Curated by Martin Shelton
While we often worry about sophisticated digital attacks, the most common attacks for accessing news organizations’ accounts depend on only a few simple weaknesses. These weaknesses are usually a combination of predictable passwords, phishing emails designed to steal login credentials, as well as malicious file attachments in email and elsewhere. While the attacks are simple, so are the defenses. This collection of resources and learning materials will walk you through practices recommended by security specialists for defending your newsroom against common attacks on your accounts.
This overview begins with a brief introduction to assessing newsroom security threats broadly, and moves on to more detailed recommendations. Jonathan Stray gets into specifics about strong authentication practices, as well as how to identify fake login pages and malicious attachments designed to steal your credentials, or to give an attacker access to your computer.
A brief introduction from the Electronic Frontier Foundation to two-factor authentication, which strengthens login security by requiring a second piece of authenticating information beyond your password. Importantly, it describes some practical challenges to consider before setting up two-factor authentication.
Though we know we shouldn’t, we often reuse passwords because they’re hard to remember. This can be dangerous because a single password breach on one website would allow an attacker to access numerous other services. This short guide (by me) introduces the need for unique passwords to isolate breaches, and how to choose a password manager that can make browsing the web safer and more efficient.
One of the most common security threats journalists will run into is simple—convincing you to enter your credentials into a fake login form, sent in a “phishing” email. This article from Harlo Holmes covers how to identify the telltale signs, and simple defenses.
A collaboration between several digital rights NGOs, this guide examines the basics of malware - malicious software designed to give an attacker access to your machine. It describes signs that your device might be infected, steps for addressing the issue, and precautions for avoiding malware in the future. It also includes information about when and how to contact a security professional about a potential breach.
This is not strictly related to account security, but encryption can help minimize damage when someone gets into your messaging accounts. Newsroom messaging accounts (e.g., email) are breached far too often. It’s not a matter of if, but when. To minimize damage, it’s wise to make a habit of avoiding unencrypted messages over email and to delete old messages whenever possible. A secure messaging app, Signal, makes this easy. I recently published this guide to getting started with Signal for iPhones and Android devices. When possible and practical, send Signal messages instead.
VirusTotal is a free service that allows you to quickly scan files and URLs for malicious content. VirusTotal compares the composition of a file (its alphanumeric hash) to known malicious file hashes in its public database. It can be a helpful option for analyzing suspicious materials, rather than executing them on your machine. While VirusTotal will not make your uploaded files publicly available, its analyses are entirely public. It’s a good option for scanning for malware when you are not concerned about the privacy of a particular file.
Two Factor Auth is an enormous list of websites, and information on whether they support two-factor authentication. The site includes links with instructions for setting up two-factor authentication on all supportive web services. Just type in your favorite service and go. It’s especially important to set up 2FA on your primary email - if an attacker gets your email, they can recover your other accounts.