Category Archives: Security

Pass the security cube (a.k.a. No Bullets Involved Part 3)

Posted on March 25, 2008 by | 2 Comments

Earlier this week, Paul noted that computer network attacks could have an impact on future relief efforts. In the early days of NATO’s Kosovo air war in 1999, I remember chirpy NATO spokesman Jamie Shea saying that the NATO website was under attack by Serbian hackers. Who knows whether it was true, or just a ruse of some sort, but was it the first government-acknowledged mention of cyber-warfare? There are a few more interesting things to note about that story: the BBC still had an “Internet Correspondent”, reporting on events in that far-off planet of “cyber-space”, and it was filed on 1 April 1999. Hmm …

Anyhow, back to the important business of digital security. I prefer the blander term information assurance because the work we’re discussing has so many angles to consider beyond ICT. To illustrate this, marvel at the McCumber Cube, designed by security guru John McCumber in 1991:

A McCumber Cube

[Graphic courtousy Munawar Hafiz, on Wikipedia]

Handy, eh? This clearly relates geeky technical and operational considerations to the purposes for which information is collected and used in the first place. There’s little point considering how to secure information before defining why it needs securing, which requires a consideration of who might gain/lose from possession of the information.

Likewise, as Kevin over at Patronus rightly pointed out, social engineering – or how an adversary relies on your politeness, habits and generally positive view of humanity to get you to hand over the jewels – is an effective way to break the most technically secure of systems. Commercial organisations have long been using external actors to test how vulnerable they are to theft of information. This penetration testing industry has become commonplace enough in the US to spawn its own reality television show. This service (and perhaps the reality TV show!) could easily be extended to NGO offices, should the need be demonstrated.

I wonder how McCumber’s information assurance model dovetails with common approaches to NGO security, and how current materials – like the ECHO Generic Security Guide – could be updated to take it into account.

Pass the cube around the office and start the discussion.

→ 2 Comments

Posted in Emergency Telecommunications, General, Security

No Bullets Involved Part 2

Posted on March 23, 2008 by | 4 Comments

I promise that this is going to be my last post in what has turned into “Digital Security Week” here at humanitarian.info. A lot of my thoughts on this have been brewing since the the cyber-assault on Estonia last year, which at least had the positive effect of bringing the issue to a much wider audience than ever before.

This is the flip-side of e-governance – increased government reliance on the internet creates more opportunities for abuse. However Estonia has learnt from its experiences, with the result that it’s now a far more difficult target for cyber-attacks, as well as successfully prosecuting at least one of the perpetrators.

Although the attack has not been tied to any specific institutions, suspicions that the Russian government may have been involved have persisted, which raises a critical question, posed at its simplest by a BBC report on digital Estonia:

As a member of NATO, a military attack on Estonia would be treated as an attack on all NATO states. So, how about a cyber-attack that cripples its information infra-structure for weeks?

If the Kosovo war were to happen today, I have no doubt that NATO and the UN would be subject to similar attacks, whether organised by another government or not. I wrote yesterday about the experience of the Save Darfur campaign, and with the recent unrest in Tibet, a number of Tibetan NGOs are reporting malicious emails with attachments that target client side vulnerabilities.

At the moment, most of our organisations are not vulnerable in the same way that Estonia was – I doubt most people working in the field would even notice if their organisation’s website went down. (Advocacy organisations who rely on the web for their organisational presence are far more exposed.) However our servers can still be overwhelmed, leading to the failure of key finance, admin, communication and logistics functions; and we grow more dependent on the internet for these functions every day.

The best time to address these issues is now – before they become problems. The humanitarian community needs to make sure that digital security receives the same attention as physical security, addressing skill gaps in our staffing at headquarters and the field, and making sure that our technology adoption prioritises security as a critical factor.

We haven’t even begun to discuss more basic aspects of digital security, such as encrypted communications or secure storage. Maybe Digital Security Week should turn into Digital Security Month…

Hat tip on the Tibet story: NGO Security.

→ 4 Comments

Posted in Emergency Telecommunications, Security, Web

I Dream of Security

Posted on March 22, 2008 by | Leave a comment

I should be careful – I’m going to give myself Blogger’s Wrist if I keep posting. However it seems like the issue of digital security is a vital one for the entire humanitarian community right now, in a variety of ways. Obviously security needs to be a consideration across the entire organisation, and there’s been significant improvements on that front in the last few years (the tragedy is that it took Iraq to bring the message home).

Digital security, though -  we’re behind the curve. Most security officers don’t know enough about technology, and most IT staff don’t know enough about security. When I wrote the initial post yesterday, I was scratching my head for practical steps that organisations can take – there are a lot of things that we can do, but where should we start?

