DIGITAL SECURITY FOR YOUR STORY Jonathan Stray NICAR 2014

Threat Modeling: Planning Digital Security for your Story


Talk video at https://vimeo.com/87957065

There is no one-size-fits-all security, and no one tool will make you secure. Security threats can come from a variety of different actors, and attacks can be technical, social, physical, or legal. Threat modeling is an integrated approach to security based on an assessment of your specific situation. You will learn the basic questions you need to answer to determine your security needs, how security threats vary depending on what you’re working on and where you’re working on it, and how to design a security plan, including determining which tools and services you should use.


Page 1: Threat Modeling: Planning Digital Security for your Story

DIGITAL SECURITY FOR YOUR STORY Jonathan Stray NICAR 2014

Page 2: Threat Modeling: Planning Digital Security for your Story
Page 3: Threat Modeling: Planning Digital Security for your Story

Laptop falls into Syrian govt. hands, sources forced to flee

Page 4: Threat Modeling: Planning Digital Security for your Story

Journalism Security Disasters
• Hacked accounts and sites
  • AP
  • The Washington Post
  • The New York Times
  • Etc.
• Sources exposed
  • Vice reveals John McAfee’s location
  • AP phone records subpoena
  • Filmmaker’s laptop seized in Syria

Page 5: Threat Modeling: Planning Digital Security for your Story

What Are We Protecting?
• Commitments to sources
• Physical safety
• Legal concerns
• Our ability to operate
• Our reputation

Page 6: Threat Modeling: Planning Digital Security for your Story

Three Important Messages
• Journalism is a high-risk profession
• Even if you’re not working on a sensitive story, you are a target
• For sensitive stories, you need a plan

Page 7: Threat Modeling: Planning Digital Security for your Story

WHAT EVERYONE IN THE NEWSROOM NEEDS TO KNOW

Page 8: Threat Modeling: Planning Digital Security for your Story

LinkedIn from June 2012 breach

Gawker from Dec 2010 breach

Page 9: Threat Modeling: Planning Digital Security for your Story

Two-Factor Authentication
• Something you know, plus something you have

Page 10: Threat Modeling: Planning Digital Security for your Story

Passwords
• Don’t use a common password
  • Avoid words in the dictionary
• Use two-factor authentication
• Consider password management tools like 1Password

Page 11: Threat Modeling: Planning Digital Security for your Story

Phishing
• By far the most common attack against journalists (or maybe anyone)
• Relies on getting the user to visit a site under false premises
• Typically directs users to a fake login page to trick them into entering passwords
• But more sophisticated attacks exist that work when users just view the page

Page 12: Threat Modeling: Planning Digital Security for your Story
Page 13: Threat Modeling: Planning Digital Security for your Story

AP Twitter Hacked by Phishing

Page 14: Threat Modeling: Planning Digital Security for your Story

AP Phishing Email

The link didn’t really go to washingtonpost.com!

Page 15: Threat Modeling: Planning Digital Security for your Story

Read the URL Before You Click!

Page 16: Threat Modeling: Planning Digital Security for your Story
Page 17: Threat Modeling: Planning Digital Security for your Story

Phishing
• Becoming increasingly sophisticated
• Spear phishing = selected targets, personalized messages

Page 18: Threat Modeling: Planning Digital Security for your Story

All Is Not Lost — If You Are Alert

Page 19: Threat Modeling: Planning Digital Security for your Story

Defending Against Phishing
• Be suspicious of generic messages
• Read the URL before you click
• Always read the URL before typing in a password
• Report suspicious links to IT security
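"Read the URL before you click" can also be done by a machine over a whole mailbox. The following is an added example, not from the talk, of the check a mail filter or a newsroom IT team could run: it pulls every link out of an HTML message and flags those whose visible text names one site while the actual `href` points somewhere else, which is the trick in the AP e-mail above. The sample message is constructed for this example and is not the real AP phishing mail; the look-alike host uses the reserved `.invalid` suffix.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches link text that is itself a URL or a bare domain, e.g.
# "https://www.washingtonpost.com/..." or "washingtonpost.com".
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str):
    """Lowercase hostname of a URL or bare domain, without a leading 'www.'."""
    s = url.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def deceptive_links(html: str):
    """Return links whose visible text names one site but whose href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue                      # "click here" style text: nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample e-mail body: one honest link, one whose text mimics a
# newspaper URL while the href points at a look-alike host, one plain "click here".
SAMPLE_EMAIL_HTML = """
<p>Please read: <a href="https://www.washingtonpost.com/example-story">
https://www.washingtonpost.com/example-story</a></p>
<p>Breaking: <a href="http://washingtonpost.com.login-check.invalid/verify">
washingtonpost.com/blogs/breaking-news</a></p>
<p><a href="http://example.invalid/">click here</a></p>
"""

if __name__ == "__main__":
    for f in deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"text shows {f['shown']!r} but the link goes to {f['actual']!r}: {f['href']}")
```

The check is deliberately conservative: it only compares hostnames when the link text looks like a URL, because that is the case where the reader is being told where the link goes. Links with text like "click here" still need the human rule from the slide, hovering to read the real URL before clicking.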

Page 20: Threat Modeling: Planning Digital Security for your Story

THREAT MODELING FOR YOUR STORY

Page 21: Threat Modeling: Planning Digital Security for your Story

Threat Modeling
• What do I want to keep private?
  • Messages, locations, identities, networks, etc.
• Who wants to know?
  • Story subject, governments, law enforcement, corporations, etc.
• What can they do?
  • Eavesdrop, subpoena, exploit security lapses and accidents
• What happens if they succeed?
  • Story's blown, legal problems for a source, someone gets killed

Page 22: Threat Modeling: Planning Digital Security for your Story

What Must Be Private?
• Which data?
  • Emails and other communications
  • Photos, footage, notes
  • Your address book, travel itineraries, etc.
• Privacy vs. anonymity
  • Encryption protects content of an email or IM
  • Not the identity of sender and recipient

Page 23: Threat Modeling: Planning Digital Security for your Story

Threat Modeling Scenario #1 You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.

Page 24: Threat Modeling: Planning Digital Security for your Story

File metadata

Photos, PDFs, documents all have hidden info in the file
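For the Syria scenario, the hidden information in a photo (camera model, timestamps, often GPS coordinates, free-text comments) can identify where and by whom it was taken. The following is an added example, not from the talk, that walks a JPEG's header segments with nothing but the Python standard library, lists the metadata blocks that would leak, and writes out a copy with them removed while leaving the compressed pixels untouched. The sample file is a constructed minimal JPEG, not a real photograph, and the example does not cover PDFs or office documents, which keep their metadata in other formats.

```python
SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA

# Application segments a viewer actually needs for colour and layout.
# Every other APPn segment (Exif, XMP, IPTC) and the COM segment is metadata.
_KEEP_APP = {0xE0, 0xE2, 0xEE}   # APP0 JFIF, APP2 ICC profile, APP14 Adobe


def _is_metadata(marker: int) -> bool:
    return (0xE0 <= marker <= 0xEF and marker not in _KEEP_APP) or marker == 0xFE


def _segments(data: bytes):
    """Yield (marker, start, end, payload) for each header segment up to SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        end = pos + 2 + length
        yield marker, pos, end, data[pos + 4:end]
        if marker == SOS:
            return
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")


def describe_metadata(data: bytes) -> list:
    """List the metadata-bearing segments, so you know what the file would reveal."""
    found = []
    for marker, _, _, payload in _segments(data):
        if not _is_metadata(marker):
            continue
        if payload.startswith(b"Exif\x00\x00"):
            kind = "APP1 Exif (camera model, timestamps, often GPS)"
        elif payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            kind = "APP1 XMP (editing history, author fields)"
        elif marker == 0xED:
            kind = "APP13 Photoshop/IPTC (captions, credits)"
        elif marker == 0xFE:
            kind = "COM comment: " + payload.decode("latin-1", "replace")
        else:
            kind = f"APP{marker - 0xE0}"
        found.append(kind)
    return found


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy of the JPEG with all metadata segments removed. Everything from the
    SOS marker onward (the compressed image) is copied byte for byte."""
    out = bytearray(SOI)
    for marker, start, end, _ in _segments(data):
        if marker == SOS:
            out += data[start:]
            break
        if not _is_metadata(marker):
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: JFIF header, an Exif block, a free-text comment, then
# a meaningless scan. Real files also carry DQT/DHT/SOF segments, which the walker
# treats like any other non-metadata segment.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")
    + _segment(0xFE, b"Taken at the cafe near the checkpoint")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"            # fake entropy-coded data (0xFF00 is a stuffed byte)
    + EOI
)

if __name__ == "__main__":
    print("before:", describe_metadata(SAMPLE_JPEG))
    clean = strip_jpeg_metadata(SAMPLE_JPEG)
    print("after: ", describe_metadata(clean), f"({len(SAMPLE_JPEG)} -> {len(clean)} bytes)")
```

Run `describe_metadata` on the file you are about to send; if the list is not empty, send the output of `strip_jpeg_metadata` instead. Remember that stripping the copy does nothing about the original still on the camera card, which is the "how many copies are there?" question later in the deck.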

Page 25: Threat Modeling: Planning Digital Security for your Story

Who Wants to Know?
• Most of the time, the NSA is not the problem
• Your adversary could be a government, the subject of a story, another news organization, etc.

Page 26: Threat Modeling: Planning Digital Security for your Story

Threat Modeling Scenario #2 You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.

Page 27: Threat Modeling: Planning Digital Security for your Story

What Can the Adversary Do?
• Technical
  • Hacking, intercepting communications, code-breaking
• Legal
  • Lawsuits, subpoenas, detention
• Social
  • Phishing, “social engineering,” exploiting trust
• Operational
  • The one time you didn’t use a secure channel
  • Person you shouldn’t have told
• Physical
  • Theft, installation of malware, network taps, torture

Page 28: Threat Modeling: Planning Digital Security for your Story

Threat Modeling Scenario #3 You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.

Page 29: Threat Modeling: Planning Digital Security for your Story

What Are You Risking?
• Security is never free
  • It costs time, money, and convenience
• “How much” security do you need?
  • It depends on the risk
    • Blown story
    • Arrested source
    • Dead source

Page 30: Threat Modeling: Planning Digital Security for your Story

Threat Modeling Scenario #4 You are working in Europe, assisting a Chinese human rights activist. The activist is working inside China with other activists, but so far the Chinese government does not know he/she is an activist — and the activist would like to keep it this way.

Page 31: Threat Modeling: Planning Digital Security for your Story

DIGITAL SECURITY TOOLS

Page 32: Threat Modeling: Planning Digital Security for your Story

Data at Rest / Data in Motion

Page 33: Threat Modeling: Planning Digital Security for your Story

Secure Storage
• We’re assuming you have some “data” you want to protect
  • Documents, notes, photos, interviews, video, etc.
• But also: stored passwords, information about your colleagues, ability to impersonate you (e.g., fake emails)

Page 34: Threat Modeling: Planning Digital Security for your Story

Laptop falls into Syrian govt. hands, sources forced to flee

Page 35: Threat Modeling: Planning Digital Security for your Story

Securing Data at Rest
• How many copies are there?
  • The original file might be on your phone, camera SD card, etc.
  • What about backups and cloud syncing?
  • Use secure erase products
• Could "they" get a copy?
  • Steal your laptop
  • Walk into your office at lunch
  • Take your camera at the border
• If they had a copy, could they read it?
  • Encrypt your whole disk!
  • Use TrueCrypt (Windows), FileVault (Mac), LUKS (Linux)

Page 36: Threat Modeling: Planning Digital Security for your Story

Securing Data in Motion
• Tools you should know
  • PGP — Secure email
  • OTR — Off-the-record messaging protocol
  • CryptoCat — Easy OTR through your browser
  • Tor — Anonymity
  • SecureDrop — Anonymous submission

Page 37: Threat Modeling: Planning Digital Security for your Story

OTR
• Not an app
  • A protocol for encrypted communication, supported by several apps.
• Does not hide your identity!
• Many chat programs can speak OTR
• Confusing and important
  • Google Chat’s “off the record” option does not use OTR
  • Google can read your messages

Page 38: Threat Modeling: Planning Digital Security for your Story

Starting OTR in Pidgin

Page 39: Threat Modeling: Planning Digital Security for your Story

Starting OTR in Adium

Page 40: Threat Modeling: Planning Digital Security for your Story

Crypto.cat — Easy OTR

Page 41: Threat Modeling: Planning Digital Security for your Story

Am I Really Talking to You?
• “Man-in-the-middle” pretends to be someone else

Page 42: Threat Modeling: Planning Digital Security for your Story

Solution: Fingerprints

• Contact your source over a different channel; verify he/she sees the same fingerprint you see
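What the fingerprint comparison actually checks, as an added example that is not part of the talk: a fingerprint is a hash of the other party's public key, so a man-in-the-middle who substitutes their own key during the chat session cannot produce the same fingerprint the source reads to you over the phone or in person. The keys below are constructed byte strings standing in for real OTR or PGP keys, and the fingerprint format (SHA-256 in four-character groups) is illustrative; OTR and PGP each display their own format, but the comparison works the same way.

```python
import hashlib
import hmac
import re


def fingerprint(public_key: bytes) -> str:
    """Fingerprint of a public key: a SHA-256 hash shown in 4-character groups so
    it can be read out loud. (Illustrative format, not the OTR or PGP encoding.)"""
    digest = hashlib.sha256(public_key).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def normalize(fp: str) -> str:
    """Drop spaces, colons, dashes and case, e.g. a fingerprint read back over the phone."""
    return re.sub(r"[\s:-]", "", fp).upper()


def fingerprints_match(expected: str, heard: str) -> bool:
    """Constant-time comparison of two fingerprints in any formatting."""
    a, b = normalize(expected), normalize(heard)
    return len(a) == len(b) and hmac.compare_digest(a.encode(), b.encode())


# Constructed stand-in keys; only the bytes matter for the hash.
SOURCE_KEY = b"constructed-public-key-of-the-source-" + bytes(range(32))
IMPOSTOR_KEY = b"constructed-public-key-of-an-impostor" + bytes(range(32, 64))


def verify_session(key_received_over_chat: bytes, fingerprint_read_by_source: str) -> bool:
    """The check the slide describes: the key that arrived through the chat channel
    must hash to the fingerprint the source reads to you over a second channel.
    An attacker who swapped the key in the chat cannot make the two agree without
    also controlling that second channel."""
    return fingerprints_match(fingerprint(key_received_over_chat), fingerprint_read_by_source)


if __name__ == "__main__":
    over_the_phone = fingerprint(SOURCE_KEY).lower()        # the source reads their own fingerprint
    print("direct session:      ", verify_session(SOURCE_KEY, over_the_phone))
    print("session via impostor:", verify_session(IMPOSTOR_KEY, over_the_phone))
```

The second channel is the whole point: if the fingerprint is confirmed over the same chat the attacker controls, the attacker simply sends their own fingerprint and the check passes.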

Page 43: Threat Modeling: Planning Digital Security for your Story

Encryption vs. Anonymity

Encrypted message is like a sealed envelope. Anyone can still read the address (metadata)

Page 44: Threat Modeling: Planning Digital Security for your Story

Torproject.org

Page 45: Threat Modeling: Planning Digital Security for your Story

Tor Browser Bundle

Page 46: Threat Modeling: Planning Digital Security for your Story
Page 47: Threat Modeling: Planning Digital Security for your Story

Mobile Security
• Your phone
  • Is a location tracking device
  • Contains all your contacts
  • Is used for every form of communication
  • Stores a lot of information

Page 48: Threat Modeling: Planning Digital Security for your Story

Tell-All Telephone (zeit.de)

Page 49: Threat Modeling: Planning Digital Security for your Story

The Guardian Project

Page 50: Threat Modeling: Planning Digital Security for your Story

Silent Circle
• Commercial service
  • Secure mobile calls, video, texts
  • Can hand prepaid cards to sources

Page 51: Threat Modeling: Planning Digital Security for your Story

Legal Security
• In the U.S., the Privacy Protection Act prevents police from seizing journalists’ data without a warrant
  • If the data is on your premises
  • If it’s in the cloud, no protection!

Page 52: Threat Modeling: Planning Digital Security for your Story

Resources
• Committee to Protect Journalists information security guide
  http://www.cpj.org/reports/2012/04/information-security.php
• Jen Valentino’s Encryption and Operational Security for Journalists Hacks/Hackers presentation
  https://gist.github.com/vaguity/6594731
  http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all
• Threat modeling exercise
  http://jmsc.hku.hk/courses/jmsc6041spring2013/2013/02/08/assignment-6-threat-modeling-and-security-planning/