As journalists, the need to improve our digital hygiene is self-evident. However, many of us are new to digital security, which can be overwhelming and filled with complicated security concepts and unknown acronyms.
This article is a basic introduction to some concepts security-conscious journalists might want to consider when assessing their security practices. I’ll update this page over the next few months with links to additional articles that treat these (and other) topics more in depth.
1. Enable Two-Step Authentication
More and more online services are beginning to offer two-step authentication, which adds an extra layer of security to the log-in process. This includes services such as Twitter, Facebook, and Dropbox. For this article, however, I will discuss Google, since many of us are forced to use its services on a daily basis. Part of the reason for this is that many organizations have begun using Google Apps for Business, which gives email addresses under a domain the same access and privileges to Google services as a regular Gmail address.
By adding the two-step verification process to your Google account, every time you log in, a verification code is sent to your phone, which you must input in addition to your username and password. This means that even if your password is stolen or cracked, an attacker cannot log in to your account without your verification code. If you have a regular Gmail address, you can enable this feature yourself. For a domain using Google Apps, the administrator must enable it.
2. Encrypt Your Hard Drive
If you lose your laptop, whoever ends up with your computer can access all your files even without knowing your log-in password. If your computer leaves your control (at a border crossing, for example), encrypting your drive and turning the computer off will keep the data inaccessible until you turn it on and enter the password. FileVault on Macintosh and TrueCrypt on Windows are the usual recommended ways to encrypt stored data.
3. Do NOT Click on Email Links or Open Attachments
Phishing emails that contain links or attachments can lead to malware that can subvert your computer’s defenses or trick you into giving up your passphrase. Those who work at high-value organizations, like many journalists, can be targeted by phishing emails personally crafted to appear to be from colleagues. Even if your own work is not particularly sensitive, the mere fact that you have access to organization-wide resources might make you a tempting target for an attacker who would seek to access sensitive material from your laptop.
Phishing emails can appear to come from people you know, so be careful. Don’t open attachments or click links unless you’re expecting them. Never give out your password to anyone, or to any software you are unfamiliar with or don’t use on a regular basis.
4. Update your Browser
Considering the amount of time you spend surfing the web, this might be one of the most important things you do to improve your digital hygiene. Online criminals take advantage of security holes in browsers to infect your computer with a plethora of malicious code. As browser developers discover these threats, they provide fixes via updates. Browsing the Web without an updated browser is like fishing with sharks without the proper gear — it’s extremely dangerous and leaves you open to a variety of attacks.
5. Password-Protect Your Cell Phone
Most retail or commercially available mobile phones are extremely insecure for a variety of reasons, which will be explored in future articles in detail. Setting a password for your mobile phone is important, however, because many of us store personal information on our phones. This includes contacts, access to social networks, calendar, and files. In addition, if you use cloud apps like Dropbox, anyone using your phone will have direct access to them. Keep in mind, however, that if you lose your phone, your password can eventually be hacked. As such, you should never store sensitive information on your mobile.
6. Mobile Location Settings
Mobile phones also serve as a type of individual locator thanks to phone tracking — a method which determines your location by triangulating your position from mobile phone towers and wireless hotspots. To make matters worse, apps and games installed on your phone can reveal your location publicly or record your movement, at times without even asking if you want this information shared. The best solution is to disable your location settings on your mobile phone.
7. Stay Off Skype
No one should use Skype for secure communications. Earlier this year, Ars Technica found that Skype is not using end-to-end encryption and, more than likely, your conversations are being listened to. In fact, Skype’s privacy policy states that they have the right to scan and review your instant messages and SMS. Unfortunately, there is no good, trustworthy, encrypted voice or video infrastructure to replace Skype, so we recommend you simply don’t use it for sensitive discussions.
However, if you are going to use Skype, there are a few things you can do to at least protect yourself from Skype-targeted phishing, spam and viruses. In your privacy settings, make sure that only people in your contact list can contact you either through IM or video.
8. Use HTTPS by default
When you see HTTPS at the beginning of a Web address, you know that communication between you and that page is encrypted. Even though many sites offer HTTPS, such as Wikipedia and Google, many still don’t default to it. A good solution is to install the EFF’s browser plugin, HTTPS Everywhere (available for Firefox and Chrome), which enables HTTPS protection for many sites. When you use the plugin, third parties may still be able to see which site you are visiting, but not which page or what content you are viewing. In addition, encryption protects information you send to the site, such as your log-in information.
9. Don’t Install Unknown Programs
This really means “don’t visit suspicious sites from your working computer” — pornography sites, cracked software sites, torrent sites serving music and video — not because you’ll get in trouble, but because they tend to be crawling with pop-ups waiting to trick you into installing something you didn’t mean to. The Web is littered with software that earns its keep by spying on users, and sometimes it’s even more malicious than that. If you don’t know who makes and distributes a program, it’s hard to know whether the software is safe. Make a habit of downloading programs directly from the websites of trusted vendors or well-known open-source projects.
10. Use Strong Passphrases
Did you know that a simple PC can crack 100 million passwords a second, and that many passwords can be found through Facebook? Unfortunately, having a strong password that you routinely change is part of the cost of being online. For a password to be strong it should not resemble a word. In fact, it should be long! To emphasize this point, the security community talks about “passphrases” instead of “passwords.” Make sure that your passphrase includes numbers, capitalized letters, and non-alphanumeric characters, such as spaces. If you’re having trouble coming up with a good passphrase, take a look at this article.
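To put the 100-million-guesses-a-second figure next to the advice to make passphrases long, here is an added calculator (not from the article) that estimates the brute-force keyspace of a passphrase from its length and the character classes it uses, and the worst-case time to search that keyspace at the article’s rate. The sample passphrases are constructed, and the character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) are my assumptions. It measures brute-force resistance only: a dictionary word or a pet’s name found on Facebook falls to a wordlist no matter what this estimate says, which is exactly why the article says a passphrase should not resemble a word.

```python
import math
import string

# The article's figure: a simple PC trying 100 million passwords a second.
GUESSES_PER_SECOND = 100_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(passphrase: str) -> int:
    """Size of the alphabet an attacker must search to cover every character class
    present in the passphrase (assumed classes: lowercase, uppercase, digits, symbols)."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(c == " " or c in string.punctuation for c in passphrase):
        size += 33  # 32 printable ASCII punctuation characters plus the space
    return size


def brute_force_bits(passphrase: str) -> float:
    """log2 of the keyspace N**L: doubling the bits doubles the attacker's work.
    Length (L) multiplies the bits; adding a character class only nudges log2(N)."""
    return len(passphrase) * math.log2(charset_size(passphrase))


def years_to_exhaust(passphrase: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate of this length and alphabet at `rate` guesses/s.
    Upper bound only: dictionary and personal-information attacks skip most of the keyspace."""
    return 2 ** brute_force_bits(passphrase) / rate / SECONDS_PER_YEAR


def report(candidates):
    """Rows of (passphrase, length, alphabet size, bits, years) for comparison."""
    return [(p, len(p), charset_size(p), round(brute_force_bits(p), 1), years_to_exhaust(p))
            for p in candidates]


if __name__ == "__main__":
    # Constructed samples: a bare word, a short "complex" password, and a long phrase.
    samples = ["password", "P@ssw0rd1", "my cat naps on 3 warm Windows"]
    for p, length, n, bits, years in report(samples):
        print(f"{p!r:34} len={length:2} alphabet={n:2} bits={bits:6.1f} years={years:.3g}")
```

Running it shows the point of the section in numbers: the nine-character mixed password is searched in a couple of centuries at this rate, while the 29-character phrase with the same alphabet is out of reach by many orders of magnitude, and the plain word goes in seconds even before a wordlist is tried.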
11. Social Media Privacy Settings
Social media is a computer criminal’s dream come true. Your digital imprint says more about you than your social security number or even bank number. Thanks to something called metadata, individuals can figure out, for example, who you spend the most time with, track your movements, and find out who your family members are and where they live, and even what diseases you have. Not only should you be strategic about what information you put online, but you should be careful about who is able to access that information. Each social network has its own vulnerabilities and privacy settings, which this column will also cover in depth in the future.
Sandra Ordonez is currently the Outreach Manager for OpenITP, part of the Open Technology Institute, which focuses on supporting the community behind anti-surveillance and anti-censorship technology. Ordonez calls herself a web astronaut who has been helping organizations navigate digital strategy and collaborative culture since the early ’90s. She has conducted over 350 interviews on the future of journalism, and currently manages the New York chapter of Girls in Tech. Previously, she was the Communications Manager for Wikipedia. She graduated from American University with a double degree in International Relations and Public Relations.
OpenITP improves and increases the distribution of open source anti-surveillance and anti-censorship tools by providing the communities behind these tools with many kinds of support.
Sandra - this article is SO helpful for anyone who wants to stay 'clean' online! Two-factor authentication is really important and if more companies and people were using it, many hacks could be prevented! I think one of the problems with 2FA adoption is that it tends to not be very usable, prompting a user every single time they log in! Have you tried any other 2FA or multifactor authentication tools?
Good start.
I would add.
You need to learn how to use a VPN to anonymize your IP address.
Then you need to use the Epic browser which is specifically engineered to prevent tracking.
Stop using Google services altogether.
Then you need to stop using Windows PCs as those are far more easily exploited.
And then, if you really need to go dark to contact a source, learn about PGP e-mail and use the Tor browser.
Most definitely. This is just a basic start. Someone from Tor is actually writing a piece for this column in coming weeks.
Excellent, I have trained RFE/RL reporters across Central Asia and they have been using Tor for years. But please ask that person if they recommend using a VPN in combination with Tor and how that workflow should look. My hunch is that a VPN/Tor combo would bring greater anonymity as the Tor exit node will be a VPN IP in another country.