Luckily Bruce Schneier‘s article in Wired this week, Inside the Twisted Mind of a Security Professional, is absolutely right – we start by thinking differently about the world.

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities…

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail.

This points to the reason why most UN or NGO staff make such terrible security officers – project staff in those organisations are generally problem-solvers, sent in to a situation to fix something that’s not working properly. Security awareness training is critical for these staff, particularly as part of their induction, but you can’t expect them to change their orientation entirely.

More pertinently for us, this is also the reason why neither IT or security staff should be solely responsible for IT security – it takes both side of the fail / fix equation to build resilient IT infrastructure. So: the first practical step that you can take is to bring those two groups within your organisation closer together, so that they can bounce problems and solutions off each other. It’s that simple.

→ Leave a comment

Posted in Security

NGOs under fire (no bullets involved)

Posted on March 22, 2008 by | 1 Comment

No sooner had I written yesterday’s post about digital security than the New York Times has a piece by Nicholas Kristol on how the Save Darfur campaign website has been under attack recently – from Chinese IP addresses.

As the coalition’s China advocacy campaign has intensified, officials have noticed increasingly sophisticated and subversive attempts to intercept emails and infect computers with malicious programs.

Kristol relies mainly on innuendo to suggest that the Chinese government might be behind the attacks, with very little evidence to support the accusation. From a technology point of view, though, it’s irrelevant who’s responsible – this is a cautionary tale for NGOs and other organisations. We can enjoy the benefits that technology brings – but we also need to guard against the dangers. The price of liberty, and all that…

→ 1 Comment

Posted in Human Rights, Media, NGO, Security, Software, Sudan, Web

Human Rights on the Buses

Posted on March 21, 2008 by | 1 Comment

Public transport doesn’t often provide pointers for the humanitarian community. The recent cracking of the London OysterCard (following hot on the heels of the earlier crack of the Dutch transit card system) came as no surprise to digital security experts, but it should teach us fundamental lessons about information security and personal privacy issues.

Security researchers say they’ve found a way to crack the encryption used to protect a widely-used smartcard in a matter of minutes, making it possible for them to quickly and cheaply clone the cards that are used to secure office buildings and automate the collection of mass transportation fares.

No electronic identification scheme is secure. It doesn’t matter how good your technology is, any system which is built by humans can be cracked, and the only defense is to make the cost of cracking it as prohibitive as possible. (The kicker is that you never know if you’ve successfully achieved that – until somebody cracks it and it becomes embarrassingly obvious that you haven’t.) On top of that, the more complex and expensive a system is, the more difficult it is to fix it when something like this happens.

In themselves, these obstacles aren’t insurmountable – largely because they’re technical in nature – but you see the real issues when you look at how these schemes are implemented. Governmental (and intergovernmental) organisations are notorious for a) thinking that technology can fix problems which are not technical in nature (for example, running a public transport system) and b) frequently mismanaging technology projects, often with the assistance of the vendor.

In a public transport system, this is not a life-and-death issue. What if this was a tracking system for food aid, though, where RFID has begun to be introduced as the solution to our logistics inefficiencies? Or a refugee registration database in a country where human rights abuses are endemic? Or an employee identity card scheme in a country where terrorists are targeting UN and NGO offices? You start to see where this might be going…

There was also related news that MI5 have requested “full automated access” to the OysterCard database. In a liberal democracy where the rule of law holds, that might not be too worrying – but there are a number of countries in the world that don’t fit that description, and where giving access to this sort of information to the government might not be in the best interests of the beneficiaries.

The fear of cyber-warfare has climbed Whitehall’s agenda since last year’s attack on the Baltic nation of Estonia, in which Russian hackers swamped state servers with millions of electronic messages until they collapsed. The Estonian defence and foreign ministries and major banks were paralysed, while even its emergency services call system was temporarily knocked out: the attack was seen as a warning that battles once fought by invading armies or aerial bombardment could soon be replaced by virtual, but equally deadly, wars in cyberspace.

It’s only a matter of time before humanitarian organisations come under similar attack – and we’re not prepared for it in the least. None of this means that this technology shouldn’t be used – it absolutely should be. What it means is that we need to be a lot more savvy not just about the technology issues but about the entire range of processes – procurement of the system, implementation within the organisation, sensitivity to the situation (including security concerns), and so forth – in order to make sure that we’re prepared to address these situations when they arise.

