A Thoughtful, Analytical Approach to NGO Security

Technology

A HELP! button for aid workers

If you are an aid worker and you have an iPhone you need the Safety Button Assault Alarm iPhone application. Although it is billed by its makers, Sillens AB, as an assault alarm for women, it’s good for a myriad of situations in which aid workers can suddenly find themselves. Whether it’s a simple traffic accident on a remote road or the sudden realization that your new ‘friend’ intends to kidnap you, the Safety Button can help.


The Safety Button application is extremely easy to use. First, install it on your iPhone and fill in the email, phone, and SMS details of a reliable colleague or your organization’s radio room. Safety Button can then be set to do any combination of the following:

  • text your position
  • email your position
  • make an emergency call
  • sound an alarm


When you find yourself in a situation of impending danger simply start Safety Button. Your location data will be sent to the Sillens AB servers in Sweden and updated every 20 seconds. As long as you keep the application running your position will be tracked.

At this point, if your fears turn out to be unfounded, you can simply turn off the application. No emergency messages will have been sent and you won’t have bothered anyone. However, if your instincts were right, simply press the big red button and Sillens’s servers will notify your contact.

You can buy Safety Button from the iTunes store for $2.99. The price includes three alerts. You can buy additional messages from the Sillens website.

Twitter and disinformation in Iran

Over the past week there has been a lot of media coverage of the relationship between Twitter, the hybrid online/mobile communication service, and its impact on post-election events in Iran. The argument that Twitter service in Iran is a critical opposition activist tool is already over-hyped so I won’t rehash it here. Rather, I think it’s worth shedding some light on how Twitter is being used to spread disinformation and who is doing it.

Twitspam has a continually updated list of suspected fake accounts that may have connections with Iranian security. I used some of these account names as a starting point for a quick and dirty analysis of their networks.

Suspected AlJazeera English producer impersonator “AJE_Producer” appears to be trying to lure Twitter users in Iran into communicating with him directly through email or telephone with the intent of entrapping them. The diagram below illustrates how easily the suspected impostor was able to disseminate his requests for contacts. It shows only recent ‘active’ direct connections between AJE_Producer and twenty Twitter users and the recent active connections between those twenty users and their contacts. It does not show retweets nor does it reflect how many people may have simply read a message from AJE_Producer.

AJE Producer Twitter connections
AJE_Producer network

Although some of the connections are from people trying to challenge AJE_Producer’s methods there were a surprising number of people who took AJE_Producer at face value including some who actually appeared to be residing in Iran. Given the current level of violence in Iran this is alarming to say the least.

Expanding the network of connections one iteration further gives a somewhat rosier picture. The chart below shows AJE_Producer’s (center of chart) deception being overshadowed by a number of well connected Twitter users (top of chart) who appear to be trying to out AJE_Producer and other fake Iran election Tweeters.

AJE Producer tertiary connections
AJE_Producer extended network

Analysing the Twitter networks of other disinformation purveyors from Twitspam’s list highlights some developing tactics. Iransource and iransource45 are likely the same person. The content of the tweet streams is remarkably similar and composed mostly of overt propaganda. These two entities dominate the chart below because they send tweets directly to other Twitter users and reply to queries. Their relatively innocuous names may be an attempt to reassure potential followers. It is interesting to see the cluster of five anti-spammers trying to counter them.

Centrality view of Iranian Twitter disinformation network
Iranian Twitter disinformation network overview

If we take a closer look at the network on the bottom left we can see a different tactic developing. Ebrahim Ansari (AKA Persian_Guy) uses fake retweets to spread disinformation and confusion. Essentially he is putting his words in the mouths of other users, both real and imagined. The AhmediNej accounts are primarily used to retweet Ebrahim’s content, probably in an attempt to bypass users trying to block obvious propaganda. They don’t have a lot of active connections, likely because the account names themselves are so obviously inflammatory.

Twitter disinformation closeup view
Close-up view showing AhmedNej and Ebrahim Ansari networks

For the moment it appears that activists in Iran have the edge when it comes to making use of Twitter to get their message out. However, the propagandists are trying to close the gap. They hope to trap gullible users, spread disinformation, and create distrust.

