Cyber security for journalists


  1. Cyber Security For Journalists
  2. What will you do if Edward Snowden reaches you? You may not be currently reporting on sensitive topics involving government leaks. But what if a source contacts you with the promise of a big story and insists on encrypted communication? It happened to Glenn Greenwald, Laura Poitras, and Barton Gellman, the team approached by Edward Snowden. Tor for anonymous browsing, Adium (for Macs) and Pidgin (for PCs) for secure IM conversations, and then a combination of Thunderbird, Enigmail, and PGP/GPG keys for a good, basic start on sending and receiving encrypted email. Cryptocat, for encrypted group chats, TrueCrypt, which encodes and password-protects files on your computer, and CCleaner, which cleans up your computer by deleting temporary files and overwriting deleted files to make them harder to recover. Source: https://archives.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php
  3. Password: We must also remember not to use the same passwords for different services, as well as to choose a secure password, which will not be fragments of words, and will be a combination of letters (upper and lower case), numbers and special characters. A mnemonic technique is a good example. Select verses from your favorite songs and build a password from them, for example: “My coat of many colors that mama made for me” converts to an easy-to-remember password, “Mcomctmmfm”. Add a number in the middle and a special character on the end and you have a reasonably strong password: Mcomc5tmmfm&.
  4. VPN: virtual private network (VPN). Everyone must choose the one that suits them (a good price is approx. $2–5 per month, but a variety of factors influence the price; here is a list of over a hundred VPNs, and here, in turn, is the best VPN by PCMag for 2016). But you must note that some VPN services (e.g. the popular “Hide My Ass”) keep logs in case they need to provide information to government agencies. We use CactusVPN (due to the combination of price, the ease of installation, as well as the availability of a mobile phone free of charge). We can also recommend VyprVPN or PureVPN.
  5. BitLocker (Windows), FileVault (MacOSX): BitLocker and FileVault are lazy solutions. A better alternative is the free and open-source program VeraCrypt (for Windows, MacOSX, Linux). When you’re using external disks, make sure to encrypt them as well. We know security experts who appreciate the paid Symantec Drive Encryption. For convenient encryption of individual files, you can use the free AxCrypt. Especially if you do not use encryption, you should at least use a program for secure deletion of data, for example Eraser. A note on phones: iPhones have encryption enabled by default, while Android does so only on some phones (e.g. Nexus 6 and later), so you need to check whether the option is enabled in
  6. Tools for secure file transfer, storage and chat:
     ● CryptoCat: Plug-in for Chrome, Safari, Firefox, Opera, and an iOS app. It allows you to transfer files in a secure way; in the future they will also offer integration with Facebook chat.
     ● SpiderOak: serves as a secure drive that uses cloud computing, but it is, unfortunately, a paid service since last year (60 days free, using 2GB).
     ● Viivo: a program to encrypt files in the cloud.
     ● Signal: This is a chat application similar to WhatsApp for Android and iOS. The app replaces the default program for SMS and enables a safe way to make phone calls. Everything is encrypted on the client side, on your phone itself. In other words, as opposed to a regular phone, one cannot easily overhear conversations or the content of text messages, as long as both parties have installed Signal. Signal is very easy to use, has a clean interface, and the code is open-source and subject to audits; the only drawback is that they have a central server. You can avoid that risk by also using Orbot (see below) or a VPN. The beta version is also available on desktop.
     ● Orbot: This is an app specifically for Android. The program allows the channeling of some apps through the Tor network.
  7. Mobile apps:
     ● App Ops: Application for Android which allows you to downgrade rights for specific apps on your phone.
     ● AppLock: Application for Android that allows additional protection by locking apps with a password.
     ● Orfox (Android) or Onion Browser (iOS): This is a browser for Android, directing traffic through the Tor network, blocking scripts and forcing an https connection when possible. Definitely recommended, but still in the development phase (so it sometimes has annoying shortcomings). For iPhone owners: Onion Browser (paid iOS app, $0.99).
     Source: https://medium.com/thoughts-on-journalism/defense-against-the-dark-arts-385aff5ed2f2
  8. The basics
     1. Install anti-virus software on your computer. If you have a new computer, install the anti-virus before connecting online to minimise your chance of catching a virus.
     2. Firewall: Installing anti-virus software is not enough. The firewall is a stronger layer of security that you need for protection. Install software to reinforce your firewall protection.
