Mondial was pivotal in setting up the communication channels and ensuring that the information exchange avoided surveillance. In the following guest post for onMedia, he gives some tips on how to protect communications from snooping eyes while still keeping the information flowing.

There is much uncertainty and doubt (and perhaps fear) about whether it’s possible to keep any collaboration among reporters, editors and sources secure these days. Based on my experiences with the global offshore-leaks project and similar international endeavors, I want to share some recommendations for setting up secure communications for collaborative projects.

But before you even start, you need to be honest about your technical skills and the situation. If you are reading this text, chances are you’re not an A-grade hacker or system administrator. You don’t need to be. But the less developed your technical skills are, the more you will need to rely on other people’s work and the less you will be able to evaluate for yourself if a solution is really secure.

Take the anonymous surfing project Tor, for example, and more specifically Tails. Tails is a ready-to-use system that allows novices to surf the internet anonymously. While such software has major advantages, the drawback is that you absolutely have to trust the source, the creators, of this system. Since Tails and Tor are open source and used by many people, any security flaws will probably be found and fixed at some point. But as long as you can’t match the source code with the software yourself, there’s a chance it’s been manipulated. (Recently this was done for TrueCrypt, a disk encryption software – you can read about it here.)

So when you lack the necessary skills, you need to decide to either:
– “buckle up” and learn the necessary skills
– trust tutorials and follow step-by-step solutions
– find/hire an expert who you have to trust from this point on

This will be the Achilles’ heel of your security concept, so choose wisely!

The cardinal question

Then you need to ask yourself the following (multipart) question: How many people need to communicate, for how long and from where, what are their roles and how much time do you have to prepare for this situation?

RedPhone – an open source encryption app

I’ll walk you through some answers to this question using two scenarios. But before I start, if you need to keep the contents of your conversations secret and can’t meet face to face, I recommend RedPhone (Android) and Silent Circle (Android+iPhone) for the time being. Both of these will keep the content of your talks safe as long as your devices/phones aren’t compromised. (Calling people does creates specific metadata – while it’s possible to avoid this by controlling and encrypting the whole connection from end to end, that is too much ground for this post to cover).

Scenario A – exchanging information among five people or fewer (assuming you don’t need to send many files)

Depending on the nature of what you are exchanging, having five people or fewer means sharing information via email is still manageable (but it does still create a large amount of duplicate text when referring and refining because email programs often just paste replies above the original messages).

First, make security a special responsibility. If you have a team leader – good. If not, choose one person to have the last word about security – a security “first among equals,” if you like. If unsure about who to chose, pick the person who’s the most sane and the most paranoid at the same time. If you share responsibility, it will degrade security, trust me.

If you’re not all working within the same company and are on different mail servers (meaning you have different email addresses – like mike@yahoo.com and claire@web.de), you should set up extra accounts on another mail server especially for your project.

The best would be a server you can trust to not be accessible to law-enforcement agencies. In Germany, for example, all email providers with more than 1,000 users are required to allow such agencies direct access to mail accounts without users knowing.

This means you will have to set up a server yourself or get a managed server (where you have the problem of having to trust the admin). You need to have that machine in a physical space which you trust won’t be compromised easily.

You can then set up the server to accept only secure (SSL) connections and use forward secrecy (also called perfect forward secrecy – you can read more about how to configure it here). This will also cost money to run – around US$25-50 a month plus the hardware lease. Security isn’t cheap if you want to have it done right. But this ensures that as you exchange information, none of the metadata is accessible to the NSA and other snoopers (read more about metadata here).

The server will be a “central point of failure” – meaning if your information there is accessed by a third party, unless it is already deleted, the invader gets it all. So you need to add a third layer of protection just in case – encryption. This will keep things secret. GPG, the open source implementation of the cryptographic software PGP, is fine for that.

Since you’re all using the same server, again, metadata will be the least of your worries because it’ll only be available to outsiders if they get on the server.

I recently started to work with PGP V2-Smartcards. These are physical cards you can use to store GPG cryptographic keys. The sweet thing about them is that you can set them up, send them to someone and people then have the encryption keys “outside” their computers protected with a pin or passphrase that is most unlikely to be brute-forced, since it locks down after three false access attempts. It also works within companies with a central IT department; they only need to set up your computer – Windows, Mac or Linux with a GPG version higher then 2.0.8 and a common reader and you can encrypt on your own.

Since we’re talking about computers – if you work in an environment where virtual and real break-ins are likely, here are some more tips.