If you want to counter them I suggest you go to Twitspam and block those on the “Obvious Disinfo” list. Certainly you should not retweet anything from these people.

Red Cross Website Hacked to Steal Quake Relief Donations

A section of the Chinese Red Cross website has reportedly been hacked. Apparently the hacker gained access to the website and created four fraudulent bank accounts to steal earthquake relief funding. If you can read Chinese you can read the report here. Otherwise check out the link attached to the graphic below. Read the full report from The Dark Visitor.



Crossing Borders with your Laptop

Recent media coverage of the Ninth U.S. Circuit Court of Appeals' decision to allow border agents to search travellers' laptops without cause has inspired a lot of coverage in tech media circles. However, as an aid worker it is important to remember that the US border is not the only place where your laptop can be searched. Aid workers have reported having their laptops searched by authorities in Sudan and Pakistan. Sri Lankan security forces frequently demand access to aid workers' laptops when they are entering LTTE-controlled areas or travelling to or from Jaffna. In one case they even seized the computer of the Executive Director of an NGO.

So how do you keep prying eyes from accessing your sensitive files while travelling? The EFF has some good advice for protecting your laptop from arbitrary searches. Bruce Schneier has his take as well. Finally you shouldn't overlook Front Line's "Digital Security and Privacy for Human Rights Defenders".

Sending GPS Coordinates from your Thuraya to Twitter

Aid Worker Daily has instructions for sending GPS co-ordinates from your Thuraya satellite phone to Twitter via an SMS message. This might come in handy if you get into trouble and need help like James Karl Buck.

Humanitarian Mapping on Mobile Phones?

Hmmm. This video looks interesting. It purports to be of an Android mobile phone application called MapMaker for creating maps in disaster zones. Here is what the person who posted the video on YouTube says about the application:

Map Maker is an Android application for creating maps in a disaster zone. It is designed to allow aid workers to quickly and easily create a map of the area they are working in. After a disaster such as a hurricane or earthquake the landscape can change so fundamentally that existing maps are rendered out of date. Knowing things like which roads are passable, where field hospitals are and suitable aircraft landing areas makes it far easier to manage an emergency.


Unfortunately the video has no audio and there are very few details. If this turns out to be more than vapourware I'd like to see some additions to support NGO security. Labels and tags for minefields, no-go areas, checkpoints, safety hazards etc. would be very nice.



If the creator of this program is out there listening I'd love to beta test this!

More on Espionage Against Pro-Tibet NGOs

You might recall that a couple of weeks ago NGO Security and humanitarian.info covered cyber attacks on NGOs in Tibet. Now Wired magazine has a more mainstream follow-up article on the issue. Most alarming perhaps is that some of the malware used in the attacks was designed to steal PGP encryption keys. PGP is used by many human rights groups to secure their email from prying eyes.




If you'd like to know more about how to protect your organization's information from prying eyes be sure and check out "Digital Security and Privacy for Human Rights Defenders".

Saving Sri Lankan Websites at Risk

Inspired by the demise of the Sri Lanka Monitoring Mission (SLMM) website, government censorship of sites like Tamilnet, and the demise of websites like Tafern, Sanjana Hattotuwa has set up Websites at Risk. His intent is to archive civil society and NGO websites that are at risk of being closed down with little or no notice. These websites are valuable sources of information and lessons learned for humanitarians, researchers and NGO security practitioners.

Sanjana deserves a big round of applause for this initiative.

Breaking NGO IT with Low Tech - Suggested Readings

Discussion (here and here) regarding Bruce Schneier’s recent post on security mindset combined with recent interesting posts from friends regarding NGO IT security issues (here, here and here) has me thinking. It seems to me that social engineering, rather than a purely technological attack, is still the easiest route into most NGOs’ networks. There is no need for anything too complicated. Most aid workers are somewhat trusting and helpful by nature, making them easy targets for even relatively inexperienced social engineers.

