The applications for the 2024 Digital Rights Summer School in Perast, Montenegro are now open!
The School takes place from 25 to 31 August 2024, and this year’s program is designed for enthusiasts based in Southeast Europe, who are passionate about digital rights and eager to learn more about the latest developments in this field.
During the school, we’ll explore the impact of new technologies on human rights through lectures and talks by regional and international digital rights experts. You’ll take part in workshops and discussions on digital markets and online content regulation, information warfare, online harassment, AI-enabled surveillance and policing, while exploring their potential effects on regional affairs and strategies for advocacy. As a participant, you will also have the opportunity to connect, share experiences and collaborate on digital rights initiatives across the region. These are just some of the topics you will hear about and gain both theoretical and practical knowledge!
This program is organised by SHARE Foundation, European Digital Rights (EDRi) and Digital Freedom Fund – it offers a unique opportunity to learn from leading experts and network with other professionals in the field. Join us for an engaging program in the beautiful setting of Perast. Accepted applicants will be provided with travel and accommodation during their stay.
Preliminary analysis of media content for the most visited online media in Serbia: 1 November – 17 December 2023
On Wednesday November 1, the President of the Serbian Parliament, Vladimir Orlić, announced local elections in 65 cities and municipalities in Serbia, including Belgrade. A few hours after Orlić’s traditional protocol of signing the Decision on calling for elections in the hall of the National Assembly, the message “Long live Serbia! Happy elections!” arrived from the digital address of the President of the Republic of Serbia. Aleksandar Vučić’s cyber address also announced snap parliamentary elections, which started the pre-election campaign that lasted until December 14 at midnight. Meanwhile, on November 16, provincial elections were announced.
Research shows that online media’s importance as sources of information keeps steadily increasing, both in the world and at home. Although television is still in the lead when it comes to sources of obtaining information, the role of online media, which is currently in third place, requires special research attention. Taking into account the importance of free, comprehensive and balanced information from the point of view of the level of democracy of the entire election process, this research focuses on digital media and the information environment they create. The aim of the research is to identify and explain the key features of the informational content published by the leading online media in Serbia, in order to determine to what extent and in what way citizens were informed about the elections in the pre-election period, but also about key social and political issues, and the ways in which the central themes were defined in the digital environment and specific forms of support to the ruling structures were shaped.
Late into the night on Friday, December 8, the lengthy negotiations on the final version of the EU artificial intelligence regulation (AI Act) were concluded, with the first of a dozen technical meetings expected this week to specify the details of the law’s implementation.
Among other things, it is mentioned that “predictive” systems will only be partially prohibited, meaning that not all applications of artificial intelligence systems in policing and “crime prediction” are classified as unacceptable risks – a significantly weaker protection than what members of the European Parliament voted for this summer. The final ban includes some predictive systems based on “personal traits and characteristics”, but not geographic crime prediction systems already used by police forces across Europe. Critics note that such a partial ban allows for the creation of additional exemptions in the future.
Of particular concern is the possibility that any application of artificial intelligence systems in the context of “national security” would be entirely exempt from the regulation’s scope, including bans on unacceptable risks and transparency requirements.
The most challenging part of the negotiations concerned the bans, that is the classification of AI systems as posing unacceptable risk. The adopted proposal, as reported by those with insight, bans real-time remote biometric identification (RBI) in publicly accessible places—except when used to search for specific suspects or victims of certain crimes, to prevent “specific, substantial, and imminent threats to the life or physical safety of natural persons or a specific, present threat of a terrorist attack,” as well as for the “targeted search for specific victims of abduction, trafficking in human beings and sexual exploitation of human beings as well as search for missing children.”
The use of RBI needs to be approved by a judicial or otherwise independent authority and is limited in time and space, and it cannot include constant comparisons of all people in the public spaces with full police or other databases. In urgent situations, the judicial authorisation has to be done ex-post within 24 hours.
Post-Remote Biometric Identification (not in real-time, but on video footage) is not banned, but now a high-risk category and only possible if there is a prior judicial authorisation, or if it is strictly necessary in an investigation for the targeted search of a person convicted or suspected of having committed a serious criminal offence that already took place. Member States may introduce more restrictive laws on the use of Post-RBI systems.