Buy a computer in a store rather than ordering it online because the NSA is known to have diverted online purchases to install spyware on machines. Select the computer for its modularity – how easy it is to take apart because you might want to do things like remove the camera or the microphone (see www.ifixit.com for tips on taking apart devices). Set up the computer afresh with full disk encryption (here are some links to setting it up on Windows, Mac and Ubuntu).

Here are some basic pointers to setting up systems but as I have already emphasized, you need to have or acquire some skills and/or trust other people to make it really safe.

– securing one of many Linux Distributions
– hardening OS X (if you run a Mac client) –
– setting up a secure system. Note that with this, as with any other tutorial, you really need to know what you’re doing

If you set up your system like this, your activity will have very limited visibility and no metadata about the information exchange will be revealed unless the “other side” gets hold of the server.

However, if you need to send a lot of files and/or you are collaborating on a project with ever-changing information, this isn’t the correct scenario for you. See Scenario B instead. 

Scenario B. Exchanging information among six or more people and/or collaborating on a data-intensive topic over an extended period of time

A larger collaboration makes email a burden rather than a useful tool. Since it is likely different people will be communicating on different topics, and you also might have people joining and leaving the project, you need a different method of setting up secure communications.

I recommend setting up a web forum with enhanced encryption and file storage capability on a dedicated secure server. Start with a root/managed server as described above. Then set up a forum like fud-forum and harden the system. If the machine has the necessary CPU power, you can also reuse it as a mail server as seen above. On top of this, you could enable a VPN (Virtual Private Network), which will add an encryption layer.

By doing this, you can then communicate and keep records in a central location while also being able to control the level of information accessed by those involved. In the offshore-leaks collaboration, we had a core group who were able to access all information as well as a reporter group who only had specific access to certain information relevant to their areas of expertise or their countries. People who were new to the forum could read all communications on their access level chronologically as well as in “thread-mode,” meaning that they could see questions and answers.

If we had needed to, we would have been able to shut down the whole system and make the data disappear at any point. An advantage of such a system is that you can also make a complete “private” copy at the end of the project as a reference.

I know this post has only scratched the surface of some of your secure communication needs. The good news is that there is a wealth of great information out there on the internet about making your communication server even more secure.

One more thing – there is no such thing as perfect security. Forget it! But you can reduce the chances of being snooped on or your information compromised. Once you have some knowledge and set up the system, you need to maintain your level of security and keep an eye out for any possible breaches.

If you have any questions or need more pointers, I’m happy to help – I just might need some time to respond. You can email me on kappuchino@h2h.de or you can get in touch with me on Twitter at @kappuchino.

Sebastian Mondial is a freelance data journalist who works mainly for German state broadcaster NDR in the investigative research team. He is also one of the founders of the first full-time data team in Europe – the regiondata desk at German press agency dpa. When he’s not busy crunching data, he also trains journalists on security and data journalism.

Everything from the very real threats journalists face from internet surveillance, to losing control of personal data through mobile messaging applications were all canvassed at DW Akademie’s Digital Safety for Journalists panel discussion at the ARD-Hauptstadtstudio in Berlin.

Joining DW Akademie’s Holger Hank on the panel were Anne Roth (Tactical Technology Collective), Zahi Alawi (DW Akademie), Malte Spitz (German Greens Party), John Goetz (NDR) and William Echikson (Google).

Along with discussing the need for media organizations to be proactive and train journalists to use encryption and secure digital communications, the data retention policies of governments and technology firms, and how the internet should be controlled were also lively debated.

The panel was conducted in both German and English and you can listen to and share the audio of the entire event via SoundCloud. A video will be made available shortly.

The conversation about digital safety for journalists continues on social media via #digisafe. Check out our Storify below highlighting a selection of quotes and comments from the event.

Watch out! Someone could be spying on you

When hackers broke into AP’s Twitter account earlier in 2013, their fake tweet about Barack Obama being injured in an explosion at the White House caused the US stock market to plunge. Just before the Twitter account was hacked, AP staffers had received an email asking them to click on a link that supposedly went to a Washington Post article.

Although it looked legitimate, the email was actually a phishing attack (view the email here). The fraudulent link redirected the recipients to a bogus site where they were asked for their login credentials. At least one person fell for the phishing email and gave the hackers, the Syrian Electronic Army, the password they needed to tweet in AP’s name.

In this case, the incident proved more embarrassing than damaging – the tweet was corrected immediately and the stock market recovered within minutes.

But falling for a phishing attack can have much more serious repercussions.

