Digital Security Risks Human Rights NGOs were Exposed to during COVID-19 Pandemic Lockdowns
A week after the World Health Organisation (WHO) declared COVID 19 a global pandemic, Uganda registered its first case. A month later, the disease was widespread across the country, prompting the operationalization of WHO-recommended and Government-imposed emergency measures to contain the spread of the virus. These included partial and eventually total lockdowns, a ban on social gatherings of more than five people, the shutdown of public transport, air travel, and the closure of businesses except for vital sectors like food and health.
To ensure continuity of operations, NGOs, much like other businesses/organizations across the globe, had to heavily depend on digital tools to continue operations which led to the “Zoom-Era.” The era of working from home/remotely aided by digital applications like conferencing platforms like Zoom, which allows for up to 500 participants, voice, and video, messaging apps, and digital collaborative workspaces in the absence of offices and physical engagement.
For the highly tech-driven economies from the developed world, this transition was undoubtedly an inconvenient adjustment; unfortunately for developing countries like Uganda, with substantial deficiencies in ICT infrastructure, where only a sixth (1/6) of the population has access to the internet, and 36% of the non-internet users are digitally illiterate, it was nothing short of a catastrophe.
The Not-for-profit sector was one of those hardest hit by this transformation since the bulk of their work entails awareness and capacity building engagements, socio-civic advocacy/activism, community meetings, and outreach.
The Digital Security Alliance (DSA), a coordinated digital security support mechanism for human rights defenders, activists, and journalists in Uganda, that is led by Defenders Protection Initiative, with funding from the Collaboration on International ICT Policy in East and Southern Africa (CIPESA) under the African Digital Rights Fund, undertook the study, to Assessing the Levels of digital security risk to which Human Rights NGOs were Exposed to after the adoption of technology tools for business continuity during the COVID-19 Pandemic Lockdowns in Uganda.
This study, therefore, sought to investigate the digital security risks associated with the adoption of technological tools given the human rights landscape in Uganda and against the backdrop of the COVID pandemic.
The main objective of the research was; To identify gaps and vulnerabilities that are exposing human rights organizations to digital security risks to develop strategies to build capacity to mitigate any future threats of cyber-attacks, privacy & data breaches.
The study targeted 50 NGOs across Uganda. To obtain comprehensive data sets, it necessitated the selection of respondents from both frontline officers involved in implementing day-to-day activities of human rights NGOs and critical decision-makers such as Executive Directors, Program Managers, Department Heads and Advocacy Officers.
Guided by the research questions; “Did the adoption of digital platforms expose NGO to any cybersecurity-related challenges? Was the adoption of digital platforms effective in NGOs’ business continuity?” we were able to obtain the following evidence.
Level of Exposure to Digital Tools Prior COVID 19
The research revealed that 50% of the respondents were moderately exposed to digital security tools before the COVID 19 lockdown. Frontline offices pointed out that their work primarily constituted physical engagements with their partners and beneficiaries, which limited the number of tech tools and frequency. The most commonly used digital tools were voice conferencing call facilities, voice over internet services like Skype, digital collaboration tools like Google Suite, Gmail, Google Drive, Google Meet, and Google Docs. Social media platforms including Facebook, Twitter, and YouTube. However, with the outbreak of COVID 19 and subsequent lockdown, NGOs had to adopt “new” ICT tools and depend on the ones already in use more heavily to ensure
business continuity. Respondents reported to have adopted video conferencing and collaboration platforms; Zoom, BlueJeans, Google Meet, Jitsi, KumoSpace, Microsoft Teams, and GoTo Meetings. These are mainly used to facilitate internal communication/conducting staff meetings (19%), communicate with participants (18%), conducting workshops (15%), communicating and liaising with donors (14%), and providing support to beneficiaries (14%).
Challenges Faced During and as a Result of Adopting ICT Tools
Facilitating business continuity, increasing efficiency, improving time management, and other benefits of information and communication technology (ICT) mainstreaming notwithstanding, the adoption of tech tools was not without challenges. NGO heads reported internet interruptions as their biggest challenge. Interruptions were either unstable or, for the case of rural areas, non-existent networks—slow internet connections due to the minimal broadband coverage. 3G covers only 65% of the population, and LTE/4G covers only 17%.
NGO staff in urban areas with access to 4G speeds that could support data-intensive apps like video conferencing tools were affected by the high cost of data. Individuals reported having spent on average 127,500 UGX per month purchasing internet data packages—a stretch for most middle seized NGOs without an internet budget big enough to cover 127,000 worth of data for each staff.
The above interferences are compounded by frequent power cuts, which affect enabling ICT hardware and infrastructure such as the cell towers, desktops, MiFis, and modems.
Exposure to Digital Security Risks
Much like the COVID 19 pandemic, the adoption of tech tools and mainstreaming of ICT were novel. The timing and abrupt nature of the circumstances also did not allow for adequate preparation and training on using the digital tools and digital security concerns. These, therefore, paused unprecedented risks. 98% of the respondents reported having been exposed to some sort of digital security risk. Of the reported cases, we deduced that 52% of these were exposed to digital threats while using personal computers as opposed to the 48% who faced threats while using organization-provided computers.
