Practical Digital Security for Journalists


Transcript of Practical Digital Security for Journalists

  • 7/27/2019 Practical Digital Security for Journalists

    1/40

    PRACTICAL DIGITAL SECURITY

    FOR JOURNALISTS

    or, what everyone in the newsroom should know

    Jonathan Stray

    Columbia Journalism School

    ONA 2013

    2/40

    Journalism Security Disasters

    Hacked accounts and sites

    AP

    Washington Post

    New York Times

    ...

    Sources exposed

    Vice reveals John McAfee's location

    AP phone records subpoena

    Filmmaker's laptop seized in Syria

    ...

    Data leaked

    Wikileaks cables archive was not meant to be public

    ...

    3/40

    What are we protecting?

    There are basically two things we want to protect:

    information and computers.

    Information not protected: someone reads your secret email, source identity exposed, story draft leaked

    Computer not protected: someone erases your hard drive, Twitter account hacked, site down

    4/40

    Different kinds of attacks

    Technical: insecure communications, revealing metadata, "classic" hacking

    Legal: your data vs. a subpoena

    Physical: reporter detained, laptop stolen

    Social: maybe you shouldn't have told them that, inside jobs

    5/40

    Today's topics

    Stuff everyone needs to know. Especially things that might compromise your colleagues!

    Passwords

    Phishing

    Malware

    Secure storage

    Secure communication

    and...

    Threat modeling intro

    6/40

    Passwords

    1. Don't use a common password. Avoid words in the dictionary.

    2. Consider passphrases, and password management tools like OnePass

    3. If you use the same password for multiple sites, your password is only as strong as the security on the weakest site.
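    A worked check for the three rules on this slide, added here as an example rather than material from the talk. It uses a constructed stand-in for the leaked LinkedIn and Gawker lists and a constructed 16-word list; COMMON_PASSWORDS, WORDLIST and the 40-bit cutoff are assumptions, and 7776 is the size of the standard Diceware word list. It rejects leaked and dictionary passwords, estimates brute-force work from length and character classes, and generates a passphrase with the secrets module.

```python
import math
import secrets
import string

# Constructed stand-in for the breach-derived lists on the slides (LinkedIn 2012,
# Gawker 2010); a real check would load the full leaked list from a file.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "monkey", "linkedin", "sunshine", "princess", "welcome",
}

# Constructed 16-word list, used both as the "dictionary" and for passphrases.
# A real passphrase generator needs thousands of words (Diceware has 7776).
WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
    "pepper", "lantern", "meadow", "summit", "walrus", "quartz", "harbor",
    "falcon", "nimbus",
]
DICEWARE_SIZE = 7776


def is_common(password: str) -> bool:
    """Rule 1: reject anything that appears in a leaked-password list."""
    return password.strip().lower() in COMMON_PASSWORDS


def is_decorated_dictionary_word(password: str) -> bool:
    """Rule 1 again: 'Horse1' or 'horse!' is still just a dictionary word."""
    core = "".join(c for c in password.lower() if c.isalpha())
    return core in WORDLIST


def charset_size(password: str) -> int:
    """Size of the smallest character pool that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password: str) -> float:
    """Work (log2 of guesses) for an attacker who knows only length and charset."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Work for an attacker who knows the word list and the word count."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 5, wordlist=WORDLIST) -> str:
    """Rule 2: pick words with the `secrets` CSPRNG, never with `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def assess(password: str) -> str:
    """One-line verdict; the 40-bit cutoff is an assumption for this example."""
    if is_common(password):
        return "reject: appears in a leaked-password list"
    if is_decorated_dictionary_word(password):
        return "reject: a dictionary word with trivial decoration"
    bits = brute_force_bits(password)
    if bits < 40:
        return f"weak: about {bits:.0f} bits against brute force"
    return f"ok: about {bits:.0f} bits against brute force"


if __name__ == "__main__":
    for candidate in ["password", "Horse1", "abcdefgh", "Tr0ub4dor&3"]:
        print(f"{candidate!r:16} -> {assess(candidate)}")
    phrase = generate_passphrase()
    print(f"{phrase!r} -> {passphrase_bits(5, len(WORDLIST)):.0f} bits from this toy list, "
          f"{passphrase_bits(5, DICEWARE_SIZE):.0f} bits from a Diceware-sized list")
```

    Compare the 20 bits five words give from a 16-word list with the roughly 65 bits from a Diceware-sized list: passphrase strength comes from the list size and the word count, not from the words looking unusual. Rule 3 has no code counterpart: a strong password reused on a site that stores it badly is exposed the moment that site is breached.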

    7/40

    LinkedIn, from June 2012 breach

    Gawker, from Dec 2010 breach

    8/40

    9/40

    Phishing

    By far the most common attack against journalists (or maybe anyone). Relies on getting the user to visit a site under false premises.

    Typically directs users to a fake login page to trick them into entering passwords. But: more sophisticated attacks exist that work just by viewing the page.

    Protection: beware suspicious links! Especially those that take you to a login page!

    Read the URL before clicking a link from a message.

    Always read the URL before typing a password.

    10/40

    11/40

    12/40

    13/40

    AP Twitter hacked by phishing

    14/40

    AP phishing email

    The link didn't really go to washingtonpost.com!

    15/40

    Read the URL before you click!

    16/40

    Washington Post hacked by phishing

    Fake login page on webmail.washpost.site88.net

    17/40

    Syrian Facebook phishing attack

    Arabic text reads:

    "Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this."

    18/40

    Read the URL before you login!

    19/40

    Increasingly sophisticated phishing

    Spear phishing = selected targets, personalized messages

    20/40

    But all is not lost, if you are alert

    21/40

    Defending against phishing

    Be suspicious of generic emails

    Read the URL before you click

    Always read the URL before typing in a password

    Report suspicious links to your security people
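    The "read the URL" habit on this slide, written down as a check that can be run over the links in a message. This is an added example, not code from the talk; the allowlist, brand fragments and login keywords are constructed assumptions. The sample links are modelled on the AP and Washington Post incidents from the earlier slides: webmail.washpost.site88.net is the host the slide names, evil.example and news.example are constructed.

```python
from urllib.parse import urlparse

# Constructed allowlist: sites this newsroom actually logs in to.
TRUSTED_LOGIN_DOMAINS = {"washingtonpost.com", "twitter.com", "facebook.com"}
# Constructed brand fragments that lookalike hosts tend to reuse.
BRAND_KEYWORDS = {"washingtonpost", "washpost", "twitter", "facebook"}
# Constructed heuristic for "this link lands on a login page".
LOGIN_WORDS = ("login", "signin", "sign-in", "webmail", "password", "account")


def is_trusted_host(host: str) -> bool:
    """True only if host IS a trusted domain or a real subdomain of one.

    A substring test would accept washingtonpost.com.evil.example; this does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def looks_like_login(parsed) -> bool:
    """Host, path and query mention something login-like."""
    haystack = f"{parsed.netloc}{parsed.path}?{parsed.query}".lower()
    return any(word in haystack for word in LOGIN_WORDS)


def trusted_domain_named_in(text: str):
    """The trusted domain a link's visible text claims to point at, if any."""
    lowered = text.lower()
    return next((d for d in TRUSTED_LOGIN_DOMAINS if d in lowered), None)


def check_link(displayed_text: str, href: str):
    """Return (verdict, reason) for a link, judged the way a careful reader would."""
    try:
        parsed = urlparse(href.strip())
        host = (parsed.hostname or "").lower()
        user = parsed.username
    except ValueError:
        return ("suspicious", "URL does not parse")
    if parsed.scheme not in ("http", "https"):
        return ("suspicious", f"unexpected scheme {parsed.scheme!r}")
    if user is not None:
        # http://washingtonpost.com@evil.example/ really goes to evil.example
        return ("suspicious", f"'{user}@' in front of the real host {host}")
    if not host:
        return ("suspicious", "no host in URL")
    claimed = trusted_domain_named_in(displayed_text)
    if claimed and not (host == claimed or host.endswith("." + claimed)):
        # The AP case: the visible text named one site, the link went elsewhere.
        return ("suspicious", f"text says {claimed} but the link goes to {host}")
    if is_trusted_host(host):
        return ("ok", f"goes to trusted host {host}")
    if any(brand in host for brand in BRAND_KEYWORDS):
        # The Washington Post case: a brand name inside an unrelated host.
        return ("suspicious", f"lookalike host {host}")
    if looks_like_login(parsed):
        return ("suspicious", f"login-looking page on untrusted host {host}")
    return ("ok", f"goes to {host} (not a login page)")


if __name__ == "__main__":
    samples = [  # constructed, modelled on the incidents on the earlier slides
        ("washingtonpost.com", "http://evil.example/story"),
        ("Webmail", "http://webmail.washpost.site88.net/"),
        ("Read the story", "https://www.washingtonpost.com/news/"),
        ("Read more", "https://news.example/article"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href)}")
```

    The two comparisons that matter are exact-domain-or-subdomain rather than substring, and visible text against the real host. A mail client shows you the text; the URL is what you must read before clicking, and again before typing a password.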

    22/40

    Malware

    If someone can run a program on your computer, all is lost. E.g. they can get all your passwords with a keystroke logger.

    Some types can be installed just by visiting a page. Keep your software up to date. Don't run random programs downloaded from the net. Be suspicious when software asks for your admin password.

    Protecting against a determined attacker is very hard. In such cases, consider an air gap: a computer not on the network.

    23/40

    Secure storage

    We're assuming you have some "data" you want to protect. Documents, notes, photos, interviews, video...

    1. How many copies are there?

    2. Could they get a copy?

    3. If they had a copy, could they read it?

    24/40

    Laptop falls into Syrian govt hands, sources forced to flee

    25/40

    How many copies?

    The original file might be on your phone, camera SD card, etc.

    You probably copied it to your laptop. Have you ever given it to anyone else? What about backups of your computer or other devices? Consider secure erase products to keep the number of copies down.
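    Answering "how many copies?" from memory is unreliable, so here is an added example (not code from the talk) that finds every byte-identical copy of a file under a set of folders by SHA-256. It runs on a constructed temporary directory tree standing in for a laptop, its backups and a memory card; every path and file content in it is constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16) -> str:
    """Hash a file in chunks so large video files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(original, search_roots):
    """Every regular file under search_roots that is byte-for-byte identical to original.

    The original is reported too when it lives under one of the roots, so the
    length of the result answers "how many copies are there?" directly. Sizes are
    compared first so only same-sized files get hashed; renamed copies are found,
    edited ones are not.
    """
    target_size = os.path.getsize(original)
    target_hash = sha256_of(original)
    copies = set()
    for root in search_roots:
        for path in Path(root).rglob("*"):
            if path.is_symlink() or not path.is_file():
                continue
            if path.stat().st_size == target_size and sha256_of(path) == target_hash:
                copies.add(path.resolve())
    return sorted(copies)


def build_demo_tree():
    """Constructed sample: one interview file on the laptop, in a backup folder and
    on a memory card under a new name, plus an edited version of the same size."""
    base = Path(tempfile.mkdtemp(prefix="copies-demo-"))
    interview = b"Interview with source, 2013-10-18. Do not distribute.\n"
    edited = interview.replace(b"source", b"editor")  # same size, different bytes
    files = {
        "laptop/notes/interview.txt": interview,           # the original
        "laptop/Backups/2013-10/interview.txt": interview,  # backup copy
        "sdcard/DCIM/REC0001.TXT": interview,               # renamed copy on the card
        "laptop/notes/interview-edited.txt": edited,        # not a copy
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base, base / "laptop/notes/interview.txt"


if __name__ == "__main__":
    base, original = build_demo_tree()
    copies = find_copies(original, [base])
    print(f"{len(copies)} copies of {original.name}:")
    for path in copies:
        print("  ", path.relative_to(base))
```

    This only counts copies that still exist as files. A deleted file may remain recoverable from the disk, which is what the secure erase products on the slide address, and on flash storage overwriting is not dependable; that is why the later slides insist on encrypting every copy, memory cards included.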

    26/40

    Could they get a copy?

    I can always steal your laptop.

    ...or your camera equipment could be seized at customs. Or your office could be broken into. Or someone could wait until you go to lunch and then use your computer.

    27/40

    If they had a copy, could they read it?

    Encrypt that shiznit! Easiest and most reliable method: whole disk encryption.

    TrueCrypt is open-source and widely used... security audit pending.

    MacOS FileVault is ok, but don't let it give your password to Apple!

    Remember to encrypt all copies. Memory cards and thumb drives too!

    28/40

    The mud-puddle security test

    How to tell if a secure storage product really is secure:

    Imagine you slip on a muddy puddle, fall and crack your head against the pavement, and permanently lose all memory of your passwords.

    You call the vendor, explain the situation, verify your identity, and ask them to help you recover your information.

    If they can help you get your data back, it's not secure.

    29/40

    The point of the mud-puddle test

    "trust" is not a substitute for "security"

    Well-designed security means trusting as few people as possible.

    30/40

    Secure communication

    Two things you might want:

    Privacy: get a file from A to B, without C reading it too.

    Anonymity: get a file from A to B, without C discovering who A is.

    Not the same thing at all. Anonymity is much harder than privacy.

    31/40

    AP source busted through phone logs

    32/40

    Data trails

    When you use an electronic device, what data is created?

    Who has access to this data?

    When you communicate electronically, where do the bits physically go?

    Who can intercept them?

    33/40

    Phones are tracking devices

    34/40

    [Diagram: a message from a sender at FOO to a recipient at bar.org passes through FOO's mail server, an ISP, a telco, another ISP and BAR's mail server before it is delivered]

    Dozens of organizations must process your email in plain text. Many of them store it. There's the possibility of unauthorized access at any point. Also subject to warrants and subpoenas.

    Email is totally insecure!
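    An added example, not from the talk, that makes the path in the diagram visible from a message's own Received: headers. The message and every host in it are constructed; the hops mirror the slide's drawing (sender, ISP, telco, recipient's servers). The SMTP keyword in each header says whether that one hop was encrypted on the wire, but every server in the list still handled the complete message in the clear, which is the slide's point.

```python
import re
from email import message_from_string

# Constructed message: a reporter at foo.org writes to a source at bar.org and the
# message crosses the kind of path the slide draws: the sender's ISP, a telco
# relay, the recipient's mail exchanger, then the recipient's mailbox server.
# Each receiving server prepends its own Received: line, so the top one is the last hop.
RAW_EMAIL = """\
Received: from mx1.bar.org (mx1.bar.org [198.51.100.20])
\tby mail.bar.org with ESMTP id 4; Fri, 18 Oct 2013 10:05:12 +0000
Received: from relay.telco.example (relay.telco.example [203.0.113.9])
\tby mx1.bar.org with ESMTP id 3; Fri, 18 Oct 2013 10:05:10 +0000
Received: from smtp.isp.example (smtp.isp.example [192.0.2.44])
\tby relay.telco.example with SMTP id 2; Fri, 18 Oct 2013 10:05:08 +0000
Received: from laptop.foo.org (dhcp-12.foo.org [192.0.2.12])
\tby smtp.isp.example with ESMTPS id 1; Fri, 18 Oct 2013 10:05:05 +0000
From: reporter@foo.org
To: source@bar.org
Subject: meeting
Date: Fri, 18 Oct 2013 10:05:04 +0000

See you at the usual place.
"""

# "from <sender> ... by <receiver> ... with <protocol>"; re.S spans folded lines.
HOP_RE = re.compile(
    r"from\s+(?P<sender>\S+).*?\bby\s+(?P<receiver>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[A-Za-z0-9]+))?",
    re.S,
)
# SMTP keywords meaning the link into this server was wrapped in TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}


def trail(raw_message: str):
    """Parse Received: headers into hops in transit order (first hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        match = HOP_RE.search(value)
        if not match:
            continue
        proto = (match.group("proto") or "").upper()
        hops.append({
            "from": match.group("sender"),
            "by": match.group("receiver"),
            "protocol": proto,
            "encrypted_in_transit": proto in TLS_PROTOCOLS,
        })
    return hops


def plaintext_handlers(hops):
    """Every host that held the message in the clear. TLS only protects the wire
    between two servers; each receiving server still reads the whole message."""
    hosts = []
    if hops:
        hosts.append(hops[0]["from"])
    for hop in hops:
        if hop["by"] not in hosts:
            hosts.append(hop["by"])
    return hosts


if __name__ == "__main__":
    hops = trail(RAW_EMAIL)
    for i, hop in enumerate(hops, 1):
        wire = "TLS" if hop["encrypted_in_transit"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['protocol'] or '?'}, {wire} on the wire)")
    print("servers that saw the full message:", ", ".join(plaintext_handlers(hops)))
```

    Received: headers are written by the receiving servers and can be forged or stripped, so treat the list as a lower bound on who handled the message. The headers also survive in every stored copy, which is the metadata a subpoena reaches.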

    35/40

    Secure communication

    Secure email can be done with PGP but not very user friendly.

    Secure chat is easier.

    cryptocat.org Chrome plugin. Very easy to use, but still relatively immature.

    OTR ("off the record") instant messaging. Plugin for popular IM clients. Mature, vetted, professional strength.

    36/40

    For sensitive stories, have a plan

    Security doesn't just happen. It requires careful planning and meticulous habits.

    What you have learned in this session is not enough!

    To learn how to make a security plan, come to the threat modeling session.

    37/40

    Threat modeling

    What do I want to keep private?

    (Messages, locations, identities, networks...)

    Who wants to know?

    (story subject, governments, law enforcement, corporations...)

    What can they do?

    (eavesdrop, subpoena... or exploit security lapses and accidents)

    What happens if they succeed?

    (story's blown, legal problems for a source, someone gets killed...)

    38/40

    In short

    Use real passwords

    Understand and be alert for phishing

    Keep your software up to date

    Know where your data is and where it goes

    For sensitive stories, have a plan

    39/40

    If you only learn one thing from this talk, make it phishing

    Don't click on suspicious links.

    This is everyone's responsibility.

    That means you, even if you never work

    on sensitive stories.

    This alone might foil 90% of attacks.

    40/40

    Resources

    Committee to Protect Journalists information security guide: http://www.cpj.org/reports/2012/04/information-security.php

    Jen Valentino's Encryption and Operational Security for Journalists Hacks/Hackers presentation: https://gist.github.com/vaguity/6594731

    http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all

    Threat modeling exercise: http://jmsc.hku.hk/courses/jmsc6041spring2013/2013/02/08/assignment-6-threat-modeling-and-security-planning/