→ 1 Comment

Posted in Data Collection, Databases, Human Rights, Logistics, Private Sector, Security, Software

Asking the right questions about Ushaidi

Posted on March 19, 2008 by | Leave a comment

The White African faces a quandary:

Global tools that have real time read/write access are extremely powerful. Depending on ones motives, your impact can be good or bad. Even if your motives are good, your tool can be used for bad. How’s that for a quandry?

It’s certainly a quandary, but not a new one. It’s the same question that’s been asked about humanitarian aid since at least the 1970s, and has been one of the motors behind the humanitarian reform process. What’s more interesting is the assumption behind that question, an assumption that he describes quite clearly:

Just decades ago those who were not in close enough proximity to an event were unable to do much, if anything about it. Today, we can successfully effect change through digital tools and be thousands of miles away.

As I wrote in the comments, neither of these statements is quite true. Decades ago you could have joined Amnesty International campaign, or given money to a relief agency, or written to your MP; these options are still available, and will make a difference. The problem we have today is that many people feel that such actions don’t make enough of a difference – that they don’t have a big enough impact, or they don’t bring change quickly enough.

We have to start being honest, though; just because the internet works reliably and at high speeds, it doesn’t mean that humans work at similarly high speeds or with similar reliability. The impact of our actions will almost never be immediate, and will frequently lead to outcomes that we didn’t predict. Our expectations have been raised by the relentless cheerleading for the information revolution, and we need to lower those expectations or risk alienating people who want to get involved.

The real questions are the same ones that I ask myself in my own work whenever I approach a new project. What decision or action will this information inform, and who is responsible for making that decision or taking that action? The answers to those questions determine a) whether it’s worth collecting the information in the first place, and b) what we will do with the information once we’ve collected it. Unless we answer those questions clearly, and build our systems around them, we’re unlikely to effect any significant change, no matter how powerful our tools are.

(For a bit more on Ushaidi, Sanjana has a great interview with Ory Okollah, in which she explains clearly that the site has been used as an information-gathering tool, rather than a resource for conflict mitigation or resolution. Just to be clear, I think Ushaidi is absolutely worthwhile – but I’m looking forward to what comes next.)

→ Leave a comment

Posted in Conflict, Digital Divide, GIS, Human Rights, Kenya, M&E, Security, Web

Quickbits January 2008

Posted on January 21, 2008 by | Leave a comment
  • Following the collapse of the political process in Kenya, bloggers White African and Kenyan Pundit – both of whom are worth reading, by the way – have developed a Google Maps mash-up which deals with electoral violence in the country.  Called Ushaidi (‘witness’ in Swahili, I think?), it enables people to report events either online or via SMS.  It’s not the first time something like this has been tried, but this an interesting organic attempt to pin down exactly what’s happening in the country.  As anybody working in human rights knows, gathering this sort of information is extremely difficult – particularly later on when it might be needed.  More explanation from White African in this blog post, coverage at Global Voices (with an interesting article on cyber activism in Africa) and the BBC.
  • There’s been a fair amount of discussion about how the media and responders can work more effectively together in the last couple of years, and of course a whole heap of blogs and similar about how the new technology is going to change the face of disaster response, etc, etc.  So far, not much has happened, but TVE Asia and the UNDP Regional Centre in Bangkok have just published a free resource called Communicating Disasters.  It’s an interesting but disjointed read – I’m not exactly sure who it’s targeted at, to be honest…
  • There was a brief flurry of blogging around Nathan Eagle’s article, The Mobile Web is NOT helping the Developing World – and what we can do about it, mainly because it burst the bubble of optimism around bringing the internet to the poorest through the Miracle of Mobile Telephony (TM).  Of course, Nathan’s position is not that it isn’t possible, just that we’re not doing it right at the moment.  Personally, I’m still waiting for some hard evidence that these efforts benefit the poor rather than the relatively well-off – but that might just be splitting hairs.
  • Witness have launched The Hub, their online platform for human rights-related videos and media, after a long incubation period. Cutting through the bumf, it’s intended to connect individuals and organizations who are working on human rights around the world. It’s an interesting lunge at building global connectivity in a sector (human rights) that is notoriously factional, and the focus on media is potentially powerful – particularly new media forms, such as mobile phone content, which are incredibly powerful tools for mobilizing support. You can register at http://hub.witness.org/login.

→ Leave a comment

Posted in Blogs, Cellphone, Conflict, Digital Divide, Human Rights, Kenya, Media, Security, Web

The trouble with mobile phones when a bomb goes off…

Posted on November 29, 2007 by | Leave a comment

If you’ve been reading this blog for a while, you’ll know that I’m not convinced that cellphones are secure and stable enough to rely on in an emergency. Yesterday, a bomb went off just down the road from Sanjana’s home, killing 17 people and injuring 30. Sure enough, the mobile network went down immediately after the explosion:

However, for around two hours after the bomb went off in Nugegoda, not a single SMS went out from my phone. Also from 6pm to 8pm, not a single call (to mobile as well as land lines) I tried was patched through. While I was able to sporadically get messages, incoming and outgoing voice and outgoing SMS communications were completely off the air.