Kevin Mitnick’s book, “The Art of Deception - Controlling the Human Element of Security” is a great introduction to social engineering. Kevin Mitnick was one of the world’s greatest hackers. He gained great notoriety for his ability to penetrate telephone and computer networks seemingly at will. What surprised many is that it wasn’t sophisticated technology that allowed him to do it. It was his ability to con or ‘pretext’ people into giving him the information he needed to access their systems. As he explains in the book the human factor was security’s weakest link.

Hint: If you search for “Kevin Mitnick The Art of Deception.pdf” on Google you just might be able to find a free copy of Kevin’s book floating around the net.

To further develop your security mindset check out "No-Tech Hacking" by Johnny Long. It's a sample chapter from "Techno Security's Guide to Managing Risks for IT Managers, Auditors and Investigators". Johnny has since turned the chapter into a book in its own right. In the freely available sample chapter he covers tailgating, faking ID cards, lock bumping, shoulder surfing, dumpster diving and other low-tech means of gaining forbidden access.

Happy reading and don't blame me if it keeps you up at night.

In Case of Emergency - ICE



In Case of Emergency (ICE) is a program that encourages people to enter emergency contacts in their cell phone address book under the name "ICE". This enables first responders (paramedics, firefighters, police officers, and of course NGO security officers) to quickly search an unresponsive victim's phone for the ICE contact who can identify the victim, provide emergency medical information, and next of kin details.

Of course this is not a panacea. It comes with the usual caveat: you'll need to adapt the system to your local context and your organization's methodologies. For instance it might not be appropriate in Afghanistan where Taliban supporters have been known to search the phones of passers-by for foreign names. However, with a little bit of adjustment you should be able to use this idea to help ensure the safety and security of your staff.

If you want additional videos like the one above, W. David Stephenson has done a number of videos at least one of which I have used before. You can find out more at his website or at his YouTube channel. Don't be put off by the Homeland Security 2.0 label he uses. His short videos are intended to help empower ordinary people during times of emergency or disaster.

Trunk Monkey Security System

Thanks to Sources and Methods for pointing out the Trunk Monkey Vehicle Security System. Hopefully they'll develop a ruggedized version for NGO use. Just imagine how useful it could be at militia checkpoints or when the police want to search your vehicle for the fifth time that day.



For more about Trunk Monkey go to trunkmonkey.com.

SIPRI, ISN and FIRST - Open Source Data at its Best

I believe that publicly funded data (data from governments, the UN and other world bodies, and INGOs) should be truly public. By this I mean that anyone can easily, and without cost, access the data in a non-proprietary format. No locked pdf files. No password protected databases. No one-query-at-a-time, one-answer-at-a-time forms. Just the data in a simple user accessible format.

The Stockholm International Peace Research Institute (SIPRI) and the International Relations and Security Network (ISN) understand. They have teamed up to provide an integrated database known as FIRST. FIRST contains free, open source, clearly documented information from research institutes around the world. The databases are filled with hard facts on armed conflict, peace keeping, arms production and trade, military expenditure, armed forces and conventional weapons holding, nuclear weapons, security, international relations, human rights, and health statistics. Most of the data can be exported in comma-separated value (.csv) or Excel (.xls) formats. These formats are easily imported by many analytical tools allowing the user to carry out their own processing and analysis.



As an excellent example of what can be done with data from FIRST check out Jeffrey Warren's Vestal Design interactive data visualization of world-wide arms transactions. You can view the full Java-based visualization at ARMSFLOW. I love this kind of thing. Effective data visualization allows you to quickly present complex data to senior level decision makers without overwhelming them.

World Wide Arms Flow Chart 1981

Now if only there was a way to get NGOs to share security incident data in the same way!

An Invisible Security Barrier for NGOs?

NGO compounds can be very vulnerable to civil disturbance, especially when they become the focus of an angry crowd’s attention. Walls, fences and gates will only slow determined rioters and not for very long at that. Even armed guards are of little use. Guards from a reputable private security company are unlikely to be willing to fire upon a crowd of their fellow countrymen, nor would humanitarian organizations want them to. So the question is, how does one slow the advancing crowd long enough for staff to seek safety?

