Knowledge Bridge

Global Intelligence for the Digital Transition

//Kevin Anderson /August 23 / 2012

Common sense digital security for journalists

We’ve all seen the emails in our inbox purportedly from our bank, credit card company or favourite e-commerce site telling us that we need to reset our password or email our security details. These attacks, known as ‘phishing’ in security circles, are now so common that most people have learned to spot the warning signs, such as fake website addresses. Phishing attacks have been largely carried out by criminal groups looking to make a fast buck on the unwary. However, similar but much more sophisticated attacks are now being carried out by governments or groups trading in black-market information, and are targeting business executives, human rights campaigners and journalists.

The threat

Several high-profile attacks have targeted journalists in the past few years.

• In 2009 and again in 2011, Google revealed that hackers had been targeting journalists and their assistants in China, often gaining access to their Gmail accounts. These were not random attacks but targeted attempts to gain information from government officials, human rights campaigners, journalists and those who had worked with journalists.

• More recently, the Mamfakinch.com citizen media project in Morocco saw an attempt to infect its computers with  sophisticated spywareSpywareComputer software that is installed surreptitiously to intercept or take…//read more  normally used by governments and law-enforcement agencies. Staff received an email that claimed to have information about a political scandal but the document contained a “hidden file that was designed to download a Trojan that could secretly take screenshots, intercept e-mail, record Skype chats, and covertly capture data using a computer’s microphone and webcam, all while bypassing virus detection”, according to US news site Slate.

• Individual journalists are not the only targets and, as cyber-attacks become more common around major stories such as Syria, large news organisations are also facing attacks. Reuters recently saw its Twitter account compromised as well as its WordPress blogging platform twice hacked, resulting in the posting of false articles. A group calling itself the Syrian Electronic Army, which supports the government of Bashar al-Assad, has claimed responsibility for a number of similar attacks, but the BBC reports that it is unclear who was behind the attacks on Reuters.

These attacks are getting increasingly sophisticated, using malware designed to evade anti-virus applications. Instead of mass email campaigns used by criminals to con the unwary into handing over their bank details, these hackers are using ‘spear phishing’ techniques which target specific people using a range of psychological tricks to get you to clickClickA click can denote several different things. It can be a metric that…//read more  on infected attachments or links to infected sites which can download malware onto your computer without your knowledge.

It’s definitely time to sharpen your and your employees’ digital security skills, and not leave security to your IT department.

Securing your email

IJNet recently had an excellent article on how journalists can keep themselves safe online, based on a two-hour webinar by data privacy expert Robert Guerra.

After Google uncovered the attacks on Gmail users it has implemented a number of tools to help you keep your email safe. These include enabling secure connections between you and Google using SSL, or ‘secure socket layer’, the same technology you use when you connect to your bank or an e-commerce site. In most browsers, you’ll know if you’re using this secure connection by seeing the web address change from HTTPHTTP (Hyper-Text Transfer Protocol)The format most commonly used to transfer documents on the World Wide Web.//read more  to HTTPS. Many browsers also have a key or lock icon either in the address bar of your browserBrowserA software program that can request, download, cache and display documents…//read more  or in the lower right hand corner in the status bar. Beware websites which only show you a lock icon on the web pagePageA document having a specific URL and comprised of a set of associated files. A…//read more  itself, because that is no guarantee that they have implemented proper security measures.

Google has enabled HTTPS connections to Gmail by default and now also offers a two-step verification process that requires not only your password but also a verification code in order for you to access your email. That can either be sent to your mobile phone or, if you don’t have mobile phone access, they give you a list of codes to print out. You can also generate specific passwords for applications that use your Google user credentials but which are not set up to allow you to enter the verification code. The initial set-up can be time consuming, as can the constant re-authentication that you had to do every thirty days, but Google now allows you to set up trusted access on your personal computer so that, on that machine only, you don’t have to keep logging in. To set up two-step access, go to your Google Account settings and click on the Security link on the left side of the page. While you are there, you might also want to take a look at the Privacy settings, which allow you to control how you appear in search results and manage your personal data.

Securing your social media

Many of the major social media services have, like Google, also provided the option to secure their sites with HTTPS. In Twitter for instance, you’ll need to go to your account settings, accessible by clicking on the profile link in the upper right-hand corner, next to the search box. Then look for the option always use HTTPS and make sure that this box is ticked.

Facebook has a number of options to keep you and your news organisation secure. Go to your account settings and the options you need are the second group of security settings. To enable HTTPS, enable what Facebook calls Secure Browsing. Facebook can also alert you when a login attempt is made on a device that hasn’t been used before, under the option Login Notification, and also provides two-step authentication, which can be accessed under login approval. If you are using a public computer, you can also request a one-time password by sending a text message with “otp” to a short code in your country or the country where you’re travelling. A list of short-codes is available on Facebook.

Securing your browsing

As we saw in example of the citizen media project attacked in Morocco, security agencies or groups attacking journalists are also looking to collect a wide range of information. Spyware can collect your surfing habits, usernames and passwords, but in cyber-cafés and via public wi-fi hotspots, you can also be prone to surveillance. If you are using your own computer, you can install a secure browsing tool like “HTTPS Everywhere” which encrypts all of your web traffic, not just access to specific sites such as Gmail, Facebook or Twitter. As IJNet explains, this is only available for the Firefox and Chrome browsers.

Travelling journalists often find themselves using public wifi. If you’re using a Windows computer, make sure you choose the Public network option when connecting to public wifi, as that helps protect your computer. However, it is worth consider using a virtual private network, or VPN, via software such as HotSpot Shield to protect your connection.

Securing your mobile phone 

Journalists are increasingly using smartphones or mobile phones for their work. It’s important to have a lock-code on your device so that if it is lost or stolen, your contacts are still safe. For iOS devices such as iPhones and iPods, consider turning off the simple passcode, which is only a four-digit number, and enabling a longer password. The setting is under the General system settings, under passcode lock. You can also have the device erase all data if more than 10 failed attempts are made to access your device.

Android devices have a number of options to secure the phone. Many people prefer to use pattern unlock app, rather than a passcode or password, and PCWorld has this bit of sound advice when creating a pattern: “If you decide to go with the pattern unlock, create a complex one that crosses over itself, or someone might deduce your pattern from the repeated smudge marks on your screen.”

Taking security precautions can seem like a bit of a hassle, but it is nothing like the problems that can be caused if your security or the security of your organisation is compromised. Journalists are now the targets of increasingly sophisticated and directed attacks by governments, government-aligned groups and hackers-for-hire who do a brisk trade in secrets. Taking these precautions is the first step towards preventing more hassles later and they will help ensure that you, your colleagues and your sources stay safe.

Article by Kevin Anderson

Leave your comment