Security for Journalists, Part One: The Basics
Jonathan Stray on what every single person in your news org should be doing to secure the newsroom
Journalism can be a risky business. Reporters covering violence necessarily work in unsafe circumstances, and news organizations have to worry about getting sued for defamation or sanctioned by one government or another. But there are less dramatic but equally grave risks created by the ubiquitous use of digital communications technology, from email to camera phones.
Just as you can take steps to reduce the physical or legal risks of journalism, it’s possible to protect yourself in the digital realm. This two-part post will cover the basics of digital security for journalists. It’s impossible to learn everything you need to know from a couple of articles, but my hope is to give you enough of the basics that you understand what to study next.
Even if you’re not working on a sensitive story yourself, you need to understand digital security because an attacker can harm other people by going through you. This post contains generic security advice that everyone in journalism should heed, with specific advice about simple things you can do right now to improve your security. In the next post we’ll talk about how to plan security for a story with some particularly risky aspect, such as working with anonymous whistleblowers or situations where a security breach might lead to physical harm.
What Are We Protecting?
You probably have quite a few digital accounts: email, servers at work, your phone, social media accounts, and so on. We’ll get to those, but let’s start by stepping back for a moment and talking about the purpose of security.
The goal of security is to prevent some sort of harm. That harm might come to us, as in the case of a reporter working in a dangerous area. It might come to our colleagues, if someone breaks into our email and uses it to send fake messages under our name. A news organization might be harmed by damage to its reputation or facilities. Worst of all, harm might come to a source who we have promised to protect.
Here’s a case where someone obtained the password to a news organization’s Twitter account and used it to post a fake news report.
The stock market briefly crashed because automated trading systems read the news, but it recovered minutes later because it was obvious to humans that the tweet was bogus. There was little long-term consequence. Things don’t always turn out so well. Here’s a case where lives may have been lost due to a digital security failure.
The Syrians had interrogated McAllister about his activities, and seized his laptop, mobile phone, camera, and footage. All of McAllister’s research was now at the disposal of Syrian intelligence. When Kardokh heard that McAllister had been arrested, he didn’t hesitate—he turned off his mobile phone, packed his bag, and fled Damascus, staying with relatives in a nearby town before escaping to Lebanon. He said that other activists who had been in touch with McAllister fled the country as well, and several of those who didn’t were arrested. “I was happy that I hadn’t put him in contact with more people,” Kardokh said.
Although these are dramatic stories, they illustrate everyday risks. In neither case did the attackers need special technical skill. In the AP case they appear to have used phishing to get a social media password, probably by first compromising the email password of a co-worker, someone just like you; in Syria they simply seized a laptop and a phone. And while you may not be in a war zone, I bet your computer has confidential information on it, files that you have a moral or legal obligation to protect. What happens if your laptop is stolen?
How to Password
You have probably heard all about passwords before. But have you actually taken the steps to secure your passwords? Passwords are the backbone of digital security, upon which almost everything else rests.
Choosing good passwords
To begin with, lots of people still choose terrible passwords, as we know from previously hacked password databases.
Two decades after passwords became a part of daily experience, the most common password is still 123456. How far we’ve come. For some reason many people think words like shadow are clever passwords too. For the record, they are not. Nothing that appears in a dictionary is a good password, because you can give a dictionary to a computer and have it guess passwords, tirelessly, day after day, at millions or even billions of guesses per second when it has a stolen password database to test them against. This is why some sites require numbers and punctuation or especially long passwords.
Weird passwords can be hard to remember, so consider passphrases instead: several words strung together. Pick four or more words at random rather than a quotation or a phrase that means something to you; a line from a song is in the attacker’s dictionary too.
It’s also important to use different passwords on different systems. Otherwise, anyone who is able to hack into the password database of your favorite artisanal cat toy supplier will also be able to get into your email. And if someone can get into your email, they can get into pretty much every other online service you use, because most services let you reset your password via email. Also, anyone who can get into your email can see all the messages you exchange with everyone else, which means your bad email security compromises other people. Not good.
Using a different password for each application is easier said than done, because no one can remember that many passwords. Consider password management tools like 1Password or LastPass that store all of your passwords for different applications, unlocked by a single master password that never leaves your computer or mobile device.
Do you have good passwords? Are you using the same weak word for your email account and everything else? Before going on to the next section, take a few minutes to reset critical passwords to something more secure, like a passphrase.
Even good passwords can still be compromised in a variety of ways. If you really need to protect an account, you need 2-step verification, also known as 2-factor authentication. 2-step schemes vary, but all of them rely on the same principle: to log in, you need a combination of something you know (like a password) and something you have (like your phone).
Google’s 2-step system sends a short code to your phone each time you log in, which you then enter into the login prompt after your password. Codes generated by an authenticator app on the phone are better than codes sent by text message, because a text message can be redirected by someone who talks your mobile carrier into moving your number to their phone; use the app if the service offers one. You can also print out a set of pre-defined codes to keep in your wallet, so you can log in even if you don’t have your phone or it isn’t working. (In that case, the paper in your wallet becomes the “something you have.”) Facebook offers a similar system, while Twitter’s version of 2-step verification still relies on your phone but you don’t have to enter a code manually. Many other online services now offer 2-step verification, including consumer applications like Dropbox and business service vendors like Amazon Web Services.
You can worry about someone discovering your password and using it without your knowledge—maybe for months or years—or you can use 2-step verification and never wonder about it again.
I can’t recommend 2-step verification highly enough. It’s minimally inconvenient (how often do you actually type your email password?), widely available, and offers excellent protection against unauthorized access. Aside from making it difficult for someone to log in without stealing your phone, you’ll know if someone has obtained your password, because the code request (a text message, or a prompt on your phone) arrives when they try to log in. There’s really no excuse not to use 2-step verification, at least for your all-important email account.
Turn on 2-step verification for your email now. Do it right now. If you use Gmail, it is in the security section of your Google account settings. You work in a high-risk profession, and this is super easy and free. If you don’t, you are not only putting yourself at risk, but everyone you ever email, because your account and address book may be used to send fake messages.
Done? Good. You now have way better email security than almost everyone else.
Finally, it should go without saying that you should never tell anyone your password. You shouldn’t even tell a system administrator who claims they need it—no competent system administrator will ask. It is astonishing how often you can break into a network by calling someone, telling the right story, and simply asking for someone’s password. It’s also worth noting that asking for passwords was apparently one of the ways Edward Snowden gained access to so many classified NSA documents.
Phishing is the practice of obtaining access by sending a message that entices the user to do something insecure. Hard numbers are impossible to come by, but I suspect that the majority of successful attacks on journalists involve phishing.
The classic phishing scam is an email asking the user to go to a site and enter their password for some reason.
This looks like a PayPal login screen. In fact it looks exactly like a PayPal login screen, because it’s incredibly easy to make an exact copy of any web page. But it’s very much harder to fake the URL. Notice the address this page is at: it contains paypal.com, but only the part of the address immediately before the .com (the registered domain) identifies the actual owner of a site, and anything in front of that, or after a slash, can be chosen freely by whoever owns that domain. Also, a genuine login page will use the secure https protocol and not the insecure http. The reverse does not hold: https only means the connection is encrypted, and a phishing site can use it too, so check the domain even when you see the padlock. Here are some other non-PayPal URLs that someone might use to try to trick you into giving up your password:
Like all phishing, a fake login screen relies on tricking the user. Phishing is a social technique, not a technical trick. It’s fundamentally a con, relying on trust and laziness. Always manually check the URL before you enter your password on a web page.
Note that the URL you see in an email isn’t necessarily the URL you will reach if you click the link. Here is the phishing email sent to AP employees shortly before the AP Twitter account was hacked.
It looks like the link goes to washingtonpost.com, but it actually went to a fake login page. This is because the text of a link has no necessary relation to its URL, just as the words “went to a fake login page” in the previous sentence were a link whose destination has nothing to do with those words.
Internet Explorer, Firefox and Chrome show you where a link goes when you hover over it, before you click on it, by displaying the actual destination URL at the bottom of the browser window. It’s possible to turn on link previews for Safari. Unfortunately this won’t help if you view your email in Outlook or on a mobile browser; on a phone, pressing and holding a link usually shows its real destination before it opens.
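The manual checks above (https, the registered domain rather than just some familiar text in the address, and whether a link’s visible text matches where it really goes) can be written down as code. The following added example, mine and not from the original post, does both: it judges a login URL against the domain you expect, and it scans a constructed HTML email body for links whose visible text names a different site than their href. Apart from paypal.com, the domain names and the sample message are made up for the example, and the registered-domain rule is a simplification that real code would replace with the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registered_domain(hostname: str) -> str:
    """The part of a host name that identifies its owner.
    Simplification: the last two labels. Real code needs the Public Suffix
    List so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_login_url(url: str, expected_domain: str):
    """Return (ok, reason), mirroring the manual check before typing a password."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False, f"not https (scheme is {parts.scheme!r})"
    if parts.username is not None:          # 'paypal.com@evil.example' trick
        return False, f"user@host trick: the real host is {host!r}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalised host {host!r}: possible look-alike letters"
    actual = registered_domain(host)
    if actual != expected_domain:           # 'paypal.com.evil.example' and 'paypa1.com'
        return False, f"registered domain is {actual!r}, not {expected_domain!r}"
    return True, f"host {host!r} belongs to {expected_domain!r}"


class LinkAudit(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def mismatched_links(html: str):
    """Links whose visible text names a different registered domain than the href.
    Plain-word links ('Click here') say nothing about their target and are skipped."""
    audit = LinkAudit()
    audit.feed(html)
    findings = []
    for text, href in audit.links:
        m = URL_IN_TEXT.search(text)
        if not m:
            continue
        shown = registered_domain(m.group(1))
        real = registered_domain(urlsplit(href).hostname or "")
        if shown != real:
            findings.append((text, href))
    return findings


# Constructed sample message for the example; not a real phishing email.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in within 24 hours to keep receiving messages:</p>
<p><a href="https://mail-login.example/">https://mail.example.org/login</a></p>
<p>The style guide has moved to <a href="https://intranet.example.org/style">https://intranet.example.org/style</a>.</p>
<p><a href="https://mail-login.example/">Click here</a> if the link above does not work.</p>
"""

if __name__ == "__main__":
    for url in ["https://www.paypal.com/signin", "http://www.paypal.com/signin",
                "https://paypal.com.account-check.example/login",
                "https://paypal.com@evil.example/", "https://www.paypa1.com/"]:
        print(check_login_url(url, "paypal.com"), url)
    print("links whose text lies about the destination:", mismatched_links(SAMPLE_EMAIL))
```

The third link in the sample is deliberately skipped: “Click here” makes no claim about where it goes, which is exactly why such links deserve the hover-and-look check rather than a rule.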
This AP attack email appears to come from another AP staff member, but it doesn’t. Email is not a secure protocol and it is notoriously easy to fake the “from” field and other header information. Or the attackers may have gained access to one AP account and used it to send legitimate-seeming emails to other people. This is why it is so important to secure your accounts even if you yourself are not a target: you don’t want your credentials used to help fool someone else.
Plenty of phish in the sea
The phishing attacks we’ve looked at so far rely on spamming many users with the same email in the hopes that at least a few of them will give up a password. But phishing doesn’t rely on any one technique. It’s really about convincing the user to do something insecure, and an attack can come on any communication channel and could be sent to everyone or targeted specifically to you.
Here’s a Twitter phishing attack:
This particular phishing attack exploited social trust by sending private messages from compromised accounts. If you fell for the scam, your account would be used to send similar messages to your friends in turn. But note that the message is completely generic—it could apply to anyone—and seems designed to get you to click the link. That’s exactly what you should be suspicious of, on any message on any communication channel. You can’t assume any message is from who it claims to be from unless you have specifically taken steps to communicate securely.
Other types of phishing will try to get you to download a program or open a document file. Running any sort of software on your computer invites exploitation; it’s like opening your front door and asking someone inside. That’s fine if you know where the software came from and trust the source, but it’s a really, really bad idea to install software that is unknown or shady.
Email attachments are particularly suspicious. They might obviously be applications, for example files ending with “.exe” on Windows (short for “executable”) or “.app” on Mac. Don’t ever run a program that someone sends to you by email, or any other insecure communication channel!
Other attachments are less obviously runnable programs. Common tricks are naming executable programs to look like document files (a second extension hidden behind a document-like one, or a program given a PDF icon) and embedding scripts inside documents, such as Office macros. The bottom line is that attachments must be considered suspicious, especially attachments you were not expecting, or when attached to a suspicious message. If you’re using Gmail, you can open attachments inside the Gmail document viewer to avoid ever having to download them to your computer.
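As an added illustration (not from the original post), the following code applies the tests a cautious mail client would apply to an attachment before you open it: it flags runnable extensions, double extensions, a right-to-left override character that reverses the displayed name, macro-enabled Office documents, and files whose first bytes say “program” even though the name says “photo”. The file names and byte strings are constructed for the example.

```python
# Extensions that run as programs when opened (Windows, Mac, scripts).
EXECUTABLE_EXT = {
    "exe", "scr", "com", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta",
    "ps1", "msi", "app", "dmg", "pkg", "sh", "jar",
}
# Office formats whose 'm' means the file may carry a macro (a script).
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}

# First bytes ("magic numbers") of common formats. A Windows program starts
# with "MZ" whatever its name says.
MAGIC = {
    b"MZ": "windows executable",
    b"\x7fELF": "linux executable",
    b"\xcf\xfa\xed\xfe": "mac executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip container (docx/xlsx, jar, ...)",
    b"\xd0\xcf\x11\xe0": "legacy office (doc/xls/ppt)",
    b"\xff\xd8\xff": "jpeg image",
}

RTL_OVERRIDES = ("\u202e", "\u202d")   # U+202E makes "x\u202efdp.exe" display as "xexe.pdf"


def sniff(data: bytes) -> str:
    """Identify the content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(name: str, data: bytes) -> list:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    warnings = []
    if any(ch in name for ch in RTL_OVERRIDES):
        warnings.append("bidirectional override in file name: the name you see is not the real one")
    clean = name
    for ch in RTL_OVERRIDES:
        clean = clean.replace(ch, "")
    exts = clean.strip().lower().split(".")[1:]
    if exts and exts[-1] in EXECUTABLE_EXT:
        warnings.append(f"runnable program (.{exts[-1]})")
        if len(exts) >= 2:
            warnings.append(f"double extension: looks like .{exts[-2]} but runs as .{exts[-1]}")
    if exts and exts[-1] in MACRO_EXT:
        warnings.append(f"macro-enabled Office document (.{exts[-1]}) can contain a script")
    kind = sniff(data)
    if "executable" in kind and not (exts and exts[-1] in EXECUTABLE_EXT):
        warnings.append(f"content is a {kind} despite the name")
    return warnings


# Constructed sample attachments: (name, first bytes).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("report.pdf.exe", b"MZ\x90\x00"),
    ("invoice\u202efdp.exe", b"MZ\x90\x00"),
    ("budget.xlsm", b"PK\x03\x04"),
    ("photo.jpg", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(repr(name), "->", assess_attachment(name, data) or "looks ordinary")
```

None of these checks prove a file is safe: a genuine .docx can still carry an exploit for an unpatched viewer, which is why viewing attachments in a web viewer, and keeping software updated, matter more than any name check.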
It is even possible to attack someone’s computer just by getting them to visit a web site, though this is slowly getting harder as browsers become more secure, provided you install their updates promptly. The principle, as always, is tricking the user into doing something insecure. Technology can reduce the risk of phishing in various ways, but technology alone will never completely eliminate phishing because it is fundamentally about exploiting people, not technology.
Encrypt Your Drive
You have to assume that you’ll lose your laptop, the same way you have to assume that someone will eventually try to open your unlocked front door. The only question is what happens next.
You probably have a login password on your computer. This is important, as it prevents anyone from opening your files…as long as they restrict themselves to using your computer in the normal way. It only takes a screwdriver to remove your drive and install it in an external case, so that it can be connected to any other computer. Then your login password means nothing, because the attacker never needs to log in.
The solution is to encrypt the entire drive so that it cannot be read without that login password. Modern operating systems make this very easy: both Windows (BitLocker) and Mac (FileVault) have built-in whole-disk encryption. You only need to turn it on. When disk encryption is on, the operating system automatically encrypts your data when you save it to disk, and decrypts it when you re-open your files, using a secret key derived from your login password. Two caveats follow from that. The encryption is only as strong as the password it is derived from, so this is another place where a passphrase matters. And the key sits in memory while the computer is running: the protection applies to a laptop that is shut down, not one that is merely asleep or showing the lock screen, so power off before you let the machine out of your sight at a border or in a hotel.
Whoever ends up with your laptop gets only gibberish.
Whole disk encryption is another one of those easy things that dramatically improves security. Once again, it’s free and convenient and there is really no reason not to use it. Go turn it on right now. It may take a few hours to encrypt all your existing files, but you can use your computer while it’s happening.
It’s also possible to encrypt external hard drives and removable media like USB sticks—and you should definitely do this for any storage device that contains information you don’t want someone else to see.
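To show what “a key derived from your login password” means, and why the password still matters once the disk is encrypted, here is an added example (mine, not the operating system’s code) that stretches a password into a key with PBKDF2, the kind of slow derivation disk-encryption software uses, and then plays the attacker who has the drive in an external case and tries a short list of common passwords against it. The candidate list and the iteration count are assumptions for the demonstration; real systems use their own parameters.

```python
import hashlib
import os
import time

ITERATIONS = 600_000   # assumption: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 256-bit key. The salt is stored in the clear
    next to the encrypted data (it stops precomputed tables); the iteration
    count makes every guess cost the attacker the same work it costs you."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def guess_password(target_key: bytes, salt: bytes, candidates, iterations: int = ITERATIONS):
    """What an attacker with the drive does: derive a key for each candidate
    password and compare. Returns (password or None, number of guesses made)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        if derive_key(candidate, salt, iterations) == target_key:
            return candidate, tried
    return None, tried


# Constructed list standing in for the millions of entries in a leaked-password file.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "shadow", "letmein", "monkey"]

if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ["shadow", "kestrel lantern orchid harbor"]:
        key = derive_key(pw, salt)
        t0 = time.perf_counter()
        found, n = guess_password(key, salt, COMMON_PASSWORDS)
        dt = time.perf_counter() - t0
        verdict = "recovered" if found else "not in the list"
        print(f"{pw!r}: {verdict} after {n} guesses ({dt:.2f}s, {dt / n * 1000:.0f} ms per guess)")
```

The stretching buys time per guess, not safety: at a few hundred milliseconds a guess, a dictionary word still falls in minutes, while a random four-word passphrase is simply not in the dictionary.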
Protecting yourself, your colleagues, your organization and your sources starts with basic security practices.
- Choose strong passwords, and do not use the same password everywhere
- Use 2-step verification on your email and other critical accounts
- Always check the URL before you enter a password
- Be suspicious of generic messages that try to get you to click a link
- Try to avoid downloading attachments, viewing them online if possible
- Encrypt the drives of all your computers
These steps are free, easy, and dramatically increase security. There’s a lot more to know about protecting yourself, your colleagues, and your sources, but these are the basics. Every journalist—whether working on a sensitive story or not—should be doing at least this much.
Co-founder & Advisor of Workbench. Jonathan is currently working as a research scholar at Columbia Journalism School. He has written for the New York Times, Associated Press, Foreign Policy, ProPublica, and Wired.