
PRACTICAL DIGITAL SECURITY FOR JOURNALISTS

or, what everyone in the newsroom should know
Jonathan Stray
Columbia Journalism School
ONA 2013

Journalism Security Disasters


Hacked accounts and sites
AP
Washington Post
New York Times
...

Sources exposed
Vice reveals John McAfee's location
AP phone records subpoena
Filmmaker's laptop seized in Syria
...

Data leaked
Wikileaks cables archive was not meant to be public ...

What are we protecting?


There are basically two things we want to protect: information and computers.

Information not protected
someone reads your secret email
source identity exposed
story draft leaked

Computer not protected
someone erases your hard drive
Twitter account hacked
site down

Different kinds of attacks


Technical
insecure communications
revealing metadata
"classic" hacking

Legal
your data vs. a subpoena

Physical
reporter detained
laptop stolen

Social
maybe you shouldn't have told them that
inside jobs

Today's topics
Stuff everyone needs to know. Especially things that might compromise your colleagues!
Passwords
Phishing
Malware
Secure storage
Secure communication

and... Threat modeling intro

Passwords
1. Don't use a common password. Avoid words in the dictionary.
2. Consider passphrases, and password management tools like OnePass.
3. If you use the same password for multiple sites, your password is only as strong as the security on the weakest site.

LinkedIn from June 2012 breach

Gawker from Dec 2010 breach

Phishing
By far the most common attack against journalists (or maybe anyone). Relies on getting the user to visit a site under false premises. Typically directs users to a fake login page to trick them into entering passwords. But: more sophisticated attacks exist that work just by viewing a page.
Protection: beware suspicious links! Especially those that take you to a login page! Read the URL before clicking a link from a message. Always read the URL before typing a password.

AP Twitter hacked by phishing

AP phishing email

The link didn't really go to washingtonpost.com!

Read the URL before you click!

Washington Post hacked by phishing

Fake login page on webmail.washpost.site88.net

Syrian Facebook phishing attack


Arabic text reads: "Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this."

Read the URL before you login!

Increasingly sophisticated phishing

Spear phishing = selected targets, personalized messages

But all is not lost, if you are alert

Defending against phishing


Be suspicious of generic emails
Read the URL before you click
Always read the URL before typing in a password
Report suspicious links to your security people
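
Added example (not part of the original slides): "read the URL" as a mechanical check a newsroom mail filter could run, comparing where each link really goes with what its text shows. The TRUSTED list, the function names and the sample message are assumptions made for illustration; only the site88.net hostname comes from the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains this newsroom really logs in to (illustrative list).
TRUSTED = {"washingtonpost.com", "washpost.com", "twitter.com"}

def host_of(url):
    """Return the lowercase hostname the browser would actually contact."""
    url = url if "://" in url else "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host, trusted=TRUSTED):
    """True only if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkAudit(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Return (href_host, reasons) for every link that deserves suspicion."""
    parser = LinkAudit()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host, reasons = host_of(href), []
        if not is_trusted(host):
            reasons.append("destination is not a trusted domain")
        # Only treat the visible text as a URL if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else ""
        if "." in shown and shown != host:
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        if reasons:
            findings.append((host, reasons))
    return findings

# Constructed sample message; only the site88.net hostname is from the slides.
SAMPLE = ('<a href="http://webmail.washpost.site88.net/login">'
          'www.washingtonpost.com/blogs/worldviews</a> <a href="https://www.washingtonpost.com/">our site</a>')
```

The hostname is matched from the right-hand end, which is why a familiar name on the left ("webmail.washpost.") earns no trust when the domain that owns the page is site88.net.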

Malware
If someone can run a program on your computer, all is lost. E.g. they can get all your passwords with a keystroke logger.
Some types can be installed just by visiting a page.
Keep your software up to date.
Don't run random programs downloaded from the net.
Be suspicious when software asks for your admin password.
Protecting against a determined attacker is very hard. In such cases, consider an air gap: a computer not on the network.

Secure storage
We're assuming you have some "data" you want to protect. Documents, notes, photos, interviews, video...
1. How many copies are there?
2. Could they get a copy?
3. If they had a copy, could they read it?

Laptop falls into Syrian govt hands, sources forced to flee

How many copies?


The original file might be on your phone, camera SD card, etc.
You probably copied it to your laptop.
Have you ever given it to anyone else?
What about backups of your computer or other devices?
Consider secure erase products to keep the number of copies down.

Could they get a copy?


I can always steal your laptop. ...or your camera equipment could be seized at customs. Or your office could be broken into. Or someone could wait until you go to lunch and then use your computer.

If they had a copy, could they read it?


Encrypt that shiznit!
Easiest and most reliable method: whole disk encryption.
TrueCrypt is open-source and widely used... security audit pending.
MacOS FileVault is ok, but don't let it give your password to Apple!
Remember to encrypt all copies. Memory cards and thumb drives too!

The mud-puddle security test


How to tell if a secure storage product really is secure: Imagine you slip on a muddy puddle, fall and crack your head against the pavement, and permanently lose all memory of your passwords. You call the vendor, explain the situation, verify your identity, and ask them to help you recover your information. If they can help you get your data back, it's not secure.

The point of the mud-puddle test

"Trust" is not a substitute for "security".
Well-designed security means trusting as few people as possible.

Secure communication
Two things you might want:
Privacy: get a file from A to B, without C reading it too.
Anonymity: get a file from A to B, without C discovering who A is.
Not the same thing at all. Anonymity is much harder than privacy.

AP source busted through phone logs


Data trails
When you use an electronic device, what data is created? Who has access to this data? When you communicate electronically, where do the bits physically go? Who can intercept them?

Phones are tracking devices

Email is totally insecure!


[Diagram: a message M from Alice@foo.com to Bob@bar.org, passing through ISP, FOO, Telco, BAR and ISP]

Dozens of organizations must process your email in plain text. Many of them store it. There's the possibility of unauthorized access at any point. Also subject to warrants and subpoenas.

Secure communication
Secure email can be done with PGP, but it is not very user friendly.
Secure chat is easier.
cryptocat.org: Chrome plugin. Very easy to use, but still relatively immature.
OTR ("off the record") instant messaging: plugin for popular IM clients. Mature, vetted, professional strength.

For sensitive stories, have a plan


Security doesn't just happen. It requires careful planning and meticulous habits. What you have learned in this session is not enough! To learn how to make a security plan, come to the threat modeling session.

Threat modeling
What do I want to keep private? (Messages, locations, identities, networks...)
Who wants to know? (story subject, governments, law enforcement, corporations...)
What can they do? (eavesdrop, subpoena... or exploit security lapses and accidents)
What happens if they succeed? (story's blown, legal problems for a source, someone gets killed...)

In short
Use real passwords
Understand and be alert for phishing
Keep your software up to date
Know where your data is and where it goes
For sensitive stories, have a plan

If you only learn one thing from this talk, make it phishing
Don't click on suspicious links. This is everyone's responsibility. That means you, even if you never work on sensitive stories. This alone might foil 90% of attacks.

Resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Jen Valentino's Encryption and Operational Security for Journalists Hacks/Hackers presentation
https://gist.github.com/vaguity/6594731
http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all

Threat modeling exercise


http://jmsc.hku.hk/courses/jmsc6041spring2013/2013/02/08/assignment-6-threatmodeling-and-security-planning/
