
DIGITAL SECURITY FOR YOUR STORY

Jonathan Stray NICAR 2014

Laptop falls into Syrian govt. hands, sources forced to flee

Journalism Security Disasters


! Hacked accounts and sites
  ! AP
  ! The Washington Post
  ! The New York Times
  ! Etc.
! Sources exposed
  ! Vice reveals John McAfee's location (GPS coordinates left in the EXIF data of a published photo)
  ! AP phone records subpoena
  ! Filmmaker's laptop seized in Syria

What Are We Protecting?


! Commitments to sources
! Physical safety
! Legal concerns
! Our ability to operate
! Our reputation

Three Important Messages


! Journalism is a high-risk profession
! Even if you're not working on a sensitive story, you are a target
! For sensitive stories, you need a plan

WHAT EVERYONE IN THE NEWSROOM NEEDS TO KNOW

LinkedIn from June 2012 breach

Gawker from Dec 2010 breach

Two-Factor Authentication
! Something you know (a password), plus something you have (a phone or a hardware token)

Passwords
! Don't use a common password, and don't reuse one across sites: leaked lists like the ones above get replayed against every other service
! Avoid words in the dictionary (crackers try every dictionary word with the usual suffixes and letter substitutions)
! Use two-factor authentication
! Consider password management tools like 1Password
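The LinkedIn dump from 2012 consisted of unsalted SHA-1 hashes, so one hash computation tests a guess against every user at once. The following is an added example, not from the slides, of the dictionary attack that makes "avoid words in the dictionary" more than advice: a constructed three-user "leak", a five-word wordlist, and a handful of the mangling rules real crackers apply. The passwords, usernames and wordlist are all constructed.

```python
# Added example (not from the slides): dictionary attack against unsalted SHA-1
# hashes, the format of the 2012 LinkedIn leak. All hashes and words are constructed.
import hashlib


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


def mangle(word: str):
    """A few of the rules a password cracker applies to each dictionary word."""
    bases = {word, word.capitalize(), word.upper()}
    leet = str.maketrans("aeios", "43105")
    bases |= {b.translate(leet) for b in list(bases)}
    for b in bases:
        yield b
        for suffix in ("1", "123", "!", "2014"):
            yield b + suffix


def crack_unsalted(hashes: set, wordlist) -> dict:
    """Return {hash: password} for every hash hit by the mangled wordlist.
    With no salt, each guess is hashed once and looked up against all users."""
    found = {}
    for word in wordlist:
        for guess in mangle(word):
            h = sha1_hex(guess)
            if h in hashes:
                found[h] = guess
    return found


# Constructed "leaked" database: three users, unsalted SHA-1.
LEAKED = {
    sha1_hex("Password123"): "alice",
    sha1_hex("l1nk3d1n!"): "bob",
    sha1_hex("tangerine-viaduct-7-saddle"): "carol",   # random passphrase, not in any wordlist
}
WORDLIST = ["password", "linkedin", "welcome", "letmein", "journalist"]


def run() -> dict:
    """Map each cracked username to the recovered password."""
    hits = crack_unsalted(set(LEAKED), WORDLIST)
    return {LEAKED[h]: pw for h, pw in hits.items()}


if __name__ == "__main__":
    print(run())   # alice and bob fall to a five-word list; carol survives
```

Capitalisation, "leet" substitutions and a trailing "123" or "!" buy nothing against this; length and randomness do, which is why a password manager generating unique random passwords is the practical answer.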

Phishing
! By far the most common attack against journalists (or maybe anyone)
! Relies on getting the user to visit a site under false premises
! Typically directs users to a fake login page to trick them into entering passwords
! But more sophisticated attacks exist that work when users just view the page (drive-by exploits of the browser or one of its plugins)

AP Twitter Hacked by Phishing

AP Phishing Email

The link didn't really go to washingtonpost.com!

Read the URL Before You Click!

Phishing
! Becoming increasingly sophisticated
! Spear phishing = selected targets, personalized messages

All Is Not Lost If You Are Alert

Defending Against Phishing


! Be suspicious of generic messages
! Read the URL before you click
! Always read the URL before typing in a password
! Report suspicious links to IT security
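"Read the URL before you click" can also be done by a script over the HTML of a message, which is useful when the visible link text and the real destination differ, as in the AP phish. The following is an added example, not from the slides: it pulls every link out of a constructed HTML message and flags the three patterns that caught the AP, namely visible text naming one site while the href goes to another, a trusted brand embedded inside an unrelated domain, and punycode hosts that can hide lookalike characters. The allow-list of trusted domains and the sample message are assumptions; the real phishing email is not reproduced.

```python
# Added example (not from the slides): check the links in an HTML message the way
# "read the URL before you click" tells you to. The message below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"washingtonpost.com", "ap.org", "twitter.com"}   # assumed allow-list


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels: fine for .com/.org; production code needs the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text_or_url: str) -> str:
    u = text_or_url.strip()
    if "://" not in u:
        u = "http://" + u
    return (urlparse(u).hostname or "").lower()


def check_link(text: str, href: str):
    """Return a reason string if the link is suspicious, else None."""
    href_host = host_of(href)
    if not href_host:
        return "no host in href"
    if href_host.startswith("xn--") or ".xn--" in href_host:
        return "punycode host (possible lookalike characters)"
    for brand in TRUSTED:
        if brand in href_host and registrable(href_host) != brand:
            return f"'{brand}' appears inside unrelated domain {href_host}"
    if "." in text and " " not in text:          # visible text looks like a URL or domain
        shown = host_of(text)
        if shown and registrable(shown) != registrable(href_host):
            return f"text shows {shown} but link goes to {href_host}"
    return None


def suspicious_links(html: str) -> list:
    p = LinkExtractor()
    p.feed(html)
    out = []
    for text, href in p.links:
        reason = check_link(text, href)
        if reason:
            out.append((text, href, reason))
    return out


# Constructed message in the style of the AP phish: the visible text names a real
# news site, the href does not. The third link is a punycode lookalike.
SAMPLE = """
<p>Please read: <a href="http://washingtonpost.com.login-update.example/story">
http://www.washingtonpost.com/politics/story.html</a></p>
<p>Unsubscribe: <a href="https://www.ap.org/unsubscribe">www.ap.org</a></p>
<p>Other: <a href="http://xn--washingtnpost-abc.com/">washingtonpost.com</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE):
        print(f"SUSPICIOUS: {href}\n  shown as: {text}\n  because: {reason}")
```

The check is deliberately conservative: a mismatch is a reason to stop and look, not proof of phishing, since newsletters routinely route links through tracking domains.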

THREAT MODELING FOR YOUR STORY

Threat Modeling
! What do I want to keep private?
  ! Messages, locations, identities, networks, etc.
! Who wants to know?
  ! Story subject, governments, law enforcement, corporations, etc.
! What can they do?
  ! Eavesdrop, subpoena, exploit security lapses and accidents
! What happens if they succeed?
  ! Story's blown, legal problems for a source, someone gets killed

What Must Be Private?


! Which data?
  ! Emails and other communications
  ! Photos, footage, notes
  ! Your address book, travel itineraries, etc.
! Privacy vs. anonymity
  ! Encryption protects the content of an email or IM
  ! Not the identity of sender and recipient

Threat Modeling Scenario #1


You are a photojournalist in Syria with digital images you want to get out of the country. Limited Internet access is available at a café. Some of the images may identify people working with the rebels who could be targeted by the government if their identity is revealed.

File metadata

Photos, PDFs, and documents all carry hidden information inside the file: camera make and serial number, GPS coordinates, author names, edit history. Strip it before anything leaves your hands.
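For the Syria scenario above, the first thing to do to each photo is remove the metadata segments that a JPEG carries ahead of the pixel data. The following is an added example, not from the slides, that walks a JPEG's marker segments and drops the EXIF, XMP, IPTC and comment segments while leaving the image itself untouched. The JPEG bytes are a constructed minimal file rather than a real photo, and the choice to keep the JFIF APP0 segment is an assumption made so that decoders still open the file; PDFs and Office documents have their own metadata and need other tools.

```python
# Added example (not from the slides): strip metadata segments (EXIF, XMP, IPTC,
# comments) from a JPEG. The sample bytes are a constructed minimal JPEG.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Segments that carry metadata rather than pixels: APP1..APP15 and COM.
# APP0 (JFIF) is kept because many decoders expect it (assumed policy).
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Walk the marker segments up to SOS, drop metadata ones, copy the rest verbatim."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG")
    out = bytearray(data[:2])
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == SOS:                    # entropy-coded image data follows; copy it all
            out += data[i:]
            return bytes(out)
        length = struct.unpack(">H", data[i + 2:i + 4])[0]   # includes the 2 length bytes
        segment_bytes = data[i:i + 2 + length]
        if marker not in METADATA_MARKERS:
            out += segment_bytes
        i += 2 + length
    raise ValueError("no SOS segment: truncated file")


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment: FF, marker, 2-byte length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JPEG: JFIF header, an Exif APP1 holding a fake GPS string, a comment,
# then a nonsense SOS body and EOI. Real files also carry DQT/SOF/DHT segments.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00MM\x00*GPSLatitude=33.5138N")
    + segment(0xFE, b"Shot at the safe house")
    + b"\xff\xda\x00\x02" + b"\x12\x34\x56"
    + b"\xff\xd9"
)


def has_metadata(data: bytes) -> bool:
    """Crude check for the constructed sample: is either metadata string still present?"""
    return b"Exif" in data or b"safe house" in data


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(cleaned), "bytes; metadata left:", has_metadata(cleaned))
```

Run it on a real file with `strip_jpeg_metadata(open(path, "rb").read())` and write the result to a new file; keep in mind that the camera's original on the SD card still holds the metadata, which is the "how many copies are there?" question again.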

Who Wants to Know?


! Most of the time, the NSA is not the problem
! Your adversary could be a government, the subject of a story, another news organization, etc.

Threat Modeling Scenario #2


You are reporting on insider trading at a large bank and talking secretly to two whistleblowers who may give you documents. If these sources are identified before the story comes out, at the very least you will lose your sources.

What Can the Adversary Do?


! Technical
  ! Hacking, intercepting communications, code-breaking
! Legal
  ! Lawsuits, subpoenas, detention
! Social
  ! Phishing, social engineering, exploiting trust
! Operational
  ! The one time you didn't use a secure channel
  ! The person you shouldn't have told
! Physical
  ! Theft, installation of malware, network taps, torture

Threat Modeling Scenario #3


You are reporting a story about local police misconduct. You have talked to sources including police officers and victims. You would prefer that the police commissioner not know of your story before it is published.

What Are You Risking?


! Security is never free
  ! It costs time, money, and convenience
! How much security do you need?
  ! It depends on the risk
    ! Blown story
    ! Arrested source
    ! Dead source

Threat Modeling Scenario #4


You are working in Europe, assisting a Chinese human rights activist. The activist is working inside China with other activists, but so far the Chinese government does not know he/she is an activist and the activist would like to keep it this way.

DIGITAL SECURITY TOOLS

Data at Rest / Data in Motion

Secure Storage
! We're assuming you have some data you want to protect
  ! Documents, notes, photos, interviews, video, etc.
! But also: stored passwords, information about your colleagues, ability to impersonate you (e.g., fake emails)


Securing Data at Rest


! How many copies are there?
  ! The original file might be on your phone, camera SD card, etc.
  ! What about backups and cloud syncing?
  ! Use secure erase products (and expect them to be unreliable on SSDs and flash cards, where overwritten blocks can survive; encrypting from the start is the dependable fix)
! Could "they" get a copy?
  ! Steal your laptop
  ! Walk into your office at lunch
  ! Take your camera at the border
! If they had a copy, could they read it?
  ! Encrypt your whole disk!
  ! Use TrueCrypt (Windows), FileVault (Mac), LUKS (Linux). Note: TrueCrypt's developers abandoned it in May 2014, so on Windows today use BitLocker or VeraCrypt instead.
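"If they had a copy, could they read it?" starts with confirming that the disk really is encrypted, including any external drive the photos are on. The following is an added example, not from the slides, for Linux only: it walks the block-device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports every mounted filesystem that does not sit on a dm-crypt (LUKS) layer. The JSON sample is constructed; the exclusion of /boot and swap from the report is an assumed policy, since /boot is normally left unencrypted and swap is a separate question.

```python
# Added example (not from the slides): find mounted filesystems that are not on an
# encrypted device, from the JSON output of lsblk. Sample tree below is constructed.
import json
import subprocess


def encrypted_mounts(tree: dict) -> dict:
    """Map each mountpoint to True if some device above it in the stack has type 'crypt'."""
    result = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")
        if mp:
            result[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return result


def unencrypted_data_mounts(tree: dict) -> list:
    """Mountpoints holding data that are not on an encrypted device.
    /boot, /boot/efi and swap are skipped (assumed policy): /boot is normally plain."""
    skip = {"/boot", "/boot/efi", "[SWAP]"}
    return sorted(mp for mp, enc in encrypted_mounts(tree).items() if not enc and mp not in skip)


# Constructed output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`: root and /home on LUKS,
# /boot plain, and an external drive mounted unencrypted at /media/photos.
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
     {"name": "sda1", "type": "part", "mountpoint": "/boot"},
     {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
           {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
           {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
     {"name": "sdb1", "type": "part", "mountpoint": "/media/photos"}]}
]}
""")


def live_tree() -> dict:
    """Ask the running system; raises on non-Linux hosts or where lsblk is missing."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    tree = SAMPLE
    try:
        tree = live_tree()
    except (OSError, subprocess.CalledProcessError):
        pass   # not Linux, or no lsblk: fall back to the constructed sample
    for mp in unencrypted_data_mounts(tree):
        print("NOT ENCRYPTED:", mp)
```

On the sample it reports only /media/photos, which is exactly the camera-card or USB-stick copy that full-disk encryption of the laptop does nothing for.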

Securing Data in Motion


! Tools you should know
  ! PGP: secure email
  ! OTR: Off-the-Record messaging protocol
  ! CryptoCat: easy OTR through your browser
  ! Tor: anonymity
  ! SecureDrop: anonymous submission

OTR
! Not an app
! A protocol for encrypted communication, supported by several apps
! Does not hide your identity!
! Many chat programs can speak OTR
! Confusing and important
  ! Google Chat's "off the record" option does not use OTR
  ! Google can read your messages

Starting OTR in Pidgin

Starting OTR in Adium

Crypto.cat Easy OTR

Am I Really Talking to You?


!Man-in-the-middle pretends to be someone else

Solution: Fingerprints

! Contact your source over a different channel; verify he/she sees the same fingerprint you see
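Why the out-of-band fingerprint check works is easiest to see by running the key exchange twice, once directly and once through a man-in-the-middle. The following is an added example, not from the slides and not OTR's own code: a toy Diffie-Hellman exchange over a 61-bit prime (far too small for real use) with a SHA-1 fingerprint of each public key, which is the shape of what Pidgin or Adium displays. Real OTR uses a 1536-bit group and DSA signing keys; the prime, the generator and the fingerprint format here are assumptions for illustration only.

```python
# Added example (not from the slides): what fingerprint verification catches.
# Toy Diffie-Hellman over a 61-bit prime; insecure, for illustration only.
import hashlib
import secrets

P = 2**61 - 1      # Mersenne prime, chosen for a short demo; real groups are 1536+ bits
G = 5              # assumed generator for the demo


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, their_pub: int) -> int:
    return pow(their_pub, priv, P)


def fingerprint(pub: int) -> str:
    """What the chat client shows: a hash of the public key, grouped for reading aloud."""
    h = hashlib.sha1(pub.to_bytes(8, "big")).hexdigest().upper()
    return " ".join(h[i:i + 8] for i in range(0, 40, 8))


def session(mitm: bool) -> dict:
    """Run one exchange and return what each side computed and what they would read aloud."""
    a_priv, a_pub = keypair()          # Alice (the reporter)
    b_priv, b_pub = keypair()          # Bob (the source)
    if mitm:
        m_priv, m_pub = keypair()      # Mallory swaps both public keys for her own
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    return {
        # Without Mallory the two secrets agree; with her in the middle each side
        # actually shares a secret with Mallory, who can decrypt both directions.
        "secrets_match": shared_secret(a_priv, a_sees) == shared_secret(b_priv, b_sees),
        # Alice reads her own fingerprint over the phone; Bob compares it with the
        # fingerprint his client computed from the key it received.
        "alice_reads": fingerprint(a_pub),
        "bob_client_shows": fingerprint(b_sees),
    }


def verified(result: dict) -> bool:
    """The out-of-band check: do the two fingerprints agree?"""
    return result["alice_reads"] == result["bob_client_shows"]


if __name__ == "__main__":
    for mitm in (False, True):
        r = session(mitm)
        print("MITM" if mitm else "direct", "-> secrets match:", r["secrets_match"],
              "| fingerprint check passes:", verified(r))
```

The second channel matters because Mallory controls the chat channel: a fingerprint sent through the chat itself could be swapped just like the key. A phone call, a meeting, or a previously verified channel is what makes the comparison meaningful.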

Encryption vs. Anonymity

Encrypted message is like a sealed envelope. Anyone can still read the address (metadata)

Torproject.org

Tor Browser Bundle

Mobile Security
! Your phone
  ! Is a location tracking device
  ! Contains all your contacts
  ! Is used for every form of communication
  ! Stores a lot of information

Tell-All Telephone (zeit.de)

The Guardian Project

Silent Circle
! Commercial service
! Secure mobile calls, video, texts
! Can hand prepaid cards to sources

Legal Security
! In the U.S., the Privacy Protection Act bars police from searching for or seizing journalists' work product and notes, even with a warrant; in most cases they must use a subpoena, which you can contest, instead
  ! If the data is on your premises
  ! If it's in the cloud, no protection! The provider can be served directly

Resources
Committee to Protect Journalists information security guide
http://www.cpj.org/reports/2012/04/information-security.php

Jen Valentino's Encryption and Operational Security for Journalists, Hacks/Hackers presentation
https://gist.github.com/vaguity/6594731
http://www.cjr.org/behind_the_news/hacks_hackers_security_for_jou.php?page=all

Threat modeling exercise
http://jmsc.hku.hk/courses/jmsc6041spring2013/2013/02/08/assignment-6-threatmodeling-and-security-planning/
