
PRACTICAL DIGITAL SECURITY

FOR JOURNALISTS
Jonathan Stray
Kiplinger Fellowship 2017
Columbus, Ohio
PRACTICAL DIGITAL SECURITY
FOR JOURNALISTS*

*No one can learn all of this in an hour.


Sources revealed through digital records
"Federal investigators trying to find out who leaked information about a CIA attempt to disrupt Iran's nuclear program obtained a New York Times reporter's three private credit reports, examined his personal bank records and obtained information about his phone calls and travel, according to a new court filing."

- Feds spy on reporter in leak probe, Politico, 2/24/11 (regarding reporter James Risen)
Laptop falls into Syrian govt. hands, sources forced to flee
Two ways to look at security

Security reduces risk for ourselves, our sources, and our organization.

Security allows us to do work that would otherwise be too dangerous.


PART ONE: SECURITY BASICS
What everyone in the organization needs to do
Passwords and 2-step login
Don't fall for phishing
Encrypt your devices
Check your social media and cloud storage permissions
Logging in Securely
[Pictured: LinkedIn, from June 2012 breach; Gawker, from Dec 2010 breach]
Two-Factor Authentication
Something you know, plus something you have
Passwords
Don't use a common password, and avoid dictionary words (with or without the usual "P@ssw0rd1!" decorations; cracking tools undo those first).

Use two-factor authentication.

Consider a password manager such as LastPass, so every site gets its own long, random password.

Don't ever tell anyone your password!
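An added example, not from the deck, of the check a sign-up form or password manager runs against the "most common passwords" lists that breach charts like the LinkedIn and Gawker ones are built from. The two word lists are constructed stand-ins (real ones run to millions of entries); the normalization (lower-case, strip leading and trailing digits and symbols, undo leetspeak) mirrors the rules a cracking tool applies before comparing against such lists.

```python
import re

# Constructed stand-in for a breach-derived "most common passwords" list.
COMMON_PASSWORDS = {
    "123456", "password", "linkedin", "qwerty", "letmein", "football",
    "welcome", "monkey", "abc123", "sunshine", "iloveyou", "princess",
}
# Constructed stand-in for a dictionary word list.
DICTIONARY_WORDS = {"summer", "winter", "dragon", "columbus", "journalist", "reporter", "password"}

# Substitutions a cracking rule set undoes before comparing against word lists.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Reduce a password to the 'base word' a guessing rule would recover:
    lower-case, strip leading/trailing digits and symbols, undo leetspeak."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)   # "P@ssw0rd1!" -> "p@ssw0rd"
    return base.translate(LEET)                       # -> "password"


def weaknesses(password):
    """Return the reasons this password is weak; an empty list means none were found."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    base = normalize(password)
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        findings.append("on the common-password list (possibly with decoration)")
    elif base in DICTIONARY_WORDS:
        findings.append(f"dictionary word '{base}' with decoration")
    if re.fullmatch(r"(.+?)\1+", password):             # "abcabcabc", "111111"
        findings.append("a short pattern repeated")
    return findings


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "C0lumbus2017!", "linkedin", "Tuba-Lantern-Glacier-72"]:
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious weakness'}")
```

A multi-word passphrase with a separator passes every check here, which is the point: length and unpredictability beat symbol substitution.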


Phishing
Tricks the user into visiting a fake site or opening a dangerous attachment.

By far the most common way that journalists are compromised.

If you learn nothing else today...

AP Phishing Email

The link didn't really go to washingtonpost.com!


John Podesta hacked by phishing
Syrian Facebook phishing attack

Arabic text reads:

"Urgent and critical... video leaked by security forces and thugs... the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs... please spread this."
Read the URL Before You Click!
Spear Phishing
Defending Against Phishing
Be suspicious of generic messages
Read the URL before you click
Always read the URL before typing in a password
Report suspicious links to IT security
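"Read the URL before you click" is a parsing exercise, and the AP email above is the classic case: the link text named washingtonpost.com, the href went elsewhere. The following added example (not from the deck) does that comparison the way a mail filter or a careful reader would, using only the standard library. `TRUSTED_DOMAINS` is a constructed list, and the two-label `registrable_domain()` heuristic is an assumption made for brevity (real code consults the Public Suffix List).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of domains the newsroom treats as familiar.
TRUSTED_DOMAINS = {"washingtonpost.com", "google.com", "facebook.com"}


def registrable_domain(host):
    """'accounts.google.com' -> 'google.com'. Assumption: last two labels are the owner
    (does not handle multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(link_text, href):
    """Compare what a link says with where it actually goes.
    Returns the host the browser would really connect to, plus a list of findings."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme '{parts.scheme}'")
    if parts.username is not None:
        # https://www.google.com@evil.example/ : everything before '@' is ignored by the browser
        findings.append(f"text before '@' is not the host; real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain")
    except ValueError:
        pass
    if "xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("internationalized/punycode host: possible lookalike characters")
    for trusted in TRUSTED_DOMAINS:
        mentioned = trusted in link_text.lower() or trusted in href.lower()
        if mentioned and registrable_domain(host) != trusted:
            # washingtonpost.com.example-login.net is owned by example-login.net, not the Post
            findings.append(f"mentions {trusted} but really goes to {host}")
    return {"real_host": host, "findings": findings}


if __name__ == "__main__":
    samples = [
        ("Washington Post", "https://www.washingtonpost.com/world/"),
        ("washingtonpost.com", "http://washingtonpost.com.example-login.net/story"),
        ("Sign in to Google", "https://www.google.com@evil.example/login"),
        ("Facebook", "http://203.0.113.5/facebook.com/login"),
    ]
    for text, url in samples:
        print(text, "->", analyze_link(text, url))
```

The `parts.hostname` value is the only thing that matters for where the request goes; everything a phisher puts before the `@`, after the first `/`, or in the visible link text is decoration.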
Disk Encryption
Encrypt your storage

Turn on disk encryption! It's built in.

Use BitLocker (Windows; it needs the Pro or Enterprise edition, Windows Home offers "Device encryption" only on some hardware), FileVault (Mac).
Encrypt external drives and your phone too!

Disk encryption protects a lost or seized device that is powered off or locked. It does nothing against malware running while you are logged in.

Really. Phones and USB sticks too.

On by default on iPhone once you set a passcode (the key is derived from it, so make it a strong one). On most recent Android phones it is also on by default; on older ones check Settings > Security and turn it on.
Sharing Settings
Forgotten permissions are a major hazard
Know what social media reveals: background yourself!

Use someone else's computer (or an Incognito window, logged out of everything) and research yourself. See if you can find your home address, date of birth, or child's school.

Social media privacy settings

Have you thought about how you want to use Facebook?
SECURITY TUNE-UP
Turn on 2FA for your Email
Turn on Disk Encryption
Check your social media sharing settings
Check your cloud storage sharing settings
INTERLUDE: THREAT MODELING
Threat Modeling: how to plan for a sensitive story
What do I want to keep private?
Messages, locations, identities, networks, etc.

Who wants to know?
Story subject, governments, law enforcement, corporations, etc.

What can they do?
Eavesdrop, subpoena, exploit security lapses and accidents

What happens if they succeed?
Story's blown, legal problems for a source, someone gets killed
What must be private?
Which data?
Emails and other communications
Photos, footage, notes
Your address book, travel itineraries, etc.

Privacy vs. anonymity
Encryption protects the content of an email or IM, not the identity of sender and recipient.
Who wants to know?
Most of the time, the NSA is not the problem

Your adversary could be the subject of a story, a government, organized crime, a government agency, another news organization, etc.
What Can the Adversary Do?
Technical
Hacking, intercepting communications, code-breaking

Legal
Lawsuits, subpoenas, arrests and detention

Social
Phishing, social engineering, exploiting trust

Physical
Theft, installation of malware, intimidation and violence
What Are You Risking?
Security is never free. It costs time, money, and convenience

How much are you willing to pay to avoid:


Blown story
Arrested source
Dead source
SECURITY TUNE-UP
Pick a current or recent story.
What is your threat model?
PART TWO: REPORTING RECIPES
Reporting Recipes
Legal protections for data
Secure communication
Sharing and storing data
Protecting your location
Anonymous Sources
Anonymous Browsing
Handling Leaks
Crossing borders
Legal protections for data
The problem: third party doctrine in privacy law

Smith v. Maryland, Supreme Court, 1979: no Fourth Amendment protection for records you hand to a third party (in that case, the phone company's list of numbers you dialed).

Facebook, Skype, Slack, etc. can be monitored by the parent company. And requested by law enforcement.

[Pictured: Facebook government requests, Q1-Q2 2015]
Slack (etc.) lives forever and killed Gawker
Secure Communication
Text messages
Standard text messages (SMS) are incredibly insecure.

Facebook, Slack, WeChat, etc. are logged by the parent company and can be subpoenaed.

WhatsApp is end-to-end encrypted, but Facebook may still reveal who you talk to.

Use iMessage or Signal when possible.

SMS is not encrypted! The phone company logs them, and devices exist to read all SMS text messages sent by nearby phones.

iMessage is quite secure, but automatically falls back to the least secure method (plain SMS) when no data connection is available, unless you turn off "Send as SMS". Correctly encrypted messages are blue; green means it went as SMS. Also note that if iCloud Backup is on, your message history is in Apple's backup, which Apple can be compelled to hand over.

Signal is the free, secure messaging app. Android (pictured), iPhone, Desktop.
Signal vs. Law Enforcement
Signal vs. Law Enforcement
Email
Email is difficult to secure. Avoid it if you can.

Limited security if both ends of the conversation always use Gmail, Hushmail, or ProtonMail (the message never leaves that one provider). Still subject to subpoena.

I do not recommend PGP/GPG: hard to get right.

Also, email is usually archived! Bad for secure communications.
Phone calls
Standard phone calls leave metadata at phone company. Who you
called, when, how long you talked, where you were.

Who can access this?

Definitely law enforcement.


Phone records get a source busted
"The AP phone records were sought after interviews of more than 550 people turned up insufficient evidence of who leaked the information about the Al Qaeda of the Arabian Peninsula plot, officials said.

Only after the AP phone records pointed to Sachtleben as a suspect in the leak was the computer checked for classified information, setting in motion the leak charges, the official added."

- Ex-FBI agent admits to AP leak, Politico, 9/23/13


Signal app once again!
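The AP case above, and the "sealed envelope" point in the Anonymous Sources section later, come down to the same thing: the carrier's records say nothing about what was said and everything about who talked to whom. This added example (not from the deck) walks through what an investigator does with subpoenaed call detail records. The CDR lines, the reporter's number and the personnel directory are all constructed; the column layout is typical of what carriers produce but is an assumption here.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call detail records (CDRs): who called whom, when, for how long.
# There is no content column, so encrypting the calls or texts would change nothing below.
CDR_SAMPLE = """\
caller,callee,start,duration_s
+12025550101,+16145550199,2017-03-01T09:12:00,45
+16145550199,+12025550101,2017-03-03T19:40:00,610
+12025550177,+16145550199,2017-03-04T12:05:00,30
+16145550199,+12025550101,2017-03-06T21:15:00,920
+16145550199,+13125550123,2017-03-06T22:00:00,120
+12025550101,+16145550199,2017-03-07T07:30:00,15
+12025550101,+16145550199,2017-03-12T08:00:00,200
"""

REPORTER = "+16145550199"   # constructed: the reporter's own cell number

# Constructed personnel directory: investigators already know who had access to the secret.
EMPLOYEE_PHONES = {
    "+12025550101": "A. Analyst (Agency X)",
    "+12025550177": "B. Clerk (Agency X)",
}


def parse_cdrs(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["start"] = datetime.fromisoformat(row["start"])
        row["duration_s"] = int(row["duration_s"])
    return rows


def contacts_of(cdrs, number):
    """Every number that exchanged calls with `number`: call count, total seconds, last contact."""
    stats = defaultdict(lambda: {"calls": 0, "seconds": 0, "last": None})
    for row in cdrs:
        if number not in (row["caller"], row["callee"]):
            continue
        other = row["callee"] if row["caller"] == number else row["caller"]
        entry = stats[other]
        entry["calls"] += 1
        entry["seconds"] += row["duration_s"]
        entry["last"] = row["start"] if entry["last"] is None else max(entry["last"], row["start"])
    return dict(stats)


def rank_suspects(cdrs, reporter, employee_phones, published):
    """Employees who were in contact with the reporter before the story ran (`published`,
    ISO date string), most contact first. Returns (name, number, calls, seconds) tuples."""
    cutoff = datetime.fromisoformat(published)
    before = [row for row in cdrs if row["start"] <= cutoff]
    ranked = [
        (employee_phones[number], number, s["calls"], s["seconds"])
        for number, s in contacts_of(before, reporter).items()
        if number in employee_phones
    ]
    ranked.sort(key=lambda t: (t[2], t[3]), reverse=True)
    return ranked


if __name__ == "__main__":
    for name, number, calls, seconds in rank_suspects(parse_cdrs(CDR_SAMPLE), REPORTER, EMPLOYEE_PHONES, "2017-03-08"):
        print(f"{name:<25} {number}  {calls} calls, {seconds} s on the phone before publication")
```

Twenty lines of joins on metadata shortlist one employee; that is why the deck's answer is Signal (no carrier record of the conversation at all), not "encrypt the call".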
Sharing and Storing Data
Sharing sensitive files
Do not share sensitive files by email.

PLEASE do not share sensitive files by email!

Google Drive, Dropbox, etc. are okay unless someone gets a court order: the provider holds the keys and can read and hand over the files.

If you're on Mac or iPhone, share through Messages (iMessage, not SMS/MMS). Signal also sends attachments end-to-end encrypted.
Storing sensitive files
You have some "data" you want to protect. Documents, notes, photos, interviews, video...

1. How many copies are there? Where are they?

2. Encrypt your storage (phones, computers, drives)

3. Physical and legal security of storage devices

How many copies?

The original file might be on your phone, camera SD card, etc.

What about backups and cloud syncing? Email attachments?

Consider secure-erase products, but there may still be traces (temporary files, filenames in recently-used lists, etc.), and on SSDs and flash cards overwriting is unreliable because the drive, not you, decides where the data physically lands. Encrypting the storage before the data ever touches it is the dependable answer.
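Step 1 above ("how many copies, where are they?") is something you can actually run rather than guess at. This added example (not from the deck) hashes the sensitive file and walks the directories you point it at, reporting byte-identical copies under any name and same-name files with different content (older drafts). The directory tree in `demo()` is constructed to stand in for a laptop.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(original, roots):
    """Paths under `roots` whose content matches `original` byte-for-byte (renames included),
    plus paths that merely share its file name (worth a look: an older draft or edited version)."""
    original = Path(original).resolve()
    target, size = sha256_of(original), original.stat().st_size
    same_content, same_name = [], []
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file() or p.resolve() == original:
                continue
            if p.name == original.name:
                same_name.append(str(p))
            # Compare sizes first so we only hash plausible candidates.
            if p.stat().st_size == size and sha256_of(p) == target:
                same_content.append(str(p))
    return {"same_content": sorted(same_content), "same_name": sorted(same_name)}


def demo():
    """Constructed directory tree: the notes file, a renamed copy in Backups, an older draft
    with the same name in Downloads, and an unrelated file. Returns relative paths found."""
    base = Path(tempfile.mkdtemp())
    notes = base / "Documents" / "interview-notes.txt"
    notes.parent.mkdir(parents=True)
    notes.write_bytes(b"Source: 'the memo was dated March 3'\n")
    (base / "Backups").mkdir()
    (base / "Backups" / "notes-copy-2017.txt").write_bytes(notes.read_bytes())   # renamed copy
    (base / "Downloads").mkdir()
    (base / "Downloads" / "interview-notes.txt").write_bytes(b"older draft\n")   # same name, other content
    (base / "Downloads" / "unrelated.txt").write_bytes(b"lunch menu\n")
    result = find_copies(notes, [base])
    return {k: [os.path.relpath(p, base) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

A scan like this only sees mounted file systems; a Time Machine disk in a drawer, a cloud sync folder on another machine, or the attachment sitting in your Sent mail are copies it cannot count, which is the reason for keeping the list by hand too.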
Physical data security
Who could steal your laptop?

Keep drives, papers, etc. locked up.

If someone else can access your computer, they can install spyware.
Legal protection, maybe
In the U.S., the Privacy Protection Act (1980) generally bars law enforcement from searching for or seizing a journalist's work product and documentary materials on your premises; they have to use a subpoena, which you get notice of and can fight. There are exceptions (e.g. when the journalist is the suspect).

If it's in the cloud, no protection! The order goes to the provider, not to you.
Anonymous Sources
Anonymous sources
Anonymity is not the same as privacy

It is much harder.

There are many ways to accidentally reveal someone's identity, or for adversaries to discover it after the fact.
Private but not anonymous

An encrypted message is like a sealed envelope. Anyone can still read the address (metadata).
Communicating with sources
"So I meet employee X, and we have a cup of coffee even, and we want to exchange contacts. And if I pull him aside and say, all right, from now on you'll call me Popeye, and here's where you download TAILS and we'll set up secret, spooky accounts and encryption, it's as if I was saying, here let me have your phone number, and by the way can you show me any recent STD tests, and which brand of condom do you like? It's sort of who are you, what are you talking about, I didn't agree to anything like this."

- Barton Gellman of the Washington Post, at the HOPE X conference


The only practical answer
Don't give the source any way to communicate with you that is not secure.

If they have a Gmail address, and you have a Gmail address, and Google is unlikely to cooperate with your adversary, use Gmail.

Otherwise iMessage, or help them install Signal.

Anonymous Browsing
IP address reveals location and identity

[Pictured: whatismyip.com]
Private browsing mode still connects from the same IP. It only affects cookies (saved logins and site tracking codes) and browser history.

Torproject.org: the Tor Browser Bundle routes your traffic through three relays, so the website sees a Tor exit's IP address, not yours.
IP address in web server logs reveals story in progress

- US v. Skelos, S1 15 Cr. 317 (KMW)
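To make the Skelos point concrete: a newsroom researching a company leaves its office IP range in that company's web server logs, and whoever runs (or subpoenas) the server can read off which pages were fetched and when. This added example (not from the deck) parses a few constructed lines in the Apache/nginx "combined" log format and attributes them to organisations through a constructed netblock table; real work would use whois/BGP data and the published Tor exit list for that table.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log lines from a fictional company's web server (combined log format).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2017:14:02:11 -0500] "GET /about/leadership HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:14:02:40 -0500] "GET /investors/annual-report-2016.pdf HTTP/1.1" 200 4012210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2017:14:05:02 -0500] "GET /careers HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2017:15:11:55 -0500] "GET /investors/annual-report-2016.pdf HTTP/1.1" 200 4012210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2017:16:20:13 -0500] "GET /investors/annual-report-2016.pdf HTTP/1.1" 200 4012210 "-" "Mozilla/5.0"
"""

# Constructed netblock ownership table (whois/BGP data and Tor exit lists supply this in practice).
NETBLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "Example Daily Times (newsroom)",
    ipaddress.ip_network("192.0.2.0/24"): "Tor exit relay",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped rather than guessed at."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def owner_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in NETBLOCKS.items():
        if addr in net:
            return name
    return "unknown"


def pages_by_organisation(text):
    """Which organisation fetched which page, how often: what the story subject's web team
    sees in its own logs, or what a subpoena for those logs returns."""
    seen = defaultdict(lambda: defaultdict(int))
    for entry in parse_log(text):
        seen[owner_of(entry["ip"])][entry["path"]] += 1
    return {org: dict(pages) for org, pages in seen.items()}


if __name__ == "__main__":
    for org, pages in pages_by_organisation(ACCESS_LOG).items():
        print(org, pages)
```

The Tor line resolves to an exit relay and stops there; the direct lines resolve to the newsroom and show two people pulling the same annual report in one afternoon, which is a story in progress whether or not anyone has called for comment yet.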


Handling Leaks
Receiving Leaks
Prevent the adversary from knowing who leaked: keep the source anonymous.

Corporate networks are monitored. Personal devices are associated with identifying information. The most secure method for transferring sensitive files is still a face-to-face meeting.

If you want to accept secure leaks online, use SecureDrop.
Document Metadata
Documents are more than what you see. They have hidden metadata in the files.

This might include document author, which computer created it, location a photo was taken, even when the document was created.

There are tools to remove metadata, but easiest and most reliable: take a screenshot on your computer (not the source's!). A screenshot strips file metadata; it does not strip identifying marks that are part of the content itself, such as printer tracking dots on a scanned page or a per-copy watermark.
File metadata

Word documents, PDFs, etc. all have hidden info in the file, including author name, creation date.
Location in photo metadata

Many phones and cameras store time and location in image files (EXIF data). There are online tools to check and edit, but uploading a sensitive image to an online tool hands the original to a third party; use a local tool instead.
Location Privacy
Protecting your location
Social media posts are often geo-tagged.

Phones are a security disaster. Your location is continuously recorded (cell towers, Wi-Fi, GPS).

Some apps allow continuous monitoring. Are any running?

Phones and cameras often save GPS coordinates in the photo file.
Tell-All Telephone (zeit.de)
Geo-tagged posts
Get familiar with your location privacy settings
Crossing Borders
Crossing borders
Prepare to be searched. Encrypt your devices. But realize that you may have to give up your password.

Prepare to have equipment seized. Have backups.

Best plan is to carry as little data as possible across the border. Try to send sensitive data home over the network, and power devices fully off before the checkpoint so the encryption key is not sitting in memory.
US Border crossing guide

EFF's Digital Privacy at the US Border: Protecting Data on Your Devices and in the Cloud
https://www.eff.org/wp/digital-privacy-us-border-2017
SECURITY TUNE-UP
Have a Secure Chat
Send a file securely
Make a list of all your sensitive data
including where its stored
Digital security for journalists in one slide
Use real passwords + 2-step login. Recognize phishing. Encrypt your devices. Check up on your sharing settings.

Use threat modeling to make a plan for your story. Know what you are protecting from whom. Integrate digital with physical, legal, operational security.

Avoid email. Use iMessage, WhatsApp or Signal. Give sources a secure channel from the start.

Source anonymity requires extensive planning, both online and offline.

Know exactly what data is sensitive, how many copies there are, and where.
Resources

Tinfoil.press, online discussion forum for journosec
http://tinfoil.press

Defending accounts against common attacks
https://source.opennews.org/guides/defending-accounts/

Current digital security resources, regularly updated
https://medium.com/@mshelton/current-digital-security-resources-5c88ba40ce5c
