Digital Security for Journalists

Transcript

1. Digital Security for Journalists

2. Agenda • Security 101 • Threat modelling • Real world

   cases of security failures • Tools

3. Security 101

4. Most common attack vectors • Weak passwords • Phishing/Spear phishing

   attacks

5. Password hygiene • It’s important to use strong password and

   to change them regularly. • Use a password manager to store your password and have a different one for every account. • If too lazy at least have a different password for your email.

6. Phishing Does not link to Facebook

7. Spear phishing • Like phishing, but the attacker will also

   include in the message personal details about you • Generally more credible and harder to spot.

8. Prevention • Verify that the link you see in an

   email points to what is says. • If the email looks suspicious avoid clicking on the link in your regular browser. • Report suspicious activity to IT security.

9. Threat modelling • Assets. 
 What do I have to

   keep private? • Adversary.
 Who wants to know this information? • Capabilities.
 What can they do?" • Impact.
 What are the consequences of being compromised?

10. Assets • What are the types of information? 
 Who

    I spoke to. What we said. Where I was. • Where is this data stored? On my machine. In the cloud. By the local phone operator.

11. Adversary • Government, private company, etc. • Different adversaries will

    have different capabilities and resources.

12. Capabilities • Technical • Hacking, communications interception, code breaking •

    Legal • Lawsuits, subpoenas, detention • Social • Phishing, social engineering, exploiting trust • Operational • Not using a secure communications channel. • Telling a person you should not have told. • Physical • Theft, installation of malware, network taps, torture

13. Impact • What are the consequences? • The sources is

    compromised. • The story is blown. • Somebody gets killed. • Analyse the security/convenience tradeoff • How much security do you really need?

14. Journalist security epic fails

15. Vice leaked location of McCafe

16. AP twitter hack

17. Computer of journalist confiscated by Syrian government In October 2011,

    British journalist and filmmaker Sean McAllister was arrested by Syrian security agents. They seized his laptop, cell phone, camera, and the footage for his documentary--including images and contact information that could be used to identify the activists he interviewed. Some of them, as a result, had to flee the country.

18. Tools • If it’s not Open Source it should not

    be trusted. • Other bad signs are: does not have a document explaining the threat model of the application, claiming to be “military grade”.

19. Data at rest vs Data in motion • Data in

    motion is a means of communicating with other people or network devices. • Data at rest is a way to communicate with yourself over time.

20. Data at rest • File Encryption • Truecrypt • PGP

    • Full disk encryption • LUKS (Linux) • FileValut (Mac OS X) • BitLocker (Windows 8)

21. Data in motion • Communications • OTR • PGP •

    Tor • Specific applications • GlobaLeaks • TAILS

22. OTR • Off the Record protocol. • Can be found

    inside of tools such as Adium and Pidgin. • Provides perfect forward secrecy

23. PGP • Protects the content of email communications. • Allows

    you to verify that a certain email has been written by a certain person. • Does not provide perfect forward secrecy.

24. Tor

25. GlobaLeaks

26. TAILS • Is a live distribution that comes with all

    the above mentioned tools. • Transparently Torifies all your internet connection. • By default, when you remove the USB drive, all traces of what you did is destroyed. • Can be configured to also make data persistent.

27. Mobile security • It’s a nightmare. • Remember your location

    is being tracked. • If you have to meet an important source, leave your phone at home. • Switching off a phone can give out information.

28. Mobile applications • Guardian project • ORBot • GibberBot •

    TextSecure

29. Questions?