     3. Don’t use pirated software. If you cannot afford licensed software, there is a lot of open-source software out there that you can download and use safely.
     4. If you are using a public computer or cannot guarantee that the computer is virus-free, you can opt for a USB flash drive. You will not leave any trace of your work on the computer.
     5. Use a secure password. The longer and more complicated the password, the harder it is for a hacker to break in. Use at least 12 characters in your password, mixing letters, symbols and other characters. Don’t use the same password for everything. If you don’t have an elephant’s memory, you can use KeePass to store passwords securely. But remember to keep your master password for KeePass strong.
     6. DETEKT who has been spying on you. If you want to know whether you are being spied on, you can download the free tool “Detekt” to scan your Windows computer for traces of common spyware such as FinFisher and Hacking Team RCS, commercial surveillance spyware that has been identified as also being used to target and monitor human rights defenders and journalists around the world.
  9. Data management: How to delete, recover & encrypt your data?
     1. Deleting your data: You think that by clicking the “delete” button, your file will be deleted forever? The answer is “no”. The file you deleted can still be recovered even though it may no longer be visible. It is still somewhere on your computer or USB stick. In order to delete your file permanently, you can download free software (such as CCleaner) that allows you to do so.
     2. Recovering your data: However, journalists can use this to their advantage. If you are ever forced by the authorities to delete your photograph, you can do so with the assurance that you can retrieve your photo when you get back to the office or home. All you need is the software (such as Recuva) to do that. But if the hard drive is severely damaged (by fire), the data inside may not be recoverable.
     3. Delete / manage your metadata because it tells people a lot about you and how the file was created. If you do not want to remain anonymous or protect your sources, keep the metadata for yourself.
  10. Data management: How to delete, recover & encrypt your data?
     1. Create a secured data back-up. You should always have a back-up of your important data, but use a secured back-up. If you don’t want to carry sensitive data around when travelling, you should store your data in a secured drive (such as Mega.co.nz) that you can access wherever you go. Before storing your data in a remote drive or cloud, take one more security step and encrypt it.
     2. Encrypting your data. You can download free software (such as Boxcryptor) that encrypts data before you send it or store it in a cloud. To encrypt your files and prevent others from accessing them on your computer, you can use TrueCrypt. This allows you to create a “secret vault” on your computer which is only visible to someone who knows the password and the location of the file on your computer. You don’t need to know about encryption or coding; all you need to do is follow the simple steps of the software.
     3. What if I am forced to give away my password for the encrypted file? If you are ever in an extreme situation in which you have to reveal your password to the authorities, you should take this last but important step to protect your sources or sensitive data. You can create “a hidden vault” within the “secret vault” in TrueCrypt, so that your “secret vault” becomes a disguise in case you ever need to reveal its password. In this case, you can reveal the password to the authorities to give them access to your “secret vault”, but the real secret or sensitive data are stored in the “hidden vault” within the “secret vault”, which has a different password. Put the real sensitive content in the “hidden vault”, but be aware that you should put seemingly sensitive content in the “secret vault” that you will give the authorities access to, so that they don’t suspect you and start looking for something else.
  11. Protection measures about communications on the internet…
     1. Encrypt your email messages. You can download web-based software (such as Mailvelope) to encrypt your emails so that no one (apart from yourself and your recipient) can read your messages. But this will require the recipient of your email to take the same measure. This software is only for web-based email and it cannot encrypt files attached to the email. For a step-by-step tutorial on how Mailvelope works, please watch the video HERE. To encrypt files, you can use the GPG encryption programme.
     2. Securing instant messaging and audio/video conversations. The most popular instant messaging and audio/video platforms (such as Skype, Facebook chat, Google Hangout, etc.) that are owned by big corporations no longer provide the absolute privacy and anonymity you want. If you want to communicate sensitive information, you should use peer-to-peer online instant messaging and audio/video conferencing platforms (such as Cryptocat, meet.jit.si, talky.io, Whispersystems, etc.). If you want to find more secure messaging platforms, you can visit the Electronic Frontier Foundation, which has listed all the latest secure messaging and audio/video conferencing platforms (see the list of resources below).