Biometric categorisation is banned “that categorise natural persons based on their biometric data to deduce their political opinions, trade union membership, religious or philosophical beliefs, sex or sexual orientation from this biometric data.”
Restrictions have been introduced regarding emotion recognition, some applications of high-risk AI systems in the private sector, while criteria for risk classification have been expanded. The publication of the adopted version of the regulation is expected in the coming months.
One of the most comprehensive studies on the use of biometric systems worldwide, the SHARE Foundation’s book “Beyond the Face: Biometrics and Society” was presented on Monday, December 4, in Berlin and on Wednesday, December 6, in Brussels.
The promotion brought together the community for the protection of digital rights and freedoms at the Tactical Tech premises in Berlin, where the authors and attendees discussed the legal and social consequences of mass biometric surveillance.
In Brussels, a discussion was organised in the European Parliament on the study’s key findings, with opening remarks given by Members of the European Parliament Viola von Cramon and Sergey Lagodinsky. As an urgent danger, the MEPs pointed to a potential precedent in Serbia with the application of biometric surveillance technology towards the creation of a dystopian surveillance society. Patrick Breyer, also a member of the European Parliament, took part in the discussion.
Coincidentally, the book promotion in Brussels took place during the final stages of the trilogue on the new European regulation on artificial intelligence (AI Act). In fact, after the event MEP Lagodinsky moved on to the negotiations on banning of unacceptably risky systems, carrying his own copy of the book. The impact of the AI Act will have far-reaching consequences for the regulation and use of biometric surveillance systems around the world. Thus the importance of such detailed analysis of the biometric surveillance application in different countries, contesting problematic provisions of the future European law that could legitimise these practices.
The study on the social consequences of mass biometric surveillance provides a detailed description of technologies from various manufacturers used by public and private actors for surveillance. It includes a comparative analysis of regulations governing this field in the US, the EU, and a range of countries in Africa, Asia, and Latin America. Additionally, it explores some practical cases of biometric surveillance application, from Myanmar and the United Kingdom to New York and Belgrade, for border control, public space monitoring in major cities, or suppression of opposition activities.
Spanning over 300 pages, divided into three main segments—Technology, Law, Practice—the book acquaints readers with the current global experience of the conflict between fundamental human rights and the profit-driven biometric surveillance industry. Despite abundant evidence, authorities worldwide still believe that these systems contribute to the security of society.
The book is freely available, currently only in English. The editors of the publication are Ella Jakubowska (EDRi) and Andrej Petrovski & Danilo Krivokapić (SHARE). The authors of the texts are Bojan Perkov (Technology), Jelena Adamović and Duje Kozomara (Law), Mila Bajić and Duje Prkut (Practice).
SHARE Foundation warns of the disastrous impact of misuse of technology against the critical public in Serbia
On October 30, two members of civil society from Belgrade received an alert from Apple that they were potential targets of state-sponsored technical attacks. Thanks to good cooperation with civil society organisations in Serbia, they contacted the SHARE Foundation immediately after receiving the warning and asked to check the allegations to determine if their devices were attacked by any known spyware.
After the SHARE Foundation team, in cooperation with Internews, received confirmation from Apple representatives that the alerts were authentic, mobile devices were analysed to determine whether they had traces of spyware infection, among which the most well-known are Pegasus and Predator. For the final confirmation, the SHARE Foundation team turned to international organisations Access Now and Amnesty International, which have high expertise in the field of digital forensics.
Based on the reviewed data, these two respectable organisations confirmed that traces of an attack attempt that took place on 16 August 2023 were found on both mobile devices. Both expert organisations came to the same findings – that in the initial phase the attack was attempted via a vulnerability in the iPhone’s HomeKit functionality. The Pegasus spyware has previously been linked to multiple exploits targeting HomeKit, including PWNYOURHOME.
The SHARE Foundation warns that spyware attacks on representatives of the critical public have a disastrous impact on democracy and human rights, especially in the pre-election period. The use of spyware is illegal and incompatible with democratic values.
