Practical Digital Security for Journalists
7/27/2019 Practical Digital Security for Journalists
1/40
PRACTICAL DIGITAL SECURITY
FOR JOURNALISTS
or, what everyone in the newsroom should know
Jonathan Stray
Columbia Journalism School
ONA 2013
-
2/40
Journalism Security Disasters
Hacked accounts and sites
AP
Washington Post
New York Times
...
Sources exposed
Vice reveals John McAfee's location
AP phone records subpoena
Filmmaker's laptop seized in Syria
...
Data leaked
Wikileaks cables archive was not meant to be public
...
-
3/40
What are we protecting?
There are basically two things we want to protect: information and computers.
Information not protected: someone reads your secret email, source identity exposed, story draft leaked.
Computer not protected: someone erases your hard drive, Twitter account hacked, site down.
-
4/40
Different kinds of attacks
Technical: insecure communications
revealing metadata
"classic" hacking
Legal: your data vs. a subpoena
Physical: reporter detained
laptop stolen
Social: maybe you shouldn't have told them that
inside jobs
-
5/40
Today's topics
Stuff everyone needs to know. Especially things that might compromise your colleagues!
Passwords
Phishing
Malware
Secure storage
Secure communication
and...
Threat modeling intro
-
6/40
Passwords
1. Don't use a common password. Avoid words in the dictionary.
2. Consider passphrases, and password management tools like OnePass.
3. If you use the same password for multiple sites, your password is only as strong as the security on the weakest site.
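The three password rules above can be checked mechanically. The following is an added example (not code from the talk or its author): it generates a passphrase with the OS random source, puts numbers on how much stronger a passphrase is than a dressed-up dictionary word, and rejects the "Password1"-style variants that breach dumps are full of. The wordlist and the common-password set are constructed stand-ins for a real Diceware list and a real breach list.

```python
import math
import secrets

# Constructed stand-in for a real passphrase wordlist (a Diceware list has 7776 words).
WORDLIST = ["river", "candle", "basalt", "orbit", "velvet", "lantern", "copper", "meadow"]

# Constructed sample of the kind of entries the LinkedIn and Gawker dumps contained;
# a real check would load the full lists.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "linkedin", "gawker", "welcome"}

# Letter-for-digit substitutions people use to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def make_passphrase(wordlist=WORDLIST, n_words: int = 4, sep: str = "-") -> str:
    """Random passphrase. secrets uses the OS CSPRNG; random.choice would not do here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def normalize(password: str) -> str:
    """Undo the dressing-up applied to a dictionary word: capitals, trailing
    digits or symbols, and letter-for-digit substitutions."""
    return password.lower().rstrip("0123456789!@#$%^&*.").translate(LEET)


def is_weak(password: str, wordlist=WORDLIST, common=COMMON_PASSWORDS) -> bool:
    """True for short passwords, common passwords and single dictionary words,
    even when they are dressed up (P@ssw0rd1, Velvet99, ...)."""
    core = normalize(password)
    return len(password) < 8 or core in common or core in set(wordlist)


if __name__ == "__main__":
    print("8 random lowercase letters:", round(entropy_bits(26, 8), 1), "bits")
    print("4 words from a 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("example passphrase:", make_passphrase())
    for candidate in ("P@ssw0rd1", "Velvet99", "correct-horse-battery"):
        print(candidate, "weak" if is_weak(candidate) else "ok")
```

The entropy figures are what matter for rule 2: a four-word passphrase from a 7776-word list carries about 52 bits, more than eight random lowercase letters (about 38 bits) and far more than a dictionary word with a digit stuck on, which a cracker tries as a single guess with a rule.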
-
7/40
LinkedIn, from June 2012 breach
Gawker, from Dec 2010 breach
-
8/40
-
9/40
Phishing
By far the most common attack against journalists (or maybe anyone). Relies on getting the user to visit a site under false premises.
Typically directs users to a fake login page to trick them into entering passwords. But: more sophisticated attacks exist that work just by viewing the page.
Protection: beware suspicious links! Especially those that take you to a login page!
Read the URL before clicking a link from a message.
Always read the URL before typing a password.
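"Read the URL" is a habit, but the two checks it boils down to can also be written down. The following is an added example, not code from the talk: it compares the host a link displays with the host it really points to, and checks whether the real host belongs to a domain the newsroom actually logs in to. The allow-list is a constructed assumption, and the lure URL in the test (`washingtonpost.com.example.net`) is constructed; the `webmail.washpost.site88.net` host is the one the talk cites.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains this hypothetical newsroom logs in to.
TRUSTED_LOGIN_DOMAINS = {"washingtonpost.com", "twitter.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com/.net/.org names;
    a public-suffix list is needed for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL, tolerating link text written without a scheme."""
    parts = urlsplit(text if "://" in text else "http://" + text)
    return (parts.hostname or "").lower()


def check_link(display_text: str, href: str, trusted=TRUSTED_LOGIN_DOMAINS) -> list:
    """Reasons not to click a link; an empty list means nothing was flagged.

    display_text is what the message shows; href is where the link really goes."""
    reasons = []
    real = host_of(href)
    # Only treat the visible text as a URL if it actually looks like one.
    looks_like_url = "." in display_text and " " not in display_text.strip()
    shown = host_of(display_text) if looks_like_url else ""
    if shown and registrable_domain(shown) != registrable_domain(real):
        reasons.append(f"link text shows {shown} but the link goes to {real}")
    if registrable_domain(real) not in trusted:
        # webmail.washpost.site88.net: the brand sits in a subdomain; the owner is site88.net.
        reasons.append(f"{real} belongs to {registrable_domain(real)}, not a trusted login domain")
    if urlsplit(href).scheme != "https":
        reasons.append("not https: a login page should never be plain http")
    return reasons


if __name__ == "__main__":
    for text, href in [
        ("Log in to Twitter", "https://twitter.com/login"),
        ("Washington Post webmail", "http://webmail.washpost.site88.net/"),
    ]:
        print(href, "->", check_link(text, href) or "nothing flagged")
```

The registrable-domain comparison is the point: `washpost` and `washingtonpost.com` appearing somewhere in the hostname means nothing; only the last two labels say who owns the page you are about to type a password into.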
-
10/40
-
11/40
-
12/40
-
13/40
AP Twitter hacked by phishing
-
14/40
AP phishing email
The link didn't really go to washingtonpost.com!
-
15/40
Read the URL before you click!
-
16/40
Washington Post hacked by phishing
Fake login page on webmail.washpost.site88.net
-
17/40
Syrian Facebook phishing attack
Arabic text reads:
"Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this."
-
18/40
Read the URL before you login!
-
19/40
Increasingly sophisticated phishing
Spear phishing = selected targets, personalized messages
-
20/40
But all is not lost, if you are alert
-
21/40
Defending against phishing
Be suspicious of generic emails
Read the URL before you click
Always read the URL before typing in a password
Report suspicious links to your security people
-
22/40
Malware
If someone can run a program on your computer, all is lost. E.g. they can get all your passwords with a keystroke logger.
Some types can be installed just by visiting a page.
Keep your software up to date.
Don't run random programs downloaded from the net.
Be suspicious when software asks for your admin password.
Protecting against a determined attacker is very hard. In such cases, consider an air gap: a computer not on the network.
-
23/40
Secure storage
We're assuming you have some "data" you want to protect. Documents, notes, photos, interviews, video...
1. How many copies are there?
2. Could they get a copy?
3. If they had a copy, could they read it?
-
24/40
Laptop falls into Syrian govt hands, sources forced to flee
-
25/40
How many copies?
The original file might be on your phone, camera SD card, etc.
You probably copied it to your laptop.
Have you ever given it to anyone else?
What about backups of your computer or other devices?
Consider secure erase products to keep the number of copies down.
-
26/40
Could they get a copy?
I can always steal your laptop.
...or your camera equipment could be seized at customs. Or your office could be broken into. Or someone could wait until you go to lunch and then use your computer.
-
27/40
If they had a copy, could they read it?
Encrypt that shiznit! Easiest and most reliable method: whole disk encryption.
TrueCrypt is open-source and widely used... security audit pending.
MacOS FileVault is ok, but don't let it give your password to Apple!
Remember to encrypt all copies. Memory cards and thumb drives too!
-
28/40
The mud-puddle security test
How to tell if a secure storage product really is secure:
Imagine you slip on a muddy puddle, fall and crack your head against the pavement, and permanently lose all memory of your passwords.
You call the vendor, explain the situation, verify your identity, and ask them to help you recover your information.
If they can help you get your data back, it's not secure.
-
29/40
The point of the mud-puddle test
"trust" is not a substitute for "security"
Well-designed security means trusting as few people as possible.
-
30/40
Secure communication
Two things you might want:
Privacy: get a file from A to B, without C reading it too.
Anonymity: get a file from A to B, without C discovering who A is.
Not the same thing at all. Anonymity is much harder than privacy.
-
31/40
AP source busted through phone logs
-
32/40
Data trails
When you use an electronic device, what data is created?
Who has access to this data?
When you communicate electronically, where do the bits physically go?
Who can intercept them?
-
33/40
Phones are tracking devices
-
34/40
[Diagram: the path of an email from FOO to BAR (...@bar.org), passing through mail servers (M), FOO's ISP, a telco, and BAR's ISP]
Dozens of organizations must process your email in plain text. Many of them store it. There's the possibility of unauthorized access at any point. Also subject to warrants and subpoenas.
Email is totally insecure!
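The data-trail questions on the previous slides (where do the bits go, who can see them) and the privacy/anonymity distinction can both be read straight off a mail header. The following is an added example, not code or a message from the talk: a constructed email whose body is PGP-encrypted is parsed with Python's standard `email` module, the `Received:` lines are turned into the list of hops it physically took, and the metadata visible to every one of those hops is collected. All hostnames, addresses and times in the message are constructed.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed raw message: the body is PGP-encrypted, but every relay prepended a
# Received: line, and the envelope headers are plaintext the whole way.
RAW_MESSAGE = """\
Received: from mx2.bar.org (mx2.bar.org [198.51.100.7])
\tby imap.bar.org; Tue, 15 Oct 2013 14:03:11 +0000
Received: from relay.telco.example (relay.telco.example [203.0.113.9])
\tby mx2.bar.org; Tue, 15 Oct 2013 14:03:05 +0000
Received: from smtp.foo.org (smtp.foo.org [192.0.2.25])
\tby relay.telco.example; Tue, 15 Oct 2013 14:02:58 +0000
From: reporter@foo.org
To: source@bar.org
Subject: re: the documents
Date: Tue, 15 Oct 2013 14:02:50 +0000
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
hQEMA3x6constructed+ciphertext+goes+here=
-----END PGP MESSAGE-----
"""

# "from <host> ... by <host>; <date>" is the common shape of a Received: header.
HOP_RE = re.compile(r"from\s+(?P<src>[^\s;]+).*?\bby\s+(?P<dst>[^\s;]+)\s*;\s*(?P<date>.+)$")


def message_path(raw: str) -> list:
    """Relay hops oldest first, as (sending host, receiving host, time received)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append((m["src"], m["dst"], parsedate_to_datetime(m["date"])))
    # Each relay prepends its line, so the first Received: is the newest hop.
    return list(reversed(hops))


def what_a_relay_sees(raw: str) -> dict:
    """The metadata every hop (and anyone with a subpoena for its logs) can read,
    plus whether the body itself is readable."""
    msg = email.message_from_string(raw)
    body = msg.get_payload()
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "sent": msg["Date"],
        "relays": [dst for _, dst, _ in message_path(raw)],
        "body_readable": "BEGIN PGP MESSAGE" not in body,
    }


if __name__ == "__main__":
    for src, dst, when in message_path(RAW_MESSAGE):
        print(f"{when:%H:%M:%S}  {src:24} -> {dst}")
    print(what_a_relay_sees(RAW_MESSAGE))
```

PGP gives this message privacy: no relay can read the body. It gives it no anonymity: every relay, and whoever subpoenas the relay's logs, still learns that reporter@foo.org wrote to source@bar.org about "the documents" at 14:02, which is exactly the kind of record that exposed the AP's source.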
-
35/40
Secure communication
Secure email can be done with PGP, but it is not very user friendly.
Secure chat is easier.
cryptocat.org Chrome plugin. Very easy to use, but still relatively immature.
OTR ("off the record") instant messaging. Plugin for popular IM clients. Mature, vetted, professional strength.
-
36/40
For sensitive stories, have a plan
Security doesn't just happen. It requires careful planning and meticulous habits.
What you have learned in this session is not enough!
To learn how to make a security plan, come to the threat modeling session.
-
37/40
Threat modeling
What do I want to keep private?
(Messages, locations, identities, networks...)
Who wants to know?
(story subject, governments, law enforcement, corporations...)
What can they do?
(eavesdrop, subpoena... or exploit security lapses and accidents)
What happens if they succeed?
(story's blown, legal problems for a source, someone gets killed...)
-
38/40
In short
Use real passwords
Understand and be alert for phishing
Keep your software up to date
Know where your data is and where it goes
For sensitive stories, have a plan
-
39/40
If you only learn one thing from this talk, make it phishing
Don't click on suspicious links.
This is everyone's responsibility.
That means you, even if you never work
on sensitive stories.
This alone might foil 90% of attacks.
-
40/40
Resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php
Jen Valentino's Encryption and Operational Security for Journalists, Hacks/Hackers presentation
https://gist.github.com/vaguity/6594731
http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all
Threat modeling exercise
http://jmsc.hku.hk/courses/jmsc6041spring2013/2013/02/08/assignment-6-threat-modeling-and-security-planning/