FrontiersofComputationalJournalism

ColumbiaJournalismSchoolWeek12:PrivacyandSecurity

December11,2015

LaptopfallsintoSyriangovt.hands,sourcesforcedtoflee

APsourcebustedthroughphonelogs

.

.

.

OpenNetworkInitiativeglobal filteringmap-- opennet.net

FromProtectingConsumerPrivacyinanEraofRapidChange, FTC,2010

JournalismSecurityDisasters

• Hackedaccountsandsites– AP–WashingtonPost,NewYorkTimes,– etc.

• Sourcesexposed– VicerevealsJohnMcAfee’s location– APphonerecordssubpoena– Filmmaker’slaptopseizedinSyria

WhatAreWeProtecting?

• Commitmentstosources• Physicalsafety• Legalconcerns• Ourabilitytooperate• Ourreputation

Holisticsecurity(What“digitalsecurity”isn’t)Thepredominant digitalsecuritydiscoursetakeslittleornoheedoftheelementsofpersonal,organisational orpsychologicalsecurityinherent totheestablishmentofaneffectiveandcohesivesecuritystrategies.

Thetendency,aggravatedbytimeconstraintsandnecessarytechnicalskill-building, hasbeentotreatdigitalsecurityasatechnicalproblemwithtechnicalsolutions, andthereforetofocusonasoftwareortool-centricapproach,generallywithoutdueconsiderationofthewiderorganisational andpersonalnecessityorimpactthereof.

Meanwhile,practitionersfocusingonthepersonal,organisational,andpsycho-socialwell-beingofHRDsmustadapttotheimplicationsoftherapidproliferationofdigitaltoolsandICTsasanaspectofhumanrightsdefenders’workandpersonallives.

- TowardsHolisticSecurityforRightsAdvocates,TacticalTech

DigitalSecuritystrategies

• Basicsecuritypractice:simplethingsthatprotectagainstmanythreats.

• Threatmodeling:discoveranddefendagainstspecificthreats

• Recipes:howhandlespecificreportingsituations

LinkedInfrom June 2012 breach

Gawkerfrom Dec 2010 breach

Two-FactorAuthentication

•Somethingyouknow,plussomethingyouhave

GoodPasswordPractice

• Ifyouusethesamepasswordformultiple sites,yourpasswordisonlyasstrongasthesecurityon theweakestsite.

• Don'tuseacommonpassword.Avoidwordsinthedictionary.

• Usetwo-factorauthentication

• Considerpassphrases,andpasswordmanagementtoolslikeOnePass

PhishingByfarthemostcommonattack.Sendamessagetousertrickingthemintoentering theirpassword.

Typicallydirectsuserstoafakeloginpage.

Protection:bewarelinksthattakeyoutoaloginpage!AlwaysreadtheURLafterclickingalinkfromamessage.

APTwitterHackedbyPhishing

APPhishingEmail

The link didn’t really go to washingtonpost.com!

ReadtheURLBeforeYouClick!

SpearPhishing

Selectedtargets,personalizedmessages.

SyrianFacebookphishing

Arabictextreads:"Urgentandcritical..videoleakedbysecurityforcesandthugs..therevengeofAssad'sthugsagainstthefreemenandwomenofBabaAmr incaptivityandtakingturnsrapingoneofthewomenincaptivitybyAssad'sdogs..pleasespreadthis."

Chineseemailspear-phishing

FromFireEyeblogpost:“InAugust2015,thethreatactorssentspearphishingemailstoanumberofHongKong-basedmediaorganizations,includingnewspapers,radio,andtelevision.ThefirstemailreferencesthecreationofaChristiancivilsocietyorganizationtocoincidewiththeanniversaryofthe2014protests inHongKongknown astheUmbrellaMovement.ThesecondemailreferencesaHongKongUniversityalumniorganizationthatfearsvotes inareferendumtoappointaVice-Chancellorwillbeco-optedbypro-Beijinginterests”

DefendingAgainstPhishing

•Besuspiciousofgenericmessages

•ReadtheURLbeforeyouclick

•AlwaysreadtheURLbefore typinginapassword

•Reportsuspicious linkstoITsecurity

ThreatmodelingWhatdoIwanttokeepprivate?(Messages,locations,identities,networks...)

Whowantstoknow?(storysubject,governments,lawenforcement,corporations...)

