Cyber security training for journalists: Tips and tricks to keep your communications safe
en français / en español / en català
Journalists face an increasing challenge to secure their communications in a digital world. The protection of confidential source can be easily compromised in a world where surveillance is becoming ubiquitous. Can journalists secure their communications and protect their sources?
To address the issue, the European Federation of Journalists (EFJ) and the European Trade Union Institute (ETUI) has organised a four-day workship starting from 19 to 21 January in Brussels on “Cyber security for journalists”.
Run by digital security expert, Dmitri Vitaliev, twenty-one journalists and union officers are given a hand-on approach to protect their communications in a fast-pace digital newsroom. Journalists were also taught how to bypass internet censorship and secure their online communications.
Useful tips and tools
- Install anti-virus software on your computer. If you have a new computer, install the anti-virus before connecting online to minimise your chance of catching a virus.
- Firewall – Installing anti-virus software is not enough. The firewall is a stronger layer of security that you need to protect. Install software to reinforce your firewall protection.
- Don’t use pirated software. If you cannot afford licenced software, there is a lot of open-source software out there that you can download and use safely.
- If you are using a public computer or cannot gurantee that the computer is virus-free, you can opt for a USB flash drive. You will not leave any trace of your work on the computer.
- Use secured password. The longer and more complicated the password, the harder it is for hacker to break in. Use at least 12 figures in your password with letters, symbols and different characters. Don’t use the same password for everything. If you don’t have an elephant memory, you can use KeePass to store passwords securely. But remember to keep your master password strong for KeePass.
- DETEKT who has been spying on you. If you want to know whether you are being spied, you can download the free tool “Detekt” to scans your Windows computer for traces of (common spywares such as) FinFisher and Hacking Team RCS, commercial surveillance spyware that has been identified to be also used to target and monitor human rights defenders and journalists around the world.
Data management – How to delete, recover & encrypt your data?
- Deleting your data – You think by clicking the “delete” button, your file will be deleted forever? The answer is “no”. The file you deleted can still be recovered even though it may no longer be visible. It is still somewhere in your computer or usb stick. In order to delete your file permanently, you can download free software (such as CC Cleaner) that allows you to delete your file permanently.
- Recovering your data – However, journalists can use this to their advantage. If you are ever forced to delete your photograph by the authority, you can do so with the assurance that you can retrieve your photo when you get back to the office or home. All you need is the software (such as Recuva) to do that. But if the hard drive is damage severely (by fire), the data inside may not be recovered.
- Delete / manage your metadata because it tells people a lot about you and how the file is being created. If you do not want to remain anonymous or protect your sources, keep the meta data for yourself.
- Create a secured data back-up. You should always have a back-up of your important data but use a secured back-up. If you don’t want to carry sensitive data around when travelling, you should store your data in a secured drive (such as Mega.co.nz) that you can have access to wherever you go. Before storing your data, take one more security step to encrypt your data before storing them in a remote drive or cloud.
- Encrypting your data. You can download free software (such as Boxcryptor) that encrypt data before you send it or store it in a cloud. To encrypt your file and prevent others to have access to your file on your computer, you can use TrueCrypt to encrypt your files. This allows you to create a “secret vault” in your computer which is only visible to you who knows the password and location of the file in your computer. You don’t need to know about encryption or coding, all you need to do is to follow the simple steps of the software.
- What if I am forced to give away my password for the encrypted file? If you are ever in an extreme situation in which you have to reveal your password to the authority, you should take this last but important step to protect your sources or sensitive data. You can create “a hidden vault” within the “secret vault” in TrueCrypt. So your “secret vault” becomes a disguise in case you ever need to reveal your password for this “secret vault”. In this case, you can reveal the password to the authority to have access to your “secret vault”, but the real secret or sensitive data are stored in the “hidden file” within the “secret vault” which you have a different password to access that. Put the real sensitive content in the “hidden vault” but be aware that you should put the seemingly sensitive content in the “secret vault” which you will give the access to the authority so that they don’t suspect you and start looking for something else.