We remind the public that these and similar tools for technical attacks on mobile devices are used by non-democratic regimes around the world to spy on members of the opposition, civil society, independent media, dissidents and other actors working in the public interest. Such activities threaten the freedom of expression and association, as well as the right to privacy and secrecy of communication guaranteed by domestic and international law.
The SHARE Foundation invites media and civil society representatives who may have received the same message from Apple to contact the foundation to verify the warning.
NOTE: In accordance with the wishes of the members of civil society who were the target of the attack, as well as with security measures, SHARE Foundation will not provide additional details about this incident.
NOTE 2: The part of the text related to device analysis and vulnerabilities that were targeted was amended on 29 November 2023 at 12:38 for precision.
The second Digital Rights Summer School was held from July 23rd to 29th in Perast, Montenegro, with more than 50 participants and lecturers coming together to exchange and acquire knowledge about current issues at the intersection of society, technology, and human rights. The Digital Rights Summer School is organised by the SHARE Foundation in cooperation with the European Digital Rights (EDRi) and the Digital Freedom Fund (DFF).
The central theme of the School was artificial intelligence, considering the significant societal challenges in the context of using biometric surveillance in public spaces, border control and migration, or manipulative generated content. Participants also had the opportunity to learn more about practical aspects of researching phenomena such as networks for sharing intimate content and propaganda internet campaigns.
Some of the significant questions raised during the discussions included the environmental sustainability of digital infrastructure, which is expected to have an even greater demand due to the expansion of artificial intelligence. Additionally, the use of advanced software (such as Pegasus) for spying on journalists’ phones was discussed, along with maintaining a balance between freedom of expression and privacy in light of current and future regulations. Set at the site of the Old Austrian Prison in Kotor, an expert panel explored the perspectives of digital and European integration policies in the Western Balkans.
During the course of the School, an exhibition titled “Imagine Boka” by Andrija Kovač was opened in Perast. Blurring the lines between fact and fiction, this exhibition presents an intriguing collection of AI-generated photographs that explore an imaginable, alternative history of Boka Kotorska in the 1970s and 1980s – its people, places, customs, and traditions.
Many thanks to all participants, lecturers, and guests for the exciting week we spent together. We invite everyone to follow our website and social media channels and sign up next year!
We owe our gratitude for the support of the Summer School to the Gieskes-Strijbis Fonds, the Open Society Foundations Western Balkans. The Summer School was also supported by a core grant from the regional project SMART Balkans – Civil Society for a Connected Western Balkans, implemented by the Center for Civil Society Promotion (CPCD) in Bosnia and Herzegovina, the Center for Research and Policy Making (CRPM) in North Macedonia, and the Institute for Democracy and Mediation (IDM) in Albania, financially supported by the Ministry of Foreign Affairs of the Kingdom of Norway.
In today’s digital landscape, cybersecurity is of paramount importance to protect sensitive information from unauthorized access. Multi-Factor Authentication (MFA) has emerged as a powerful security measure, adding an extra layer of protection against account breaches.
MFA is an authentication approach that strengthens the login process by requiring users to provide multiple elements or “factors” from different categories. These factors encompass something you have, something you know, and something you are.
MFA integrates two or more of these factors into the authentication flow. Examples include typing a password and responding to a push notification on a registered smartphone, entering a password and providing a one-time code from a hardware authentication device, or utilizing a biometric facial scan and/or passphrase to unlock a cryptographic credential stored on a registered device, such as a phone or hardware token.
However, it’s essential to understand that MFA is not foolproof and can be bypassed in certain scenarios, such as phishing attacks.
The Importance of Multi-Factor Authentication (MFA)
Many cybersecurity agencies in Europe and the United States have elaborated on the importance of MFA, which can be summarized in the following bullets:
Strengthening Authentication: MFA combines multiple authentication factors, such as passwords, physical tokens, and biometric data, significantly increasing the difficulty for attackers to gain unauthorized access. Even if one factor is compromised, the additional layers of security act as a barrier against unauthorized entry.
Protection Against Password-Based Attacks: MFA mitigates the risks associated with weak or compromised passwords by requiring an additional authentication factor, making it harder for attackers to exploit password vulnerabilities.
