An information security company has highlighted the growing rise in “fairly sophisticated” hacking attacks against journalists – by monitoring Wi-Fi traffic on the open network at the news:rewired conference (20 February 2014).
SensePost staff monitored traffic on the conference’s open and unencrypted Wi-Fi network for 40 minutes over the lunch break and gathered almost a gigabyte of data which they later then destroyed. They then searched the data for specific references to this (WordPress-powered) blog and detected a login cookie from one of our journalists containing his username and password to the admin area of our site. This did not give them full administrative access to our blog, but would have been sufficient to allow them to subtly alter any stories posted by that author, for example.
This is a known vulnerability of WordPress blogs when installed with default settings; banking and other sites that take security seriously use the https protocol to encrypt access and authentication over networks. No private data was accessed from our journalist or any other delegates at the conference.
Chief operating officer Daniel Cuthbert, who started hacking in the mid-1990s, told the London conference:
The human being is always the weakest link. Human beings are very easy to target and they’re very trusting when it comes to the internet. It’s not if, but when. There’s a big misconception now that you’re not going to get hacked. Instagram, Facebook, Twitter, you name it they’ve all been hacked. The sad reality of the internet today is there’s no expectation of privacy. We seem to have this trust when it comes to the internet – but the internet is an ugly place.
The issue of online security for journalists has become increasingly important over the past year in light of the Guardian’s publishing of material from the NSA whistleblower Edward Snowden.
Cuthbert added:
If you’re doing a story that’s going to embarrass, you need to go into a whole load of steps to protect that information.
Among the key tips to protect your security:
- Beware of open Wi-Fi networks: “A lot of the times there are pretty bad people behind them.” VPNs provide privacy. TOR provides anonymity. At the very least, use your own 3g/4G MiFi devices as they are more secure than open networks;
- protect conversations using secure chat software: Adium for OSX, Pigeon for Win, SilentCircle for iOS/Android;
- PGPMail: is “not that widely used by journalists”. When you send an email by Gmail it could be going over 19 different data centres around the world – so plenty of places where it can be intercepted. But beware with PGPMail: avoid insecure passwords and short key lengths. Also, PGPMail does not protect meta data;
- TrueCrypt: For encrypting files/disk on your computer;
- compartmentalise: store data separately, destroy disks with secure data on, take a separate machine to an insecure place (such as a basic Google Chromebook);
- web habits: don’t use the same browser for everything: online banking, researching a story. Be aware of unusual web pages and emails;
- 1 Password – generates random passwords for everything you do;
- beware of free apps on smartphones: many can access microphone, camera, location data and the adverts they contain can conceal spyware.
