Check out the show description
How to speak securely with someone in Ukraine without putting them at more risk?
As requested by a listener, Michala Liavaag explains the difference between unencrypted and encrypted communications, and how using Virtual Private Networks (VPN) can help protect your privacy.
This episode follows on from our Cybility Alert covering the steps organisations can take to respond to the increasing cyber threat due to Russia's invasion of Ukraine.
We recommend this episode is viewed on our YouTube channel at cybility.tv
👉 Cited in this episode:
Proton VPN: https://bit.ly/cybility2proton
Tor project: https://bit.ly/cybility2tor
Surveillance Self-Defense with the Electronic Frontier Foundation (EFF): https://bit.ly/cybility2sdd
Telegram is not secure by default: https://bit.ly/cybility2efftelegram
✍🏾Written and produced by Michala Liavaag
🎦Co-produced and edited by Ana Garner video
🎵Music by CFO Garner
Read the episode transcript
Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders.
I’m your host Michala Liavaag, founder of Cybility consulting.
Today I’m going to answer a question from one of our listeners, which came about following the Cybility alert that we did on Russia’s invasion of Ukraine. So, if you haven't already listened to that episode, or watched it on YouTube, please go back and listen to or watch that episode. So I would like to say thank you to the individual who sent their question in. Because of the nature of these circumstances they would like to remain anonymous, and the question was: "I need to speak with someone in the Ukraine. How can I do that safely without putting them and their family at more risk?" Great question.
The first thing I would say is to avoid the use of mobile phones if you can. The standard conversations are not encrypted by default, and it's relatively trivial for people to intercept and eavesdrop on these communications. So you may be wondering what you need to be using instead. And the answer is online communications collaboration tools, where they are end-to-end encrypted.
So let's just take a look at what it means to be an unencrypted connection for a moment. Let's say I’m Elisa here in the UK, and I want to communicate with Robert in Ukraine. I might have a particular collaboration tool I like to use and that's hosted somewhere out on the internet with a third party provider. So when I connect to the internet I may have an encrypted connection that goes via my ISP, gets to the collaboration provider. Robert on his end does the same thing, but that might be an unencrypted connection, which means that hackers or others can intercept these connections and then see the information that's here, what's being said. The other thing to note is that there are governments who are known to eavesdrop on communications as well, and so some of this information again is going to be available to them. In particular of interest, it's worth noting that there's something called metadata, and that literally is just information that describes a particular thing. So in this case it will be information about the connection, so it will be where it's coming from in terms of the location, what time it is, who I’m communicating with on the other end, etc. And at the moment, because it's unencrypted, this is visible potentially to anyone that wants to eavesdrop.
So let's now take a look at encrypted communications. So here I am, Lisa in the UK, and now I’ve got my encrypted connection to the provider. All great, right? I’m chatting away, it's all fine, encrypted. Hmm... not necessarily. Unless the other person who's partaking in the same conversation is also using an encrypted connection, then it could actually be reached on that side. So you can see this attacker here, encrypted connection, can't eavesdrop easily, whereas this one can. Other agencies can look at that metadata as well and gain some information that even though they perhaps don't know the content of the call coming from the left-hand side here, they do know the location, and they could potentially go to the internet service provider and ask for who's connected at that particular time with that IP address.
Now, what do you then do about that? This is where VPNs come in: Virtual Private Networks. So what those do is they effectively create a sort of tunnel between your computer and the VPN provider that you select. It means that the people outside can't eavesdrop easily on that connection. Now in terms of the metadata, it also means that the people can't actually view all that as easily either, because what they're now going to see is the metadata of the VPN provider, instead of you and your machine or at least as in this case. And then one of the things that the VPN providers do as well is they often have servers all around the world. I could potentially connect to a server in another country and then people who are trying to sort of find out what's going on would just see again the VPN provider, not knowing where I was coming from. It's also a way that people used to bypass geographic restrictions and access TV shows and that sort of thing as well. The VPN, you want to have that in place on both sides, so Robert really wants one as well, and once you've both got that in place, and then within that tunnel you're using an encrypted end-to-end service, then you should hopefully be minimizing the risk to the person that you're communicating with.
Now whilst I wouldn't normally recommend products on this channel and we don't do advertising at all either, in this particular circumstance for this individual, I did recommend the use of Proton VPN. It's well known for both security and privacy, so I’m happy to suggest that is one worth using. In general, again, always go with something reputable. Paid services sometimes, not always, may be better at not logging information, but everyone's use case is different, and so this may or may not be appropriate for your particular use, but in this particular case for this question, it was.
Some of the other things you might want to look at are browsing privately, and the Tor browser, the onion router browser, is well known again for being able to browse privately, as long as you don't log into services whilst you're browsing with it, so that's something you might want to have a look at.
If you want to have more of a sort of anonymous trail in terms of the computer that you're actually using as well, then one of the things you would want to have a look at is called Tails. Now this is an operating system that you can install on a USB drive with a small footprint, and plug it into a machine, boot up and do all your activity on that operating system. Any files that you create, you would need to upload to a cloud service because once you turn it off all traces are gone, it's not there. So think of it as like a disposable PC.
And the final recommendation I’m going to give is around using the excellent resources from The Electronic Frontier Foundation. In particular for people who are out there at the moment and need to look after themselves, the surveillance self-defense section of their site has lots of guidance on what to do to keep yourself safe, so really strongly recommend that one.
Telegram: some of you may have been using that on your phones. It's not secured by default. If you want the security of the end-to-end encryption you need to enable that for individual chats, with a secret feature. So have a look at this link [https://bit.ly/cybility2efftelegram], if that's something you are using. Otherwise there are other options available: Signal, WhatsApp etc., lots of other things out there as well.
I do hope this has been useful. If so, consider liking, sharing, and subscribing.