DIGITAL SAFETY FOR JOURNALISTS IN YEMEN
Published in 2017 by the United Nations Educational, Scientific and Cultural Organization
UNESCO GCC and Yemen Cluster Office
Doha, Qatar
© UNESCO 2017
This document is available in Open Access under the Attribution-ShareAlike 3.0 IGO (CC-BY-SA 3.0
IGO) license (http://creativecommons.org/licenses/by-sa/3.0/igo/). By using the content of this
publication, the users accept to be bound by the terms of use of the UNESCO Open Access
Repository (http://www.unesco.org/open-access/terms-useccbysa-en).
The designations employed and the presentation of material throughout this publication do not
imply the expression of any opinion whatsoever on the part of UNESCO concerning the legal status
of any country, territory, city or area or of its authorities, or concerning the delimitation of its
frontiers or boundaries.
The ideas and opinions expressed in this publication are those of the authors; they are not
necessarily those of UNESCO and do not commit the Organization.
This publication was made possible under a contribution by Finland.
Table of Contents
DIGITAL SAFETY
MANAGING THREATS AND LIMITING RISK
COMMON THREATS AND RISKS FACING JOURNALISTS WORLDWIDE
COMMON THREATS AND RISKS FACING YEMENI JOURNALISTS
PREPARE TO BE SEARCHED
HOW-TO CREATE & MAINTAIN SECURE PASSWORDS
TOOL: KEEPASS TO MANAGE YOUR PASSWORDS
HOW-TO KEEP SENSITIVE FILES SECURE: ENCRYPTION
HOW-TO DELETE DATA SAFELY
BROWSING INTERNET SECURELY
RECOMMENDED VPNS:
EMAIL ENCRYPTION: PROTECTING SENSITIVE COMMUNICATIONS
HOW-TO SECURELY CHAT: INSTANT MESSAGING THE SAFE WAY
HOW-TO HANDLE MALWARE
HOW TO: AVOID PHISHING ATTACKS
HOW TO USE AN ANDROID SMARTPHONE SECURELY
GENDER DIMENSIONS IN THE DIGITAL AGE
CONCLUSION
OTHER SOURCES AND REFERENCES
RECOMMENDED TOOLS AND APPS
DIGITAL SAFETY

When we talk about digital safety, we are talking about taking steps to reduce access to information you want to keep private, or only make accessible to specific people. This could be information stored locally on an electronic device, or online. The information could be related to your personal life, your work or details about your sources or colleagues.

There is no single solution for keeping yourself safe online. Digital security is not about which tools you use; rather, it is about understanding the threats you face and how you can counter them. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you are located, what you are doing, and whom you are working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.

As conflicts and wars continue, the risks facing journalists are increasing. Reports show that several journalists have been arrested, killed or abducted in Yemen. The Committee to Protect Journalists, amongst many other organizations, has classified Yemen as one of the most dangerous places for journalists. In a context where violence against the media is on the rise, there are specific implications and risks for female journalists. These guidelines address gender-specific responses to these risks.

Multiple parties in the conflict are using hacking and surveillance techniques, and journalists are an all-too-common target.
MANAGING THREATS AND LIMITING RISK

Our risk assessment and strategies for staying safe should not relate only to our 'digital lives' but should, of course, also include our personal, physical, organizational and emotional security.

Your equipment and online activity can be great for getting work done. However, they also bring risks. Digital security requires both advance planning and regular assessment of what you are doing and why. Much of it has to do with habits and simply thinking about what your tools do and how they handle the information you are either sending or receiving.

When conducting an assessment, there are six main questions you should ask yourself:

What do you want to protect?
Who do you want to protect it from?
How likely is it that you will need to protect it?
How bad are the consequences if you fail?
How much trouble are you willing to go through in order to try to prevent those?
Are there specific risks if I am a male or female journalist?

When we talk about the first question, we often refer to assets, or the things that you are trying to protect.

An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets.

Write down a list of data that you keep, where it is kept, who has access to it, and what stops others from accessing it.

In order to answer the second question, “Who do you want to protect it from?” it is important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network.

Threats can also be environmental, or structural in nature. Examples of such threats may include data loss due to a power outage, or natural disaster.

Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

A threat is something harmful that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.

Write down what your adversary might want to do with your private data.

The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Be aware of gender-specific risks you might be exposed to and how to mitigate them.

While journalists may face the same types of threats due to their professions, there are gender-specific online threats every journalist should be aware of, in order to better protect him or herself. Female journalists may be faced with online harassment which could, in turn, lead to physical violence. Please refer to the chapter “Gender Dimensions in the Digital Age” on page 27 of these Guidelines to learn more about risks and mitigation strategies for female journalists.
COMMON THREATS AND RISKS FACING JOURNALISTS WORLDWIDE

Digital attacks, as well as others, occur at great cost to journalists and their networks as well as to freedom of expression, generally speaking. A report prepared by UNESCO on “Building Digital Safety for Journalism”¹ identified 12 main (and often overlapping) threats facing media actors in today’s technological environment:

¹ http://unesdoc.unesco.org/images/0023/002323/232358e.pdf

Surveillance and mass surveillance

Surveillance, as the monitoring, interception, collection, preservation and retention of information that has been generated, stored and relayed over communications networks, is one way actors seek to monitor information. Surveillance technologies are diverse and can include location tracking, deep packet inspection, facial recognition systems and mass monitoring. Bulk interception methods for voice, SMS, MMS, email, fax and satellite phone communications also exist.

Software and hardware exploits without the knowledge of the target

Surveillance technologies developed by commercial entities have been found on networks in many countries and reportedly have been used to target individual journalists and activists. Entities can also target journalists for surveillance by installing a physical ‘bug’ or a hidden microphone on a journalist’s communications devices or person. ‘Pen registers,’ which record the phone numbers dialed in outgoing calls, and ‘trap and trace devices’ that record numbers on incoming calls could also be used to capture the metadata of journalists’ communications. Other times, journalists may be targeted via their location data.

Phishing attacks

Targeted ‘phishing’ or ‘spearphishing’ campaigns often use links or attachments laden with malware that are sent via email or social media. If these are clicked on or downloaded, Remote Access Trojans (RATs) allow the attacker to gather anything they want on the compromised computer. Other times, these attacks take the guise of a fake domain (website). The site silently collects account information that the journalist enters on the site, thinking that it is legitimate.

Fake domain attacks

Fake domain attacks usually fall into two categories: 1) they inject malware, or 2) they provide fake content that attacks the credibility of the news organization or journalist. In a fake domain malware attack, the fake domain copies the existing content from the targeted website and serves injected malware to visitors of the fake website.
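
A defender-side check for the fake-domain pattern described above, as an added example that is not part of the original guide: it compares a link's hostname with the domains a newsroom actually uses and flags near-matches before anyone enters a password. The domain names, the distance threshold and the function names are assumptions made for illustration.

```python
"""Flag link hostnames that imitate a trusted domain (added example)."""
from urllib.parse import urlsplit

# Assumption: the domains a newsroom really uses (constructed placeholders).
TRUSTED = ("example-news.org", "mail.example-news.org")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Return 'trusted', 'unknown', 'invalid' or 'suspicious: <reason>'."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact match, or a subdomain of a trusted domain.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    # Look-alike letters from other alphabets appear as non-ASCII or xn-- labels.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious: internationalised hostname"
    for t in trusted:
        # The real name used as a prefix or fragment of somebody else's domain.
        if t in host:
            return f"suspicious: {t} embedded in another domain"
        # Assumption: single-label TLDs; a full check would use the Public Suffix List.
        if host.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            return f"suspicious: {t} under a different top-level domain"
        # One or two characters swapped, added or dropped.
        if edit_distance(host, t) <= max_distance:
            return f"suspicious: resembles {t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://example-news.org/article",
                 "https://examp1e-news.org/login",
                 "https://example-news.org.account-verify.net/login",
                 "https://example-news.com/"):
        print(f"{classify(link):60} {link}")
```

An "unknown" verdict only means the hostname does not imitate a listed domain; it says nothing about whether the site is safe.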

Man-in-the-middle (MitM) attacks²

A MitM attack occurs when attackers insert themselves, or their technology, in between a user and a target site. During a MitM attack, the attacker can silently obtain information from both sides and even change the content without either the user or the target knowing. Their exchange continues while the man in the middle watches.

² A Man-in-the-Middle attack is the technical term for a specific type of digital attack. Though the term isn’t gender-sensitive, it is the generally accepted name for these types of attacks online.

Denial of Service (DoS) attacks & DDoS – distributed denial of service

A DoS attack is when one computer and one Internet connection are used to flood a server with packets with the intention of overwhelming the site and making it inaccessible to others. Another type of DoS attack is a distributed denial of service attack (DDoS), which utilizes a number of computers and connections, often distributed around the world, to attack a computer and overload websites to make them inaccessible.

Website defacement

A common tactic involves using Man-in-the-Middle attacks to compromise legitimate user accounts. Alternatively, an attacker might exploit vulnerabilities in the website’s web server software.

Compromised user accounts

User accounts, such as for email, social media or Skype, can be compromised in a variety of ways. A phishing attack may install malware on a journalist’s device that uses keylogging software, which can capture passwords as the journalist is typing his or her login information. An attacker can also use a fake website, and after the user puts in his or her login information, the attacker can then use it to access the real website, without alerting the user.

Intimidation, harassment and forced exposure of online networks

Sometimes journalists are intimidated into giving up their digital account information. For example, authorities might detain or threaten a journalist, forcing him or her to divulge passwords to their social media and/or email accounts. Journalistic actors sometimes share passwords with colleagues so if they are arrested, colleagues can log in and remove information that might be enough to detain someone under strict freedom of expression laws.

Disinformation and smear campaigns

Smear campaigns involve many different intimidation tactics that are often both online and offline. Such tactics include setting up fake websites where disinformation can live online, or intimidating a journalist with compromising photos or videos and then spreading them online. Other times, attackers choose to clone a website to confuse readers and threaten the credibility and legitimacy of a news organization.

Acts of harassment and threats of violence against women journalists online are on the rise. Female sources also face increased risks when acting as whistleblowers or confidential informants.

Confiscation of journalistic work product

In an increasingly digital environment where journalists store vast amounts of information on portable devices such as laptops and mobile phones, journalists’ confidential sources and information are at risk. These devices contain rich information and data that can reveal sources’ names and contact information and put people in danger.

Data storage and mining

The process of data mining is understood as the practice of searching through large amounts of computerized data to find useful patterns or trends. For example, it can be used to pinpoint journalists’ probable sources. There are cases where data, including mobile phone locations and traffic data, stored under a country’s data retention laws have allegedly been accessed to compile lists of high-profile journalists’ sources.

* Text and visuals on this page are taken from UNESCO’s Building digital safety for journalism: a survey of selected issues
COMMON THREATS AND RISKS FACING YEMENI JOURNALISTS

Arrest or being searched

Digital security is not just something that happens online. You carry around with you devices full of data about yourself, your work and your contacts. These will be in your mobile, laptop computer, camera, external hard drives and USB sticks, SIM cards, SD cards and so forth. Multiple threats emerge should these be taken from you. Manage the threat by preparing for the possibility of being searched or having your equipment seized, and know how to encrypt, hide and delete your sensitive data safely.

Personal Accounts Hacking

Social media websites can be popular and fast ways to communicate, but they are also heavily targeted by hackers and adversaries interested in learning more about you or some of your contacts. It is important to know how to create strong passwords, and to know the privacy and security settings for every website you are using.

Malware

As a journalist, you are in contact with various individuals and groups who themselves could be targets. Various groups will also be interested in accessing your communications or digital files to find out your contacts and networks and target them. They may target you with multiple kinds of malware, including spyware. You have to know how to protect your devices from malware and phishing attacks.

Surveillance

Anyone monitoring your online or mobile traffic can access all the information you are sending and receiving, with whom, and when. Do you need to limit knowledge of the content of your conversations or the identities of the people having them? Is it a conversation you should have in person? Protect yourself, your sources and your data by understanding how to secure your web browsing, e-mail encryption, and chatting safely.

Geo-tracking

Most likely, your mobile phone is (and your computer could be) revealing your location, which makes it easy to target you physically later. The types of physical attacks resulting from online geo-tracking may vary for men and women journalists, ranging from (but not limited to) harassment and sexual violence for women journalists to kidnapping and assaults for male reporters. Ensuring your computer or mobile phone doesn’t reveal your geographic location can help.

PREPARE TO BE SEARCHED

There are a lot of situations in which Yemeni journalists may find their digital equipment searched or confiscated. So get rid of unnecessary content and encrypt the important stuff.

If you go through a security or a military checkpoint, you might be asked to submit your mobile phone or laptop for inspection.

Always back up your important data on an external storage device and do not bring it with you. Delete any sensitive data from your mobile. It is better to avoid keeping any multimedia files of this sort on your devices, especially if it is unnecessary for your media work.

If you have multimedia files (videos, pictures, etc.) on your devices about only one side of the conflict, delete these files before travelling to the other side's area.

Several people have reported that they were asked by security personnel to “access their Facebook accounts” when passing checkpoints. If it is possible, keep your life, work and thoughts off your Facebook account.

Consider preparing a “harmless” Facebook account that does not contain any sensitive content. Fill it with pictures of flowers, or any public data.

If the nature of your work forces you to carry private information with you, perform certain steps in order to hide the files in your devices, or save them in unusual places. Remove the memory cards and replace them with safe ones. Move the files or images to a hidden folder inside the operating system on your computer, and then change the file names.

If you do not want to keep files on your devices while moving, and do not have an external hard drive, then encrypt the files on your computer and upload them to the Internet in order to download and decrypt them later.

Be ready to delete some materials. If you think you can do it securely, take some time and delete your browsers’ history and favorites, and delete any multimedia files or applications on your mobile phone or other devices that might reveal information you do not wish to be detected.

Here you have to recognize the situation in your surroundings. It is generally better not to leave any data on your devices.

Secure communication defences are particularly necessary for female journalists and sources, to ensure that their movements are not tracked and their sources’ identity remains confidential.

HOW-TO CREATE & MAINTAIN SECURE PASSWORDS

Strong passwords are probably the most fundamental element of computer security. We use passwords to protect our computers, online accounts and encrypted data. A few simple habits can protect your passwords and prevent them from being discovered.

Below are our eleven recommended tips for creating and maintaining secure passwords:

1. Long:
Make your password at least 14 characters long, if possible. Short passwords are easily broken by readily available programs.

2. Complex:
Use numbers, lower- and upper-case letters, punctuation and special characters. This significantly increases the difficulty of breaking your password.

3. Random:
Avoid common patterns and dictionary words. Passwords consisting of words are easier to break, as are passwords with number sequences like 1234.

4. Impersonal:
Avoid using personal information in the password. Do not use phone numbers, birthdays, hometowns, etc. These passwords can be broken by people who have your personal information. Also, a discovered password that is personal could reveal your identity.

5. Memorable:
Create a password you can remember. Writing a password on a piece of paper or in a computer file creates a security risk. Use a mnemonic to make long and complex passwords that are easy to remember:
Example: [email protected]?
You Get 3 wishes today at 4PM. What are your 3 wishes?

6. Secret:
Passwords should not be given out easily. In general, passwords should not be shared. However, in the case of arrest, it is a good idea to have someone (optimally outside of the country) who is able to change your passwords quickly.

7. Unique:
Do not use the same password for multiple accounts. Reduce the potential damage of password discovery by using different passwords for different accounts. This way, if your Facebook password is discovered, the perpetrator will still not have access to your email, computer, etc.

8. Changing:
Create new passwords regularly. Reduce your risk by changing your passwords regularly, particularly if you use internet cafes or computers other than your own. However, fresh but easily breakable passwords are more dangerous than a very secure password that you maintain.

9. Hidden:
Never send your password in plain text. Only use your password with a secure protocol. Make sure it is never being sent over a network as plain text.

10. Check the password recovery method:
Many sites use password recovery tools; make sure this recovery is secure. An easy recovery question is as bad as an easy password.

11. Be wary of directly typing your passwords on a public computer.
Keyloggers record anything typed on the computer and passwords are easily retrieved. Keyloggers are common in internet cafes, but can also be installed on your computer by a virus.
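
The first four tips (long, complex, random, impersonal) can be checked mechanically. The following is an added example, not part of the original guide, that audits a candidate password against them and generates a random one that passes; the word list, the sequence patterns and the function names are assumptions made for illustration.

```python
"""Check a candidate password against tips 1-4 above (added example)."""
import secrets
import string

MIN_LENGTH = 14  # tip 1: at least 14 characters
# Assumption: a tiny constructed word list; a real check would load a large one.
COMMON_WORDS = ("password", "welcome", "journalist", "letmein", "freedom")
# Runs whose fragments count as a pattern (tip 3); the keyboard row is an assumption.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters of a known sequence appear,
    forwards or backwards (1234, dcba, qwer ...)."""
    low = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def audit_password(password: str, personal=(), words=COMMON_WORDS) -> list:
    """Return the list of tips the password violates (empty list = passes)."""
    problems = []
    low = password.lower()
    if len(password) < MIN_LENGTH:                      # tip 1
        problems.append("too short")
    classes = (str.islower, str.isupper, str.isdigit,
               lambda c: c in string.punctuation)
    if not all(any(test(c) for c in password) for test in classes):  # tip 2
        problems.append("missing character class")
    if any(w in low for w in words):                    # tip 3
        problems.append("dictionary word")
    if has_sequence(password):                          # tip 3
        problems.append("sequence")
    if any(p and p.lower() in low for p in personal):   # tip 4
        problems.append("personal information")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw random passwords from the OS random source until one passes the audit."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_password(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed candidates; the personal details are made up for the example.
    for pw in ("Sanaa1990", "Password1234!!xx", "t7#Vq!x2Lm@9Rk$w"):
        print(pw, "->", audit_password(pw, personal=("Sanaa", "1990")) or "ok")
    print("generated:", generate_password())
```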

TOOL: KEEPASS TO MANAGE YOUR PASSWORDS

KeePass is trusted, open-source software that stores your passwords for you in a single secure location behind one password. You remember one very long, very secure password, and KeePass will securely remember all of your passwords. This allows you to create long, complex passwords and change them frequently. KeePass will also generate random passwords for you.

For more information and download: http://keepass.info/index.html
Article and video about using KeePass from Cyber Arabs: https://www.cyber-arabs.com/?p=760

HOW-TO KEEP SENSITIVE FILES SECURE: ENCRYPTION

When storing or transporting data, there are several risks that require attention: interception, theft, loss, and incrimination. Interception usually means a copy of the data has been covertly made, while theft would suggest the storage device containing the data, or the original data, has been taken. The latter case would be detectable, whereas the former might not be.

If sensitive data falls into the hands of adversaries, there may be severe consequences for sources or the journalist.

To protect digital files there are several options. Simply storing the material on a small device (USB drive, memory card or external hard disk) and hiding it may be effective in certain cases. In such a scenario, the entire security of the material is dependent on the hidden device not being found.

To protect your data from unauthorized access, many programs offer password protection schemes for documents or hard disks; however, you cannot rely on these programs to protect your data, as they are easily bypassed.

We suggest using VeraCrypt, as it is available across different operating systems, is highly trusted and easy to use. Using VeraCrypt you can encrypt entire hard drives, files, folders or external devices:

1. Encrypt your entire hard drive
A user password on your computer is not enough to ensure the security of your data. If the files on your computer are sensitive, it is a good idea to encrypt your hard drive. With a good password, this will prevent anyone from retrieving your data, even if they physically gain access to your computer.

2. Keep an encrypted volume for sensitive files
Sensitive files can be kept in an encrypted volume (like a folder). This will keep these files secure even when you are logged into the computer. If you keep this folder the size of a DVD or your USB drive, it can easily be backed up.

3. Hidden volume encryption
VeraCrypt can also create a hidden encrypted volume, which provides the additional security of being able to open the encrypted file, if demanded by the authorities, while maintaining the encryption of the sensitive files. In a hidden volume, one password will decrypt non-sensitive files you place in one part of the volume; the other password will decrypt your sensitive files. If you are ever forced to reveal the password, you can choose to reveal the non-sensitive files.

Additional instructions and download: https://veracrypt.codeplex.com

Due to threats of physical attacks, in conflict zones or when reporting on dangerous topics, women journalists should be able to also rely on secure non-physical means of communication with their sources.

HOW-TO DELETE DATA SAFELY

Deleting files on a computer, in the standard way, is very much like putting a paper document in the trash. Someone willing to dig through the trash may recover the document or fragments of the document. This is true even when the trash is emptied.

Fortunately, it is relatively easy to clean your computer's hard disk and other storage devices.

For Windows, we recommend using Eraser and CCleaner as described below.

To ensure that sensitive information is not accidentally recoverable:

1. Make sure your files are saved; nothing can be recovered after you complete this process.
2. Close all programs and disconnect from the internet.
3. Empty the trash.
4. Use CCleaner to erase temporary files.
5. Erase the free space on your computer and external storage devices with Eraser.

Tactical Technology Collection Guide to Eraser: https://securityinabox.org/ar/eraser_main
Tactical Technology Collection Guide to CCleaner: https://securityinabox.org/ar/eraser_main
Cyber Arabs Guide for Eraser: https://www.cyber-arabs.com/?p=7794

BROWSING INTERNET SECURELY

In sensitive settings, the monitoring and censorship of internet traffic poses a major challenge to journalists. Internet traffic moves from your computer to the internet service provider (ISP), through a national gateway, and across a series of servers outside of the originating country before finally reaching the server that is responding to your request. Governments and ISPs have the ability to monitor and censor this traffic. Armed with basic knowledge and good tools, it is possible to evade watchful eyes and bypass censorship.

1. Use encrypted communication with the target server wherever possible.
By default, messages transmitted across the network are sent as plain text. These unencrypted, plain text messages can be read by anyone able to observe the network, such as an ISP or government gateway. However, it is possible to encrypt messages across the network. Encrypted communication on the internet occurs over the Secure Sockets Layer (SSL) and can only be read by the intended receiver of the message. Browsing, email and chat can be conducted using encryption across the network.

HTTPS-Everywhere for browsers: https://www.eff.org/https-everywhere

2. Protect your internet communication from ISP and government monitoring and censorship using a secure proxy or VPN.
A VPN will automatically encrypt all your network traffic. A VPN will encrypt and route all network communications to the virtual private network, which will handle all your network requests and responses.

Note: some virtual private networks may be run by persons with bad intentions, even if their privacy policies look perfect. Do not use a virtual private network you do not trust.

RECOMMENDED VPNS:

Tor

Tor provides an anonymous proxy by routing traffic through a global network of servers. Tor is designed to protect user locations and identities on the internet. Tor is not designed to provide security through encryption, as communications are not encrypted from the last node in the network to the target server. However, when the primary concern is protecting yourself from government surveillance and censorship, Tor is a secure option. Because Tor relies on a worldwide network of servers, it is difficult to block, and therefore is often more robust than other techniques when other services are blocked.

For download and more info: http://www.torproject.org
In case the website is blocked, send an empty e-mail to the following address: [email protected]
Guide on using Tor from EFF: http://bit.ly/28Tfkcr
Security in a box Guide for using Tor: https://securityinabox.org/ar/tor

Psiphon

Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content. Your Psiphon client will automatically learn about new access points to maximize your chances of bypassing censorship.

For download and more information: https://s3.amazonaws.com/psiphon/web/qmxu-ee8n-ujx4/en/download.html
In case the website is blocked, send an empty e-mail to the following address:

You can also visit the Asl19 organization for more recommended VPNs: https://asl19.org/ar

EMAIL ENCRYPTION: PROTECTING SENSITIVE COMMUNICATIONS

Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your emails from being read if the computer on which they are stored is stolen or broken into.

It can also be used to prove that an email came from a particular person, instead of being a fake message sent by another sender (it is otherwise very easy for email to be fabricated). Both of these are important defenses if you are being targeted for surveillance or misinformation.

The private key is what you will use to decrypt emails sent to you, and to digitally sign emails that you send to show they truly came from you.

Your public key is a small chunk of information that others will need to know before they can send you encrypted mail, and that they can use to verify emails you send.

Both sender and receiver need to use public key encryption, but few people are in the practice of using it, so you may need to encourage others to learn how to use the system before you can communicate with them.

When you want to send a private email, you can encrypt the message with the recipient's public key. The message is then only readable when decrypted with the recipient's private key. Thereby, you guarantee the message can only be read by the intended recipient. To respond to your email, the receiver encrypts the response with your public key, which only you will be able to decrypt. The subject line of emails is NOT encrypted, so the subject line should not contain sensitive information.
Guide From EFF: How to Use PGP for Windows
http://bit.ly/28YHt3h
Encryption using GPG4USB from CyberArabs
http://bit.ly/28TyZXx
Security in a box Guide: using portable GPG4USB
https://securityinabox.org/ar/gpg4usb_portable
HOW-TO SECURELY CHAT: INSTANT MESSAGING THE SAFE WAY
Telecommunication networks and the Internet have made communicating with
people easier than ever, but have also made surveillance more prevalent than it
has ever been in human history. Without taking extra steps to protect your privacy,
every phone call, text message, email, instant message, voice over IP (VoIP) call,
video chat, and social media message may be vulnerable to eavesdroppers.
Often the safest way to communicate with others is in
person, without computers or phones being involved at all.
Because this is not always possible, the next best thing is
to use end-to-end encryption while communicating over a
network if you need to protect the content of your
communications.
Voice Calls
When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you are using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However, as your conversation travels through the phone network, it is vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company.
Secure digital communications can be an enabler for women’s participation in public interest journalism. That’s why female sources should use secure contact with reporters to ensure stories affecting women are told.
Tools we recommend
Pidgin
Pidgin is a free, open-source chat program that will allow you to integrate many different instant messaging accounts.
Security in a box Guide: Pidgin
https://securityinabox.org/ar/pidgin_main
How to: Use OTR for Windows from EFF: http://bit.ly/28TA0in
Signal Private Messenger
Guide from EFF: How to use Signal (for Mobile)
https://ssd.eff.org/ar/node/93
More info about Communicating with Others from EFF:
http://bit.ly/28TlWaI
HOW-TO HANDLE MALWARE
Malware spreads over the internet or through removable
media (like USB sticks). It may damage your computer and
may compromise your security. For example, keylogger
malware records your keystrokes and can be used to
capture passwords and monitor your internet usage. Good
practices and software can protect you.
- Update your operating system (Windows, OS X, or Linux) regularly to patch security vulnerabilities. This can be done automatically using the built-in automatic updates function.
- Use a non-administrator account for your daily use to prevent the unintentional installation of programs or malware. When using an administrator account, be extra-cautious by ensuring you install programs only from trusted sources.
- Use strong passwords for your operating system login to prevent others from gaining access to your computer.
- Always use an antivirus program to protect against malware. Avast is a free reliable antivirus program for Windows and Mac. Only download the software from the company’s website.
- Enable automatic updates and once-a-week full system scans to maximize the software’s ability to detect malware.
- Enable USB scanning to ensure that when you plug in a USB stick, it gets scanned for malware that could infect your computer.
- Never click on links or open attachments in emails unless you know who sent them and what they are.
- Use VirusTotal.com to scan and check software or files if it is necessary to download software from an unknown URL.
- Never download and install applications from untrusted sources on the web or from removable media (e.g. CDs, USBs, other hard drives).
- Verify online sources by closely examining their URL. It should exactly match the site. If the file does not come from the publisher’s webpage, try to locate their webpage, and download directly from it.
- Always lock your computer when leaving it to prevent unauthorized access.
- Immediately contact a reputable specialist if you suspect that your computer is infected to mitigate the damage done by malware/spyware. Also, disconnect from the internet (remove the LAN cable, or turn off your Wifi), and turn off the PC.
Guide: protect your devices from Malware
https://securityinabox.org/ar/chapter_01
HOW TO: AVOID PHISHING ATTACKS
When an attacker sends an email or link that looks innocent, but is actually
malicious, it is called phishing. Phishing attacks are a common way that users get
infected with malware—programs that hide on your computer and can be used to
remotely control it, steal information, or spy on you.
In a phishing email, the attacker may encourage you to click on or open a link or
an attachment that may contain malware. Phishing can also occur via Internet
chat. It’s important to double-check links that are sent to you via email or chat.
The best way to protect yourself from phishing attacks is to never
click on any links or open any attachments sent to your email: this
is unrealistic for most people. But how do we differentiate
between the malicious attachments and links and the non-malicious ones?
Verify Emails with Senders
One way to determine if an email is a phishing attack is to actually check with the person who sent it via a different channel. If the email was purportedly sent from your friend, instead of opening an attachment, you could call your friend on the phone and ask if he actually sent you pictures of his kids. The same applies to links sent through Facebook Messenger, WhatsApp, or any other application.
Use VirusTotal.com to scan and check software or files if it is necessary to download software from an unknown URL.
Be Careful of Emailed Instructions
Some phishing emails will claim to be from a computer support department or technology company and ask you to reply with your passwords, or to give a “computer repair person” access to your computer remotely, or to disable some security feature on your device, or to install a new application. Be especially careful before giving anyone technical data or following technical instructions unless you can be absolutely certain that the request's source is genuine.
Use Email Authentication
Guide from EFF: How to Avoid Phishing Attacks
http://bit.ly/292DapS
Information Phishing (Cyber Arabs)
http://bit.ly/28XTh8g
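The advice above to double-check links, and the malware section's rule that a download URL "should exactly match the site", can be turned into a mechanical check. The following is an added example, not part of the UNESCO guide: the function name `check_link`, its warning codes and the sample links are hypothetical, and treating "the expected domain or any of its subdomains" as a match is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Link-shortening hosts: the real destination stays hidden until the link is followed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def check_link(url, expected_domain):
    """Return warning codes for `url`. An empty list means the link uses HTTPS
    and its host is `expected_domain` itself or one of its subdomains."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # urlsplit lowercases the host
    expected = expected_domain.lower().rstrip(".")

    if parts.scheme != "https":
        warnings.append("not-https")
    # In "https://name@host/", the text before "@" is a username, not the site.
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    # Non-ASCII or punycode ("xn--") labels can display as look-alike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("internationalized-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")
    except ValueError:
        pass  # a normal DNS name
    if host in SHORTENERS:
        warnings.append("shortened-link")
    if host != expected and not host.endswith("." + expected):
        # The trusted name appearing elsewhere in a mismatched URL is bait.
        if expected in url.lower():
            warnings.append("trusted-name-used-as-bait")
        warnings.append("host-mismatch")
    return warnings


# Constructed sample links (example.net and 192.0.2.10 are reserved for
# documentation); each is checked against the domain the reader expects.
SAMPLES = [
    ("https://keepass.info/download.html", "keepass.info"),
    ("http://keepass.info/download.html", "keepass.info"),
    ("https://keepass.info.downloads.example.net/setup.exe", "keepass.info"),
    ("https://keepass.info@downloads.example.net/setup.exe", "keepass.info"),
    ("https://k\u0435epass.info/download.html", "keepass.info"),  # Cyrillic "е"
    ("https://192.0.2.10/keepass.info/setup.exe", "keepass.info"),
    ("http://bit.ly/28TyZXx", "cyber-arabs.com"),  # short link printed in this guide
]

if __name__ == "__main__":
    for link, domain in SAMPLES:
        print(f"{link!r:65} -> {check_link(link, domain) or 'ok'}")
```

A clean result only says the host name is the expected one; it says nothing about the file behind the link, which is what the VirusTotal step is for.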
HOW TO USE AN ANDROID SMARTPHONE SECURELY
A smartphone is a mobile phone built on a mobile operating system, with more
advanced computing capability and connectivity than
simple mobile phones. Android-based phones are a
common example of these devices. These phones are
often used to access the internet and services like
Facebook. They also constantly communicate with mobile
phone towers that reveal the location of the handset. To
enhance your smartphone security, you need to take some basic security steps.
- Use a passcode to lock your phone to prevent others from gaining access to it. Using more than the minimum four digits will increase the security of your phone. Never use a pattern to lock your phone. These can be copied easily.
- Install antivirus (e.g. Avast) software on your smartphone to help identify insecure phone settings, help you locate your phone if lost, and stop malware from infecting your phone from malicious links, text messages, apps, or when you plug your phone into your computer.
- Never leave your phone unattended in a public place as its contents could be accessed, your information stolen, or malware/spyware installed on it.
- Use Psiphon3, or other secure communications tools (e.g. Orbot) to encrypt your browsing and prevent unwanted surveillance of your online activities.
- Do not respond to, or click on, links in text messages or emails from unknown people. These messages could be attempts to access your device or infect it with malware.
- Never save your passwords on your device to prevent hackers from getting access to them. Instead, store your account credentials in a password manager (e.g. KeePassDroid for Android).
- Encrypt your phone and external SD card to protect the information on your phone.
- Enable the SIM Card Lock on your phone to prevent it from being used by others.
- Save contacts on your Google cloud-based account only to safely store your contacts outside of your phone’s physical memory. This should prevent your contacts list from being accessed if your phone is stolen.
- Only install software from trusted sources to avoid infecting your device with malware/spyware.
- Be sure to check who created the app you download to ensure it was posted by the app’s known developer.
- Check what permissions an app will request before you install it. If an app wants to access something unusual, like your contacts, when you do not think it should, do not install it.
- Keep Wifi and Bluetooth off by default to prevent your phone from connecting to the internet or other devices without your consent.
- Turn off Location Services to help prevent tracking of your location. Only turn on location settings as you need them. Note that as long as your phone is on, telecommunications companies can track where you are. To completely prevent tracking of your location, remove the battery from your phone.
- Do not connect to open or untrusted wifi networks using your smartphone as hackers on these networks may be able to monitor your activity. If you have to, use a VPN, Tor, or Psiphon3 to encrypt your connectivity.
For more info about Mobile risks:
https://www.cyber-arabs.com/?cat=14
How to use Mobile phones securely
https://securityinabox.org/ar/chapter_10
How to use Smart Mobile phones securely
https://securityinabox.org/ar/chapter_11
GENDER DIMENSIONS IN THE DIGITAL AGE*
(*Text from this chapter is taken from UNESCO’s Building digital safety for journalism: a survey of selected issues)
Women journalists face additional risks in the course of their work – on and offline.
In the physical realm, these risks can include sexual harassment, physical assault
and rape. In the digital sphere, acts of harassment and threats of violence are
rampant. Similarly, female sources face increased risks when acting as
whistleblowers or confidential informants. These issues manifest in several ways
as regards the issue of source protection in the digital era:
1) Women journalists face greater risks in dealing with confidential sources
2) Women sources face greater physical risks in encounters with journalists and in
revealing confidential information
3) The physical risks confronted by women journalists and sources in the course
of confidential communications may require reliance on digital communications
4) Secure digital communications defences, including encryption, are arguably
even more necessary for female journalists and sources.
Specific factors for consideration
1) Female journalists and sources need to be able to communicate digitally
Female journalists working in the context of reporting conflict and organised crime
are particularly vulnerable to physical attacks, including sexual assault, and
harassment. In some contexts, their physical mobility may be restricted due to
overt threats to their safety, or as a result of cultural prohibitions on women’s
conduct in public, including meeting privately with male sources. Therefore,
women journalists need to be able to rely on secure non-physical means of
communication with their sources. Women sources may face the same physical
risks outlined above – especially if their journalistic contact is male and/or they
experience cultural restrictions, or they are working in conflict zones.
Additionally, female confidential sources who are domestic abuse victims may be
physically unable to leave their homes, and therefore be reliant on digital
communications. These factors present additional challenges for women
journalists and sources, in regard to maintaining confidentiality in the digital era.
2) Digital safety and security are paramount for both female journalists and
sources
Women journalists need to be able to rely on secure digital communications to
ensure that they are not at increased risk in conflict zones, or when working on
dangerous stories, such as those about corruption and crime. The ability to covertly
intercept and analyse journalistic communications with sources increases the
physical risk to both women journalists and their sources in such contexts.
Encrypted communications and other defensive measures are therefore of great
importance to ensure that their movements are not tracked and the identity of the
source remains confidential. Therefore, they need to be able to have access to
secure digital communications methods to ensure that they are at minimum risk
of detection and unmasking. They also need to have confidence in the ability to
make secure contact with journalists to ensure that stories affecting women are
told – secure digital communications can be an enabler for women’s participation
in public interest journalism. They can also help to avoid magnifying the ‘chilling’
of investigative journalism dependent upon female confidential sources. Also
needed are strong legal protections for confidentiality, which are applied in a
gender-sensitive manner – especially in regard to judicial orders compelling
disclosure.
3) Online harassment and threats
Journalists and sources using the Internet or mobile apps to communicate face
greater risk of gendered harassment and threats of violence. These risks need to
be understood and mitigated to avoid further chilling women’s involvement in
journalism – as practitioners or sources.
CONCLUSION
Security is never perfect and always involves trade-offs. Only you can determine
the balance between efficiently conducting your work and protecting against
attacks. When considering solutions, be honest about your capabilities and don’t
impose impossible security protocols on yourself. Encrypting your email, securely
deleting files, and using long passwords won’t help if, realistically, you won’t follow
those habits in the field. Think instead about fundamental steps that you will
actually do. If you are more worried about technical attacks than physical seizure,
for example, consider writing notes in a paper notebook instead of a Word
document.
If you are facing sophisticated technical attacks, the best approach may be simple
and minimal. Only you can judge the pros and cons. It’s not a “cybercrime” to
keep your long passwords written down on a note in a safe place. At least if
somebody steals that, you’ll know it’s time to change them. Just don’t put those
passwords on a Post-it note stuck to your office wall.
OTHER SOURCES AND REFERENCES
Cyber Arabs academy
https://www.cyber-arabs.com
Committee to Protect Journalists
https://www.cpj.org/ar
Surveillance Self-Defense Kit from EFF
https://ssd.eff.org/ar
Security in a Box Guide
https://securityinabox.org/ar/
Reporters without Borders
http://ar.rsf.org
Front Line Defenders
http://www.frontlinedefenders.org
Rory Peck Trust
https://rorypecktrust.org/
Salamatech Syria Project
https://www.salamatech.org/
Internews organization
https://www.internews.org
IWPR
https://iwpr.net
Asl19 organization
https://asl19.org/
Digital Defender Partnership
https://www.digitaldefenders.org/
RECOMMENDED TOOLS AND APPS
App Store
F-Droid Alternative to the Google Play app store for Android. Android
https://f-droid.org/
Riseup Secure communication tools for people working on liberatory social change. Web Services
https://riseup.net/
K-9 Mail Email application for Android devices with built-in PGP support. Android
https://github.com/k9mail/k-9
Mozilla Thunderbird Multi-platform email application with mail encryption through the Enigmail add-on. GNU/Linux OS X BSD Windows
https://www.mozilla.org/en-US/thunderbird/
GPG4win Email and file encryption for Windows. Windows
http://www.gpg4win.org/
Mailvelope OpenPGP email encryption tool for major webmail services. GNU/Linux OS X BSD Windows
https://www.mozilla.org/en-US/thunderbird/
GPGTools OpenPGP add-on for Apple OS X Mail. OS X
https://gpgtools.org/
OpenKeychain OpenPGP implementation for Android. Android
http://www.openkeychain.org/
Enigmail OpenPGP email encryption add-on for Thunderbird and Icedove. GNU/Linux OS X BSD Windows
https://www.enigmail.net/
Instant Messaging
Jitsi Encrypted text, voice, and video messaging for multiple platforms. GNU/Linux OS X Windows
https://jitsi.org/
Pidgin Free universal instant messaging client. GNU/Linux BSD Windows
https://www.pidgin.im/
ChatSecure OTR-encrypted IM for Android and iOS. Android OS X
https://chatsecure.org/
Signal Private Messenger provides end-to-end encrypted instant messaging OS X Android
https://whispersystems.org/
Silence Silence encrypts your text messages over the air and on your phone. Android
https://silence.im/
Password Managers
KeePass Silence encrypts your text messages over the air and on your phone. Windows
http://keepass.info/
KeePassDroid KeePassDroid is an implementation of the KeePass Password Safe for Android. Android
http://www.keepassdroid.com/
KeePassX Application for people with extremely high demands on secure personal data management. Saves many different types of information such as usernames, passwords, urls, attachments and comments in one single database. GNU/Linux OS X BSD Windows
https://www.keepassx.org/
VPN, Proxy, And Web browsing add-ons
Tor Free software for enabling online anonymity. GNU/Linux OS X BSD Windows
https://www.torproject.org/
Orweb Proxy-capable and Privacy-aware Web Browser for use with Orbot's localhost 8118 proxy, or any HTTP proxy server. Android
https://guardianproject.info/apps/orweb/
Onion Browser Surf the web through the Tor network with this browser for iOS. OS X
https://mike.tig.as/onionbrowser/
Alkasir is a computer program that works with proxy servers to allow users to circumvent censorship of URLs in countries where there is censorship of political content. GNU/Linux OS X Windows
https://alkasir.com/
Psiphon Psiphon is a circumvention tool that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet content Android Windows
https://psiphon.ca/
HTTPS Everywhere Encrypts your communications from thousands of websites by enforcing HTTPS everywhere. GNU/Linux OS X Windows Android
https://www.eff.org/https-everywhere
NoScript Only enable JavaScript, Java, and Flash for sites you trust. GNU/Linux OS X BSD Windows
http://noscript.net/
Adblock Plus Adblock Plus is a free extension that allows you to - among other things - block annoying ads, disable tracking and block domains known to spread malware GNU/Linux OS X BSD Windows Android
https://adblockplus.org/
File Encryption
VeraCrypt free disk encryption software GNU/Linux OS X BSD Windows
https://veracrypt.codeplex.com/