It was inferred from the findings that the organizations whose works centres on social development, justice, law and order, health, education, ICT, and accountability reported digital threats more frequently. However, this comes as no surprise, especially in the Ugandan context, whose civic environment is marred by intimidation, torture, and killing of social justice leaders, illegal detentions and evictions, and a restrictive legal framework, among others. However, the research findings highlighted the varying degree in threat level exposure as experienced by different genders and reaffirmed the disproportionate impact of COVID 19 on women and children. This is evidenced by NGOs operating in the thematic area of Women’s rights and reporting the most frequent (26%) exposure to digital security risks from using technology tools adopted during COVID-19 lockdown.
Top Ways Businesses get Hacked
Bait and Switch Attack
Using trusted marketing methods such as paid-for advertising on websites, attackers can trick you into visiting malicious sites. When websites sell advertising space, it can be purchased by rogue attackers. The bona fide advertisement can be replaced with a ‘bad’ link that can be used to download malware, lock up your browser, or compromise your systems.
Alternatively, the advertisement may link to a legitimate website, but it will be programmed to redirect you to a harmful site
Key Logger
A key logger is a small piece of software that, when downloaded into your computer, will record every keystroke. The key logger will capture every keystroke on the keyboard, every username, password and credit card number, etc., exposing all of your data and personal information
Denial of Service (DoS\DDoS) Attacks
A Denial of Service attack is a hacking technique designed to flood your web server with a myriad of requests to the point that it overloads the web server resulting in a website crash.
To do this, hackers will deploy botnets or zombie computers that have a single task, flood your web site with data requests
ClickJacking Attacks
This method tricks you into clicking on something different from what you thought you were clicking. The clickjacking element could be a button on a web page that, when clicked, performs another function, allowing others to take control of the computer. The host website may not be aware of the existence of the clickjacking element.
Fake W.A.P.
A hacker can use software to impersonate a wireless access point (W.A.P.), which can connect to the ‘official’ public place W.A.P. that you are using. Once you get connected to the fake W.A.P., a hacker can access your data.
To fool you, the hacker will give the fake W.A.P. an apparent genuine name such as ’T.F. Green Aiport Free WiFi.’
Cookie Theft
The cookies in your web browsers (Chrome, Safari, etc.) store personal data such as browsing history, username, and passwords for different sites we access. Hackers will send I.P. (data) packets that pass through your computer, and they can do that if the website you are browsing doesn’t have an SSL (Secure Socket Layer) certificate. Websites that begin with HTTPS:// are secure, whereas sites that start with HTTP:// (no ‘S’) do not have SSL and are NOT considered secure.
Viruses and Trojans
Viruses or Trojans are malicious software programs that, when installed on your computer, will send your data to the hacker. They can also lock your files, spread to all the computers connected to your network, and perform many other nasty actions.
Seek for a Security Check
As you can see, it is all too easy to have your business systems inadvertently compromised, you can seek for a security check to secure to protect your business. It is tailored to the needs of each business. click here
WhatsApp 2FA: Secure Yourself From This Simple Hack
Imagine someone has taken over your account, what would happen to you and the people who contact you on WhatsApp?
Just as it is easy to fresh install of WhatsApp for your new phone is also how easy an attacker would gain access to your WhatsApp and possibly start a conversation with your friends claiming it is you.
Most times, the direct risk is not to you if you’re attacked, but to your contacts. They can expect to receive requests for data or even emergency funds. This is social engineering at its best. We would trust an end-to-end encrypted platform, a message from a trusted friend and so are coded to have our guards down and rather feel pity in these circumstances.
The repercussions of this happening are beyond imagination. This can even further spread to more of your contacts having there WhatsApp accounts taken over.
With the account taken over, the attackers could then message contacts in the groups you are in as if from the account holder (you), as well as any other contacts whose WhatsApp messages were received after the take over. No legacy data is compromised. The target device remains untouched. WhatsApp has simply been ghosted onto an illegitimate device.
It is surprising how many people have not yet enabled the Two-step verification PIN in WhatsApp—almost everyone we have asked has yet to set it up. If you’re the same, then please take that minute and set it up now.
The Question now is, How do we prevent this from happening to you for the first time or again?
WhatsApp introduced a feature where you can set a PIN of your own choice and even an email address just in case you forget your PIN. The PIN is your own verification to confirm that it is you even after inputting the SMS verification so you do not otherwise have to share your PIN with anyone.
You can find this feature in your WhatsApp setting > Account > Two-step verification: There you will be prompted to enable your PIN and confirm it, then you will also be asked to type in an email address to use to recover your account in case you forget your PIN
What you need to know about Delayed Phishing/ Post-Delivery Weaponized URL
Truth is, most of us have ever been a victim of phishing before and with the abundant resources online and trainings that we have so far had, we have become sort of immune to phishing.
