With so many of us now working from home, a key question we cover in this post is how to practice good security and best practices around privacy at home. At Tibet Action, our team works remotely, so we’ve learned a thing or two about building a foundation of security that relies on individuals rather than an office-wide security network.
Also, the video conferencing app Zoom has been in the news a lot recently due to its sudden surge in popularity and use. This has opened it up to more scrutiny, including by our partners at The Citizen Lab, who released an informative and excellent report this past Friday. The report uncovered insecurities in Zoom’s code—as well as its operations—revealing that a large part of the company’s research and development team is based in China. So, while we have used Zoom at Tibet Action, moving forward, we will restrict its use to public trainings and online briefings only. For group video conferencing, we’re moving to an open source tool called Jitsi Meet. Listen to an informative podcast on the issue by Nathan Freitas, Tibet Action’s Director of Technology and Founder & Director at the Guardian Project.
- Your home network is now your work network, so it’s critical to secure yourself through software updates and by turning on the Windows Defender Firewall or the Mac Firewall.
- Beware of phishing links and malicious attachments. The risk of receiving these is higher than ever.
- Among open source, end-to-end encrypted communications tools, Signal is the best option for encrypted, private calling and one-to-one video chat. Zoom is not a secure private communications tool. See below for more details on the various options available for group video calling.
- Beware of apps being developed to help with the pandemic response that track your personal location and contacts. Only use known, trusted solutions and don’t grant permissions without considering what you’re sharing.
The first step to your home office security is treating each machine or each device as being at risk. Security, therefore, relies on each individual instead of relying on firewalls or an enterprise-level, corporate security network. This model of realizing that each machine is vulnerable is practical for everyone now working on a home network or sharing a network with family devices. Remember, your device is also vulnerable if you’re directly connected to an infected machine on the network.
The first step in securing yourself is (as always!) to ensure your software is up to date and that your Windows Defender Firewall or Mac Firewall is always turned on. This will protect your computer from other devices on the network.
Secondly, Think Before you Click: We can’t reiterate this enough. Especially now, when you’re likely to receive more email attachments (e.g., from your children’s teachers) and unexpected shared documents (e.g., health information from your doctor’s office), you need to Think Before you Click and proceed with caution before clicking on any link or opening any attachment. If you use a Google account, for example, save the attachments you receive to Google Drive and open them there rather than opening them on your machine. All of the usual concerns and risks around sharing links and invites remain. Be aware, too, that fake Zoom invites and other phishing attacks are on the rise as trolls try to access your data.
Another tip: If you’re working within the Google environment, a Google Chromebook is a pretty good option right now to ensure you have a system that’s secure and up-to-date. Chromebooks remain the best simple solution for that. Alternatively, Windows 10 and Mac OS can be secure if you’re keeping them up to date. However, if you’re downloading a lot of attachments on your computer, you’re still opening yourself up to threats.
Thirdly, Think Before you Share: Be cautious about sharing articles and “facts” you come across, whether related to technology or coronavirus in general. Read Lobsang’s blog post about how misinformation is spreading in the Tibetan community.
Finally, a recent report on targeted Tibetan watering hole attacks was published by the cyber security company Kaspersky. It points out the risk you open yourself up to by visiting websites that might be compromised. Kaspersky highlights a number of high profile Tibetan websites that have been compromised on and off since May 2019. The question here is what a user can do in these circumstances. Again, Don’t Wait, Update and Think Before you Click are your best defenses. For example, if a website you’re visiting asks you to download a Flash plugin or an update, before you click on it, ask yourself why this would be necessary if you’ve never needed to download a plugin to visit this site before. So back to the mantra, “Keep your computer updated and think before you click.”
Now to the question of the day: What about Zoom and other communication tools like Slack, which we know many groups in the Tibetan community are using (and likely using even more) right now?
You may have followed the recent news coverage about whether Zoom provides end-to-end encryption for video conferencing. Our conclusion, based on The Citizen Lab’s report, is that Zoom provides good quality and reliable video messaging but is about as secure as a traditional telephone conference call – that is, not very secure. It’s a good way to get a lot of people on video calls that does not require participants to register or log their information, which provides a level of security. However, Zoom’s claim that it provides end-to-end encryption is not really true.
As Nathan explains in his podcast: Zoom’s E2E encryption relies on centralized key management and distribution such that any skilled attacker or legal order that could work from their infrastructure could intercept and compromise the E2E because there is no way [for an individual] to verify keys or verify the security of a session.
This means Zoom is not simply recording everything you say, because the content of your conversation is encrypted, but there is no encryption running directly between the two devices, as offered by Signal (one-to-one video messaging) and WhatsApp (video messaging for up to 4 people). In Signal, for example, everything is encrypted between each of the phones and/or computers, and the Signal servers can’t access anything you’re saying.
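As an added illustration of the point above (this is not Tibet Action’s, Zoom’s or Signal’s code), the toy model below contrasts a server that generates and distributes the meeting key with two devices that agree a key between themselves so the server only ever relays public values. The Diffie-Hellman group and the XOR cipher are deliberately tiny toys chosen for readability, not real cryptography.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration; far too small for real use).
P = 2**127 - 1
G = 5


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with an HMAC-SHA256 keystream; the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(str(shared_secret).encode()).digest()


def centralized_call(message: bytes):
    """Model 1: the service generates the meeting key and hands it to both sides.
    Whoever controls, compromises or compels the server holds that key."""
    server_key = secrets.token_bytes(32)      # created on the server
    alice_key = bob_key = server_key          # distributed to the participants
    ciphertext = toy_encrypt(alice_key, message)
    bob_reads = toy_encrypt(bob_key, ciphertext)
    server_reads = toy_encrypt(server_key, ciphertext)   # server can read it too
    return bob_reads, server_reads


def end_to_end_call(message: bytes):
    """Model 2: each device keeps a private value; only public values cross the
    server, which therefore never learns the key."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)  # all the server ever relays
    alice_key = derive_key(pow(pub_b, a, P))
    bob_key = derive_key(pow(pub_a, b, P))
    ciphertext = toy_encrypt(alice_key, message)
    bob_reads = toy_encrypt(bob_key, ciphertext)
    # The server only has the public values; combining them does not give the key.
    server_reads = toy_encrypt(derive_key((pub_a * pub_b) % P), ciphertext)
    return bob_reads, server_reads


if __name__ == "__main__":
    note = b"constructed sample: meeting notes"
    print(centralized_call(note))
    print(end_to_end_call(note))
```

In the first model the server decrypts the message as easily as the recipient does; in the second the recipient reads it and the server gets only garbage.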
FaceTime does offer encryption, but you need to be on an Apple device, and it is closed source, proprietary, for-profit software like Zoom or Slack, so it’s hard to tell for sure. Open source communication services like Jitsi Meet and Matrix (and its free app Riot) are transparent with their code and operations, and, like a website, can be run by anyone who knows how to set up a server. You can hear more about the issues and options for open source video and audio conferencing on the most recent episode of the Guardian Project’s podcast.
To summarize: If you need privacy, use Signal for your voice calls and one-to-one video conferencing. For secure, small group calling or video messaging, then we’d suggest moving to an open source option such as Jitsi Meet or Riot on the Matrix Network.
Tibet Action, through the Tibetan Computer Emergency Response Team (TibCERT) and in partnership with the Guardian Project, is currently working on setting up a Jitsi Meet instance. This means we’ll be able to run—and lock down—our own server for Jitsi and can therefore guarantee its security. If you’d like to know more about this and how you can set up your own Jitsi instance, please contact the Tibetan Computer Emergency Response Team (TibCERT) at: [email protected]. We are also looking to extend our service slowly to verified users and, in the coming days, we will be in touch about this service with various Tibet groups that we know require a secure video platform to continue their critical work.
Our final tech tip: Be aware of a new category of apps that are meant to be helping public health officials track you or your location in case you fall sick. They are meant to gain valuable information about outbreaks in your area. However, these apps are coming online very quickly, without a lot of scrutiny, and at this point it’s unclear how beneficial they are, despite various governments asking people to use them.
The main point to remember is be wary of permissions you grant any app to track your location or to access your contacts. Obviously, we want to prioritize public health right now but not at the cost of privacy.
One genuinely positive example of a “tracking” app being used at this time is an app put out by the government of Singapore called Trace Together. While keeping all data offline, it uses Bluetooth to detect who you’re around if they’re also running the app. So, if everyone’s running the Trace Together app, you can gather a list of people who have been near you and then, if you test positive for COVID-19, you can use that list to notify them that they may have been exposed to the virus. To learn more about this and other more secure tracking options being developed, again please listen to Nathan’s podcast.
Overall, whether you’re staying at home to work or looking to technology to get critical information to protect your safety and the safety of your family, remember to consider privacy and security at the core. From a digital security and communications perspective, this will help us come out of this pandemic even stronger than before.
From our end, we’ll keep providing updates for you here at Tibet Action.
Stay safe, both in the world and online.