Whatcantheydo?(eavesdrop,subpoena...orexploit securitylapsesandaccidents!)

Whathappensiftheysucceed?(story'sblown,legalproblemsforasource,someonegetskilled...)

WhatMustBePrivate?

• Whichdata?– Emailsandothercommunications– Photos,footage,notes– Youraddressbook,travelitineraries,etc.

• Privacyvs.anonymity– EncryptionprotectscontentofanemailorIM– Nottheidentityofsenderandrecipient

WhoWantstoKnow?

•Mostofthetime,theNSAisnottheproblem•Youradversarycouldbethesubjectofastory,agovernment,anothernewsorganization,etc.

WhatCantheAdversaryDo?

• Technical– Hacking, interceptingcommunications, code-breaking

• Legal– Lawsuits,subpoenas, detention

• Social– Phishing, “socialengineering,” exploiting trust

• Operational– Theone timeyoudidn’tuseasecurechannel– Personyoushouldn’t havetold

• Physical– Theft,installationofmalware,networktaps,torture

Legalthreat:NYTreporterinvestigated

WhatAreYouRisking?

• Securityisneverfree– Itcoststime,money,andconvenience

• “Howmuch”securitydoyouneed?– Itdependsontherisk• Blownstory• Arrestedsource• Deadsource

ThreatModelingScenario#1

YouareaphotojournalistinSyriawithdigitalimagesyouwanttogetoutofthecountry.LimitedInternetaccessisavailableatacafé.Someoftheimagesmayidentifypeopleworkingwiththerebelswhocouldbetargetedbythegovernmentiftheiridentityisrevealed.

ThreatModelingScenario#2

Youarereportingoninsidertradingatalargebankandtalkingsecretlytotwowhistleblowerswhomaygiveyoudocuments.Ifthesesourcesareidentifiedbeforethestorycomesout,attheveryleastyouwillloseyoursources.

ThreatModelingScenario#3

Youarereportingastoryaboutlocalpolicemisconduct.Youhavetalkedtosourcesincludingpoliceofficersandvictims.Youwouldprefer thatthepolicecommissionernotknowofyourstorybeforeitispublished.

ThreatModelingScenario#4

YouarereportingondrugcartelsinCentralAmerica.Previoussourcesandjournalistshavebeenmurdered.

Encryptionvs.Anonymity

Encrypted message is like a sealed envelope.Anyone can still read the address (metadata)

DataatRest/DatainMotion

SecuringDataatRest• Howmanycopiesarethere?

– Theoriginal filemightbeonyourphone,cameraSDcard,etc.– Whataboutbackupsandcloudsyncing?– Usesecureeraseproducts

• Could"they"getacopy?– Hackintoyournetworkorcomputer– Walkintoyourofficeatlunch– Takeyourcameraattheborder

• Iftheyhadacopy,couldtheyreadit?– UseBitLocker(Windows), FileVault (Mac),LUKS(Linux)– Turnondeviceencryption forAndroid (iOSonbydefault)

Filemetadata

Photos,PDFs,documentsallhavehidden info inthefile

LegalSecurity

IntheU.S.,thePrivacyProtectionActpreventspolicefromseizingjournalists’datawithoutawarrant...ifyou'retheonestoringit.

Thirdpartydoctrine:ifit’sinthecloud,noprotection!

SurveillanceLaw:theU.S.situationDoyouneedawarranttoseewhoIcalled?Nope.Supremecourt,Smithvs.Maryland,1979controls"metadata."

Doyouneedawarranttoreadmyemail(orIM,etc.)?Electronic CommunicationsPrivacyAct(1986):Notifit'solderthan180daysDepartmentofJusticemanual:no,ifithasbeen"opened"U.S.v.Warshak,sixthcircuit (2010):yesProposedbill incongress(Dec2015)wouldrequirewarrant

Doyouneedawarranttotracksomeonethroughtheirphone?ACLUFOIAof200policedepartments:somesayyes,somesaynoU.S.v.Jones(2012),SupremeCourt:can'tputaGPSonsomeonewithoutawarrant.Butdoesn'tmentiontheGPSinourphones.

Doyouneedawarranttolookatthedataonmyphoneafteranarrest?Yes.Supremecourtsaidsoin2014,Rileyvs.California.

