Cyber security for journalists: The internet is a hostile environment too
Alan Pearce is a journalist and author specialising in cyber security

In the first of a series of posts, Alan Pearce looks at the dangers facing journalists in cyberspace and what they can do to keep themselves safe:
Being a journalist in 2015 is more dangerous than it ever was. In addition to the growing number of threats, attacks, murders and war casualties, we are now being actively targeted online by intelligence agencies, law enforcement and others.
Journalists are at the sharp end. We have contact with politicians and activists; we have our finger on the pulse; and we are capable of causing all kinds of trouble, both to governments and corporations. If they become interested in you, they will monitor all your online activities and read your email. They will see who your contacts are and they will start to monitor them too.
But it’s not just intelligence agencies we should worry about. All kinds of people have a vested interest in knowing about your next story: individual criminals and criminal organisations, political parties and extremist groups, law firms and the corporate giants.
Stay beneath the radar
A reporter working on a story about a local man with an idea to counter IEDs (improvised explosive devices) would very likely read up on military statistics, watch a few explosions on YouTube, check out different detonators and view an extremist website or two. He or she would be asking for trouble.
From that day on the reporter would be a marked man or woman. They could no longer research in private or correspond in confidence. They would never be able to protect the anonymity of a source - a fact not lost on potential whistle-blowers and informants.
It is safe to assume that if law enforcement or the intelligence agencies want to monitor anybody’s internet access then they can, regardless of the niceties of court orders and warrants. This means that absolutely everything is open to inspection.
The key here is never to come to their attention in the first place. Simply put, if they don’t know who you are or where you are, they can’t spy on you.
We can protect ourselves and those we are in contact with by installing a few free, tried-and-tested programs and by tweaking the computer and smartphone. We can easily mask our identity and location. And we can ask sensitive questions without Google or GCHQ building a profile on us.
But it is also vital not to ‘go quiet’. If you suspect you are being observed, you must carry on as you have always done. Continue buying cinema tickets online, chatting to your friends and posting to social media.
You must give them something to monitor. You need to keep them satisfied and to divert their attention while you operate elsewhere in unexpected ways.
In the final scene of the film Raiders of the Lost Ark, they place the Ark of the Covenant inside a crate and then hide the crate inside a vast warehouse full of identical crates. This is the principle by which to operate, but on an infinitely vaster scale, down in the Deep Web - the uncharted depths of the internet. Don’t think of a needle in a haystack. Think of a needle in a universe of haystacks.
How the ‘bad guys’ operate
With so much counter-espionage technology on the market, those who want to get in now target the weakest link in the chain: the human being. They do this through so-called ‘social engineering’ - the art of enticing users to malicious websites and then tricking them into giving out confidential information - or by planting malware in their system there and then, or via email.
At the basic level, advertising networks do this whenever users take on board cookies. Cyber criminals make the most of news events and consumer trends to draw people to a web page where malware will automatically plant itself in the computer - known as a ‘drive-by-download’. Malware can also be surreptitiously planted in advertising banners on legitimate websites to infect even the wary. These are known as ‘watering hole attacks’.

Within hours of the Boston marathon bombing the spammers were sending out emails and Twitter links, seemingly from CNN, which sent users to sites compromised by a ‘blackhole exploit kit’ where many were infected by Trojans, ‘backdoors’, ‘infostealers’ or ‘rootkits’.
The same thing happens around most major news stories. And it’s not just the gullible public who fall prey. Seasoned journalists are regularly sucked in with the apparent deaths of celebrities or looming sex scandals.
Take extreme care with anything that you receive. Intelligence agencies and law enforcement also use malware. One example is FinSpy which they send to people in spoof emails, allowing agents to take control of smartphones and computers, intercepting Skype calls, turning on web cameras and recording keystrokes. Researchers have found FinSpy running on 36 servers worldwide, from Austria to Vietnam.
As scary as this might seem, dodgy redirects and drive-bys can be pre-empted with a good anti-virus program. Equally, if you want to visit a site that may be unsafe, either because it’s being run by a criminal enterprise or because law enforcement may have surreptitiously planted a tracking device, ask Google or another search engine to call up a cached version of the page. That way you are not actually visiting the site but rather a copy of it held by the search engine.
To avoid automatic infection via email, disable HTML in your email program via the ‘Settings’ tab. Look for and untick ‘Display attachments online’ or tick ‘View message body as plain text’.
Be aware of social media posts and emails with enticing links, many of which are often shortened so you don’t know where you’re heading. Short URLs can be enlarged at LongURL.org.
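To make the two checks above concrete, the following added example (not part of the original post) reads an HTML email as data rather than rendering it, and lists where each link really points. The shortener list, the function names and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small illustrative set of shortener hosts, not a complete list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly"}

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags without rendering anything."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host(url):
    # Lower-cased hostname of a URL, with or without a scheme.
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def audit_links(raw_message):
    """Return (text, href, warnings) for each link in the message's HTML body."""
    msg = message_from_string(raw_message, policy=default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = LinkCollector()
    collector.feed(part.get_content())
    report = []
    for text, href in collector.links:
        warnings = []
        if host(href) in SHORTENERS:
            warnings.append("shortened URL hides the destination")
        shown = host(text) if "." in text and " " not in text else ""
        if shown and shown != host(href):
            warnings.append(f"text shows {shown} but link goes to {host(href)}")
        report.append((text, href, warnings))
    return report

# Constructed sample message (not a real email).
SAMPLE = ("Subject: Breaking news\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
          '<a href="http://bit.ly/placeholder">video</a> '
          '<a href="http://login.example.net/story">www.cnn.com</a>\n')
```

Calling `audit_links(SAMPLE)` flags the first link as shortened and the second as displaying one site while pointing at another; nothing is fetched from the network.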
Never open attachments if you are unsure of their origin. Consider transferring to a separate offline computer - generally known as ‘air-gapping’ - or simply disconnect your computer from the internet and run documents and files through an anti-virus ‘sandbox’.
If you suspect you are a target, never make internet purchases of digital devices: smartphones, laptops, tablets, computer hardware, memory cards or even USB leads. There are credible reports that items destined for specific targets are being intercepted in the post and that key-loggers and other malware are being installed directly into the devices. Wherever practical make purchases from physical stores and pay cash.
Above all, do not rely on technology to keep you safe. No single system or piece of software is 100% secure or safe. You need to combine tools and techniques, and you need to devise tactics and strategies to avoid being found in the first place. In my next post I’ll show you how.
Alan Pearce is a newspaper journalist, broadcaster, former BBC foreign correspondent and the author of Deep Web for Journalists: Comms, Counter-Surveillance, Search.