The Inferno invisible security barrier might be a solution worthy of consideration for at risk humanitarian organizations. The modules look like sleek high tech stereo speakers but they emit a wall of sound so unpleasant that it forces most people to leave the area immediately. Any intruder who doesn’t leave immediately faces the unpleasant prospects of vertigo and nausea and will have difficulty concentrating on the task at hand.


The system works by emitting a combination of sound frequencies from 2 to 5 kHz. Unlike the comparably loud scream of a regular siren the Inferno’s unique frequency combinations have disturbing but non-permanent effects on human physiology. The system won’t even cause hearing loss without repeated exposure.

Yes, a determined intruder could still get in, perhaps covering his ears, but recall that the intent is not to prevent entry. Rather, the intent is to delay the intruders long enough for staff to seek safety and for assistance to arrive. Like walls and fences you'll need to leave an escape route for staff.

Gadget Roundup

NGO security is really about people... but a few gadgets can't hurt either.

MOGO Wireless Signal Booster

We've all worked in areas where mobile phone coverage is spotty at best. MOGO Wireless has a wireless signal booster for mobile phones that claims to reduce dropped calls and boost signal strength. There is a home version that plugs into the USB port of your laptop and also a mobile version that plugs into the power port in your car. The only downside is it seems they only do 800/1900 MHz so globe-trotting aid workers might want to wait until other antennas are available.


ATP GPS Photo Finder

I've been experimenting with geotagging lately. It's very useful for keeping track of where you took your facility security, post-incident, and other photos. Most systems are still a little kludgey but a friend pointed me to the GPS Photo Finder. Simply carry it around while you take your pictures. Later, put your camera's memory card into the GPS Photo Finder and all the location data is merged with the digital photos. Your photos can then be used with GPS-compatible photo software or sites such as Google Maps and Flickr.


Solio Universal Solar Battery Charger

Better Energy Systems has introduced a couple of new models of their universal solar battery charger known as the Solio. I've used the original model for a couple of years. It comes in really handy for keeping your mobile phone and gadgets charged when you are working in areas without reliable electricity. All of the models are small enough to fit into your field bag. It only takes about four hours of tropical sun to charge fully... longer at more temperate latitudes.

The only thing I don't like about the Solio is having to carry all the little adaptors needed to support my various phones, iPods and other gadgets. Of course that's really not Solio's problem. I pray for the day when gadgets come with standardized ports.

Beware Barbara Moratek of the Ivete Foundation

According to Sunbelt, a security software company, there is a new email scam going around where small non-profit organizations are being targeted by a “Barbara Moratek” of the “Ivete Foundation”. Not only does the email seem to be a scam but Googling either name can take you to sites with fake codec Trojans and other potentially damaging sites. NGOs, especially smaller ones eager for donors, should also be aware of this potential threat.

Go to their site to read the whole post.

BGAN Explorer 500 - Final Thoughts and Lessons Learned

Earlier I wrote about the new BGAN Explorer 500 we were fielding. Well I’m back from the field and the unit is set up and running so I thought I’d share a few lessons learned and give my revised impressions of the unit.

Lessons Learned

  • Ensure you completely set up your account before you go to the field. Some service providers (like ours) want you to log in to their website to activate your account before they’ll allow the BGAN to make a data or voice connection. This is going to be difficult if you are already in the field and have no other reliable connection. I learned that the hard way.

  • Make sure the IT section either removes all proxy settings on the computer you’ll attach to the BGAN or that they give you administrator privileges.

  • Take lots of extra cable. Ten-meter lengths of CAT 5 and telephone cable, plus a similarly sized outdoor power cable should suffice. This might seem like a lot but if you need to use it from inside a bunker you’ll be glad of the extra length.

  • Take backup cables. You never know whose dog will decide to chew through them.

  • It’s also a good idea to have a compass. There is one built in to the unit but it is rather fiddly and, depending on the angle you need to adjust the BGAN to, it can be difficult to read.

Impressions

Software:

Both the OS X and Windows versions of the connection software, called LaunchPad, are easy to install and intuitive to use. Tip: Ignore the installation guide and just follow the installer defaults. The documentation doesn’t seem to be current and you’ll end up with files scattered everywhere.

