information on portable devices such as laptops and mobile phones, journalists’ confidential sources and information are at risk. These devices contain rich information and data that can reveal sources’ names and contact information and put people in danger.

Data storage and mining

The process of data mining is understood as the practice of searching through large amounts of computerized data to find useful patterns or trends. For example, it can be used to pinpoint journalists’ probable sources. There are cases where data, including mobile phone locations and traffic data, stored under a country’s data retention laws have allegedly been accessed to compile lists of high-profile journalists’ sources.

* Text and visuals on this page are taken from UNESCO’s Building digital safety for journalism: a survey of selected issues

COMMON THREATS AND RISKS FACING YEMENI JOURNALISTS

Arrest or being searched

Digital security is not just something that happens online. You carry around with you devices full of data about yourself, your work and your contacts. These will be in your mobile, laptop computer, camera, external hard drives and USB sticks, SIM cards, SD cards and so forth. Multiple threats emerge should these be taken from you. Manage the threat by preparing for the possibility of being searched or having your equipment seized, and know how to encrypt, hide and delete your sensitive data safely.

Personal Accounts Hacking

Social media websites can be popular and fast ways to communicate, but they are also heavily targeted by hackers and adversaries interested in learning more about you or some of your contacts. It is important to know how to create strong passwords, and to know the privacy and security settings for every website you are using.

Malware

As a journalist, you are in contact with various individuals and groups who themselves could be targets. Various groups will also be interested in accessing your communications or digital files to find out your contacts and networks and target them. They may target you with multiple kinds of malware, including spyware. You have to know how to protect your devices from malware and phishing attacks.

Surveillance

Anyone monitoring your online or mobile traffic can access all the information you are sending and receiving, with whom, and when. Do you need to limit knowledge of the content of your conversation or the identities of the people having them? Is it a conversation you should have in person? Protect yourself, your sources and your data by understanding how to secure your web browsing, encrypt your e-mail, and chat safely.

Geo-tracking

Most likely, your mobile phone is (and your computer could be) revealing your location, which makes it easy to target you physically later. The types of physical attacks resulting from online geo-tracking may vary for men and women journalists, ranging from (but not limited to) harassment and sexual violence for women journalists to kidnapping and assaults for male reporters. Ensuring your computer or mobile phone doesn’t reveal your geographic location can help.

PREPARE TO BE SEARCHED

There are a lot of situations in which Yemeni journalists may find their digital equipment searched or confiscated. So get rid of unnecessary content and encrypt the important stuff.

If you go through a security or a military checkpoint, you might be asked to submit your mobile phone or laptop for inspection.

Always back up your important data on an external storage device and do not bring it with you. Delete any sensitive data from your mobile. It is better to avoid keeping any multimedia files of this sort on your devices, especially if they are unnecessary for your media work.

If you have multimedia files (videos, pictures, etc.) on your devices about only one side of the conflict, delete these files before travelling to the other side’s area.

Several people have reported that they were asked by security personnel to “access their Facebook accounts” when passing checkpoints. If possible, keep your life, work and thoughts away from your Facebook account.

Consider preparing a “harmless” Facebook account that does not contain any sensitive content. Fill it with pictures of flowers, or any public data.

If the nature of your work forces you to carry private information with you, perform certain steps in order to hide the files in your devices, or save them in unusual places. Remove the memory cards and replace them with safe ones. Move the files or images to a hidden folder inside the operating system on your computer, and then change the file names.

If you do not want to keep files on your devices while moving, and do not have an external hard drive, then encrypt the files on your computer and upload them to the Internet in order to download and decrypt them later.

Be ready to delete some materials. If you think you can do it securely, take some time and delete your browsers’ history and favorites, and delete any multimedia files or applications on your mobile phone or other devices that might reveal information you do not wish to be detected.

Here you have to recognize the situation in your surroundings. It is generally better not to leave any data on your devices.

Secure communication defences are particularly necessary for female journalists and sources, to ensure that their movements are not tracked and their sources’ identity remains confidential.

HOW-TO CREATE & MAINTAIN SECURE PASSWORDS

Strong passwords are probably the most fundamental element of computer security. We use passwords to protect our computers, online accounts and encrypted data. A few simple habits can prevent your passwords from being discovered.

Below are our recommended eleven tips for creating and maintaining secure passwords:

1. Long:

Make your password at least 14 characters long, if possible. Short passwords are easily broken by readily available programs.

2. Complex:

Use numbers, lower and upper case letters, punctuation and special characters. This significantly increases the difficulty of breaking your password.

3. Random:

Avoid common patterns and dictionary words. Passwords consisting of words are easier to break, as are passwords with number sequences like 1234.

4. Impersonal:

Avoid using personal information in the password. Do not use phone numbers, birthdays, hometowns, etc. These passwords can be broken by people who have your personal information. Also, a discovered password that is personal could reveal your identity.

5. Memorable:

Create a password you can remember. Writing a password on a piece of paper or in a computer file creates a security risk. Use a mnemonic to make long and complex passwords that are easy to remember:

Example: [email protected]?

You Get 3 wishes today at 4PM.What are your 3 wishes?

6. Secret:

Passwords should not be given out easily. In general, passwords should not be shared. However, in the case of arrest, it is a good idea to have someone (optimally outside of the country) who is able to change your passwords quickly.

7. Unique:

Do not use the same password for multiple accounts. Reduce the potential damage of password discovery by using different passwords for different accounts. This way, if your Facebook password is discovered, the perpetrator will still not have access to your email, computer, etc.

8. Changing:

Create new passwords regularly. Reduce your risk by changing your passwords regularly, particularly if you use internet cafes or computers other than your own. However, fresh but easily breakable passwords are more dangerous than a very secure password that you maintain.

9. Hidden:

Never send your password in plain text. Only use your password with a secure protocol. Make sure it is never being sent over a network as plain text.

10. Check the password recovery method:

Many sites use password recovery tools; make sure this recovery is secure. An easy recovery question is as bad as an easy password.

11. Be wary of directly typing your passwords on a public computer.

Keyloggers record anything typed on the computer, and passwords are easily retrieved. Keyloggers are common in internet cafes, but can also be installed on your computer by a virus.
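The checks in tips 1 to 4 and tip 7 can be automated. The following Python sketch is an added example, not part of the original guide: it audits a candidate password against those tips and generates a random password that passes them, the way a password manager's generator would. The word list, the sample personal details and all function names are assumptions made for illustration.

```python
import secrets
import string

MIN_LENGTH = 14  # tip 1: at least 14 characters

# Constructed sample list; a real audit would load a large dictionary file.
COMMON_WORDS = {"password", "welcome", "qwerty", "admin", "journalist", "yemen", "sanaa"}


def has_sequence(password, run=4):
    """Tip 3: detect runs such as 1234, dcba or aaaa (constant step of +1, -1 or 0)."""
    codes = [ord(ch) for ch in password.lower()]
    for start in range(len(codes) - run + 1):
        window = codes[start:start + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def personal_tokens(personal_info):
    """Tip 4: split phone numbers, birthdays, hometowns into comparable tokens."""
    tokens = set()
    for item in personal_info:
        parts = "".join(ch if ch.isalnum() else " " for ch in item.lower()).split()
        tokens.update(part for part in parts if len(part) >= 4)
        joined = "".join(parts)
        if len(joined) >= 4:
            tokens.add(joined)
    return tokens


def audit_password(password, personal_info=(), passwords_in_use=()):
    """Return the list of tips the password breaks; an empty list means it passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("length")          # tip 1
    classes = (
        any(ch.islower() for ch in password),
        any(ch.isupper() for ch in password),
        any(ch.isdigit() for ch in password),
        any(ch in string.punctuation for ch in password),
    )
    if not all(classes):
        problems.append("classes")         # tip 2
    if has_sequence(password):
        problems.append("sequence")        # tip 3
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("dictionary")      # tip 3
    squashed = "".join(ch for ch in lowered if ch.isalnum())
    if any(token in squashed for token in personal_tokens(personal_info)):
        problems.append("personal")        # tip 4
    if password in passwords_in_use:
        problems.append("reused")          # tip 7
    return problems


def generate_password(length=20):
    """Draw random passwords from a CSPRNG until one passes every check above."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs.
    print(audit_password("Sanaa1234"))
    print(audit_password("Kx7!1990wPz$eRt2", personal_info=["1990-05-17", "Taiz"]))
    print(generate_password())
```
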

TOOL: KEEPASS TO MANAGE YOUR PASSWORDS

KeePass is trusted, open-source software that stores your passwords for you in a single secure location behind one password. You remember one very long, very secure password, and KeePass will securely remember all of your passwords. This allows you to create long, complex passwords and change them frequently. KeePass will also generate random passwords for you.

For more information and download: http://keepass.info/index.html

Article and video about using KeePass from Cyber Arabs: https://www.cyber-arabs.com/?p=760

HOW-TO KEEP SENSITIVE FILES SECURE: ENCRYPTION

When storing or transporting data, there are several risks that require attention: interception, theft, loss, and incrimination. Interception usually means a data copy has been covertly made, while theft would suggest the storage device containing the data, or the original data, has been taken. The latter case would be detectable, whereas the former might not be.

If sensitive data falls into the hands of adversaries, there may be severe consequences for sources or the journalist.

To protect digital files there are several options. Simply storing the material on a small device (USB drive, memory card or external hard disk) and hiding it may be effective in certain cases. In such a scenario, the entire security of the material is dependent on the hidden device not being found.

To protect your data from unauthorized access, many programs offer password protection schemes for documents or hard disks. However, you cannot rely on these programs to protect your data; they are easily bypassed.

We suggest using VeraCrypt, as it is available across different operating systems, is highly trusted and easy to use. Using VeraCrypt you can encrypt entire hard drives, files, folders or external devices:

1. Encrypt your entire hard drive

A user password on your computer is not enough to ensure the security of your data. If the files on your computer are sensitive, it is a good idea to encrypt your hard drive. With a good password, this will prevent anyone from retrieving your data, even if they physically gain access to your computer.

2. Keep an encrypted volume for sensitive files

Sensitive files can be kept in an encrypted volume (like a folder). This will keep these files secure even when you are logged into the computer. If you keep this folder the size of a DVD or your USB drive, it can easily be backed up.

3. Hidden volume encryption

VeraCrypt can also create a hidden volume, which provides the additional security of being able to open the encrypted file, if demanded by the authorities, while maintaining the encryption of the sensitive files. In a hidden volume, one password will decrypt non-sensitive files you place in one part of the volume; the other password will decrypt your sensitive files. If you are ever forced to reveal the password, you can choose to reveal the non-sensitive files.

Additional instructions and download: https://veracrypt.codeplex.com

Due to threats of physical attacks, in conflict zones or when reporting on dangerous topics, women journalists should be able to also rely on secure non-physical means of communication with their sources.

HOW-TO DELETE DATA SAFELY

Deleting files on a computer, in the standard way, is very much like putting a paper document in the trash. Someone willing to dig through the trash may recover the document or fragments of the document. This is true even when the trash is emptied.

Fortunately, it is relatively easy to clean your computer's hard disk and other storage devices.

For Windows, we recommend using Eraser and CCleaner as described below.

To ensure that sensitive information is not accidentally recoverable:

1. Make sure your files are saved; nothing can be recovered after you complete this process.
2. Close all programs and disconnect from the internet.
3. Empty the trash.
4. Use CCleaner to erase temporary files.
5. Erase the free space on your computer and external storage devices with Eraser.

Tactical Technology Collective Guide to Eraser: https://securityinabox.org/ar/eraser_main

Tactical Technology Collective Guide to CCleaner: https://securityinabox.org/ar/eraser_main

Cyber Arabs Guide for Eraser: https://www.cyber-arabs.com/?p=7794

BROWSING INTERNET SECURELY

In sensitive settings, the monitoring and censorship of internet traffic poses a major challenge to journalists. Internet traffic moves from your computer to the internet service provider (ISP), through a national gateway, and across a series of servers outside of the originating country before finally reaching the server that is responding to your request. Governments and ISPs have the ability to monitor and censor this traffic. Armed with basic knowledge and good tools, it is possible to evade watchful eyes and bypass censorship.

1. Use encrypted communication with the target server wherever possible.

By default, messages transmitted across the network are sent as plain text. These unencrypted, plain text messages can be read by anyone able to observe the network, such as an ISP or government gateway. However, it is possible to encrypt messages across the network. Encrypted communication on the internet occurs over the Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), and can only be read by the intended receiver of the message. Browsing, email and chat can be conducted using encryption across the network.

HTTPS-Everywhere for browsers: https://www.eff.org/https-everywhere

2. Protect your internet communication from ISP and government monitoring and censorship using a secure proxy or VPN.

A VPN will automatically encrypt all your network traffic. It will encrypt and route all network communications to the virtual private network, which will handle all your network requests and responses.

Note: some virtual private networks are run by persons with bad intentions, even when their privacy policies look perfect. Do not use a virtual private network you do not trust.

RECOMMENDED VPNS:

Tor

Tor provides an anonymous proxy by routing traffic through a global network of servers. Tor is designed to protect user locations and identities on the internet. Tor is not designed to provide security through encryption, as communications are not encrypted from the last node in the network to the target server. However, when the primary concern is protecting yourself from government surveillance and censorship, Tor is a secure option. Because Tor relies on a worldwide network of servers, it is difficult to block, and therefore is often more robust than other techniques when other services are blocked.

For download and more info: http://www.torproject.org

In case the website is blocked, send an empty e-mail to the following address: [email protected]

Guide on using Tor from EFF: http://bit.ly/28Tfkcr

Security in a box Guide for using Tor: https://securityinabox.org/ar/tor

Psiphon

Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content. Your Psiphon client will automatically learn about new access points to maximize your chances of bypassing censorship.

For download and more information: https://s3.amazonaws.com/psiphon/web/qmxu-ee8n-ujx4/en/download.html

In case the website is blocked, send an empty e-mail to the following address: [email protected]

You can also visit the Asl19 organization for more recommended VPNs: https://asl19.org/ar

EMAIL ENCRYPTION: PROTECTING SENSITIVE COMMUNICATIONS

Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your emails from being read if the computer on which they are stored is stolen or broken into.

It can also be used to prove that an email came from a particular person, instead of being a fake message sent by another sender (it is otherwise very easy for email to be fabricated). Both of these are important defenses if you are being targeted for surveillance or misinformation.

The private key is what you will use to decrypt emails sent to you, and to digitally sign emails that you send to show they truly came from you.

Your public key is a small chunk of information that others will need to know before they can send you encrypted mail, and that they can use to verify emails you send.

Both sender and receiver need to use public key encryption, but few people are in the practice of using it, so you may need to encourage others to learn how to use the system before you can communicate with them.

When you want to send a private email, you can encrypt the message with the recipient's public key. The message is then only readable when decrypted with the recipient's private key. Thereby, you guarantee the message can only be read by the intended recipient. To respond to your email, the receiver encrypts the response with your public key, which only you will be able to decrypt. The subject line of emails is NOT encrypted, so the subject line should not contain sensitive information.
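What a network observer can still read from a PGP-encrypted email, shown as an added Python example that is not part of the original guide. The message, addresses and placeholder ciphertext are constructed, and `exposure_report` is a hypothetical helper name.

```python
from email import message_from_string

# Constructed sample of a PGP/MIME email as it travels between mail servers.
# Addresses, subject and the "ciphertext" placeholder are made up.
RAW_MESSAGE = """\
From: reporter@example.org
To: source@example.net
Subject: Meeting at the port on Friday
Date: Mon, 06 Mar 2017 09:15:00 +0300
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Headers that mail servers need in order to deliver the message.
CLEARTEXT_HEADERS = ("From", "To", "Cc", "Subject", "Date")


def body_is_pgp_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or for an inline armored PGP message."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.is_multipart():
        return False
    return msg.get_payload().lstrip().startswith("-----BEGIN PGP MESSAGE-----")


def exposure_report(raw):
    """List what stays readable to anyone who can see the message in transit."""
    msg = message_from_string(raw)
    visible = {name: msg[name] for name in CLEARTEXT_HEADERS if msg[name]}
    encrypted = body_is_pgp_encrypted(msg)
    warnings = []
    if not encrypted:
        warnings.append("body is not PGP-encrypted")
    if visible.get("Subject", "").strip():
        warnings.append("subject is readable: " + visible["Subject"])
    return {"visible": visible, "encrypted_body": encrypted, "warnings": warnings}


if __name__ == "__main__":
    report = exposure_report(RAW_MESSAGE)
    for name, value in report["visible"].items():
        print(f"{name}: {value}")
    print("body encrypted:", report["encrypted_body"])
    for warning in report["warnings"]:
        print("warning:", warning)
```

Even with the body encrypted, the sender, recipient, date and subject are listed as visible, which is why the subject should stay neutral.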


Guide from EFF: How to Use PGP for Windows
http://bit.ly/28YHt3h

Encryption using GPG4USB from CyberArabs
http://bit.ly/28TyZXx

Security in a Box Guide: using portable GPG4USB
https://securityinabox.org/ar/gpg4usb_portable

HOW-TO SECURELY CHAT: INSTANT MESSAGING THE SAFE WAY

Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this is not always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.

Voice Calls

When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you are using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it is vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company.

Secure digital communications can be an enabler for women’s participation in public interest journalism. That’s why female sources should use secure contact with reporters to ensure stories affecting women are told.

Tools we recommend

Pidgin

Pidgin is a free, open-source chat program that will allow you to integrate many different instant messaging accounts.

Security in a Box Guide: Pidgin
https://securityinabox.org/ar/pidgin_main

How to: Use OTR for Windows from EFF:
http://bit.ly/28TA0in

Signal Private Messenger

Guide from EFF: How to use Signal (for Mobile)
https://ssd.eff.org/ar/node/93

More info about Communicating with Others from EFF:
http://bit.ly/28TlWaI

HOW-TO HANDLE MALWARE

Malware spreads over the internet or through removable media (like USB sticks). It may damage your computer and may compromise your security. For example, keylogger malware records your keystrokes and can be used to capture passwords and monitor your internet usage. Good practices and software can protect you.

Update your operating system (Windows, OSX, or Linux) regularly to patch security vulnerabilities. This can be done automatically using the built-in automatic updates function.

Use a non-administrator account for your daily use to prevent the unintentional installation of programs or malware. When using an administrator account, be extra-cautious by ensuring you install programs only from trusted sources.

Use strong passwords for your operating system login to prevent others from gaining access to your computer.

Always use an antivirus program to protect against malware. Avast is a free, reliable antivirus program for Windows and Mac. Only download the software from the company’s website.

Enable automatic updates and once-a-week full system scans to maximize the software’s ability to detect malware.

Enable USB scanning to ensure that when you plug in a USB stick, it gets scanned for malware that could infect your computer.

Never click on links or open attachments in emails unless you know who sent them and what they are.

Use VirusTotal.com to scan and check software or files if it is necessary to download software from an unknown URL.

Never download and install applications from untrusted sources on the web or from removable media (e.g. CDs, USBs, other hard drives).

Verify online sources by closely examining their URL. It should exactly match the site. If the file does not come from the publisher’s webpage, try to locate their webpage, and download directly from it.

Always lock your computer when leaving it to prevent unauthorized access.

Immediately contact a reputable specialist if you suspect that your computer is infected to mitigate the damage done by malware/spyware. Also, disconnect from the internet (remove the LAN cable, or turn off your Wifi), and turn off the PC.

Guide: protect your devices from Malware
https://securityinabox.org/ar/chapter_01


HOW TO: AVOID PHISHING ATTACKS

When an attacker sends an email or link that looks innocent, but is actually malicious, it is called phishing. Phishing attacks are a common way that users get infected with malware: programs that hide on your computer and can be used to remotely control it, steal information, or spy on you.

In a phishing email, the attacker may encourage you to click on or open a link or an attachment that may contain malware. Phishing can also occur via Internet chat. It’s important to double-check links that are sent to you via email or chat.

The best way to protect yourself from phishing attacks is to never click on any links or open any attachments sent to your email, but this is unrealistic for most people. So how do we differentiate between the malicious attachments and links and the non-malicious ones?

Verify Emails with Senders

One way to determine if an email is a phishing attack is to actually check with the person who sent it via a different channel. If the email was purportedly sent from your friend, instead of opening an attachment, you could call your friend on the phone and ask if he actually sent you pictures of his kids. The same applies to links sent through Facebook Messenger, WhatsApp, or any other application.

Use VirusTotal.com to scan and check software or files if it is necessary to download software from an unknown URL.

Be Careful of Emailed Instructions

Some phishing emails will claim to be from a computer support department or technology company and ask you to reply with your passwords, or to give a “computer repair person” access to your computer remotely, or to disable some security feature on your device, or to install a new application. Be especially careful before giving anyone technical data or following technical instructions unless you can be absolutely certain that the request's source is genuine.

Use Email Authentication

Guide from EFF: How to Avoid Phishing Attacks
http://bit.ly/292DapS

Information Phishing (Cyber Arabs)
http://bit.ly/28XTh8g
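The advice in this section to double-check links, and the malware section's tip that a download address should exactly match the publisher's site, can be turned into a small check. This is an added Python example, not part of the original guide; `check_link`, the trusted list and every look-alike address below are constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: sites the reader already trusts, copied from links in this guide.
TRUSTED_HOSTS = ("torproject.org", "psiphon.ca", "securityinabox.org", "ssd.eff.org")


def check_link(url, trusted=TRUSTED_HOSTS):
    """Classify a link as 'match', 'suspicious', 'unknown' or 'reject'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        has_userinfo = parts.username is not None
    except ValueError:
        return "reject", "malformed address"
    if parts.scheme not in ("http", "https") or not host:
        return "reject", "not a web address"
    if has_userinfo:
        # In https://trusted.org@other.example/ the real site is other.example.
        return "suspicious", f"text before '@' is decoration; real site is {host}"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "suspicious", "non-Latin characters can imitate Latin letters"
    for site in trusted:
        if host == site or host.endswith("." + site):
            return "match", f"belongs to {site}"
    for site in trusted:
        if site in host:
            return "suspicious", f"'{site}' appears in the name but the site is {host}"
        # Compare the same number of trailing labels to catch one-letter swaps.
        tail = ".".join(labels[-site.count(".") - 1:])
        if SequenceMatcher(None, tail, site).ratio() >= 0.85:
            return "suspicious", f"{tail} is close to, but not, {site}"
    return "unknown", f"{host} is not on the trusted list"


if __name__ == "__main__":
    # Constructed links: one genuine address from this guide and four imitations.
    samples = [
        "https://www.torproject.org/download/",
        "https://torproject.org@files.example/tor.exe",
        "https://torproject.org.downloads.example/",
        "https://www.torproiect.org/",
        "https://t\u043erproject.org/",  # Cyrillic letter in place of Latin "o"
        "https://news.example/story",
    ]
    for link in samples:
        verdict, reason = check_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

An "unknown" verdict only means the site is not on the list; confirming with the sender through a different channel still applies.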

HOW TO USE AN ANDROID SMARTPHONE SECURELY

A smartphone is a mobile phone built on a mobile operating system, with more advanced computing capability and connectivity than simple mobile phones. Android-based phones are a common example of these devices. These phones are often used to access the internet and services like Facebook. They also constantly communicate with mobile phone towers that reveal the location of the handset. To enhance your smartphone security, you need to take some basic security steps.

Use a passcode to lock your phone to prevent others from gaining access to it. Using more than the minimum four digits will increase the security of your phone. Never use a pattern to lock your phone. These can be copied easily.

Install antivirus (e.g. Avast) software on your smartphone to help identify insecure phone settings, help you locate your phone if lost, and stop malware from infecting your phone from malicious links, text messages, apps, or when you plug your phone into your computer.

Never leave your phone unattended in a public place as its contents could be accessed, your information stolen, or malware/spyware installed on it.

Use Psiphon3, or other secure communications tools (e.g. Orbot) to encrypt your browsing and prevent unwanted surveillance of your online activities.


Do not respond to, or click on, links in text messages or emails from unknown people. These messages could be attempts to access your device or infect it with malware.

Never save your passwords on your device to prevent hackers from getting access to them. Instead, store your account credentials in a password manager (e.g. KeePassDroid for Android).

Encrypt your phone and external SD card to protect the information on your phone.

Enable the SIM Card Lock on your phone to prevent it from being used by others.

Save contacts on your Google cloud-based account only to safely store your contacts outside of your phone’s physical memory. This should prevent your contacts list from being accessed if your phone is stolen.

Only install software from trusted sources to avoid infecting your device with malware/spyware.

Be sure to check who created the app you download to ensure it was posted by the app’s known developer.

Check what permissions an app will request before you install it. If an app wants to access something unusual, like your contacts, when you do not think it should, do not install it.

Keep Wifi and Bluetooth off by default to prevent your phone from connecting to the internet or other devices without your consent.

Turn off Location Services to help prevent tracking of your location. Only turn on location settings as you need them. Note that as long as your phone is on, telecommunications companies can track where you are. To completely prevent tracking of your location, remove the battery from your phone.

Do not connect to open or untrusted wifi networks using your smartphone as hackers on these networks may be able to monitor your activity. If you have to, use a VPN, Tor, or Psiphon3 to encrypt your connectivity.


For more info about Mobile risks:
https://www.cyber-arabs.com/?cat=14

How to use Mobile phones securely
https://securityinabox.org/ar/chapter_10

How to use Smart Mobile phones securely
https://securityinabox.org/ar/chapter_11

GENDER DIMENSIONS IN THE DIGITAL AGE*

(*Text from this chapter is taken from UNESCO’s Building digital safety for journalism: a survey of selected issues)

Women journalists face additional risks in the course of their work – on and offline. In the physical realm, these risks can include sexual harassment, physical assault and rape. In the digital sphere, acts of harassment and threats of violence are rampant. Similarly, female sources face increased risks when acting as whistleblowers or confidential informants. These issues manifest in several ways as regards the issue of source protection in the digital era:

1) Women journalists face greater risks in dealing with confidential sources

2) Women sources face greater physical risks in encounters with journalists and in revealing confidential information

3) The physical risks confronted by women journalists and sources in the course of confidential communications may require reliance on digital communications

4) Secure digital communications defences, including encryption, are arguably even more necessary for female journalists and sources.

Specific factors for consideration

1) Female journalists and sources need to be able to communicate digitally

Female journalists working in the context of reporting conflict and organised crime are particularly vulnerable to physical attacks, including sexual assault, and harassment. In some contexts, their physical mobility may be restricted due to overt threats to their safety, or as a result of cultural prohibitions on women’s conduct in public, including meeting privately with male sources. Therefore, women journalists need to be able to rely on secure non-physical means of communication with their sources. Women sources may face the same physical risks outlined above – especially if their journalistic contact is male and/or they experience cultural restrictions, or they are working in conflict zones. Additionally, female confidential sources who are domestic abuse victims may be physically unable to leave their homes, and therefore be reliant on digital communications. These factors present additional challenges for women journalists and sources, in regard to maintaining confidentiality in the digital era.

2) Digital safety and security are paramount for both female journalists and sources

Women journalists need to be able to rely on secure digital communications to ensure that they are not at increased risk in conflict zones, or when working on dangerous stories, such as those about corruption and crime. The ability to covertly intercept and analyse journalistic communications with sources increases the physical risk to both women journalists and their sources in such contexts. Encrypted communications and other defensive measures are therefore of great importance to ensure that their movements are not tracked and the identity of the source remains confidential. Therefore, they need to be able to have access to secure digital communications methods to ensure that they are at minimum risk of detection and unmasking. They also need to have confidence in the ability to make secure contact with journalists to ensure that stories affecting women are told – secure digital communications can be an enabler for women’s participation in public interest journalism. They can also help to avoid magnifying the ‘chilling’ of investigative journalism dependent upon female confidential sources. Also needed are strong legal protections for confidentiality, which are applied in a gender-sensitive manner – especially in regard to judicial orders compelling disclosure.


3) Online harassment and threats

Journalists and sources using the Internet or mobile apps to communicate face greater risk of gendered harassment and threats of violence. These risks need to be understood and mitigated to avoid further chilling women’s involvement in journalism – as practitioners or sources.


CONCLUSION

Security is never perfect and always involves trade-offs. Only you can determine the balance between efficiently conducting your work and protecting against attacks. When considering solutions, be honest about your capabilities and don’t impose impossible security protocols on yourself. Encrypting your email, securely deleting files, and using long passwords won’t help if, realistically, you won’t follow those habits in the field. Think instead about fundamental steps that you will actually do. If you are more worried about technical attacks than physical seizure, for example, consider writing notes in a paper notebook instead of a Word document.

If you are facing sophisticated technical attacks, the best approach may be simple and minimal. Only you can judge the pros and cons. It’s not a “cybercrime” to keep your long passwords written down on a note in a safe place. At least if somebody steals that, you’ll know it’s time to change them. Just don’t put those passwords on a Post-it note stuck to your office wall.


OTHER SOURCES AND REFERENCES

Cyber Arabs academy
https://www.cyber-arabs.com

Committee to Protect Journalists
https://www.cpj.org/ar

Surveillance Self-Defense Kit from EFF
https://ssd.eff.org/ar

Security in a Box Guide
https://securityinabox.org/ar/

Reporters without Borders
http://ar.rsf.org

Front Line Defenders
http://www.frontlinedefenders.org

Rory Peck Trust
https://rorypecktrust.org/

Salamatech Syria Project
https://www.salamatech.org/

Internews organization
https://www.internews.org

IWPR
https://iwpr.net

Asl19 organization
https://asl19.org/

Digital Defender Partnership
https://www.digitaldefenders.org/


RECOMMENDED TOOLS AND APPS

App Store

F-Droid
Alternative to the Google Play app store for Android.
Platforms: Android
https://f-droid.org/

Email

Riseup
Secure communication tools for people working on liberatory social change.
Platforms: Web Services
https://riseup.net/

K-9 Mail
Email application for Android devices with built-in PGP support.
Platforms: Android
https://github.com/k9mail/k-9

Mozilla Thunderbird
Multi-platform email application with mail encryption through the Enigmail add-on.
Platforms: GNU/Linux, OS X, BSD, Windows
https://www.mozilla.org/en-US/thunderbird/

GPG4win
Email and file encryption for Windows.
Platforms: Windows
http://www.gpg4win.org/

Mailvelope
OpenPGP email encryption tool for major webmail services.
Platforms: GNU/Linux, OS X, BSD, Windows
https://www.mozilla.org/en-US/thunderbird/

GPGTools
OpenPGP add-on for Apple OS X Mail.
Platforms: OS X
https://gpgtools.org/

OpenKeychain
OpenPGP implementation for Android.
Platforms: Android
http://www.openkeychain.org/

Enigmail
OpenPGP email encryption add-on for Thunderbird and Icedove.
Platforms: GNU/Linux, OS X, BSD, Windows
https://www.enigmail.net/

Instant Messaging

Jitsi
Encrypted text, voice, and video messaging for multiple platforms.
Platforms: GNU/Linux, OS X, Windows
https://jitsi.org/

Pidgin
Free universal instant messaging client.
Platforms: GNU/Linux, BSD, Windows
https://www.pidgin.im/

ChatSecure
OTR-encrypted IM for Android and iOS.
Platforms: Android, OS X
https://chatsecure.org/

Signal Private Messenger
Provides end-to-end encrypted instant messaging.
Platforms: OS X, Android
https://whispersystems.org/

Silence
Silence encrypts your text messages over the air and on your phone.
Platforms: Android
https://silence.im/

Password Managers

KeePass
Silence encrypts your text messages over the air and on your phone.
Platforms: Windows
http://keepass.info/

KeePassDroid
KeePassDroid is an implementation of the KeePass Password Safe for Android.
Platforms: Android
http://www.keepassdroid.com/

KeePassX
Application for people with extremely high demands on secure personal data management. Saves many different types of information such as usernames, passwords, urls, attachments and comments in one single database.
Platforms: GNU/Linux, OS X, BSD, Windows
https://www.keepassx.org/

VPN, Proxy, And Web browsing add-ons

Tor
Free software for enabling online anonymity.
Platforms: GNU/Linux, OS X, BSD, Windows
https://www.torproject.org/

Orweb
Proxy-capable and Privacy-aware Web Browser for use with Orbot's localhost 8118 proxy, or any HTTP proxy server.
Platforms: Android
https://guardianproject.info/apps/orweb/

Onion Browser
Surf the web through the Tor network with this browser for iOS.
Platforms: OS X
https://mike.tig.as/onionbrowser/

Alkasir
Alkasir is a computer program that works with proxy servers to allow users to circumvent censorship of URLs in countries where there is censorship of political content.
Platforms: GNU/Linux, OS X, Windows
https://alkasir.com/

Psiphon
Psiphon is a circumvention tool that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content.
Platforms: Android, Windows
https://psiphon.ca/

HTTPS Everywhere
Encrypts your communications from thousands of websites by enforcing HTTPS everywhere.
Platforms: GNU/Linux, OS X, Windows, Android
https://www.eff.org/https-everywhere

NoScript
Only enable JavaScript, Java, and Flash for sites you trust.
Platforms: GNU/Linux, OS X, BSD, Windows
http://noscript.net/

Adblock Plus
Adblock Plus is a free extension that allows you to - among other things - block annoying ads, disable tracking and block domains known to spread malware.
Platforms: GNU/Linux, OS X, BSD, Windows, Android
https://adblockplus.org/

File Encryption

VeraCrypt
Free disk encryption software.
Platforms: GNU/Linux, OS X, BSD, Windows
https://veracrypt.codeplex.com/