→ Leave a comment

Posted in Cellphone, Security

Security Reporting, Accessible Maps and GeoRSS

Posted on August 19, 2007 by | 21 Comments

In response to an enquiry by Kevin Toomer about how to integrate GeoRSS into security reporting as a means of producing more accessible security maps for the humanitarian community, I sent a request to a few colleagues for advice. The result was a very rich email discussion, which I am now transferring onto the blog for anybody else to contribute to or benefit from. The people contributing to the discussion have an amazing range of experience (interestingly, almost all of that experience is outside the world of “classical” GIS) and my thanks go to everybody who’s contributed. Kevin’s original question is quoted here in the post, and the discussion continues in the comments below:

I’ve been trying to figure out how to easily get news items from an RSS reader unto a map that can be easily distributed. So far I’ve got that idea that I should be linking the RSS items to the Geonames database to produce a GeoRSS stream. I’m thinking the next step would be to do a mashup of the data with Google Earth or a similar service. Users could then go to the mashup site for updates rather than waiting for someone to send out a week old powerpoint showing where last weeks incidents took place. Yesterday I came across Popfly and I think that might work for at least part of the process.

→ 21 Comments

Posted in GIS, Security, Web

Blogging for NGO security – no more!

Posted on April 18, 2007 by | 3 Comments

Earlier this year, the NGO Security Blog closed its doors (wrong metaphorical device, I know), but its mysterious creator JM left an interesting note that provides an insight into the rationale and methodology of the site:

Thirteen months ago the blog started out as an experiment in providing information about humanitarian safety and security incidents from public and open sources. The methodology was to consult a number of different online news sources each day, select articles of interest, and then summarize them including a link to the original source. The information would be made available in a public Internet forum that anyone with an interest in humanitarian security issues could access.

I personally consider the experiment a success. Around 100 people a day currently read the blog (sometimes a little more, other times a little less) with repeated visits from UN and government agencies, large and small NGOs, educational institutions and news organizations. There’s also been a considerable amount of positive feedback from readers on how the blog helps them stay current on what’s happening in the world and exposes them to concepts and tools outside the traditional NGO security box.

I hope that since the concept has been proven, similar projects will spring up elsewhere. Using Google’s Blogger or other blogging tools is extremely simple and I’d encourage humanitarian organizations to consider using this technology to internally publicize safety and security incidents and provide information (either on their intranets or with non-public Internet blogs that can only be viewed by selected people).

I believe that humanitarian organizations as a whole generally don’t do a good job of sharing security information with each other (especially at the field level) and it would be nice to one day see InterAction or a collective of large NGOs get together and host something like the NGO Security Blog for their members to contribute to and use. The technology is available, the readers are out there, and from running this blog I think the benefit is apparent.

A couple of points. First, this was definitely a worthwhile experiment – before JM started it, nobody had tried to use blogging as a security tool. This was largely due to lack of imagination, I think, as well as unfamiliarity with the technology. Blogging is now officially mainstream, and every week at AWN we get notices of new aid blogs, a number of which are official or semi-official organisation blogs.

Second, that experiment was a success within its own parameters. JM pointed out the positive feedback the blog had received, but I don’t think that will convince other security officers or organisations of its utility. Measuring success is always tricky, but much easier to do internally, when you can identify who is reading your material and where they are. If you’re writing a security blog for Afghanistan and most of your readers are in the New York office, it’s probably not working that well.

Third, JM makes the point that this would probably be done best by a group of organisations, rather than a single organisation, and I agree completely. If blogs are about sharing information, then it makes sense to maximise the network. Even if it starts out as a way for security officers to share information with each other more effectively, that should be a strong enough argument to give it a try.

Fourth, the concept needs to be extended to make it really “sticky“. The possibilities of GeoRSS open up a security blog to the interesting possibility of automated map sharing for security information, in a secure format if necessary. It’s not just a high-tech glamour – it could be the factor that makes security blogging really come to life for both the contributors and users. Simple and effective.

The NGO Security blog is now defunct (and we’ve removed it from AWN Aidblogs) but there are still related resources on the NGO Security Page. Thanks to JM and others for their hard work – let’s hope we see more in the future.

→ 3 Comments

Posted in NGO, Security