You can also access the BGAN via your regular browser. It gives you the functionality of LaunchPad plus allows you to make more advanced settings. Be warned though, most users will find it to be a little more intimidating.

Hardware:

The Explorer 500 itself is pretty much ‘bomb proof’. It held up well to baking sun, monsoon rains, bouncing around the back of the truck, the attentions of a flock of hungry chickens, and a curious mutt named Max.

Overall: I’d recommend the Explorer 500 to anyone looking for a rugged, easily deployed voice and data system.

Pros:

Rugged
Portable
Easy to set up

Cons:

Lengthy and confusing documentation
Most NGOs will find it somewhat expensive

Front Line: Accessible Security for Human Rights Defenders

I like Front Line more and more as time goes on. They get it. They put a lot of effort into making their security related materials accessible and understandable. Their newly updated website is clean, easy to navigate, and full of valuable resources. They have a good primer on security for human rights workers, and a great manual titled "Digital Security and Privacy for Human Rights Defenders".

Even their site licence is a breath of fresh air. They have a nice simple Creative Commons licence. Front Line understands that its job is protecting people not content. Try comparing their licence to the pages of unfriendly legalese found on the websites of some large NGOs.

Front Line is also making good use of internet video as these two examples released on YouTube demonstrate.


Video: Front Line - Protection of Human Rights Defenders


Video: NGO in a Box - Security Edition

Widgets, Advocacy, and Human Security

John Bell’s post, “Nonprofit Widgets in the Age of OpenSocial” got me thinking about how to use widgets to support advocacy for human security, humanitarian access, and the security of aid workers. I’m not a coder but luckily many websites can help generate widgets based on content selected by the user. The “Selected News” sidebar on this page is an example of such a widget.

The people search engine Spock lets you create similar Flash and JavaScript widgets based on the search results you use. On my Demo page you can see three widgets based on the search terms “death by firearm”, “murdered aid worker” and “murdered journalist”. The content is a little sparse for the last two terms but I’m hoping to work with Spock to change this. These ideas only scratch the surface. How about a widget that rotates images of detained activists... missing persons... great humanitarians... kidnapping victims? The possibilities seem endless.

Of course there are other widget options. If you’re looking to do some fundraising, organizations like the Network for Good can help you create a custom widget. They call them badges. Beth Kanter used one to help her raise funds to send young Cambodians to university. If you go to her blog and scroll down a little you can see the widget in the sidebar.

If you have any ideas you want to share please leave a comment.

Smart Clothes for Disaster Relief

Disaster relief workers may soon benefit from a new 'smart' suit being developed by I-Garment. The suit is intended to help remedy safety and communications problems faced by fire fighters but I can see its utility for humanitarian disaster response as well.

The suit is intended to address three familiar problems:

1. the unavailability of standard communications means during disasters,
2. the lack of information as to the whereabouts and safety of relief workers during emergency efforts, and
3. the problem of acquiring and distributing timely geospatial data during an emergency.


If one were to combine the suit with CSIRO’s proposed power generating shirts it could even be self powered.

BGAN Explorer 500 Unboxing

The BGAN Explorer 500 is tiny! That is the first thing that struck me when I unpacked it. In fact it is only about half the size of my MacBook Pro. At 21 cm by 21 cm and weighing in at 1.3 kg it is truly portable.

For those who might not be aware BGAN stands for Broadband Global Area Network. Essentially it allows Internet and telephone connections via an INMARSAT satellite. The portability of this type of equipment makes it popular amongst journalists, disaster response workers, soldiers, and others working in remote areas or areas where the communications infrastructure has been destroyed.



The Explorer 500 package I received included the following:

  • EXPLORER 500 BGAN terminal
    • Battery
    • AC/DC power cable
    • Vehicle accessory power adaptor cable
    • Bluetooth handset
    • Handset charging cable
    • CAT-5 LAN cable
    • USB cable
    • CD-ROMs with software and manual
    • “Quick Guide” and “Getting Started” pamphlets

You can connect your laptop to the terminal via USB, Ethernet, or Bluetooth. There are two power jacks, one to charge the terminal itself and one to charge the Bluetooth handset. You can also plug in a regular landline telephone if need be.

