
Digital Security for Journalists

Arturo Filastò

July 17, 2014


  1. Digital Security for Journalists

  2. Agenda
     • Security 101
     • Threat modelling
     • Real-world cases of security failures
     • Tools

  3. Security 101

  4. Most common attack vectors • Weak passwords • Phishing/Spear phishing

  5. Password hygiene
     • It is important to use strong passwords and to change them regularly.
     • Use a password manager to store your passwords and have a different one for every account.
     • If you are too lazy for that, at least use a different password for your email.

  6. Phishing (example screenshot: the link shown does not point to Facebook)

  7. Spear phishing
     • Like phishing, but the attacker also includes personal details about you in the message.
     • Generally more credible and harder to spot.

  8. Prevention
     • Verify that the link you see in an email actually points to where it says it does.
     • If the email looks suspicious, avoid clicking on the link in your regular browser.
     • Report suspicious activity to IT security.

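
The first point on slide 8 can be automated. The Python below is an added illustration, not part of the original deck: it parses an HTML email, extracts every link, and whenever the visible link text itself names a site (the trick in the Facebook screenshot), compares that site with the host the href really points to. The sample email is constructed for the demo, and `registrable()` is a deliberate simplification (last two labels of the hostname) standing in for a Public Suffix List lookup.

```python
"""Flag links whose visible text names a different site than the real href.
Added example for the 'verify the link' advice; not code from the slides."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a dotted hostname inside free text, e.g. "www.facebook.com" in
# "https://www.facebook.com/settings".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)

# Constructed sample: a phishing mail with a spoofed link, one honest link,
# and a link using the user@host trick (browser goes to evil.example).
SAMPLE_EMAIL = """<p>Someone tried to log in to your account.</p>
<p>Review it at <a href="http://facebook.com.account-verify.example/login">https://www.facebook.com/settings</a></p>
<p>Or <a href="https://www.facebook.com/help">visit the help centre</a>.</p>
<p>Update your billing at <a href="http://paypal.com@evil.example/">paypal.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'site' of a hostname: its last two labels (facebook.com).
    Assumption for the demo; a real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html):
    """Return links whose visible text names a site other than the href's site.
    Links whose text is plain words ('click here') carry nothing to compare."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""   # hostname, not the userinfo part
        shown = HOST_RE.search(text)
        if not shown:
            continue
        if registrable(shown.group(1)) != registrable(real_host):
            findings.append({"shown": shown.group(1), "real": real_host, "text": text})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"'{f['text']}' actually goes to {f['real']}")
```

Links whose text is only words ("visit the help centre") are not flagged, because there is nothing to compare; those are exactly the links the slide tells you to inspect by hand (hover, or copy the address) before clicking.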
  9. Threat modelling
     • Assets. What do I have to keep private?
     • Adversary. Who wants to know this information?
     • Capabilities. What can they do?
     • Impact. What are the consequences of being compromised?

  10. Assets
     • What are the types of information? Who I spoke to. What we said. Where I was.
     • Where is this data stored? On my machine. In the cloud. By the local phone operator.

  11. Adversary
     • Government, private company, etc.
     • Different adversaries will have different capabilities and resources.

  12. Capabilities
     • Technical: hacking, communications interception, code breaking
     • Legal: lawsuits, subpoenas, detention
     • Social: phishing, social engineering, exploiting trust
     • Operational: not using a secure communications channel; telling a person you should not have told
     • Physical: theft, installation of malware, network taps, torture

  13. Impact
     • What are the consequences?
     • The source is compromised.
     • The story is blown.
     • Somebody gets killed.
     • Analyse the security/convenience trade-off: how much security do you really need?

  14. Journalist security epic fails

  15. Vice leaked the location of John McAfee (GPS coordinates left in the EXIF metadata of a published photo)

  16. AP Twitter hack (2013: a spear-phishing email gave attackers control of the AP account, which then posted a false report of explosions at the White House)

  17. Computer of journalist confiscated by the Syrian government
     In October 2011, British journalist and filmmaker Sean McAllister was arrested by Syrian security agents. They seized his laptop, cell phone, camera, and the footage for his documentary, including images and contact information that could be used to identify the activists he interviewed. Some of them, as a result, had to flee the country.

  18. Tools
     • If it is not open source, it should not be trusted.
     • Other bad signs: no document explaining the threat model of the application; claims of being "military grade".

  19. Data at rest vs data in motion
     • Data in motion is a means of communicating with other people or network devices.
     • Data at rest is a way of communicating with yourself over time.

  20. Data at rest
     • File encryption: TrueCrypt, PGP
     • Full disk encryption: LUKS (Linux), FileVault (Mac OS X), BitLocker (Windows 8)

  21. Data in motion
     • Communications: OTR, PGP, Tor
     • Specific applications: GlobaLeaks, TAILS

  22. OTR
     • Off-the-Record Messaging protocol.
     • Built into instant-messaging clients such as Adium and Pidgin.
     • Provides perfect forward secrecy: each conversation uses fresh keys, so a key seized later does not unlock recorded past conversations.

  23. PGP
     • Protects the content of email communications.
     • Allows you to verify that a certain email was written by a certain person.
     • Does not provide perfect forward secrecy: everything ever encrypted to a key can be read by whoever later obtains that key.

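
Slides 22 and 23 contrast OTR (forward secrecy) with PGP (none). The Python below is an added toy model, not code from either project, that shows what the difference means once a long-term private key is seized, as in the Sean McAllister case. It uses a small Diffie-Hellman group (`P = 2**127 - 1`, `G = 3`) and a SHA-256 based stream cipher purely as stand-ins, both assumptions for the demo and not secure parameters. `static_encrypt`/`static_decrypt` model PGP-style encryption to a long-term key; `otr_session` models a per-conversation exchange of one-time keys that are discarded afterwards (OTR's signing of those values with long-term keys is left out).

```python
"""Toy model of forward secrecy: PGP-style static-key encryption versus
OTR-style ephemeral Diffie-Hellman. Added illustration, not code from either
project. Parameters are deliberately small and NOT secure."""
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption for the demo only). Real systems use a
# standard group such as an RFC 3526 MODP group or X25519.
P = 2**127 - 1   # a Mersenne prime, small enough to keep pow() fast
G = 3


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def kdf(shared, label):
    """Derive a 32-byte key from a shared group element (shared < P < 2**128)."""
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks. Demo only;
    a real implementation uses an authenticated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def static_encrypt(recipient_pub, msg):
    """PGP-style: the sender picks a fresh value, but the recipient's long-term
    private key alone is enough to decrypt. Returns (sender_pub, ciphertext)."""
    r, r_pub = keygen()
    key = kdf(pow(recipient_pub, r, P), b"static")
    return r_pub, stream_xor(key, msg)


def static_decrypt(recipient_priv, sender_pub, ct):
    """Decrypt with the long-term key, today or years later."""
    return stream_xor(kdf(pow(sender_pub, recipient_priv, P), b"static"), ct)


def otr_session(msg):
    """OTR-style: both sides use one-time keys for this conversation, derive a
    session key, encrypt, then discard the one-time private keys. (OTR also
    signs the one-time values with long-term keys; that is omitted here.)
    Returns only what an eavesdropper on the wire can record."""
    a_priv, a_pub = keygen()
    b_priv, b_pub = keygen()
    key = kdf(pow(b_pub, a_priv, P), b"otr")
    assert key == kdf(pow(a_pub, b_priv, P), b"otr")   # both sides agree
    ct = stream_xor(key, msg)
    del a_priv, b_priv, key   # real code also wipes this material from memory
    return a_pub, b_pub, ct


def compromise_demo(msg=b"meet the source at the cafe at 9"):
    """Record traffic now, seize the long-term key later, try to decrypt both."""
    bob_priv, bob_pub = keygen()          # Bob's long-term (PGP-style) key
    # 1. The eavesdropper records both conversations while they happen.
    recorded_static = static_encrypt(bob_pub, msg)
    recorded_otr = otr_session(msg)
    # 2. Later, Bob's laptop is seized and his long-term private key extracted.
    stolen = bob_priv
    pgp_plain = static_decrypt(stolen, *recorded_static)
    # 3. For the OTR session the stolen key is simply the wrong secret: the best
    #    the attacker can do is combine it with a recorded one-time public value.
    a_pub, b_pub, ct = recorded_otr
    otr_plain = stream_xor(kdf(pow(a_pub, stolen, P), b"otr"), ct)
    return {"pgp_style_recovered": pgp_plain == msg,
            "otr_style_recovered": otr_plain == msg}


if __name__ == "__main__":
    print(compromise_demo())
```

The point is not the strength of the toy group but which secrets still exist at seizure time: the PGP-style ciphertext is bound to a key that lives for years on the laptop, while the OTR session key was derived from values that no longer exist anywhere once the conversation ended.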
  24. Tor

  25. GlobaLeaks

  26. TAILS
     • A live distribution that comes with all the above-mentioned tools.
     • Transparently routes all of your internet connections through Tor.
     • By default, when you remove the USB drive, all traces of what you did are destroyed.
     • Can be configured to also keep data persistent.

  27. Mobile security
     • It is a nightmare.
     • Remember that your location is being tracked.
     • If you have to meet an important source, leave your phone at home.
     • Switching off a phone can itself give out information.

  28. Mobile applications
     • Guardian Project: Orbot, Gibberbot

  29. Questions?