Safeguarding Remote Access: With the rise of remote work and cloud-based services, MFA plays a crucial role in securing remote logins, ensuring that only authorized users can access corporate resources or personal accounts from various locations.
Compliance and Regulatory Requirements: MFA is often required or strongly recommended by industry standards and regulations, demonstrating a commitment to protecting sensitive data and instilling customer confidence.
the biometric data calculated by MFA algorithms for personal IDs, such as thumbprints, are not always accurate and can create false positives or negatives
enables businesses to opt to restrict access for time of day or location
MFA verification can fail if there is a network or internet outage
has scalable cost, as there are expensive and highly sophisticated MFA tools but also more affordable ones for small businesses
MFA techniques must constantly be upgraded to protect against criminals who work incessantly to break them
Understanding How Phishing Bypasses MFA
Not all MFA methods offer equal levels of security. In the past two years, numerous attacks have exploited weaknesses in MFA implementations, enabling criminals to bypass MFA protection. It is crucial to note that not all MFA solutions provide the same level of defense against authentication attacks, and the security and usability of an MFA deployment can be influenced by critical implementation details.
Phishing Attacks: Phishing involves cybercriminals impersonating legitimate entities and tricking individuals into disclosing sensitive information. By exploiting human vulnerabilities, attackers can obtain usernames, passwords, and even MFA codes or tokens, compromising accounts.
Real-Time Phishing: Attackers conducting real-time phishing can quickly capture MFA codes or tokens immediately after victims enter them during login. By using the obtained codes before they expire, attackers can bypass MFA’s additional layer of security.
Man-in-the-Middle Attacks: In man-in-the-middle attacks, attackers intercept communication between users and legitimate services, collecting credentials, including MFA codes, without detection. The intercepted information is then used to gain unauthorized access.
Social Engineering and Impersonation: Phishing attacks heavily rely on social engineering, with attackers impersonating trusted entities to deceive victims. By creating convincing replicas of emails or websites, attackers increase the likelihood of victims disclosing MFA credentials.
Mitigating the Risks
To mitigate the risks of attacks against MFA, businesses should consider the following:
Security Awareness Education: Regular training programs can help individuals recognize phishing attempts and avoid falling victim to them, reducing the risk of disclosing MFA credentials.
Two-Way Authentication: setting number matching authentication adds an extra layer of security by utilizing a separate communication channel for verification prompts, making it harder for attackers to bypass MFA.
Advanced Phishing Protection: Utilizing advanced anti-phishing solutions that employ machine learning and threat intelligence can detect and block phishing attempts, reducing the chances of successful attacks.
Strong Passwords and MFA Settings: Emphasizing the use of strong, unique passwords and implementing phishing-resistant MFA helps minimize the impact of successful phishing attacks.
Multi-Factor Authentication (MFA) is a crucial security measure that significantly enhances authentication mechanisms. However, it is not impervious to phishing attacks. Understanding the importance of MFA and the tactics employed by cybercriminals is essential for strengthening overall cybersecurity. By combining phishing-resistant MFA with security awareness education, two-way authentication, advanced anti-phishing solutions, and strong password practices, individuals and organizations can bolster their security defenses and reduce the risk of falling victim to phishing attacks that aim to bypass MFA.
Ninoslava Bogdanović is an Information Security Specialist at SHARE Foundation. Her fields of work are analysis of the state of digital security and building security measures and procedures in organisations so they could defend against cyber attacks, as well as providing assistance with cyber incidents.
Although cybersecurity may appear to be primarily a technological concern, it ultimately revolves around human beings. Humans play a pivotal role in cybersecurity, as they can unintentionally compromise sensitive information and systems through social engineering tactics or errors, emphasizing the need to empower individuals with appropriate technologies and awareness training.
In addition to the challenges posed by advanced attackers and the technical aspects of implementing multi-factor authentication (MFA), the true obstacle lies in inspiring individuals, both in personal and professional settings, to embrace this crucial security feature. Unfortunately, numerous reports suggest that businesses and individuals are not fully leveraging the potential of MFA.
