
Digital Security for Journalists


Arturo Filastò

July 17, 2014


Transcript

  1. Password hygiene
     • It’s important to use strong passwords and to change them regularly.
     • Use a password manager to store your passwords and have a different one for every account.
     • If too lazy, at least have a different password for your email.
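An added example, not part of the deck, of the two points above in code: generating a password with a cryptographically secure source (Python's `secrets`, not `random`), estimating its strength in bits, and checking a vault for the reuse the slide warns about. The vault contents are constructed sample values, not real credentials.

```python
import math
import secrets
import string

# Character set for generated passwords: letters, digits and a few symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    20 characters over this 76-symbol alphabet is roughly 125 bits."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one account to those accounts."""
    by_password: dict = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def email_shares_password(vault: dict, email_account: str) -> bool:
    """True if the email account's password is also used on another account
    (the one reuse the slide says to avoid even if you avoid nothing else)."""
    pw = vault[email_account]
    return any(a != email_account and p == pw for a, p in vault.items())


# Constructed sample vault (account -> password); the first two reuse a password.
SAMPLE_VAULT = {
    "email": "correct-horse-battery",
    "bank": "correct-horse-battery",
    "twitter": "Xk9!pQ2-zR7^mW4&",
}

if __name__ == "__main__":
    print("new password:", generate_password(), f"(~{entropy_bits(20):.0f} bits)")
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    print("email password shared:", email_shares_password(SAMPLE_VAULT, "email"))
```

The entropy estimate only holds for passwords produced by the generator; a human-chosen string of the same length is far weaker than the formula suggests, which is the reason to let the manager choose.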
  2. Spear phishing
     • Like phishing, but the attacker will also include in the message personal details about you.
     • Generally more credible and harder to spot.
  3. Prevention
     • Verify that the link you see in an email points to what it says.
     • If the email looks suspicious, avoid clicking on the link in your regular browser.
     • Report suspicious activity to IT security.
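The first prevention point, "verify that the link points to what it says", can be automated for HTML mail. The following is an added example, not from the deck: it parses an HTML body with the standard library, and flags every anchor whose visible text looks like a URL or domain but whose `href` actually goes to a different host. The sample message and all host names in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A visible link text "counts" as a URL only if its host looks like a domain.
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value: str):
    """Lowercase hostname of a URL or bare domain, or None (e.g. relative hrefs)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def looks_like_url(text: str) -> bool:
    host = host_of(text)
    return host is not None and DOMAIN_RE.match(host) is not None


def suspicious_links(html: str) -> list:
    """Return (text, href) pairs where the displayed host differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if not looks_like_url(text):
            continue  # "click here" style text carries no host to compare
        actual = host_of(href)
        if actual is not None and host_of(text) != actual:
            findings.append((text, href))
    return findings


# Constructed sample email body; only the first link lies about its destination.
SAMPLE_EMAIL = """
<p>Dear reporter, please confirm your account:</p>
<a href="http://login.not-the-bank.invalid/reset">https://www.mybank.example/login</a>
<p>Or visit <a href="https://www.mybank.example/help">our help page</a>.</p>
<p>Tips: <a href="https://docs.example.org/guide">docs.example.org</a></p>
"""

if __name__ == "__main__":
    for shown, real in suspicious_links(SAMPLE_EMAIL):
        print(f"displayed {shown!r} but points to {real!r}")
```

The check is deliberately strict about what counts as a visible URL, so ordinary link text such as "our help page" is skipped rather than reported; it compares whole hostnames, so a mail that shows `mybank.example` while linking to `www.mybank.example` would also be reported and is worth a look rather than an automatic dismissal.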
  4. Threat modelling
     • Assets. What do I have to keep private?
     • Adversary. Who wants to know this information?
     • Capabilities. What can they do?
     • Impact. What are the consequences of being compromised?
  5. Assets
     • What are the types of information? Who I spoke to. What we said. Where I was.
     • Where is this data stored? On my machine. In the cloud. By the local phone operator.
  6. Capabilities
     • Technical: hacking, communications interception, code breaking
     • Legal: lawsuits, subpoenas, detention
     • Social: phishing, social engineering, exploiting trust
     • Operational: not using a secure communications channel; telling a person you should not have told
     • Physical: theft, installation of malware, network taps, torture
  7. Impact
     • What are the consequences?
     • The source is compromised.
     • The story is blown.
     • Somebody gets killed.
     • Analyse the security/convenience tradeoff: how much security do you really need?
  8. Computer of journalist confiscated by Syrian government
     In October 2011, British journalist and filmmaker Sean McAllister was arrested by Syrian security agents. They seized his laptop, cell phone, camera, and the footage for his documentary, including images and contact information that could be used to identify the activists he interviewed. Some of them, as a result, had to flee the country.
  9. Tools
     • If it’s not Open Source it should not be trusted.
     • Other bad signs: no document explaining the threat model of the application; claims to be “military grade”.
  10. Data at rest vs Data in motion
     • Data in motion is a means of communicating with other people or network devices.
     • Data at rest is a way to communicate with yourself over time.
  11. Data at rest
     • File encryption: TrueCrypt, PGP
     • Full disk encryption: LUKS (Linux), FileVault (Mac OS X), BitLocker (Windows 8)
  12. Data in motion
     • Communications: OTR, PGP, Tor
     • Specific applications: GlobaLeaks, TAILS
  13. OTR
     • Off-the-Record protocol.
     • Can be found inside tools such as Adium and Pidgin.
     • Provides perfect forward secrecy.
  14. PGP
     • Protects the content of email communications.
     • Allows you to verify that a certain email has been written by a certain person.
     • Does not provide perfect forward secrecy.
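Slides 13 and 14 contrast OTR (perfect forward secrecy) with PGP (no forward secrecy). The following added example, which is not from the deck and is not how either real protocol is implemented in detail, models the difference in Python: a PGP-style record wraps the session key to the recipient's long-term key, so whoever later obtains that key can decrypt the archive; an OTR-style record derives the session key from ephemeral Diffie-Hellman values that are discarded after use, so the archived ciphertext stays opaque even to the long-term key holder. The DH group (the Mersenne prime 2^127 - 1, generator 3) and the XOR stream cipher are toys chosen for readability; real OTR uses a standard 1536-bit MODP group and a real cipher.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, for readability only (assumption, not OTR's group).
P = 2**127 - 1
G = 3


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key from the given byte strings (SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.
    Encryption and decryption are the same operation."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def pgp_style_message(recipient_secret: int, plaintext: bytes) -> dict:
    """PGP-like: a fresh session key is wrapped to the recipient's long-term key.
    The wrap is modelled as XOR with a key derived from that long-term secret."""
    session_key = secrets.token_bytes(32)
    wrap_key = kdf(b"wrap", recipient_secret.to_bytes(32, "big"))
    return {
        "scheme": "pgp",
        "wrapped_key": xor_encrypt(wrap_key, session_key),
        "ciphertext": xor_encrypt(session_key, plaintext),
    }


def otr_style_message(plaintext: bytes):
    """OTR-like: both sides use ephemeral DH secrets; the long-term key only
    signs the exchange (omitted here) and never protects the session key.
    Returns (record, alice_ephemeral); a real client discards the ephemeral."""
    a = secrets.randbelow(P - 2) + 1      # Alice's ephemeral secret
    b = secrets.randbelow(P - 2) + 1      # Bob's ephemeral secret
    A, B = pow(G, a, P), pow(G, b, P)     # public values sent on the wire
    shared = pow(B, a, P)                 # == pow(A, b, P)
    session_key = kdf(b"otr", shared.to_bytes(16, "big"))
    record = {"scheme": "otr", "A": A, "B": B,
              "ciphertext": xor_encrypt(session_key, plaintext)}
    return record, a


def decrypt_otr_with_ephemeral(record: dict, a: int) -> bytes:
    """Decryption is possible only while the ephemeral secret still exists."""
    shared = pow(record["B"], a, P)
    return xor_encrypt(kdf(b"otr", shared.to_bytes(16, "big")), record["ciphertext"])


def recover_with_long_term_key(record: dict, long_term_secret: int):
    """What an adversary who later obtains the long-term secret can read from
    an archived record: everything for PGP-style, nothing for OTR-style."""
    if record["scheme"] == "pgp":
        wrap_key = kdf(b"wrap", long_term_secret.to_bytes(32, "big"))
        session_key = xor_encrypt(wrap_key, record["wrapped_key"])
        return xor_encrypt(session_key, record["ciphertext"])
    # OTR: the record holds only A, B and ciphertext; without a or b there is
    # no path from the long-term key to the session key.
    return None


if __name__ == "__main__":
    long_term = secrets.randbelow(2**255)
    msg = b"meet the source at the usual place"
    print("pgp archive read with stolen key:",
          recover_with_long_term_key(pgp_style_message(long_term, msg), long_term))
    otr_record, ephemeral = otr_style_message(msg)
    del ephemeral  # what a real client does after the session
    print("otr archive read with stolen key:",
          recover_with_long_term_key(otr_record, long_term))
```

The point the slides make is visible in the data structures rather than in the arithmetic: the PGP record physically contains the session key under the long-term key, so its security lifetime equals that key's; the OTR record contains nothing derived from the long-term key at all.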
  15. Tor
  16. TAILS
     • A live distribution that comes with all the above-mentioned tools.
     • Transparently Torifies all your internet connections.
     • By default, when you remove the USB drive, all traces of what you did are destroyed.
     • Can be configured to also make data persistent.
  17. Mobile security
     • It’s a nightmare.
     • Remember your location is being tracked.
     • If you have to meet an important source, leave your phone at home.
     • Switching off a phone can give out information.