Twenty-one of the world’s top 25 news organisations were subjected to attacks from state-sponsored hackers, Google research carried out earlier this year has revealed.
A hacker who has access to a user’s computer will also have access to contact details, evidence of a user’s habits, and personal information, thus potentially facilitating a physical attack.
If journalists are not suitably protected, “It is not only the information that is at risk,” Jorge Luis Sierra, director of the Knight International Journalism Fellowships Program told the World Editors Forum. “The digital risk is sometimes the first step in a plan to attack a journalist.”
Sierra is an award-winning investigative reporter who spent four years in Mexico mapping crime and developing digital tools to prevent attacks on journalists and bloggers. He recently hosted a WAN-IFRA Webinar on digital and mobile security in which we participated. We’ve curated lists of his cyber and mobile security tips and his recommended tools, backed up by independent review.
1. Create an easy to remember (but hard to crack) password
Creating passwords is the first and often most important step in establishing online security.
According to research recently published by Microsoft, internet users who are sick of memorising long lists of passwords should reuse weak passwords for websites that don’t possess important information. Instead, users should save their strong passwords for sites holding sensitive information.
But what is a strong password and how can users remember it? Websites like StrongPasswordGenerator can be helpful in building passwords that tick the boxes as far as numbers, upper and lowercase letters and symbols go but are less helpful for users who want to be able to remember their passwords with relative ease.
Microsoft suggests fashioning those characters into an acronym, word or phrase that is easily remembered. For example, “I love journalism” could become “iLuvJ0urnal1sm!.”
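A checklist of character classes cannot tell a memorable phrase with swapped characters from a random string. The sketch below is an added example, not part of the original article or of Microsoft's guidance; its small word list and substitution table are constructed for illustration. It undoes common substitutions and reports whether a password is built entirely from dictionary words, which is how password-strength estimators look at it.

```python
import re

# Constructed sample word list (assumption); a real check loads a large dictionary.
WORDS = {"i", "love", "luv", "journalism", "news", "password"}
# Common character substitutions, undone before the dictionary lookup.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def count_classes(password):
    """Number of checklist classes present: lower, upper, digit, symbol."""
    return sum(bool(re.search(pattern, password)) for pattern in CLASSES)


def split_words(text):
    """Split text into dictionary words (longest first), or None if impossible."""
    if not text:
        return []
    for end in range(len(text), 0, -1):
        if text[:end] in WORDS:
            rest = split_words(text[end:])
            if rest is not None:
                return [text[:end]] + rest
    return None


def review(password):
    """Report what a checklist sees and what the password is built from."""
    core = password.rstrip("!?.#*0123456789")  # drop trailing padding
    normalized = core.lower().translate(SUBSTITUTIONS)
    return {
        "length": len(password),
        "classes": count_classes(password),
        # None means the password is not made of dictionary words.
        "words": split_words(normalized) if normalized else None,
    }


if __name__ == "__main__":
    for sample in ("iLuvJ0urnal1sm!", "q7#Tz9vLp2&x"):  # second one is constructed
        print(sample, review(sample))
```

Both samples tick all four boxes, but only the first reduces to a short run of dictionary words; for a phrase-based password the strength comes from how many words it contains and how unrelated they are, not from the swapped characters.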
2. Install antivirus software
There are multiple software programs users can install. Sierra encourages users to simply find the best fit for their needs. Columbia Journalism School recommends McAfee, Norton and Computer Associates among others.
3. Store files on different devices
It might seem obvious, but storing everything in one place is generally not a good idea. If that device crashes, everything is lost. Also, using only one device to store files makes it an easy target for hackers. If they hack that device, users will potentially lose everything.
When it comes to organising users’ files, Sierra suggests dividing sensitive and non-sensitive information. “You have to have your information well organised in order to be accessible at any time,” he says. “The idea is that if you eventually lose your computer or your mobile phone or your tablet, you don’t lose all of your information.”
He also stressed the importance of having sensitive information encrypted (see section below on encryption), especially when travelling with a device.
4. Only access websites using “HTTPS”
Mike Shema, the author of Hack Notes: Web Application Security, describes using websites without “HTTPS,” as the same as giving your laptop to a stranger for 20 minutes. In his article for Mashable, he wrote, “The encryption within HTTPS is intended to provide benefits like confidentiality, integrity and identity. Your information remains confidential from prying eyes because only your browser and the server can decrypt the traffic.”
5. Log out
Leaving a device or website logged in without the user present is a quick and easy way to get hacked. As Paul Bradshaw for The Online Journalism Blog said, even if users don’t think they’re interesting enough to warrant an attack – hackers aren’t always after them. Often they’re after the user’s sources, their colleagues, their audience or their access.
6. Be aware of the GPS function
The GPS function on any device can be a means of security but also a security risk. Whether a journalist should enable the GPS function depends greatly on the investigation and the specific reporting process, Sierra cautions.
Journalists reporting in areas of conflict may find it prudent to enable the GPS function. Javier Garza Ramos, the World Editors Forum special advisor on newsroom safety, says, “Having colleagues know the location of a reporter can save valuable minutes in emergency situations.”
However, if a journalist is unaware that their GPS is enabled, they can be put at risk. Attackers conducting surveillance are able to identify where the journalist is, putting not only the journalist in danger but potentially their sources, friends and colleagues too.
(Note: Emergency Journalism has reviewed several GPS devices that could be employed by journalists. For more information on safety apps for journalists see the World Editors Forum piece on recent tech innovations.)
7. Use secure browsers
The way you access the internet can also be made more secure. “Avoid Internet Explorer,” Sierra says. Up until recently, Internet Explorer was the most popular web browser, Mashable reports, and so attracted the majority of bugs and was exploited by hackers the most regularly. The browser still attracts over 30% of browser usage.
Sierra instead recommends using Mozilla Firefox or Google Chrome as they have added security features. It takes 10 minutes at most to download Google Chrome and even less for Mozilla Firefox. Alternatively, users can download Tor. Though slower than Firefox and Google Chrome, Tor incorporates encryption and directs user traffic through thousands of networks, making it one of the safest browsers to use.
(See below for more on Tor.)
8. Make sure your apps and programs use encryption
In the Post-Snowden era, journalists are looking beyond the basic methods of online and computer security and seeking stronger protection.
“Any reasonable intelligence agency is capable of tapping phones, intercepting email and following our every move – both online and in the real world,” journalist and author of Deep Web for Journalists, Alan Pearce says.
While online communications are never entirely secure, by encrypting data, documents and conversations, journalists have a greater ability to shield their work and protect the privacy of their sources from third parties.
Using complex mathematical algorithms, encryption helps to secure a user’s privacy by scrambling data, making it indecipherable to hackers and outside sources.
The technique can be used on a number of devices including PC, tablet PC and smartphones.
“Journalists must be able to rely on the privacy, security and anonymity of their communications,” UN Special Rapporteur, Frank la Rue commented.
Cyber security expert Sierra warns, however, that it is not only journalists who should be concerned about privacy and security invasions; it should be a concern for “every citizen; every person.”
APPS AND PROGRAMS THAT USE ENCRYPTION
Originally produced to protect the privacy and security of the U.S naval communications, Tor is now used by millions of direct users every day. The Tor network conceals the identity of its users by directing their traffic across thousands of Tor servers, increasing the difficulty for outside sources to identify the Tor user and their location.
Although Tor is not completely secure, The Intercept’s technology analyst and author of Encryption Works, Micah Lee, notes that “…even if some Tor circuits can be defeated by a global adversary, if enough people are getting their traffic routed through the same Tor nodes at the same time, it might be difficult for the adversary to tell which traffic belongs to which circuits”.
Strong encryption of users’ content and searches
Free to download and to use
Once Tor is on a user’s USB they are able to run it on any computer without installation
Available on multiple platforms including Mac, Windows and Linux as well as iOS and Android devices
Allows users to access blocked websites
Researchers have recently found a weakness in the system which allows hackers to deanonymise Tor users. Tor is reportedly working with the researchers on the problem and is close to fixing the fault
Plug-ins such as Flash and Quicktime (used for viewing videos) are blocked
Browser experience is slow
Reviewers claim it is difficult to set up
According to its namesake website, Hushmail is a browser-based email service provider offering secure and encrypted email and file storage. Founded in 1998, it encrypts email content when it is sent and automatically restores the email to its original form when received by other Hushmail recipients.
Great basic security and privacy for individuals sending and receiving low risk content
Strong encryption of users’ emails and files
Unlike many other encrypted email sites, the Hushmail site is easy to navigate and simple to use
Eliminates need for user to deal with the difficulty of OpenPGP (the world’s most widely used email encryption standard)
It is free to sign up and to use (there is however, a paid option with added benefits)
It automatically scans for viruses
Different versions of Hushmail offered (for a fee) – ‘Hushmail for Individuals’, ‘Hushmail for Business’, ‘Hushmail for HIPAA’ and ‘Hushmail for Resellers’
No third party advertising
Those using other email service providers are still able to receive encrypted emails from Hushmail users. Those using other service providers will need to answer a secret question (created by the sender) in order for the message to be decrypted.
Hushmail is subject to Canadian law and in the past they have handed over user data in response to a subpoena
You cannot use your existing email address. Users must create a Hushmail account in order to use the service.
The free service account must be used regularly in order to remain active
If you forget your password, you will never be able to recover it. To provide user protection and eliminate the possibility of its employees accessing your emails, Hushmail does not store your password in its system.
Hushmail does not currently have an app available
While Sierra recommends the use of Hushmail, Micah Lee instead recommends that journalists use their own ‘keys’ through OpenGnuGP (the software applied to OpenPGP). “If your newsroom is hosting its email with Gmail or Microsoft, you and your editors won’t even know when those third party companies get subpoenaed for your email during a leak investigation. If you host your email service yourself, you’ll be the first to know and you’ll have a chance to fight it,” Lee says.
“We’re still a long way from having software that journalists should use that’s both very secure and very usable... (but) There is a lot of work going into making PGP easier to use, such as the Mailpile project.”
RedPhone, an app developed by privacy and security software company Whisper Systems, encrypts phone calls made on Android devices, adding security to calls made by its users. Runa Sandvik, technical advisor to the Freedom of the Press Foundation, recommends RedPhone, along with Micah Lee and Jorge Luis Sierra.
Free secured phone calls that run off data and Wi-Fi, not talk minutes
Easy to use and navigate
Connection and call quality is generally good among reviewers
Users do not need to create an account in order to use the app
Service providers are not able to access the metadata on calls made
Includes a mechanism that verifies that encryption is not being attacked
Both parties engaged in a phone call need to have the app installed in order for the app to function correctly and securely.
No missed call or voicemail notification
Currently only available to Android users; however, Whisper Systems is developing the app for iOS users
Sicher, a private messaging app created by SHAPE, offers end-to-end encryption on smartphones and tablets. Users are able not only to send encrypted messages, but also files including PDFs, Word documents, photos, and videos.
Easy to set up and to use
Sicher site claims that all features of Sicher 1.0 are free of charge and will remain so
Available on most devices
Contains an automatic destruction timer set by the user that erases communications between the sender and receiver (on both users’ devices)
Does not send usage statistics and crash logs
No personal data is stored on the server
Group chat option
Push notifications are anonymous
Sicher messages can only be sent to and received by other Sicher users
It is not possible to recover your password if you forget it. You must uninstall the app and sign up again.
Currently only available in English and German
Like Sicher, TextSecure sends end-to-end encrypted text messages. The Whisper Systems app is recommended by Sierra, Lee and Sandvik but it is currently only available on Android devices.
Note: You can view our full list of primary and secondary sources for this article here
Picture: Perspecsys Photos (Creative Commons/Flickr)