Security for Rights Defense Sites Project
The Security for Rights Defenders Sites project was designed to reduce the vulnerability of the websites of organizations, movements and rights advocacy groups. In Brazil, these sites are the main communication network that effectively defends human rights, a task not fulfilled by the major media outlets, online or offline.
These sites suffer targeted attacks meant to silence their demands, as well as generic attacks on the network. Their owners are not technically prepared, nor do they have the resources to pay for commercial tools or hire digital security companies to protect themselves. In addition, the culture of information security is not widespread in these organizations. We believe that in order to guarantee their freedom of expression, we must share knowledge about how to use free security tools and encourage the exchange of experiences between them.
Part of this project involved producing ‘Digital Diagnostics’: analyses of the external vulnerability of websites and servers using OWASP-based free tools and methodologies (SAFETAG, OpenVAS, WPScan, nmap, etc.), as well as of public information about the users of these systems, their e-mails, addresses and legal functions.
We also held two workshops, on February 12 and 18, of six hours each. The workshops were designed to broaden the understanding of websites and security; to share the experience of less vulnerable sites that have learned from previous attacks; and to bring in people who deal directly with security to share their technical expertise and broaden the dialogue between these parties. 23 organizations, movements and advocacy groups from segments such as the fight against slave labor, independent media, democratization of communication, feminism and the fight against racism participated in the workshops.
We invited two profiles of people: non-technical media creators who update the content of their sites on a day-to-day basis, and people with more technical experience who either work in or support these groups. On the first day we talked about the fundamentals of how the internet works and the components of a website and their characteristics, and did a practical exercise in which each group installed WordPress with a database on a physical server. On the second day we talked about the most common vulnerabilities and threats, opening with the case of the attacks suffered by the NGO Repórter Brasil and a presentation, via streaming, of Deflect, a free tool from equalit.ie that protects against DDoS attacks.
Our focus was the use of free security tools in the various layers of the system and the need to create a security culture that considers broader and more basic themes (such as the need to fight for a secure and open internet and control over one's own data), the required security routines (secure passwords, backups) and tools like WPScan, Wordfence, Let’s Encrypt (free HTTPS) and DDoS mitigation tools such as Deflect and Cloudflare.
On May 6 we presented some of the results of this project at Cryptorave 2017.
Booklet and infographic:
As support for the correct interpretation of the diagnostics, we produced a full booklet with general information about the importance of digital security.
This booklet details and consolidates links and other information for the participants’ continuous learning. As we developed this material, we realized that an infographic would be a more intuitive way to introduce the main concepts of the booklet. Thus, we produced an infographic with 11 illustrations, aimed at all audiences.
Both materials use a free Creative Commons license and can be downloaded from our website at the following URLs:
Booklet (Portuguese only): //actantes.org.br/wp-content/uploads/2015/09/Seguran%C3%A7a-de-Sites-Apostila-V.1.0.compressed.pdf