In Bahrain at least 11 people were imprisoned between October 2012 and May 2013 after the Bahraini government successfully phished their identities. All had allegedly written anonymous Tweets criticizing Bahrain’s King Hamad. The authorities identified the individuals by sending them fake links from Twitter and Facebook. When they clicked on the link, spy software noted the computer’s IP address allowing authorities to track the Twitter users down (read how the Bahriani government did this in an extensive report by Bahrainwatch.org).

Phishing attacks don’t just have to come from Twitter or email though; from sms to Skype, What’s App or even via the comments box on an online article, fake links can be embedded in any kind of communication.

What’s more, phishing doesn’t always involve a fake link. It might contain a downloadable file containing malicious software (or malware) that installs itself on your computer or smartphone without your knowledge.

Renowned security expert Jacob Appelbaum tweeted earlier this year about discovering spyware on the computer of an Angolan activist. Installed when an email attachment was opened, the spyware took shots of the victim’s screen and copied his files, automatically sending the information to remote servers.

This particular spyware wasn’t very high-tech but other malware can log keystrokes to steal logins and passwords, record visited websites or even activate the camera or microphone on the laptop to record what people are doing.

We journalist are used to receiving emails, tweets or Facebook messages with links to stories or documents. After all, being on top of the news is part of our jobs. But letting hackers, whether they are government authorities or criminals, steal our information can endanger not only our stories, but also ourselves, our colleagues and most importantly, our sources. That’s why it is essential to be aware of the problem.

Here are a few tips:

Mouse over the link. You can view a link’s URL by hovering over it with your mouse (but don’t click). If the URLs doesn’t look legitimate, or doesn’t match the one given in the email text, don’t open it.

Read the URL carefully. Fake links will often try to trick you into thinking the URL is real by using similar spelling to a real site, for example www.aljazera.com instead of the correct www.aljazeera.com. If you don’t look carefully, it’s easy to think you’re clicking on a legitimate link.

Check the domain name. The domain name is the part of the URL just before the first slash. For example, Deutsche Welle’s domain is www.dw.com. Genuine DW links have the domain name before the first slash – for example, http://akademie.dw.com/digitalsafety/ is still a genuine DW URL as the “dw.de” is before the first slash. A phishing URL to a fake DW site may look like this www.topstories.com/dw/globalization. Here’s a great spambusters post that tells lets you know more about checking links.

Use an URL checker. They aren’t foolproof but sites such as safeweb.norton.com are a good start.

Don’t open unverified attachments. All file types can contain malware. If in doubt, delete.

To find out more about avoiding hacking attacks, tune into the What’s in that message live online session with security expert Morgan Marquis-Boire on December 6 at 4pm CET. It’s just one of six online sessions happening during the “Digital Safety for Journalists” Open Online Workshop running from December 2-6. Other live sessions include mobile phone safety and using the Internet without being tracked.

Organized by DW Akademie together with Reporters Without Borders, the online workshop is free and open to anyone. For more information, visit the Digital Safety for Journalists website where you’ll also find daily posts on the topic starting from November 25.

Otherwise check out the Rory Peck Trust website which has fantastic online digital security resources written specifically for freelance journalists. For more about malware, see the entry How can I avoid malware.

Written by Kate Hairsine and edited by Kyle James

Flickr user: jmarty CC BY 2.0

Are you using any encryption tools or doing anything to protect your files, email and contacts on your computer or mobile phone?

As we find out more about the internet surveillance activities of the US National Security Agency, it’s clear that journalists and media organisations are among the targets of intelligence gathering agencies.

“Encrypt everything.”

That was one of the take home messages of Hauke Gierow’s talk on journalism and surveillance at this week’s Social Media Week Berlin.

Gierow heads the internet freedom desk at Reporters Without Borders in Germany. Surveillance he says has a chilling effect on journalism. Your sources become unwilling to talk; there is an erosion of trust in the media; and, people who might be key whistleblowers hesitate to speak out.

Perhaps just as worrying is what he describes as the complicity of technology firms in surveillance – or as Reporters Without Borders refers to them in their 2013 report: “Corporate Enemies of the Internet”.

Gierow says there are some 230 companies worldwide that develop spyware and internet traffic monitoring products that may be used by governments to violate human rights and freedom of information. A number of these firms are within EU countries.

Tools for online security

Here on the onMedia blog you can check out our in-depth series on online security resources and techniques produced by Natalia Karbasova. It’s an ongoing topic onMedia will cover.

But for journalists in developing countries, working safely online can be even more challenging – particularly if they are using shared computers in newsrooms, or in internet cafes. And, some tools may make the net slower to use or be hard to install on shared computers.

So what can you do?

Gierow says open source tools are useful for online security

Gierow says to first check out the tools and the how to guides in Tactical Technology Collective’s Security in a Box. These guides are also available in many languages.