My one small quibble with the hardware is with the power cable for charging the USB handset. The terminal end seems quite delicate. I foresee it becoming easily clogged with dust or simply broken off with repeated use.

Software Setup

BGAN LaunchPad software for PCs (Windows XP) is included with the system. Despite the fact that some of the documentation suggests that it is PC only I was able to find a Mac OS X version (and an update) on a hand-labelled CD. The documentation also suggests that the system is LINUX compatible but I have no way of testing this so we’ll just have to take their word for it.

Installing the OS X software was a little fiddly. The installer is very Windows-like and installed bits and pieces all over the place. Unfortunately where the installer said it was going to install things was not where they were actually installed. When I ran the updater it generated an error that required me to find and open the install log. Come on! If I wanted to do that kind of stuff I’d buy a PC! Luckily the LaunchPad software seems to work fine despite the reported error.

I tried to test the system earlier today without success. Unfortunately the area around my office is cluttered with buildings and trees, not to mention nervous security forces. I wasn't able to get a good line of sight to the satellite so I’ll post more once I find a suitable open area and really put the system through its paces.

Twitter in Emergencies

This morning I came across Luis Suarez’s very informative post about micro-blogging in emergencies at elsua.net. His post led me to a great YouTube video by W David Stephenson.


David’s video led me to the American Red Cross’s twitter feed and their Safe and Well feed. Ike Pigott at Occam’s RazR has a great post that explains how Twitter can be used to keep the Safe and Well database up to date.

I left a comment on Ike’s site wondering about how to get the word out to the general public. After all most people won’t be reading blogs like this before an emergency. While I was writing this post it occurred to me that Red Cross t-shirts would be the ideal medium. Just include the instructions for how to SMS the Safe and Well feed on the back of the shirt.

IT Security and NGOs - A Little Knowledge?

The other night I was having dinner with some NGO friends when the subject of government eavesdropping on NGOs came up. One of the people at the table said that in the past they had used an email trick to allow sharing sensitive information amongst team members. Essentially the premise was that one could sign up for a free web mail account and share the account password amongst team members. Members would draft emails as usual but rather than sending them they would simply leave them as drafts. Other team members would then read them by going to the account.

The idea was that as long as the email wasn’t sent it couldn’t be monitored. Unfortunately it is just not true as Nart Villeneuve points out here.

I recalled the conversation a few days later and wondered what the problem was. It is not that my friends weren’t aware of the potential risks, and they are certainly not unintelligent. I think the issue is that most aid workers already have more than enough work to do without trying to keep up with the latest developments in IT security. So the problem becomes one of learning about IT security in small, manageable, easily absorbed bits.

Fortunately there are resources that can help. Thanks to Bruce Schneier at Schneier on Security for pointing out securitycartoon.com. I don’t think it is meant to be funny but it does present IT security in a straightforward and comprehensible manner. Subscribe to the RSS feed to make it even easier.

Privaterra is a good resource that covers data privacy, secure communications, and information security for Human Rights NGOs.

Of course you shouldn’t miss Nart’s blog. It isn’t NGO specific but it covers Internet privacy, freedom of expression, censor-ware, security, surveillance and anonymity. Whether you are interested in "Cyber-Cafe Monitoring in India" or need to know how to avoid internet filtering Nart’s blog is a good place to start.

The Economist on Tech, Response, and NGOs

The Economist has an interesting article on how technology is changing the power dynamics between NGOs and their beneficiaries. There are even a couple of paragraphs covering concern about how mobile phones and similar technologies might impact on NGO security.

NGO in a Box - Security Edition

NGO in a Box has a Security Edition that includes Free and Open Source Software (FOSS) to aid NGOs in securing and protecting their data and online activities. The package seems ideally suited to human rights, anti-corruption, and women's groups, as well as independent media outlets. Any other group that wants to protect their data from abuse, misuse, and vandalism might want to check it out as well.

Creative Commons License
This work by Kevin Toomer is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada License.