     3. If you think that it is only in science fiction that you have to put your mobile phone in the fridge in order to prevent prying ears, then you are wrong. Our mobile devices can be switched on remotely and used as spying tools. We cannot remain anonymous using our mobile phones because the same network that provides you with internet access also provides you with mobile communications. The ISP can locate you even though your mobile phone is not switched on. In many countries, you are required to provide your ID in order to buy a SIM card. What happens if you want to use your mobile phone and remain anonymous? There are some devices and applications (see the resources below) which provide you with a certain degree of security for your mobile communications. For example, WhisperSystems is an application for smartphone users to make private calls without their identities or location being revealed.
  12. Bypassing censorship and staying anonymous
     1. How to bypass internet censorship? In countries where internet censorship is a common practice to oppress the media or critical voices, access to information or communication can be a problem for journalists and human rights activists. There are ways to bypass internet censorship that come at a very small price. You can rent a virtual private network (VPN) that will encrypt and redirect all your traffic from your computer to that VPN. However, this does not prevent your ISP or the government from noticing that you are using a VPN that is located at the other end of the world. But what they cannot do (thus far) is block the VPN connections.
     2. Using a temporary email service to remain anonymous. If you want to avoid spam or don’t want to give your real email address to strangers, you can use a temporary email service (such as GuerrillaMail or Mailinator) to remain anonymous. The service provides you with a unique email address that you can dispose of.
     3. Private browsing. Cleaning your cookies and internet history is not enough. If you want to minimise the chance of internet surveillance, you can use Tor Browser so that no one can see what sites you have visited or track down your location. It will also allow access to websites not available to normal browsers.
  13. General guide on cyber security
     1. https://securityinabox.org
     2. https://www.level-up.cc
     3. http://saferjourno.internews.org/pdf/SaferJourno_Guide.pdf
     4. https://learn.equalit.ie
     5. Passwords storage software: http://keepass.info
     6. Secured back-up server: http://mega.co.nz
     7. Email encryption: https://www.mailvelope.com/
     8. Electronic Frontier Foundation: https://www.eff.org (you can check out the EFF secure messaging scorecard with a list of secured platforms)
     9. Secured mobile communications application: https://whispersystems.org/
     10. https://europeanjournalists.org/blog/2015/01/22/cyber-security-training-for-journalists/
  14. Investigative Journalists: Email
     ● If you travel to a country known for spying on the media, don’t rely on an email provider based there.
     ● At home, use a secure provider – you can tell if your email is secured by looking for the “https” in the address bar. Gmail is secure by default, while Yahoo and Facebook settings can be adjusted. Why? If you use a free wireless network, anyone can tap into your screen with a simple and free software program. That’s a problem if you’re communicating with a source. It’s as if you were in a busy public place having a conversation with a confidential source, Guerra explained, “but you’re both screaming.”
     ● Don’t assume your employer is protecting your account. Ask your technology desk about what precautions it takes, and consider getting a personal account from Google or Yahoo over which you have control.
  15. Passwords and the Two-Factor Login: If you have Gmail, everyone knows your User Name. So a hacker only needs your password. An obvious first step is using a more complex password. There are guides to creating stronger passwords listed below. Also, for more sensitive interactions, Gmail, Twitter, and Facebook have added an additional – optional – layer of protection – the two-factor login. When you activate the two-factor login, and enter your password, the account sends a text message to your phone, providing you a unique authentication code you must enter before accessing the account.
  16. Log In Settings: Establish multiple user accounts on your computer, including at least one user account in addition to the default administrator account. Make sure the second account has no administrative privileges, then use that login for your daily work. Then if malware tries to install automatically, the computer will alert you with a message requiring the administrator password.
  17. Malware
     ● Beware of suspicious attachments, keep your programs updated, and install a good antivirus program. Usually programs you buy will provide greater protection.
     ● Watch for emails from groups or people you might know, but which seem slightly off – small grammar changes or odd punctuation.
     ● Mac users, avoid being lulled into a false sense of security.
     ● Outdated computers without security patches can put you at greater risk. Guerra describes some useful specific tools here (English and Spanish).
  18. When Something Goes Wrong: Make noise if your computer starts acting wacky. Reach out to one of the nonprofit groups dedicated to detecting and tracking attacks and training users. They include:
     ● Access Now runs a 24/7 Digital Security Helpline available in seven languages.
     ● The Committee to Protect Journalists, based in New York, advocates on behalf of reporters around the world and fields requests for assistance.
     ● Reporters Without Borders, based in Paris, does similar advocacy as CPJ.
     ● The Citizen Lab at the University of Toronto, researches Internet security and human rights.
     ● https://gijn.org/digital-security/