He also suggests journalists using shared computers at work should have a dedicated user name and login; try to store their files in encrypted folders; limit the applications you install on the computer to the ones you only need to use; surf the net using the TOR network; and use encrypted chat programs.

Gierow cautions journalists to avoid talking about sensitive information over Skype.( You can also read our interview with Fabian von Keudell from CHIP magazine that examines the security of VoIP services such as Skype.)

You can watch Hauke Gierow’s full presentation below and follow the journalism related links and discussions at Social Media Week Berlin on #smwbjournalim.

UPDATE:

Dutch MEP Marietje Schaake has also drawn attention to the dual use of “digital arms” and wants European lawmakers to take action.

‘It is a bit hypocritical to talk about the NSA revaluations with concern to stress the importance of cyber security, which is also a very popular topic nowadays, without addressing the fact that it’s EU based companies that are making and producing these digital arms.’

Author: Guy Degen

The revelations of the surveillance program of the US

DW Akademie’s Natalia Karbasova spoke to Roth about the biggest risks journalists face online, and about the parties interested in gathering all relevant and irrelevant information: from local authorities to national secret services.

Is it possible for journalists to completely protect their online privacy?

Complete protection is not really possible. It will not be possible in the future either, since we need to supply our data to an internet provider to go online in the first place. The question is rather: what do you want to be secure from? If you want to be sure you are not being tracked by the advertising industry, you can use an adblocker as a browser plugin and configure it manually. If you want to shop online and at the same time protect your identity, you can use secure online payment services like Paysafecard or UKash. If you want to use internet services without disclosing your IP address, you should use the software Tor. Still, this personal anonymity is only guaranteed if you don’t use your personal log-in data while browsing the web.

What are the biggest security vulnerabilities online?

There’s no general answer to this question. It depends on whether you are a big company, a journalist or just a normal user. Access to data which are being transferred unencrypted through email or other internet services pose a big problem. If data transfer isn’t SSL-encrypted (you can see this encryption in your browser address bar which says “https://” instead of “http://”), it can be easily intercepted in an open WiFi network.

It is especially Windows users who face security problems. There’re numerous viruses and malware for Windows out there since this operating system is wide spread. They use unknown security weaknesses of Windows or install standard software and browser plug-ins to get daily access to the computer. That’s why is it is extremely important that you install the latest updates and the latest software.

You should also be really careful and limit yourself to the software, plug-ins and add-ons you really need. You can also protect yourself by installing a personal firewall and a virus scanner.

How do I know I’m being spied upon?

Normally you won’t discover if you’re being kept under surveillance by the authorities. In Germany, you have the right to request this information from the German Federal Intelligence Service and other services. The question is, if you get the answer. Foreign secret services like the NSA don’t provide any information to non-US citizens.

Who is interested in gathering my private information in the first place?

On the one hand, we talk about authorities, on the other hand, about companies. Their motives and methods differ of course. Secret services gather information on internet usage and on users not only to protect their country against terror attacks, but also to exchange this information with foreign secret services which are not necessarily able to track the global internet traffic on their own. The approach of the secret services can be described as “full take”: you take so much information as you can. Edward Snowden and other whistleblowers have shown that secret services often use special interfaces, which global companies have provided them with. Secret services also use intercontinental internet lines.

You have to be extremely cautious when it comes to using free services on the web. Remember that you still pay for it, but in a different manner, that is, not with money but with your data. That’s when you stop being a client and become a product.

What do companies do with the data they collect?

The data are collected through third-party cookies – little text files – users accept by browsing the web. Most users are not aware that they interact with other, third, parties when reading a news or any other website. These sites get paid to let the third parties have access to their users’ data. The more information is known about a user, the more valuable and up-to-date is his or her profile.

The advertising industry uses profiles for individual ads. Financial and insurance industries use your profile data to give predictions and to calculate how expensive their services should be for the end customers. By the way, the German registry office also sells your data, which many of us don’t know.

What’s so bad about it?

The problem of such data pools is, data collectors want more and more data. The intended use is often expanded later without updating those affected. That’s why I would recommend to be very careful with requests to share your address, you date of birth or the data of your children.

There’s an ongoing discussion in Germany following the data retention directive of the European Union. It regards retention of communication meta data. It is basically the same as gathering of metadata which is being intensely debated in the light of Prism. You can easily generate motion profiles and networks with the help of these data, which show who knows whom, who makes calls with whom and how long these calls last. The initial purpose of the initiative was counter-terrorism, but it’s obvious that even here others are interested to extend access options.