While 56% of businesses claim to have implemented MFA. Shockingly, only 8% of C-suite executives utilize MFA across their various applications and devices. However, the issue extends beyond the corporate realm. Even social media users neglect best practices to safeguard their online accounts and personal information. For instance, a mere 2.6% of Twitter users have activated MFA for their accounts.
Several reasons contribute to this risky behavior:
Implementation and integration challenges: The complexity of incorporating MFA into daily business workflows makes it a daunting task.
Ineffective communication: The importance of implementing MFA fails to resonate effectively with businesses and society.
Misconceptions about cybersecurity: Some individuals hold beliefs such as “it won’t happen to me” or “I have nothing to hide,” undermining the perceived need for MFA.
Fear and uncertainty: The intimidating nature of cybersecurity alienates people from actively engaging in protective measures.
To address these concerns, it is vital to recognize that cybersecurity is not solely reliant on technology or processes. While technology can only offer a certain level of protection, employees can provide the contextual understanding necessary to detect and prevent attacks. By providing the right tools, knowledge, and support, organizations can unlock the full potential of their workforce and create a culture that embraces and maximizes the advantages of technology.
It is important to empower people in cybersecurity and identity protection to harness the benefits of digital technologies. Here are some strategies for achieving this goal:
Cultivating a Digital Mindset:
To empower individuals, it is crucial to foster a digital mindset within the organization. This involves developing an organizational culture that embraces technological advancements, encourages experimentation, and promotes continuous learning. By emphasizing the value of technology and its potential to drive positive change, employees are more likely to adopt new tools and approaches, becoming active participants in digital transformation.
To safeguard our digital identities in today’s interconnected world, empowering and engaging individuals in cybersecurity is paramount. Every organization possesses a security and organizational culture that should be transformed into a positive and proactive one. Blaming individuals for mistakes is counterproductive. Merely bombarding people with more technology exacerbates the situation by introducing unnecessary complexity. Instead, we should foster a culture that celebrates small victories. By focusing on all three domains of cybersecurity—people, processes, and technology—our businesses and societies can become safer and stronger.
Providing Training and Development Opportunities:
Investing in training and development is key to empowering employees to leverage technology effectively. This includes offering comprehensive training programs, workshops, and resources that equip individuals with the necessary skills to utilize technology tools and platforms efficiently. By providing ongoing learning opportunities, organizations enable employees to stay updated with the latest technological advancements and leverage them to enhance their work processes. Security awareness training should not solely focus on the “why” (the consequences of a breach), but also on the “why me?”. The “why me?” aspect, provides individuals with the context needed to comprehend the relevance of cybersecurity to their own lives. Without this understanding, it becomes challenging to influence people’s intrinsic motivation, which is key to driving behavioral change. Understanding the reasons behind certain behaviors, or the lack thereof, is crucial for impactful awareness training.
Tailoring Technology Solutions to Individual Needs:
Recognizing that each employee has unique requirements and preferences, organizations should strive to offer technology solutions that cater to individual needs. This can involve providing a range of tools and platforms to choose from, allowing employees to select the ones that align best with their work style and objectives. Customizable interfaces, flexible application integrations, and personalized user settings empower individuals to optimize their technology experience for enhanced productivity.
Empowering individuals to leverage the benefits of technology is a powerful strategy for organizations aiming to thrive in the digital age. By cultivating a digital mindset, cybersecurity mindset, providing training and development opportunities, tailoring technology solutions, encouraging collaboration, emphasizing automation benefits, and fostering innovation, organizations can create an environment where individuals feel empowered to harness technology to its fullest potential.
Ninoslava Bogdanović is an Information Security Specialist at SHARE Foundation. Her fields of work are analysis of the state of digital security and building security measures and procedures in organisations so they could defend against cyber attacks, as well as providing assistance with cyber incidents.
Corporate and personal data are being stored in distributed cloud platforms at a growing rate due to the acceleration of digital transformation across all industries and sectors, increased adoption of cloud-based technologies, and hybrid work norms. Many entities, including apps, organizations, people, devices, etc., have access to this data.
