Advanced digital security for journalists
Digital security should be a concern for all journalists regardless of whether you’re working in print, broadcast or online because we all rely on email and other digital tools. We’ve already covered some of the basic digital security tips for journalists, but Stuart Thomas, a senior reporter for the South African tech and media site Memeburn, takes it to the next level with some more advanced ways to keep you and your sources safe from cyber-snooping from Nico Sell, the co-founder of the famous DEF CON hacking conference.
With cyber-security issues, it is worth sorting through common sense precautions for day-to-day security in the article and those precautions that you’ll only need in circumstances when you think your security is under threat, so I’ll break down Sell’s recommendations into what I think you will need to stay safe everyday and those techniques that you’ll need if you have heightened security concerns. At the end, security is all about assessing your risk and balancing the risks you’re willing to take with the efforts you will need to maintain your security. Safeguarding your security takes some effort, but it’s important not to wait until you fear for your safety to take precautions.
Common sense, everyday precautions
We’ll start by looking at the security precautions every journalist needs to worry about.
1. Keep an eye on your apps – One bit of everyday security that you’ll want to practice is to be very careful when downloading tablet or smartphone apps that want access to your contacts. Last year, one study of the Android platform in Germany found that of 13,500 apps, 8 percent did not protect bank accounts or social media logins. Security firm Bit9 went even further saying that 100,000 Android apps engaged in “suspicious” or “questionable” activity, such as tracking the location of a device, accessing contacts or even “harvesting the contents of e-mail messages”, according to a report in Bloomberg.
Of course, apps running on Google’s Android are not the only privacy and security threats. Last year, Twitter admitted that its “Find Friends” feature on its Apple iOS app stored users’ contacts on their servers.
It’s this kind of activity that you’ll want to watch out for. iOS 6, the newest version of the Apple mobile operating system allows you to set privacy settings for each application. Apps now require permission to access private data such as your location, contacts, calendar, reminders and photos. If that seems like a lot of work, fortunately there are some apps that will help you monitor the kind of information that your apps are able to access. Tech site Lifehacker recommends Ben the Bodyguard, a paid app, or the free Private Data app.
2. Beware of public wifi – In 2008 while I was on assignment covering the US elections, a thief was able to make $1,800 worth of purchases using my PayPal account, and I’m almost certain that the thieves stole my password while I was using a public hotspot. I expect it was a compromised router that might have had a security flaw introduced by its installers. The entire ordeal was a monumental hassle that took time and attention away from doing my job. Fortunately, PayPal provided excellent support in resolving the situation and also making sure it didn’t happen again.
In my case, it was just a run-of-the-mill thief, but similar techniques can be used by repressive states or hackers who deal in black market security information such as journalists’ details.
Sell recommends encrypting all of your instant messages and making sure that you’re connecting securely to important accounts such as email or bank accounts. I go one step further and use VPN – virtual private networking – when I’m connecting to wifi. I use Boingo mobile, which allows me to connect to 600,000 hotspots around the world, and when connecting to a hotspot, it gives me the option to use a VPN connection to add another layer of security.
3. If you’re not using it, turn it off – You don’t need to turn off your device, but do turn off things like Bluetooth, file sharing and even wifi, if you’re not using it. This s good not only for security, but it can also save power, which can be important if you won’t be able to charge your devices regularly.
4. Create a password strategy – I’m still shocked at the simple passwords that people use. The most common mistake is to use a word or a name as a password. The first thing that an attacker will do when trying to break into your computer or smartphone will be to try guess your password using dictionary attacks, checking your password against common words and names.
I personally use a simple formula of letters and three numbers. The last three numbers relate to letters in the web address of the site that I’m using. For instance, if I were to use M4th351 for the formula, then the last three letters of the password would be the third, fifth and first letters of the account. So, for a Google account it would be M4th351olg. However, on Yahoo, the password would be M4th351hoy. The passwords are different for each site, but I only have to remember the formula. I change the formula often, and I use a different formula for sites that need an extra level of security, such as banking sites, than passwords for media sites, where I’m not as concerned about my security.
Sell also reminds you not to use security questions, questions you are asked to provide for banking security or to recover your password, where the answers might be gained from social media sites. It’s really important not to post so much information on social media sites that an attacker can easily steal your identity.
Higher risk, higher security
Sell also had some other recommendations that you might not need every day, but if you are working in a high-risk area or have reason to believe someone is targeting you, you might want to consider these measures as well.
1. Learn about encryption – I personally think that it is worthwhile for all journalists to learn about encryption, how to digitally scramble your instant messages and your emails to make it impossible for others to read them. Email is only as secure as a postcard. Anyone intercepting your message can read it unless you encrypt it. However, from a practical standpoint, encryption still requires effort that both sender and receiver aren’t always willing to take.
If you suddenly find that you need encryption, it is better to know how to use it instead of having to move quickly to start using it. In the future, we’ll have a guide to encrypted communications. If you want to start researching now, I’d suggest reading up on PGP security for your email and also learning about mobile apps such as Silent Circle.
2. Beware of public USB charging stations – This is a suggestion from Sell, and while I think there is definitely a threat here, I’m just not sure how big it is. He’s right. Plugging your smartphone into a public USB charging station could open up your device to being read, and I can think of some places in the world where this would definitely be an easy way to steal your personal data, but I remain to be convinced that this is a widespread threat.
That being said, I would agree with Sell, for a number of reasons, that it’s a good idea to carry around a mobile charger. If you’re on assignment and your smartphone is running flat, it will keep you working longer.
I’m sure that many of you will have had to develop digital security strategies. What are some of the steps that you’ve taken to keep you and your sources safe?
Article by Kevin Anderson