Jonathan Stray NICAR 2014
Laptop falls into Syrian govt. hands, sources forced to flee
Journalism Security Disasters
• Hacked accounts and sites
  • AP
  • The Washington Post
  • The New York Times
  • Etc.
• Sources exposed
  • Vice reveals John McAfee’s location
  • AP phone records subpoena
  • Filmmaker’s laptop seized in Syria
What Are We Protecting?
• Commitments to sources
• Physical safety
• Legal concerns
• Our ability to operate
• Our reputation
Three Important Messages
• Journalism is a high-risk profession
• Even if you’re not working on a sensitive story, you are a target
• For sensitive stories, you need a plan
WHAT EVERYONE IN THE NEWSROOM NEEDS TO KNOW
LinkedIn from June 2012 breach
Gawker from Dec 2010 breach
• Something you know, plus something you have
• Don’t use a common password
• Avoid words in the dictionary
• Use two-factor authentication
• Consider password management tools like 1Password
• By far the most common attack against journalists (or
  • Relies on getting the user to visit a site under false premises
• Typically directs users to a fake login page to trick them into entering passwords
  • But more sophisticated attacks exist that work when users just view
AP Twitter Hacked by Phishing
AP Phishing Email
The link didn’t really go to washingtonpost.com!
Read the URL Before You Click!
• Becoming increasingly sophisticated
• Spear phishing = selected targets, personalized messages
All Is Not Lost — If You Are Alert
Defending Against Phishing
• Be suspicious of generic messages
• Read the URL before you click
• Always read the URL before typing in a password
• Report suspicious links to IT security
THREAT MODELING FOR YOUR STORY
• What do I want to keep private?
  • Messages, locations, identities, networks, etc.
• Who wants to know?
  • Story subject, governments, law enforcement,
• What can they do?
  • Eavesdrop, subpoena, exploit security lapses and
• What happens if they succeed?
  • Story's blown, legal problems for a source, someone
What Must Be Private?
• Which data?
  • Emails and other communications
  • Photos, footage, notes
  • Your address book, travel itineraries, etc.
• Privacy vs. anonymity
  • Encryption protects content of an email or IM
  • Not the identity of sender and recipient
Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.
Photos, PDFs, documents all have hidden info in the file
Who Wants to Know?
• Most of the time, the NSA is not the problem
• Your adversary could be a government, the subject of a story, another news organization, etc.
Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.
What Can the Adversary Do?
• Technical
  • Hacking, intercepting communications, code-breaking
• Legal
  • Lawsuits, subpoenas, detention
• Social
  • Phishing, “social engineering,” exploiting trust
• Operational
  • The one time you didn’t use a secure channel
  • Person you shouldn’t have told
• Physical
  • Theft, installation of malware, network taps, torture
Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.
What Are You Risking?
• Security is never free
  • It costs time, money, and convenience
• “How much” security do you need?
  • It depends on the risk
• Blown story
• Arrested source
• Dead source
Threat Modeling Scenario #4
You are working in Europe, assisting a Chinese human rights activist. The activist is working inside China with other activists, but so far the Chinese government does not know he/she is an activist — and the activist would like to keep it this way.
DIGITAL SECURITY TOOLS
Data at Rest / Data in Motion
• We’re assuming you have some “data” you want to protect
  • Documents, notes, photos, interviews, video, etc.
• But also: stored passwords, information about your colleagues, ability to impersonate you (e.g., fake emails)
Laptop falls into Syrian govt. hands, sources forced to flee
Securing Data at Rest
• How many copies are there?
  • The original file might be on your phone, camera SD card, etc.
  • What about backups and cloud syncing?
  • Use secure erase products
• Could "they" get a copy?
  • Steal your laptop
  • Walk into your office at lunch
  • Take your camera at the border
• If they had a copy, could they read it?
  • Encrypt your whole disk!
  • Use TrueCrypt (Windows), FileVault (Mac), LUKS (Linux)
Securing Data in Motion
• Tools you should know
  • PGP — Secure email
  • OTR — Off-the-record messaging protocol
  • CryptoCat — Easy OTR through your browser
  • Tor — Anonymity
  • SecureDrop — Anonymous submission
• Not an app
  • A protocol for encrypted communication, supported by several apps.
• Does not hide your identity!
• Many chat programs can speak OTR
• Confusing and important
  • Google Chat’s “off the record” option does not use OTR
  • Google can read your messages
Starting OTR in Pidgin
Starting OTR in Adium
Crypto.cat — Easy OTR
Am I Really Talking to You?
• “Man-in-the-middle” pretends to be someone else
• Contact your source over a different channel; verify he/she sees the same fingerprint you see
Encryption vs. Anonymity
Encrypted message is like a sealed envelope. Anyone can still read the address (metadata)
Tor Browser Bundle
• Your phone
  • Is a location tracking device
  • Contains all your contacts
  • Is used for every form of communication
  • Stores a lot of information
Tell-All Telephone (zeit.de)
The Guardian Project
• Commercial service
• Secure mobile calls, video, texts
• Can hand prepaid cards to sources
• In the U.S., the Privacy Protection Act prevents police from seizing journalists’ data without a warrant
  • If the data is on your premises
  • If it’s in the cloud, no protection!
Committee to Protect Journalists information security guide
Jen Valentino’s Encryption and Operational Security for Journalists Hacks/Hackers presentation
Threat modeling exercise