Traditional security measures are no longer sufficient to safeguard our data because traditional brick-and-mortar company borders have shrunk. Identity has become the new castle to guard, yet new security issues are associated with identity protection. To counter this tendency, businesses are investing in enhancing their access controls, switching to a zero-trust cybersecurity approach, and maximizing the effectiveness of multi-factor authentication (MFA).
What is MFA?
A solid access management policy must include MFA as a critical component. MFA is essential in limiting attackers’ ability to steal our digital identities and access our systems. MFA demands one or more extra verification elements in addition to a username and password, which lessens the possibility of a successful cyber-attack.
What is MFA fatigue?
There are crucial implementation elements that can affect the security and usability of an MFA deployment, and it is essential to remember that not all MFA solutions offer equal protection against authentication attacks. Due to flaws in the MFA implementation, we have seen numerous attacks over the previous two years when thieves could get around the MFA protection.
In such attacks, also known as push bombing or MFA fatigue, cybercriminals bombard unsuspecting targets with mobile push alerts requesting them to accept attempts to enter their corporate accounts using stolen credentials. The victims often give in to the malicious MFA push requests sent repeatedly, either unintentionally or in an effort to stop receiving what seems like an endless stream of alerts, allowing the attackers to log into their accounts.
What are the latest developments in access control?
To mitigate the MFA attacks, tech giants Google and Microsoft have recently announced two initiatives that push toward a more secure and even passwordless future. Let’s examine what these developments are.
Google takes a step toward a passwordless future
The tech giant recently launched passkeys, a type of digital credential, as an option to generate and use in place of passwords as a safer, more practical alternative.
What are passkeys?
Passkeys are created using public-key cryptography, also known as asymmetric encryption, which uses a set of private and public keys. The private key, a crucial part of the passkey, is kept on the device, while the public key is held on the side of the app or website. The passkey’s value is not accessible to websites. Google determines whether a website’s public key corresponds to the passkey the user uses to log into their account.
Unlike a password, this authentication approach dramatically increases the resilience of accounts because the key cannot be stolen from the website it is stored on, phished, or intercepted in transit. Additionally, the account cannot be attacked due to a weak password or password reuse since there is no password.
Figure 1: Google Passkeys (Source: Google)
As Google noted in their announcement:
“Using passwords puts a lot of responsibility on users. Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts. 2SV (2FA/MFA) helps, but again puts strain on the user with additional, unwanted friction and still doesn’t fully protect against phishing attacks and targeted attacks like ‘SIM swaps’ for SMS verification. Passkeys help address all these issues.”
Passkeys utilize the three forms of information that are used frequently in MFA: something you have (such as a smartphone), something you are (such as your biometrics), or something you know (such as a PIN or pattern). Although passkeys qualify as a type of MFA, the FIDO Alliance claims that several regulatory organizations still need to acknowledge this, even though they are actively striving to do so.
It would be best not to create a passkey on the shared computer at your place of business since passkeys should only be established on devices you individually control. Google stated that passkeys for employee sign-ins would be enabled by Workspace account managers “soon.” As anyone using the device could access your Google account, you shouldn’t create one on shared devices like your family computer. Once a passkey is generated on that device, anyone who can unlock it can sign back into your account using the passkey, even if you have logged out.
Microsoft hardens MFA with number matching
Microsoft announced they would start enforcing number matching for Microsoft Authenticator MFA alerts to block MFA fatigue attack attempts.
“Beginning May 8, 2023, number matching is enabled for all Authenticator push notifications. As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests,” reads the company’s announcement.
What is number matching?
Number matching is a setting that forces the user to enter numbers displayed in the platform where they try to authenticate into their authenticator app to approve the request, explains the US Cybersecurity and Infrastructure Security Agency (CISA).
Figure 2: Number Matching. Source: Microsoft
The number-matching requirement reduces MFA fatigue by needing access to the login screen to authorize requests. When users use Microsoft Authenticator to respond to an MFA push message, they will see a number. To complete the approval, they must enter that number into the app. Users cannot approve requests without the numbers being entered on the login screen.
“Number matching is a key security upgrade to traditional second-factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all Microsoft Authenticator push notifications users starting May 8, 2023,” Microsoft says.