"Inthefirstpublicaccountingofitskind,cellphonecarriersreported thattheyresponded toastartling1.3milliondemands forsubscriberinformation lastyearfromlawenforcementagenciesseekingtextmessages,callerlocationsandotherinformation inthecourseofinvestigations."

-WirelessFirmsAreFloodedbyRequeststoAidSurveillance,NewYorkTimes,July82012

GoogleTransparencyReport

Twitter,Facebookhavesimilar.ButwhataboutSnapchat?Sina?

SecuringDatainMotion

• Wheredoesyourdataphysicallygobetweensourceanddestination?

• Whichlinksareencrypted?• Toolsyoushouldknow– iMessage,Signal:securetext,calls– CryptoCat — EasyOTRthroughyourbrowser– Tor— Anonymity– SecureDrop — Anonymoussubmission– PGP— Secureemail– OTR—Off-the-recordmessagingprotocol

SSL

Aka,HTTPS.

Dependsonasystemof rootcertificateauthorities (CAs)thatgeneratecertificates(cryptographically signkeys)forsitesthatuseHTTPS.

BrowsershaveCAkeysbuiltin,sotheycanverifythatasitehasavalidsignedkey.

Worksgreat,exceptthatcertificateauthoritiescanbehacked,andwemustexpectthatmoststatescaneasilysignacertificatethrough aproxy.

RealMITMattacks

MobileSecurity

• Yourphone– Isalocationtrackingdevice– Containsallyourcontacts– Isusedforeveryformofcommunication– Storesalotofinformation

Tell-AllTelephone(zeit.de)

Somedigitalsecuritytools

iMessage

End-to-endencrypted.Encryptedonthedevice.Appleclaimstheydonothaveabackdoor.

Ongoingcourtcasevs.FBI

Signal(OpenWhisperSystems)

FreeappforiOSandAndroidEnd-to-endencryptedchat,voice.OWSclaimsserverdoesnotsaveyouraddressbook.

Torproject.org

TorBrowserBundle

TheGuardianProject

SilentCircle

• Commercialservice– Securemobilecalls,video,texts– Canhandprepaidcardstosources

Securingyourcomputer

Reallyonlytwochoicesagainstanadvancedadversary:

• Buyanewcomputer,neverputitonanynetwork

• UseasecureoperatingsystemlikeTAILS

Bothapproachesassumenoonehastamperedwiththehardware(perhapsinstallingahardwarekeylogger?)

Security=Model+Tools+HabitsThereisnotoolintheworldthatwillsaveyoufrom:

• notprotectingagainsttherightthreats• badpasswords• gullibility(phishingscams,socialengineering)• misunderstandingthesecuritymodelthatyourpracticedependson.• notdoingthesecurethingeverytime.

• offlinesecuritybreaches/physicalcoercion

FromAllenDulles'73RulesofSpycraft

Casestudy:leakedCables

JulianAssange gaveapasswordandatemporaryURLtoGuardianreporterDavidLeigh.

LeighdownloadedthefileinencryptedformfromthetemporaryURL.

Leighdecryptedthefileandreportedonthecontents.

...butlater,allthecableswereavailablepublicly,whichisnotwhateitherAssange orLeighintended.

ThePlan

M Epassword URL

passwordE

E M

Assange Leigh

WhatAssange wasthinking

E ???

M Epassword URL

passwordE

E M

Assange Leigh

WhatLeighwasthinking

???

M Epassword URL

passwordE

E M

Assange Leigh

Whatactuallyhappened

!!!

M Epassword URL

passwordE

E M

Assange Leigh

passwordWLArchive

E

M

Basicsecuritypractice,inshortUserealpasswords

Understandandbealertforphishing

Knowwhereyourdataisandwhereitgoes

Keepyoursoftwareup todate

Understandtechnical,legal,social,physicalthreats

Haveaplan,makesecurityapractice

Resources

Threatmodelingforjournalistshttps://source.opennews.org/en-US/learning/security-journalists-part-two-threat-modeling/

Digitalsecuritytrainingbestpractices,suggestedcurriculumhttps://www.level-up.cc/about

CommitteetoProtectJournalistsinformationsecurityguidehttp://www.cpj.org/reports/2012/04/information-security.php

EncryptionandOperationalSecurityforJournalistsHacks/Hackerspresentationhttps://gist.github.com/vaguity/6594731http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all