Five things you should do to stay safe online

Digital security is important for everyone, but particularly for those who are connected to people in conflict zones or repressive countries. In these situations, intercepted communications, stolen passwords and hacked devices can contribute to people’s detention, torture, or even death. Critically, the weak security practices of one person, even someone on the other side of the world, can put people in their network in danger.

Consider the case of Mariam Hamou, in Naheed Mustafa’s article in this series. Hamou’s accounts were compromised after she divulged her password in a successful spear-phishing attack, raising fears that her attackers would use her to identify and hunt down opponents of the Assad regime within Syria.

This article offers tips and tactics to stay secure. In addition to general recommendations, it also provides snapshots of the digital threats that people in Syria currently face. These examples show how difficult it can be to protect one’s devices and communication when faced with determined opponents. The examples and tips come in part from conversations with members of the SecDev Foundation’s SalamaTech project, which has been working on issues of cyber-security for non-violent groups in Syria for nearly five years.  

To stay secure, the following tips and tactics are a good place to start. We do not suggest that these are sufficient to keep people safe in all circumstances, and certainly not for people in Syria or communicating with them.

It’s important to remember that threats to digital security evolve rapidly, as attackers and defenders learn from each other. Those who communicate regularly with individuals and organizations in places like Syria should think carefully about the threats they face, and the protective strategies they should employ. We therefore offer links to other resources at the bottom of this page, and encourage you to seek recent updates in security practices.

Digital threats in Syria

Threats to digital communications and digital devices are pervasive in Syria. Activists have been shown hundreds of pages of their own online communications after being arrested. Activists and civil society groups are regularly targeted for malware attacks, and the Syrian government maintains tight control over internet and telecommunication companies to monitor perceived threats.

But digital threats aren’t always clandestine. According to Freedom House, “activists and bloggers released from custody report being pressured by security agents to provide the passwords of their Facebook, Gmail, Skype, and other online accounts.” In territory controlled by the Islamic State, militants have frequently raided cybercafes and forced people to show them their browsing sessions and social media accounts. People are regularly stopped and forced to give up their mobile devices and passwords in both regime-controlled and ISIS-controlled areas, in order for security agents to search through their accounts. SalamaTech has testimony suggesting that ordinary people are detained for innocuous uses of social media, simply because security officials deem it to be suspicious.

As a result, if you’re communicating with someone in Syria or another area under high degrees of threat due to surveillance, you need to be careful about the risks that person faces.

There are two key steps for securing private conversations. First, you need to secure both ends of the conversation, devices and people, so that you can trust both of them. That means you need to be confident that the devices being used aren’t infected with malware (see tip #3) and the person on the other end is the one you mean to talk to (see tip #5).

Second, once you have both ends secured then you can use end-to-end encryption confidently. This is crucial in places like Syria, where the government is known to monitor most telephone and mobile phone communications within the country. But as we know from the Snowden leaks and other sources, government surveillance of citizens is widespread.

To address this risk, text messages and voice calls should be readable only in the devices of both the original sender and receiver. This is called end-to-end encryption. Standard landline, mobile calls and text messages are not end-to-end encrypted, but many apps offer this service.

Secure messaging apps differ in various ways, including their ease of use, strength of encryption and popularity. The Electronic Frontier Foundation (EFF) offers some useful tips, but it’s important to remember that apps are constantly being updated (for better or worse) so it’s wise to continuously keep yourself updated with what is secure.

Currently here are two good choices for accessible and secure messaging apps:

1. Signal: This free software app encrypts text and audio conversations. It has been recommended by Edward Snowden due to its use of strong encryption and minimization of data sharing. The latest version allows you to use it on both your mobile device and desktop. Available for Android and iOS.

2. WhatsApp: Earlier this year, WhatsApp rolled out an update that established end-to-end encryption as the default for its chats and calls. The Facebook-owned app is very popular, so it’s likely that most of your contacts already have it installed on their iOS and Android devices, making it a convenient choice for users looking for a secure messaging app. Although the app uses strong encryption, EFF notes four concerns with WhatsApp, including its decision to share users’ phone numbers and usage data with Facebook.

It’s important to keep in mind that encrypted messaging apps are not 100 percent secure, because they only prevent the content of the message from being intercepted from one device to another. If a device has been seized or has had malware installed on it, then the content of the messages could be read by the wrong people.

This happens regularly in Syria, where people are routinely forced to hand over their devices and divulge their account passwords. It is for this reason that SalamaTech advises people in Syria to, if possible, leave their smartphones (with access to social media accounts and large amounts of stored data) at home, and bring only a very basic mobile phone when out and about.

Furthermore, if you are texting with someone in Syria, you may wish to use a code to confirm that the person you want to communicate with is indeed on the other end of the line. (See tip # 5 below.)

Another problem in Syria is that people have had their Skype conversations and chats recorded. Security experts have some concerns about the safety of calls on Skype.

To protect emails from prying eyes that might intercept them, set up PGP. PGP, or Pretty Good Privacy, allows you to send a message that is encrypted in a way that can only be decrypted by the intended recipient. However, that means this only works if the other party is set up to use PGP as well—and many people are not.

It’s important to remember that only the content of your email will be encrypted. The sender and recipient information, along with the subject line, are not.

The EFF provides a useful how-to guide for setting up PGP for Windows, Mac and Linux.

