Jonathan Stray, Columbia University, Fall 2015. Syllabus at http://www.compjournalism.com/?p=133
Frontiers of Computational Journalism
Columbia Journalism School, Week 12: Privacy and Security
December 11, 2015
Laptop falls into Syrian govt. hands, sources forced to flee
AP source busted through phone logs
Open Network Initiative global filtering map -- opennet.net
From Protecting Consumer Privacy in an Era of Rapid Change, FTC, 2010
Journalism Security Disasters
• Hacked accounts and sites
  – AP
  – Washington Post, New York Times, etc.
• Sources exposed
  – Vice reveals John McAfee's location
  – AP phone records subpoena
  – Filmmaker's laptop seized in Syria
What Are We Protecting?
• Commitments to sources
• Physical safety
• Legal concerns
• Our ability to operate
• Our reputation
Holistic security (What "digital security" isn't)
The predominant digital security discourse takes little or no heed of the elements of personal, organisational or psychological security inherent to the establishment of an effective and cohesive security strategy.
The tendency, aggravated by time constraints and necessary technical skill-building, has been to treat digital security as a technical problem with technical solutions, and therefore to focus on a software or tool-centric approach, generally without due consideration of the wider organisational and personal necessity or impact thereof.
Meanwhile, practitioners focusing on the personal, organisational, and psycho-social well-being of HRDs must adapt to the implications of the rapid proliferation of digital tools and ICTs as an aspect of human rights defenders' work and personal lives.
- Towards Holistic Security for Rights Advocates, Tactical Tech
Digital Security strategies
• Basic security practice: simple things that protect against many threats.
• Threat modeling: discover and defend against specific threats
• Recipes: how to handle specific reporting situations
LinkedIn, from June 2012 breach
Gawker, from Dec 2010 breach
Two-Factor Authentication
• Something you know, plus something you have
Good Password Practice
• If you use the same password for multiple sites, your password is only as strong as the security on the weakest site.
• Don't use a common password. Avoid words in the dictionary.
• Use two-factor authentication
• Consider passphrases, and password management tools like OnePass
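To make the passphrase advice concrete, here is an added example that is not from the lecture: it generates passphrases and random passwords with the operating system's CSPRNG through Python's secrets module and compares the entropy of the common schemes. The word list is a constructed stand-in, and the 7776-word diceware size and the guessing rate are labelled assumptions.

```python
import math
import secrets
import string

# Constructed tiny word list for the demo; a real diceware list has 7776 words.
DEMO_WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "glacier", "harbor"]
DICEWARE_SIZE = 7776  # assumption: size of a standard diceware list
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a uniformly random string: positions * log2(choices)."""
    return positions * math.log2(choices_per_position)


def make_passphrase(words, n_words: int = 6, sep: str = " ") -> str:
    # secrets uses the OS CSPRNG; random.choice is predictable and must not be used here.
    return sep.join(secrets.choice(words) for _ in range(n_words))


def make_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate.
    1e10 guesses/s is a placeholder figure, not a measured one."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_schemes() -> dict:
    """Entropy of three schemes, each assuming uniform random choice at every position."""
    return {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "16 random printable chars": entropy_bits(len(PRINTABLE), 16),
        "6 diceware words": entropy_bits(DICEWARE_SIZE, 6),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years to exhaust")
    print("passphrase:", make_passphrase(DEMO_WORDS))
    print("password:  ", make_password())
```

The entropy figures only hold when the words or characters are chosen by the generator; a phrase a person picks from memory is a dictionary-style guess, not a random one, and the reuse point above still stands regardless of strength.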
Phishing
By far the most common attack. Send a message to a user tricking them into entering their password.
Typically directs users to a fake login page.
Protection: beware links that take you to a login page! Always read the URL after clicking a link from a message.
AP Twitter Hacked by Phishing
AP Phishing Email
The link didn't really go to washingtonpost.com!
Read the URL Before You Click!
Spear Phishing
Selected targets, personalized messages.
Syrian Facebook phishing
Arabic text reads: "Urgent and critical.. video leaked by security forces and thugs.. the revenge of Assad's thugs against the free men and women of Baba Amr in captivity and taking turns raping one of the women in captivity by Assad's dogs.. please spread this."
Chinese email spear-phishing
From FireEye blog post: "In August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests"
Defending Against Phishing
• Be suspicious of generic messages
• Read the URL before you click
• Always read the URL before typing in a password
• Report suspicious links to IT security
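As an added example, not part of the lecture, the checks below make "read the URL" mechanical: they pull the real hostname out of a link with urllib.parse and flag the tricks behind the AP incident above (display text naming a site the link does not go to, look-alike hosts, a user@ prefix that hides the real host, no HTTPS). The allow-list of trusted sites is a constructed assumption.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites the reader expects a link to go to.
TRUSTED_SITES = {"washingtonpost.com", "nytimes.com"}


def same_site(host: str, site: str) -> bool:
    """True for the site itself or any subdomain of it (www.site, mail.site), nothing else."""
    return host == site or host.endswith("." + site)


def link_warnings(display_text: str, href: str) -> list:
    """Return the reasons a link deserves suspicion; an empty list means it passed."""
    parts = urlsplit(href)
    # .hostname strips the scheme, any user:pass@ prefix, the port and the path,
    # leaving only the part that decides which server you will talk to.
    host = (parts.hostname or "").lower()
    text = display_text.lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append(f"not https (scheme is {parts.scheme or 'none'})")
    if parts.username is not None:
        warnings.append(f"user@ prefix: the real host is {host!r}, not {parts.username!r}")
    for site in sorted(TRUSTED_SITES):
        if site in text and not same_site(host, site):
            warnings.append(f"text mentions {site} but the link goes to {host!r}")
        if site in host and not same_site(host, site):
            warnings.append(f"look-alike host {host!r} contains {site} but is not it")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, modelled on the "didn't really go to washingtonpost.com" case.
    samples = [
        ("washingtonpost.com/story", "https://www.washingtonpost.com/world/story"),
        ("washingtonpost.com", "http://washingtonpost.com.login-check.example/"),
        ("Read the story", "https://washingtonpost.com@203.0.113.5/login"),
    ]
    for text, href in samples:
        print(href, "->", link_warnings(text, href) or "ok")
```

Note that the check is on the host part only: a path like `/washingtonpost.com/login` on another server proves nothing, which is exactly the mistake a quick glance at a long URL makes.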
Threat modeling
What do I want to keep private? (Messages, locations, identities, networks...)
Who wants to know? (story subject, governments, law enforcement, corporations...)
What can they do? (eavesdrop, subpoena... or exploit security lapses and accidents!)
What happens if they succeed? (story's blown, legal problems for a source, someone gets killed...)
What Must Be Private?
• Which data?
  – Emails and other communications
  – Photos, footage, notes
  – Your address book, travel itineraries, etc.
• Privacy vs. anonymity
  – Encryption protects the content of an email or IM
  – Not the identity of sender and recipient
Who Wants to Know?
• Most of the time, the NSA is not the problem
• Your adversary could be the subject of a story, a government, another news organization, etc.
What Can the Adversary Do?
• Technical
  – Hacking, intercepting communications, code-breaking
• Legal
  – Lawsuits, subpoenas, detention
• Social
  – Phishing, "social engineering," exploiting trust
• Operational
  – The one time you didn't use a secure channel
  – The person you shouldn't have told
• Physical
  – Theft, installation of malware, network taps, torture
Legal threat: NYT reporter investigated
What Are You Risking?
• Security is never free
  – It costs time, money, and convenience
• "How much" security do you need?
  – It depends on the risk
    • Blown story
    • Arrested source
    • Dead source
Threat Modeling Scenario #1
You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.
Threat Modeling Scenario #2
You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.
Threat Modeling Scenario #3
You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.
Threat Modeling Scenario #4
You are reporting on drug cartels in Central America. Previous sources and journalists have been murdered.
Encryption vs. Anonymity
An encrypted message is like a sealed envelope. Anyone can still read the address (metadata).
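An added example, not from the lecture, that shows the sealed-envelope point (and the "privacy vs. anonymity" bullet above) on constructed messages: PGP encryption hides the body, but From, To, Date and even Subject stay readable to every mail server on the path, and a metadata-only observer can still tally who wrote to whom without touching any cryptography. The messages and the armored block are constructed placeholders.

```python
import email
from collections import Counter
from email import policy

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample messages. The armored block is a placeholder, not real ciphertext.
CONSTRUCTED_MESSAGES = [
    """From: reporter@example.com
To: source-a@example.org
Subject: Re: the documents
Date: Fri, 11 Dec 2015 09:12:00 -0500

-----BEGIN PGP MESSAGE-----

hQEMAcONSTRUCTEDplaceholderCIPHERTEXT==
-----END PGP MESSAGE-----
""",
    """From: reporter@example.com
To: source-a@example.org
Subject: Re: meet Thursday?
Date: Fri, 11 Dec 2015 17:40:00 -0500

-----BEGIN PGP MESSAGE-----

hQEMAcONSTRUCTEDplaceholderCIPHERTEXT==
-----END PGP MESSAGE-----
""",
    """From: reporter@example.com
To: source-b@example.org
Subject: Coffee?
Date: Sat, 12 Dec 2015 08:05:00 -0500

Same place as last time?
""",
]


def envelope(raw: str) -> dict:
    """The headers every relay, mailbox provider and subpoena recipient can read."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {h: str(msg[h]) for h in ("From", "To", "Subject", "Date")}


def body_is_encrypted(raw: str) -> bool:
    """True when the body is a PGP armored block (content hidden, headers still not)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return msg.get_payload().lstrip().startswith(PGP_ARMOR)


def contact_graph(raws) -> Counter:
    """What a metadata-only observer learns: who wrote to whom, and how often."""
    return Counter((envelope(r)["From"], envelope(r)["To"]) for r in raws)


def exposed_subjects(raws) -> list:
    """Subject lines are headers, so PGP leaves them in the clear."""
    return [envelope(r)["Subject"] for r in raws]


if __name__ == "__main__":
    for raw in CONSTRUCTED_MESSAGES:
        print(envelope(raw), "encrypted body:", body_is_encrypted(raw))
    print(contact_graph(CONSTRUCTED_MESSAGES))
```

The subject line is the part people forget: a subject like "Re: the documents" on an otherwise encrypted thread tells a metadata observer almost as much as the body would.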
Data at Rest / Data in Motion
Securing Data at Rest
• How many copies are there?
  – The original file might be on your phone, camera SD card, etc.
  – What about backups and cloud syncing?
  – Use secure erase products
• Could "they" get a copy?
  – Hack into your network or computer
  – Walk into your office at lunch
  – Take your camera at the border
• If they had a copy, could they read it?
  – Use BitLocker (Windows), FileVault (Mac), LUKS (Linux)
  – Turn on device encryption for Android (iOS on by default)
File metadata
Photos, PDFs, documents all have hidden info in the file
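As an added example (not from the lecture), a small standard-library-only JPEG segment walker that lists and removes the Exif (APP1, which can hold GPS coordinates, camera serial number and a thumbnail of the original), Photoshop/IPTC (APP13) and comment segments before a photo is sent out. The sample file is constructed in the code and is not a decodable picture; it only has the segment layout a real JPEG has.

```python
import struct

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
# Segments that carry metadata rather than picture data. APP0 (JFIF header) is kept because
# decoders expect it; APP2 (ICC colour profile) is kept so colours survive.
STRIP = {APP1, APP13, COM}


def segments(data: bytes):
    """Yield (marker, start, end) for each marker segment up to the SOS; the final tuple
    covers the SOS and everything after it (entropy-coded scan data and EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == SOS:
            yield marker, i, len(data)
            return
        length = struct.unpack(">H", data[i + 2:i + 4])[0]  # length includes its own 2 bytes
        yield marker, i, i + 2 + length
        i += 2 + length
    raise ValueError("no SOS segment found")


def metadata_segments(data: bytes) -> list:
    """Markers of the metadata-carrying segments present in the file."""
    return [marker for marker, _, _ in segments(data) if marker in STRIP]


def strip_metadata(data: bytes) -> bytes:
    """Copy the file, dropping the metadata segments and leaving picture data untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in segments(data):
        if marker not in STRIP:
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG-shaped file (not a decodable picture): JFIF header, an Exif APP1
# segment with a made-up GPS string, a comment, then a stub scan and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"GPS 00.000N 000.000E (constructed)")
    + _segment(COM, b"Camera owner: constructed name")
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)


if __name__ == "__main__":
    print("before:", [hex(m) for m in metadata_segments(SAMPLE_JPEG)])
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", [hex(m) for m in metadata_segments(cleaned)], len(SAMPLE_JPEG), "->", len(cleaned))
```

Exif is only one container: PDFs keep author and producer fields, and Office files keep revision history and sometimes tracked changes, so for real work use a dedicated tool such as exiftool or mat2 on every file type and then re-check the output, since a "cleaned" file that still carries a thumbnail of the original is the classic failure.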
Legal Security
In the U.S., the Privacy Protection Act prevents police from seizing journalists' data without a warrant... if you're the one storing it.
Third party doctrine: if it's in the cloud, no protection!
Surveillance Law: the U.S. situation
Do you need a warrant to see who I called? Nope. Supreme Court, Smith vs. Maryland, 1979 controls "metadata."
Do you need a warrant to read my email (or IM, etc.)?
– Electronic Communications Privacy Act (1986): not if it's older than 180 days
– Department of Justice manual: no, if it has been "opened"
– U.S. v. Warshak, Sixth Circuit (2010): yes
– Proposed bill in Congress (Dec 2015) would require a warrant
Do you need a warrant to track someone through their phone? ACLU FOIA of 200 police departments: some say yes, some say no. U.S. v. Jones (2012), Supreme Court: can't put a GPS on someone without a warrant. But doesn't mention the GPS in our phones.
Do you need a warrant to look at the data on my phone after an arrest? Yes. Supreme Court said so in 2014, Riley vs. California.
"In the first public accounting of its kind, cellphone carriers reported that they responded to a startling 1.3 million demands for subscriber information last year from law enforcement agencies seeking text messages, caller locations and other information in the course of investigations."
- Wireless Firms Are Flooded by Requests to Aid Surveillance, New York Times, July 8, 2012
Google Transparency Report
Twitter, Facebook have similar. But what about Snapchat? Sina?
Securing Data in Motion
• Where does your data physically go between source and destination?
• Which links are encrypted?
• Tools you should know
  – iMessage, Signal: secure text, calls
  – CryptoCat — Easy OTR through your browser
  – Tor — Anonymity
  – SecureDrop — Anonymous submission
  – PGP — Secure email
  – OTR — Off-the-record messaging protocol
SSL
Aka, HTTPS.
Depends on a system of root certificate authorities (CAs) that generate certificates (cryptographically sign keys) for sites that use HTTPS.
Browsers have CA keys built in, so they can verify that a site has a valid signed key.
Works great, except that certificate authorities can be hacked, and we must expect that most states can easily obtain a signed certificate for a site and use it in an interception proxy.
Real MITM attacks
Mobile Security
• Your phone
  – Is a location tracking device
  – Contains all your contacts
  – Is used for every form of communication
  – Stores a lot of information
Tell-All Telephone (zeit.de)
Some digital security tools
iMessage
End-to-end encrypted. Encrypted on the device. Apple claims they do not have a backdoor.
Ongoing court case vs. FBI
Signal (Open Whisper Systems)
Free app for iOS and Android. End-to-end encrypted chat, voice. OWS claims the server does not save your address book.
Torproject.org
Tor Browser Bundle
The Guardian Project
Silent Circle
• Commercial service
  – Secure mobile calls, video, texts
  – Can hand prepaid cards to sources
Securing your computer
Really only two choices against an advanced adversary:
• Buy a new computer, never put it on any network
• Use a secure operating system like TAILS
Both approaches assume no one has tampered with the hardware (perhaps installing a hardware keylogger?)
Security = Model + Tools + Habits
There is no tool in the world that will save you from:
• not protecting against the right threats
• bad passwords
• gullibility (phishing scams, social engineering)
• misunderstanding the security model that your practice depends on
• not doing the secure thing every time
• offline security breaches / physical coercion
From Allen Dulles' 73 Rules of Spycraft
Case study: leaked Cables
Julian Assange gave a password and a temporary URL to Guardian reporter David Leigh.
Leigh downloaded the file in encrypted form from the temporary URL.
Leigh decrypted the file and reported on the contents.
...but later, all the cables were available publicly, which is not what either Assange or Leigh intended.
The Plan
[Diagram: Assange encrypts the message M into E, and sends Leigh the password and a temporary URL; Leigh fetches E from the URL and decrypts it with the password to recover M.]
What Assange was thinking
[Same diagram, with the copy of E marked "???".]
What Leigh was thinking
[Same diagram, with one element marked "???".]
What actually happened
[Same diagram, marked "!!!": E is also present in the WL Archive, so together with the password it yields M.]
Basic security practice, in short
Use real passwords
Understand and be alert for phishing
Know where your data is and where it goes
Keep your software up to date
Understand technical, legal, social, physical threats
Have a plan, make security a practice
Resources
Threat modeling for journalists: https://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/
Digital security training best practices, suggested curriculum: https://www.level-up.cc/about
Committee to Protect Journalists information security guide: http://www.cpj.org/reports/2012/04/information-security.php
Encryption and Operational Security for Journalists, Hacks/Hackers presentation: https://gist.github.com/vaguity/6594731 and http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all