The networks of people and groups defending human rights and civil liberties have connected much faster than they have secured themselves. The outcome is predictable: the powerful interests that these people challenge are striking back by sponsoring digital operations against them. This presentation will provide an overview of the resulting epidemic of digital threats. Some of these threats are sophisticated, and include zero-day exploits, custom kits, and government-exclusive spyware sold for millions of dollars. However, we will highlight research that shows that the majority of these threats don't advance far beyond the minimum necessary technical sophistication to get the job done. Phishing and Commodity Off The Shelf (COTS) malware, in other words, are the norm. These basic threats are successful, because they exploit human behaviour, and are the original 'forever day' vulnerability.
Regardless of the level of sophistication, these threats can lead to very real harm to individuals, organizations, and social movements. We will draw from a decade of research on threats against civil society to show how the most damaging threats do not come from the most sophisticated threat actors. The security community has a tendency to focus on the newest, most sophisticated, and exotic threats. Phishing and RATs are 'boring'. Yet boring threats can do far more harm, on a much larger scale. Public health models can help us better frame our thinking on threats. Some of the biggest killers in the world are not exotic, high-profile diseases, but mundane illnesses, like malaria, and intestinal ailments. Through this talk we will argue that the threats to civil society groups are the canary in the coalmine, and encourage the security industry to re-calibrate the attention we give to the real, everyday killers.