Click here to as well look at our blog post about phishing and what you need to know
Our immunity against phishing has so far been boosted by e-mail service providers, mail gateways and even browsers that we use which has all embedded in their systems anti-phishing filters and malicious address scanners.
With all these above, cybercriminals are constantly inventing new, and refining old, circumvention methods. One such method is delayed phishing.
Delayed phishing is an attempt to lure a victim to a malicious or fake site using a technique known as Post-Delivery Weaponized URL.
“As the name suggests, the technique essentially replaces online content with a malicious version after the delivery of an e-mail linking to it. In other words, the potential victim receives an e-mail with a link that points either nowhere or to a legitimate resource that may already be compromised but that at that point has no malicious content. As a result, the message sails through any filters. The protection algorithms find the URL in the text, scan the linked site, see nothing dangerous there, and allow the message through.”
Effecting the malicious link
Attackers operate on the assumption that their victim is a normal worker who sleeps at night. Therefore, delayed phishing messages are sent after midnight (in the victim’s time zone), and become malicious a few hours later, closer to dawn.
If cybercriminals find a specific person to attack, they can study their victim’s daily routine and activate the malicious link depending on when that person checks mail.
Technology behind Delayed Phishing
For delayed phishing to be effective, hackers use at least one of these 2 common methods:
- Simple link: In this case, the hackers are the ones who are controlling the target site in that at the time of delivery, the site is safe so it can go through the several security levels it is scanned before it is delivered to your mailbox. At the time of delivery, the link leads to either a meaningless stub or (more commonly) a page with an error 404 message and the malicious version of the site is activated after delivery.
- Short-link switcheroo: Several sites offer link shortening services to the world, with this you can get alternative links that are easy to remember and short instead of long and boring links. However, some of this services allow you to alternate the link behind these short links. So the cybercriminals take advantage of this in that, by the time they are sending the email, the short link it pointing to a legitimate site and is swapped to the malicious site after delivery.
Although there is a third technology that is not so common which includes a randomized and short link where there is a probabilistic redirection. That is, the link has a 50% chance of leading to google.com and a 50% chance of opening a phishing site. The possibility of landing on a legitimate site apparently can confuse crawlers (programs for automatic information collection).
– Spotting & fighting Delayed Phishing
Ideally, there is need to prevent the phishing link from getting to the user, so rescanning the inbox would seem to be the best strategy.
In some cases, that is doable: for example, if your organization uses a Microsoft Exchange mail server. Kaspersky Security for Microsoft Exchange Server is also included in our Kaspersky Security for Mail Servers and Kaspersky Total Security for Business solutions.
Difference between Identification, Authentication & Authorization
We all have been identified, authenticated and authorized almost everyday of our online life.
What we do not know most of the time is where each of this comes in while accessing our online platforms and we end up confusing the 3 words often using the terms identification or authorization when, in fact, they are talking about authentication.
But as long as we are able to understand what we are talking about, it has not mattered to us to get the meanings of these 3 words.
It is always better to know the meaning of the words you use, though, and sooner or later, you will run into a geek who will drive you crazy with clarifications, whether it’s authorization versus authentication, fewer or less, which or that, and so on & to be honest, you could even catch an attitude!
So what do these 3 words actually mean?
- Identification occurs when a subject claims an identity (such as with a username)
- Authentication occurs when a subject proves their identity such as with a password (for example, by comparing the password entered with the password stored in the database)
- Authorization techniques can grant or block access to objects based on their proven. This is the function of specifying access rights/privileges to resources.”
🙂
So, now you know in what ways identification is different from authentication and authorization. One more important point: Authentication is perhaps the key process in terms of the security of your account. If you are using a weak password for authentication, your account could easily be hijacked. Therefore:
- Create strong and unique passwords for all of your accounts.
- If you have trouble remembering your passwords, a password manager has your back. It can help with generating passwords, too.
- Activate two-factor authentication, with one-time verification codes in text messages or an authenticator application, for every service that supports it. Otherwise, some anonymous raccoon that got its paws on your password will be able to read your secret correspondence or do something even nastier.
The 3 words are so easy to confused and people always get mixed up using them. Hope this article has made it clearer now!
Toxicity Online
I am one of those people who usually go online, most specifically, YouTube for content but very many a time, I go there just for the comments.
And over the years I have had a good laugh, but of late, the comment section fills me with dread. Take for example Tati Westbrook, A lifestyle guru who reviews beauty products. She reviewed a particular makeup palette and her view of things didn’t go down well with a section of the YouTube beauty community and the comment section became so vile she had to disable comments for that particular video.
Digital Security Tips for Women
An unfortunate number of women are becoming victims of cyber crimes. According to a recent study, more women are known to use the Internet to enrich their relationships compared to men. Young women, those 18-24, experience certain severe types of harassment at disproportionately high levels: 26% of these young women have been stalked online, and 25% were the target of online sexual harassment. The growing reach of the Internet and the rapid spread of information through mobile devices has presented new opportunities that could put some women at risk, so it’s important to be mindful of the dangers.