Some hard facts about communications on the internet…
The truth is that you cannot really keep your online activities private to yourself. Today, there is no anonymity on the internet unless you take specific measures that include disguising your digital identity and activities and taking measures to secure your online communications but even so, it is not guaranteed that your communications are safe.
Someone, somewhere will be able to monitor your activities online. People (whether they are your Internet Service Providers -ISP or national authority) out there who have access to your internet connection can monitor your activities online. They will be able to tell when and where you have visited certain websites or chatted with a particular person online via Skype.
Under EU data retention law, ISPs can store your communications data online or telephone data for law enforcement purposes. They can reveal all your communications and digital identity to the authority upon requests. On Monday 19 January, it was reported that thousands of emails of journalists in international media organisations were collected by the British intelligence agency.
Even though there is nowhere for us to hide in the digital environment, there are some measures that you can take to protect certain communications online such as emails, instant messaging and video/audio conversations.
- Encrypt your email messages. You can download web-based softwares (such as Mailvelope) to encrypt your emails so that no one (apart from yourself and your recipient) can read your messages. But this will require the recipient of your email to take the same measure. This software is only for web-based emails and it cannot encrypt your attached files in the email. For step-by-step tutorial of how Mailvelope works, please watch the video HERE. To encrypt files, you can use GPG encryption programme.
- Securing instant messaging and audio/video conversations. Most popular instant messaging and audio/video platforms (such as Skype, Facebook chat, Google Hangout, etc.) that are owned by big corporations no longer provide the absolute privacy and anonymity you want. If you want to communicate sensitive information, you should use peer-to-peer online instant messaging and audio/video conferencing plateforms (such as Cryptocat, meet.jit.si, talky.io, Whispersystems, etc.). If you want to find out more secure messaging plateform, you can visit the Electronic Frontier Foundation which has enlisted all the latest secure messaging or audio/video conferencing platforms. (see below list of resources)
- If you think that it is only in science fiction that you have to put your mobile phone in the fridge in order to prevent prying ears, then you are wrong. Our mobile devices can be switched on remotely and used as spying tools. We cannot remain anonymous using our mobile phones because the same network that provides you with internet access also provides you with the mobile communications. The ISP can locate you even though your mobile phone is not switched on. In many countries, you are required to provide your ID in order to buy a SIM card. What happen if you want to use your mobile phone and remain anonymous? There are some devices and applications (see below resources) out there which provide you with certain degree of security for your mobile commucations. For example, WhisperSystems is an application for smartphone users to make private call without their identities or location being revealed.
- How to bypass internet censorship? In countries where internet censorship is a commom practice to oppress the media or critical voices, access to information or communication can be a problem for journalists and human rights activities. There are ways to bypass internet censorship that come at a very small price. You can rent a virtual private network (VPN) that will encrypt and redirect all your traffic from your computer to that VPN. However, this does not prevent your ISP or the government from noticing that you are using a VPN that is located in the other end of the world. But what they cannot do (thus far) is to block the VPN connections.
- Using temporary email service to remain anonymous.If you want to avoid spam or don’t want to give your real email address to strangers, you can use temporary email service (such as GuerrillaMail or Mailinator) to remain anonymous. The service provides you with an unique email address that you can dispose.
- Private browsing. Cleaning your cookie and internet history is not enough. If you want to minimise the chance for internet surveillance, you can use Tor Browswer so that no one can see what sites you have visited or track down your location. It will also allows access to websites not available for normal browsers.
Where to go for more information on cyber security?
General guide on cyber security
- Passwords storage software http://keepass.info
- Secured back-up server http://mega.co.nz
- Email encryption https://www.mailvelope.com/
- Electronic Frontier Foundation https://www.eff.org (you can check out the EFF secure messaging scorecard with a list of secured platforms)
- Secured mobile communications application https://whispersystems.org/