Another common risk is that attackers will gain access to your email accounts, such as Gmail. This can occur through a spear-phishing attack, or the forcible extraction of passwords from people, or by hackers taking advantage of weak passwords. If the people you are emailing in Syria are using very insecure methods of communication don’t send them emails that might contain any information likely to cause them trouble.   

• Use very long passwords for your accounts and for accessing your devices. You should use different passwords for different accounts, so that if one password is compromised, the attacker can’t then use it for your other accounts. As counterintuitive as it may seem, it’s actually better if you can’t remember them all and need to use a password manager.

• Use two-factor authentication. Two-factor authentication (2FA), also known as   two-step authentication, makes it harder for hackers to access your accounts by requiring a second step when logging in or changing passwords. For example, Gmail can send a code to your mobile device that you use along with your password to prove you are who you are. You can think of 2FA as “something you know and something you have.” For example when you go to the bank you need your physical card and your PIN to access your account. 2FA is the same principle. (To set-up two-factor authentication for Gmail go here, for Facebook go here, for Twitter go here.) Whenever possible, enable a second factor that is not SMS, like an e-mail or a trusted device. SMS is not secure and an attacker can spoof your SIM.

• Keep your apps updated. Software companies are scared of hackers as well. That’s why they’re constantly pushing software updates that patch security holes. However, this work is useless unless you keep your software updated. If any of your providers offers you the chance to automate this process, do it!

• Install a good antivirus program on your device. Remember that it is essential that this software is updated regularly.

• Use secure connections (HTTPS) to help avoid Man-in-the-Middle attacks, especially when transmitting private information. If no secure site is available, use a plugin like HTTPS Everywhere. Click here to learn how to check if you are using a secure connection.

• Use ad-blockers, which can help by hiding malicious advertisements.

• Use Virtual Private Networks (VPNs), particularly when using public wifi networks, such as at cafes and hotels. (Opera Browser gives you a free VPN and has a built-in feature that blocks ads.)

In Syria, the SalamaTech has found that one of the common tricks these days is to hide malware in links on Facebook and elsewhere that say things like “look at this video of ISIS atrocities” or “this video of regime atrocities.” When people click on that link they download malware at the same time as the image. This is regularly done with files on filesharing sites like FileHippo, Gulf-Up and MediaFire. SalamaTech researchers therefore say:

Hacked accounts and hacked devices are different things, but if a device has been hacked it’s best to assume the accounts on it have been jeopardized.

If you think your computer is infected you need to disconnect from the internet, because that is the channel hackers used to control your computer. Access your accounts from a different secure device and change your passwords. Any password that you typed on your computer while it was infected should be considered compromised. If your Facebook, Gmail, Yahoo, Youtube or Twitter account has been hacked, those companies do offer support.

Sometimes, it will be necessary to reinstall your operating system, although there can be circumstances when even this is not enough.

Most countries have their own Computer Security Incident Response Team (CSIRT) and you can find yours here. Companies and institutions should work with national CSIRTs to keep on top of cyber-incidents. In Canada, cyber crimes or technological crimes —such as hacking, mischief to data, network intrusions, denial of service attacks, computer viruses or trojans— should also be reported to Public Safety or the RCMP. However, the police lack the capacity to investigate or take action on many digital attacks, so you may also want to get in touch with local cyber-security firms, either paying them or seeking pro bono service.  

1. Immediately disconnect from the internet.

2. On a different, safe device, change your account passwords.

3. Back up important data from the suspect device onto an external drive or USB.

4. Re-format the suspect device (i.e. erase all data and reinstall the operating system)

5. Wait for more than five days (in case it was a new virus, to give time for that virus to be added to antivirus databases).

6. Scan the data on the external drive with the antivirus software. If it’s clean, download the data back on to the reformatted drive.

Most security guidelines assume that users can secure their devices on both ends. Neither end-to-end encryption nor multi-factor authentication will keep communications secure if someone else physically controls a device, or has installed malware that monitors its activities. Unfortunately, both of these problems are common in Syria.

In territory controlled by the Syrian government or the Islamic State, mobile phones have been randomly seized and checked. Therefore, we suggest a method that has been in use for ages: deception. One can imagine deception as an encryption tool that works only in the minds of users.

A common technique is to use phrases that seem completely casual but really entail meaningful information. For example, one could say “the wind is calm” to mean that no security forces are present, and “there are no clouds” when there hadn’t been any bombing.

Another useful deceptive technique is to create alter egos for your accounts (Facebook, Gmail, etc.) to have sensitive discussions. This creates a level of separation between your personal, identifiable account, and any potentially compromising conversations you may want to have. However, you should not save the login details for these accounts anywhere.

Remember deceptive techniques are ones that only you, and those whom you would trust with your life, should know.

• Digital Security Helpline and Information Guides, Access Now
• Surveillance Self-Defense, Electronic Frontier Foundation (EFF)
• Digital Security Low-Hanging Fruit, John Scott Railton (Citizen Lab)
• Smart CyberSecurity Network – Tips, Canadian government
• Digital First Aid Kit, Digital Defenders Partnership
• Security in a box, Tactical Technology Collective and Front Line Defenders

Arabic Language Resources

• EFF’s Surveillance Self-Defense in Arabic: https://ssd.eff.org/ar
• SalamaTech Wiki: https://salamatechwiki.org/wiki/الصفحة_الرئيسية
• SalamaTech’s Be Heard is an online portal that provides Syrian civilian actors with step-by-step guidance on how to make their voices heard – safely and effectively.
• Cyber Arabs
• The Syrian Revolution Technical Guide