SHARE Foundation warns of the disastrous impact of misuse of technology against the critical public in Serbia
On October 30, two members of civil society from Belgrade received an alert from Apple that they were potential targets of state-sponsored technical attacks. Thanks to good cooperation with civil society organisations in Serbia, they contacted the SHARE Foundation immediately after receiving the warning and asked to check the allegations to determine if their devices were attacked by any known spyware.
After the SHARE Foundation team, in cooperation with Internews, received confirmation from Apple representatives that the alerts were authentic, mobile devices were analysed to determine whether they had traces of spyware infection, among which the most well-known are Pegasus and Predator. For the final confirmation, the SHARE Foundation team turned to international organisations Access Now and Amnesty International, which have high expertise in the field of digital forensics.
Based on the reviewed data, these two respectable organisations confirmed that traces of an attack attempt that took place on 16 August 2023 were found on both mobile devices. Both expert organisations came to the same findings – that in the initial phase the attack was attempted via a vulnerability in the iPhone’s HomeKit functionality. The Pegasus spyware has previously been linked to multiple exploits targeting HomeKit, including PWNYOURHOME.
The SHARE Foundation warns that spyware attacks on representatives of the critical public have a disastrous impact on democracy and human rights, especially in the pre-election period. The use of spyware is illegal and incompatible with democratic values.
We remind the public that these and similar tools for technical attacks on mobile devices are used by non-democratic regimes around the world to spy on members of the opposition, civil society, independent media, dissidents and other actors working in the public interest. Such activities threaten the freedom of expression and association, as well as the right to privacy and secrecy of communication guaranteed by domestic and international law.
The SHARE Foundation invites media and civil society representatives who may have received the same message from Apple to contact the foundation to verify the warning.
NOTE: In accordance with the wishes of the members of civil society who were the target of the attack, as well as with security measures, SHARE Foundation will not provide additional details about this incident.
NOTE 2: The part of the text related to device analysis and vulnerabilities that were targeted was amended on 29 November 2023 at 12:38 for precision.
The second Digital Rights Summer School was held from July 23rd to 29th in Perast, Montenegro, with more than 50 participants and lecturers coming together to exchange and acquire knowledge about current issues at the intersection of society, technology, and human rights. The Digital Rights Summer School is organised by the SHARE Foundation in cooperation with the European Digital Rights (EDRi) and the Digital Freedom Fund (DFF).
The central theme of the School was artificial intelligence, considering the significant societal challenges in the context of using biometric surveillance in public spaces, border control and migration, or manipulative generated content. Participants also had the opportunity to learn more about practical aspects of researching phenomena such as networks for sharing intimate content and propaganda internet campaigns.
Some of the significant questions raised during the discussions included the environmental sustainability of digital infrastructure, which is expected to have an even greater demand due to the expansion of artificial intelligence. Additionally, the use of advanced software (such as Pegasus) for spying on journalists’ phones was discussed, along with maintaining a balance between freedom of expression and privacy in light of current and future regulations. Set at the site of the Old Austrian Prison in Kotor, an expert panel explored the perspectives of digital and European integration policies in the Western Balkans.
During the course of the School, an exhibition titled “Imagine Boka” by Andrija Kovač was opened in Perast. Blurring the lines between fact and fiction, this exhibition presents an intriguing collection of AI-generated photographs that explore an imaginable, alternative history of Boka Kotorska in the 1970s and 1980s – its people, places, customs, and traditions.
Many thanks to all participants, lecturers, and guests for the exciting week we spent together. We invite everyone to follow our website and social media channels and sign up next year!
We owe our gratitude for the support of the Summer School to the Gieskes-Strijbis Fonds and the Open Society Foundations Western Balkans. The Summer School was also supported by a core grant from the regional project SMART Balkans – Civil Society for a Connected Western Balkans, implemented by the Center for Civil Society Promotion (CPCD) in Bosnia and Herzegovina, the Center for Research and Policy Making (CRPM) in North Macedonia, and the Institute for Democracy and Mediation (IDM) in Albania, financially supported by the Ministry of Foreign Affairs of the Kingdom of Norway.
In today’s digital landscape, cybersecurity is of paramount importance to protect sensitive information from unauthorized access. Multi-Factor Authentication (MFA) has emerged as a powerful security measure, adding an extra layer of protection against account breaches.
MFA is an authentication approach that strengthens the login process by requiring users to provide multiple elements or “factors” from different categories. These factors encompass something you have, something you know, and something you are.
MFA integrates two or more of these factors into the authentication flow. Examples include typing a password and responding to a push notification on a registered smartphone, entering a password and providing a one-time code from a hardware authentication device, or utilizing a biometric facial scan and/or passphrase to unlock a cryptographic credential stored on a registered device, such as a phone or hardware token.
However, it’s essential to understand that MFA is not foolproof and can be bypassed in certain scenarios, such as phishing attacks.
The Importance of Multi-Factor Authentication (MFA)
Many cybersecurity agencies in Europe and the United States have elaborated on the importance of MFA, which can be summarized in the following bullets:
Strengthening Authentication: MFA combines multiple authentication factors, such as passwords, physical tokens, and biometric data, significantly increasing the difficulty for attackers to gain unauthorized access. Even if one factor is compromised, the additional layers of security act as a barrier against unauthorized entry.
Protection Against Password-Based Attacks: MFA mitigates the risks associated with weak or compromised passwords by requiring an additional authentication factor, making it harder for attackers to exploit password vulnerabilities.
Safeguarding Remote Access: With the rise of remote work and cloud-based services, MFA plays a crucial role in securing remote logins, ensuring that only authorized users can access corporate resources or personal accounts from various locations.
Compliance and Regulatory Requirements: MFA is often required or strongly recommended by industry standards and regulations, demonstrating a commitment to protecting sensitive data and instilling customer confidence.
Biometric data calculated by MFA algorithms for personal IDs, such as thumbprints, is not always accurate and can create false positives or negatives.
MFA enables businesses to restrict access by time of day or location.
MFA verification can fail if there is a network or internet outage.
MFA has scalable cost, as there are expensive and highly sophisticated MFA tools but also more affordable ones for small businesses.
MFA techniques must constantly be upgraded to protect against criminals who work incessantly to break them.
Understanding How Phishing Bypasses MFA
Not all MFA methods offer equal levels of security. In the past two years, numerous attacks have exploited weaknesses in MFA implementations, enabling criminals to bypass MFA protection. It is crucial to note that not all MFA solutions provide the same level of defense against authentication attacks, and the security and usability of an MFA deployment can be influenced by critical implementation details.
Phishing Attacks: Phishing involves cybercriminals impersonating legitimate entities and tricking individuals into disclosing sensitive information. By exploiting human vulnerabilities, attackers can obtain usernames, passwords, and even MFA codes or tokens, compromising accounts.
Real-Time Phishing: Attackers conducting real-time phishing can quickly capture MFA codes or tokens immediately after victims enter them during login. By using the obtained codes before they expire, attackers can bypass MFA’s additional layer of security.
Man-in-the-Middle Attacks: In man-in-the-middle attacks, attackers intercept communication between users and legitimate services, collecting credentials, including MFA codes, without detection. The intercepted information is then used to gain unauthorized access.
Social Engineering and Impersonation: Phishing attacks heavily rely on social engineering, with attackers impersonating trusted entities to deceive victims. By creating convincing replicas of emails or websites, attackers increase the likelihood of victims disclosing MFA credentials.
Mitigating the Risks
To mitigate the risks of attacks against MFA, businesses should consider the following:
Security Awareness Education: Regular training programs can help individuals recognize phishing attempts and avoid falling victim to them, reducing the risk of disclosing MFA credentials.
Two-Way Authentication: Enabling number matching adds an extra layer of security by utilizing a separate communication channel for verification prompts, making it harder for attackers to bypass MFA.
Advanced Phishing Protection: Utilizing advanced anti-phishing solutions that employ machine learning and threat intelligence can detect and block phishing attempts, reducing the chances of successful attacks.
Strong Passwords and MFA Settings: Emphasizing the use of strong, unique passwords and implementing phishing-resistant MFA helps minimize the impact of successful phishing attacks.
Multi-Factor Authentication (MFA) is a crucial security measure that significantly enhances authentication mechanisms. However, it is not impervious to phishing attacks. Understanding the importance of MFA and the tactics employed by cybercriminals is essential for strengthening overall cybersecurity. By combining phishing-resistant MFA with security awareness education, two-way authentication, advanced anti-phishing solutions, and strong password practices, individuals and organizations can bolster their security defenses and reduce the risk of falling victim to phishing attacks that aim to bypass MFA.
Ninoslava Bogdanović is an Information Security Specialist at SHARE Foundation. Her fields of work are analysis of the state of digital security and building security measures and procedures in organisations so they could defend against cyber attacks, as well as providing assistance with cyber incidents.
Although cybersecurity may appear to be primarily a technological concern, it ultimately revolves around human beings. Humans play a pivotal role in cybersecurity, as they can unintentionally compromise sensitive information and systems through social engineering tactics or errors, emphasizing the need to empower individuals with appropriate technologies and awareness training.
In addition to the challenges posed by advanced attackers and the technical aspects of implementing multi-factor authentication (MFA), the true obstacle lies in inspiring individuals, both in personal and professional settings, to embrace this crucial security feature. Unfortunately, numerous reports suggest that businesses and individuals are not fully leveraging the potential of MFA.
While 56% of businesses claim to have implemented MFA, shockingly, only 8% of C-suite executives utilize MFA across their various applications and devices. However, the issue extends beyond the corporate realm. Even social media users neglect best practices to safeguard their online accounts and personal information. For instance, a mere 2.6% of Twitter users have activated MFA for their accounts.
Several reasons contribute to this risky behavior:
Implementation and integration challenges: The complexity of incorporating MFA into daily business workflows makes it a daunting task.
Ineffective communication: The importance of implementing MFA fails to resonate effectively with businesses and society.
Misconceptions about cybersecurity: Some individuals hold beliefs such as “it won’t happen to me” or “I have nothing to hide,” undermining the perceived need for MFA.
Fear and uncertainty: The intimidating nature of cybersecurity alienates people from actively engaging in protective measures.
To address these concerns, it is vital to recognize that cybersecurity is not solely reliant on technology or processes. While technology can only offer a certain level of protection, employees can provide the contextual understanding necessary to detect and prevent attacks. By providing the right tools, knowledge, and support, organizations can unlock the full potential of their workforce and create a culture that embraces and maximizes the advantages of technology.
It is important to empower people in cybersecurity and identity protection to harness the benefits of digital technologies. Here are some strategies for achieving this goal:
Cultivating a Digital Mindset:
To empower individuals, it is crucial to foster a digital mindset within the organization. This involves developing an organizational culture that embraces technological advancements, encourages experimentation, and promotes continuous learning. By emphasizing the value of technology and its potential to drive positive change, employees are more likely to adopt new tools and approaches, becoming active participants in digital transformation.
To safeguard our digital identities in today’s interconnected world, empowering and engaging individuals in cybersecurity is paramount. Every organization possesses a security and organizational culture that should be transformed into a positive and proactive one. Blaming individuals for mistakes is counterproductive. Merely bombarding people with more technology exacerbates the situation by introducing unnecessary complexity. Instead, we should foster a culture that celebrates small victories. By focusing on all three domains of cybersecurity—people, processes, and technology—our businesses and societies can become safer and stronger.
Providing Training and Development Opportunities:
Investing in training and development is key to empowering employees to leverage technology effectively. This includes offering comprehensive training programs, workshops, and resources that equip individuals with the necessary skills to utilize technology tools and platforms efficiently. By providing ongoing learning opportunities, organizations enable employees to stay updated with the latest technological advancements and leverage them to enhance their work processes. Security awareness training should not solely focus on the “why” (the consequences of a breach), but also on the “why me?”. The “why me?” aspect provides individuals with the context needed to comprehend the relevance of cybersecurity to their own lives. Without this understanding, it becomes challenging to influence people’s intrinsic motivation, which is key to driving behavioral change. Understanding the reasons behind certain behaviors, or the lack thereof, is crucial for impactful awareness training.
Tailoring Technology Solutions to Individual Needs:
Recognizing that each employee has unique requirements and preferences, organizations should strive to offer technology solutions that cater to individual needs. This can involve providing a range of tools and platforms to choose from, allowing employees to select the ones that align best with their work style and objectives. Customizable interfaces, flexible application integrations, and personalized user settings empower individuals to optimize their technology experience for enhanced productivity.
Empowering individuals to leverage the benefits of technology is a powerful strategy for organizations aiming to thrive in the digital age. By cultivating a digital mindset, cybersecurity mindset, providing training and development opportunities, tailoring technology solutions, encouraging collaboration, emphasizing automation benefits, and fostering innovation, organizations can create an environment where individuals feel empowered to harness technology to its fullest potential.
Ninoslava Bogdanović is an Information Security Specialist at SHARE Foundation. Her fields of work are analysis of the state of digital security and building security measures and procedures in organisations so they could defend against cyber attacks, as well as providing assistance with cyber incidents.
Corporate and personal data are being stored in distributed cloud platforms at a growing rate due to the acceleration of digital transformation across all industries and sectors, increased adoption of cloud-based technologies, and hybrid work norms. Many entities, including apps, organizations, people, devices, etc., have access to this data.
Traditional security measures are no longer sufficient to safeguard our data because traditional brick-and-mortar company borders have shrunk. Identity has become the new castle to guard, yet new security issues are associated with identity protection. To counter this tendency, businesses are investing in enhancing their access controls, switching to a zero-trust cybersecurity approach, and maximizing the effectiveness of multi-factor authentication (MFA).
What is MFA?
A solid access management policy must include MFA as a critical component. MFA is essential in limiting attackers’ ability to steal our digital identities and access our systems. MFA demands one or more extra verification elements in addition to a username and password, which lessens the possibility of a successful cyber-attack.
What is MFA fatigue?
There are crucial implementation elements that can affect the security and usability of an MFA deployment, and it is essential to remember that not all MFA solutions offer equal protection against authentication attacks. Due to flaws in the MFA implementation, we have seen numerous attacks over the previous two years when thieves could get around the MFA protection.
In such attacks, also known as push bombing or MFA fatigue, cybercriminals bombard unsuspecting targets with mobile push alerts requesting them to accept attempts to enter their corporate accounts using stolen credentials. The victims often give in to the malicious MFA push requests sent repeatedly, either unintentionally or in an effort to stop receiving what seems like an endless stream of alerts, allowing the attackers to log into their accounts.
What are the latest developments in access control?
To mitigate the MFA attacks, tech giants Google and Microsoft have recently announced two initiatives that push toward a more secure and even passwordless future. Let’s examine what these developments are.
Google takes a step toward a passwordless future
The tech giant recently launched passkeys, a type of digital credential, as an option to generate and use in place of passwords as a safer, more practical alternative.
What are passkeys?
Passkeys are created using public-key cryptography, also known as asymmetric encryption, which uses a set of private and public keys. The private key, a crucial part of the passkey, is kept on the device, while the public key is held on the side of the app or website. The passkey’s value is not accessible to websites. Google determines whether a website’s public key corresponds to the passkey the user uses to log into their account.
Unlike a password, this authentication approach dramatically increases the resilience of accounts because the key cannot be stolen from the website it is stored on, phished, or intercepted in transit. Additionally, the account cannot be attacked due to a weak password or password reuse since there is no password.
Figure 1: Google Passkeys (Source: Google)
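The key split described above, and the reason a relayed login (the real-time phishing and man-in-the-middle cases described earlier on this page) fails against it, shown as an added Go example that is not Google's code or part of the original article. It is a simplified model rather than the WebAuthn wire format: Ed25519, the `Authenticator` and `Server` types and both origins are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNoCredential = errors.New("device: no passkey for this origin")
	ErrNoChallenge  = errors.New("server: no outstanding challenge")
	ErrBadSignature = errors.New("server: signature does not verify")
)

// Authenticator models the user's device: private keys indexed by origin; no method returns one.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a passkey for origin and returns only the public half.
func (a Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a[origin] = priv
	return pub, nil
}

// signedData binds the server's challenge to the origin the browser is on.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Sign answers a challenge; origin is what the browser reports, not the page.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, ErrNoCredential
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// Server is the website: it holds the public key and one pending challenge.
type Server struct {
	Origin  string
	Pub     ed25519.PublicKey
	pending []byte
}

func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending = c
	return c, nil
}

// Verify uses each challenge once and checks it against the server's own origin.
func (s *Server) Verify(sig []byte) error {
	c := s.pending
	s.pending = nil
	if c == nil {
		return ErrNoChallenge
	}
	if !ed25519.Verify(s.Pub, signedData(s.Origin, c), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	const site, lookalike = "https://accounts.example", "https://accounts-example.test"
	dev, srv := Authenticator{}, &Server{Origin: site}
	srv.Pub, _ = dev.Register(site)
	c, _ := srv.NewChallenge()
	sig, _ := dev.Sign(site, c)
	fmt.Println("direct login:", srv.Verify(sig))
	// A look-alike site relays a fresh challenge from the real server.
	c, _ = srv.NewChallenge()
	_, err := dev.Sign(lookalike, c)
	fmt.Println("relayed, device has no passkey for look-alike:", err)
	// A passkey made for the look-alike signs the wrong origin with the wrong key.
	_, _ = dev.Register(lookalike)
	sig, _ = dev.Sign(lookalike, c)
	fmt.Println("relayed, look-alike's own passkey:", srv.Verify(sig))
}
```

The server never receives anything it could replay or hand to someone else: it stores a public key and sees one signature per challenge.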
As Google noted in their announcement:
“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”
Passkeys utilize the three forms of information that are used frequently in MFA: something you have (such as a smartphone), something you are (such as your biometrics), or something you know (such as a PIN or pattern). Although passkeys qualify as a type of MFA, the FIDO Alliance claims that several regulatory organizations still need to acknowledge this, even though they are actively striving to do so.
It would be best not to create a passkey on the shared computer at your place of business since passkeys should only be established on devices you individually control. Google stated that passkeys for employee sign-ins would be enabled by Workspace account managers “soon.” As anyone using the device could access your Google account, you shouldn’t create one on shared devices like your family computer. Once a passkey is generated on that device, anyone who can unlock it can sign back into your account using the passkey, even if you have logged out.
Microsoft hardens MFA with number matching
Microsoft announced they would start enforcing number matching for Microsoft Authenticator MFA alerts to block MFA fatigue attack attempts.
“Beginning May 8, 2023, number matching is enabled for all Authenticator push notifications. As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests,” reads the company’s announcement.
What is number matching?
Number matching is a setting that forces the user to enter, into their authenticator app, the numbers displayed on the platform where they are trying to authenticate in order to approve the request, explains the US Cybersecurity and Infrastructure Security Agency (CISA).
Figure 2: Number Matching. Source: Microsoft
The number-matching requirement reduces MFA fatigue because authorizing a request requires access to the login screen. When users use Microsoft Authenticator to respond to an MFA push message, they will see a number. To complete the approval, they must enter that number into the app. Users cannot approve requests without entering the numbers shown on the login screen.
“Number matching is a key security upgrade to traditional second-factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all Microsoft Authenticator push notifications users starting May 8, 2023,” Microsoft says.
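The server side of the number-matching flow described above, as an added Go example that is not Microsoft's implementation or part of the original article. The two-digit number, the 60-second prompt lifetime, the single attempt per prompt and the limit of three unanswered prompts in ten minutes are all assumed policy values, and the `Service` type is hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ErrThrottled = errors.New("too many unanswered prompts, push suppressed")
	ErrUnknown   = errors.New("unknown or already used request")
	ErrExpired   = errors.New("request expired")
	ErrMismatch  = errors.New("number does not match")
)

const ( // assumed policy values for this example
	promptTTL     = 60 * time.Second // lifetime of one prompt
	maxUnanswered = 3                // unanswered prompts tolerated per window
	window        = 10 * time.Minute
)

type request struct {
	user, number string
	created      time.Time
}

// Service is the identity provider's side of push MFA with number matching.
type Service struct {
	reqs       map[string]request
	unanswered map[string][]time.Time // per user: prompts not yet approved
	seq        int
}

// Begin runs after the password check: id goes to the phone, number only to the login screen.
func (s *Service) Begin(user string, now time.Time) (id, number string, err error) {
	if s.reqs == nil {
		s.reqs, s.unanswered = map[string]request{}, map[string][]time.Time{}
	}
	var recent []time.Time
	for _, t := range s.unanswered[user] {
		if now.Sub(t) < window {
			recent = append(recent, t)
		}
	}
	if len(recent) >= maxUnanswered { // push-bombing pattern: stop prompting
		return "", "", ErrThrottled
	}
	n, err := rand.Int(rand.Reader, big.NewInt(90))
	if err != nil {
		return "", "", err
	}
	s.seq++
	id = fmt.Sprintf("req-%d", s.seq)
	number = fmt.Sprintf("%02d", n.Int64()+10) // two digits, 10..99
	s.reqs[id] = request{user, number, now}
	s.unanswered[user] = append(recent, now)
	return id, number, nil
}

// Approve takes what the user typed in the app; each prompt allows a single attempt.
func (s *Service) Approve(id, entered string, now time.Time) error {
	r, ok := s.reqs[id]
	if !ok {
		return ErrUnknown
	}
	delete(s.reqs, id)
	if now.Sub(r.created) > promptTTL {
		return ErrExpired
	}
	if subtle.ConstantTimeCompare([]byte(entered), []byte(r.number)) != 1 {
		return ErrMismatch
	}
	delete(s.unanswered, r.user) // a genuine approval resets the counter
	return nil
}

func main() {
	s, t0 := &Service{}, time.Unix(1700000000, 0) // constructed clock value
	for i := 1; i <= 4; i++ { // repeated prompts, as in push bombing
		id, _, err := s.Begin("alice", t0)
		if err == nil {
			err = s.Approve(id, "", t0) // approve tapped, number unknown
		}
		fmt.Println("prompt", i, "->", err)
	}
}
```

The count of unanswered prompts per user is also a detection signal: a run of mismatched or ignored prompts for one account is worth an alert and a password reset.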
The applications for the 2023 Digital Rights Summer School in Perast, Montenegro are now open!
The School takes place from 23 to 29 July, and the program for 2023 is designed for enthusiasts based in Southeast Europe, who are passionate about digital rights and eager to learn more about the latest developments in this field.
During the School, we will explore the impact of emerging technologies on human rights with the help of expert lecturers. You will have an opportunity to delve deeper into the issues and dilemmas posed by artificial intelligence, especially in the context of new advanced AI models which are attracting increasing public attention. If you become a participant, you will also get to learn about protecting female journalists from online harassment, information warfare and the link between migration policies and data exploitation. These are just some of the topics you will hear about, gaining both theoretical and practical knowledge!
This program is organised by SHARE Foundation, European Digital Rights (EDRi) and Digital Freedom Fund – it offers a unique opportunity to learn from leading experts and network with other professionals in the field. Join us for an engaging program in the beautiful setting of Perast. Accepted applicants will be provided with travel, accommodation and full board during their stay.
A two-day international conference dedicated to the consequences that the dizzying development of technology has on the environment, citizens and society, will be held from May 14 to 16 in Belgrade.
The conference, organized by the leading regional organization for digital rights, SHARE Foundation, will take place in the KC Grad. The full program with line-up is available here. Due to limited space, it is necessary to register for a seat.
Despite significant achievements in science and social activism, new digital technologies have brought us closer to the horizon of dystopia thanks to the unprecedented and uncontrolled exploitation of natural resources. At the same time, various applications of advanced technologies such as artificial intelligence, the Internet of Things or robotics, transform people – their features, behavior, mutual relationships and interactions with the environment – into data (datafication) that is increasingly easier to manage.
What exactly are the new types of political system such as extractive capitalism and surveillance capitalism? In what way is it possible to analyze their key elements and establish a new social critique? What do you know about the life cycle of your smartphone, from the cobalt pit in the Congo, to a landfill in your city – and at which of these stages do you recognize your personal responsibility? What are the new, greener policies that we need to truly bear that responsibility? These are just some of the issues the participants will reflect upon during the event.
Conference Digital | Green | Society is developed as a platform for discussing the existing and opening new questions from the intersection of politics, human rights and technology. In addition to lectures and presentations, the program includes the local premiere of a documentary on the expansion of surveillance in China (as part of the Beldocs festival), various workshops, as well as professional guidance through public spaces in Belgrade of importance for human rights and freedoms.
The issues of climate crises and the rapid development of information technologies are closely related, although the public generally does not discuss it enough. The processes of exploitation of natural resources for the purpose of creating and maintaining the global digital infrastructure have an increasing influence on socio-political relations.
If you are an environmental or digital rights activist, a researcher, involved in green policies, or just concerned about these issues, join us for the event where we will discuss current challenges and potential advocacy plans for the future at the intersection of green policies, human rights and technology.
Please register for the event at this link. The full conference program will be announced by mid-April.
The controversial Draft Law on Internal Affairs was withdrawn from the procedure on Monday, December 26. The decision to withdraw followed two sessions of the public discussion, which was initially open for three weeks and then extended at the request of civic organisations.
At the same time, the Government announced “broad consultations” in further work on the draft of this regulation, with the aim “to clarify all doubts in the public and for everyone to understand the intention of the law, which is of particular importance for the safety of all citizens of the Republic of Serbia.”
In a little more than a year, this is the second attempt to reform one of the key areas of regulation that was abandoned during the public discussion. Unlike the first one, the work on the second draft went on in parallel with a series of consultative meetings with the expert community. However, both experts and the general public contested a number of proposed provisions regulating the powers of the police and the competent minister.
As an organisation dedicated to protecting digital rights and freedoms, SHARE Foundation focused on those articles of the Draft which deal with mass, indiscriminate processing of citizens’ biometric data through a smart video-surveillance system. We maintain the position that indiscriminate biometric surveillance of public spaces is contrary to the Constitution of Serbia and international conventions on the rights and freedoms of citizens.
SHARE Foundation advocates for the introduction of a moratorium on the use of intrusive technologies that involve mass, indiscriminate processing of the most sensitive personal data of citizens. From the first announcements of the acquisition of the smart surveillance system from the Chinese company Huawei, we have been warning the public and the authorities that such measures have no basis in the Constitution and laws of Serbia, and that its use would grossly violate the principles of necessity and proportionality, embedded in the national and international regulation of police powers.
We would like to thank the activists, collaborators and all partner organisations with whom we won this victory.