A digital security advisory

Published: Tuesday, August 4, 2015
Bit DepthXX
Lindsey Anderson explains security strategies at a recent MATT seminar. PHOTO: MARK LYNDERSAY

On Wednesday last week, three trainers from Internews offered local journalists an insight into digital security principles at a seminar organised by the Media Association of T&T.

Internews (https://www.internews.org) is an international nonprofit that provides training for both media professionals and citizen journalists in a range of journalism disciplines. Led by Lindsey Anderson, the three presenters offered a range of suggestions and approaches to improving digital security.

Anderson opened with a conversation about passwords, noting that “after 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.” Length, she noted, is preferred to obscurity: it’s better to create long random passphrases that make sense to their users than convoluted passwords with obscure characters that are difficult to remember.

As many as 30 per cent of the users in the world today use passwords that appear on the password hack lists that are the first recourse of hackers. Computers can run through those collections of words in a matter of seconds. Dictionary attacks can blast through all the words in all the dictionaries in the world, while brute force attacks use cryptanalytics to guess the individual characters in a password.
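The sketch below is an added example, not material from the seminar or from Internews. It shows why symbol swaps do not rescue a listed word and why a long random passphrase beats a short random string. The word list is a constructed stand-in, and the pool sizes (7,776 words, the size of a Diceware list, and 94 printable ASCII characters) are assumptions.

```python
import math
import re

# Constructed stand-in for a cracking wordlist; real lists hold millions of entries.
COMMON = {"password", "letmein", "dragon", "monkey", "qwerty", "trinidad"}
# Common symbol-for-letter swaps used to make a word look "complex".
LEET = str.maketrans("@4310$5!7", "aaeiossit")

DICEWARE_WORDS = 7776   # assumption: passphrase words drawn from a 7,776-word list
PRINTABLE = 94          # assumption: password drawn from printable ASCII

def base_word(password):
    """Undo the usual obscuring tricks: trailing digits/symbols, case, swaps."""
    core = re.sub(r"[\d\W_]+$", "", password)   # drop suffixes such as "1!" or "2015"
    return core.lower().translate(LEET)

def is_guessable(password):
    """True if the password reduces to a word on the common list."""
    return base_word(password) in COMMON

def random_bits(symbols, pool_size):
    """Entropy in bits, valid only when every symbol is chosen uniformly at random."""
    return symbols * math.log2(pool_size)

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Tr1n1d@d2015", "correct horse battery staple"):
        print(f"{pw!r}: reduces to {base_word(pw)!r}, listed={is_guessable(pw)}")
    print("8 random characters:", round(random_bits(8, PRINTABLE), 1), "bits")
    print("5 random words:     ", round(random_bits(5, DICEWARE_WORDS), 1), "bits")
```

The entropy figures apply only to randomly generated secrets; a phrase a person invents has far less.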

The Internews team recommends KeePass (http://keepass.info), an open source password manager for keeping track of the multiple passwords they recommend that users deploy when following the best practice of creating a different password for each service they access on the web.

But passwords, they warned, are outdated technology and users should look to two-step verification, already implemented by GMail, Twitter and Facebook, for improved security. After a review of malware, and the various strains of trojans, worms and spyware that users might want to look out for, Anderson explained the rapidly evolving realm of social engineering and phishing schemes in particular. Common phishing attacks come via emails, Twitter and Facebook messages and often make use of bit.ly links created using the popular URL shortener.

As a first bit of investigation of a suspect email, Anderson suggested hovering your computer’s cursor over a link to see what you’ll actually be clicking on. Don’t click on links in any emails without that first bit of screening.

In investigating suspect emails, look out for spelling and grammar errors in addition to links, as well as generic greetings, programming errors, lack of professional formatting and unusually strong warnings or threats for non-compliance with requests made in the email. High-profile subjects, or any political reporter over the next four weeks, should watch out for efforts at spearphishing, which puts significant social engineering resources into targeting an individual to gather personal information.

Antivirus software is only as good as its last update, and the most important thing is to have one (and just one) and keep it updated with new definitions of malware. Users should always enable the firewall on their computers, decline to download unexpected attachments, protect their information with regular backups, install antivirus on their phones and avoid downloading unnecessary applications. Always be prepared to wipe a drive and reinstall everything.

Even documents created in a word processor will embed personal information into documents, and some software will retain, invisibly, even more than that. There is also the threat of surveillance, which every cell phone and Internet connected device is susceptible to. Even without a GPS radio active, cell tower triangulation can place the position of a user and IP address requests can be used for tracking as well.

Telecommunications providers have huge datasets about every user, which they can use to design more effective networks but which can also be sold to businesses or governments who want to understand more about how the public moves around and accesses information.

That information can be used for beneficial purposes, allowing planners to work with data that reflects real world activity, or it can be mined for more devious purposes. To manage online data collection, users cannot just shut down the transmission radios in their mobile phones; they must also remove the batteries from their devices, though some phones have backup batteries that keep them alive at a lower level.

Set a passphrase for your phone and set the lock time longer, so the phone isn’t constantly locking, which can become annoying and drives users to remove passphrase protection. Don’t use the swipe to unlock option. It isn’t hard to reveal the trail your skin oils leave on a screen.

Avoid unnecessary apps, wallpapers and ringtones. Review what the software on the phone requires to run and look out for apps that ask for unneeded information. Turn off WiFi and Bluetooth when they are not in use. Bluetooth is a very hackable technology. Modern smartphones are computers and the Internews team encourages journalists and users with sensitive information to use them that way.

Resources
VPN: https://www.tunnelbear.com, https://www.torproject.org
Encryption for mobile: https://psiphon.ca, Redphone (http://ow.ly/QnDZE), Signal (http://ow.ly/QnENy)
Antivirus for mobile: Avast (http://ow.ly/QnEjx), AVG (http://ow.ly/QnEqn)
Secure chat: Crypto.Cat (https://crypto.cat), Jitsi (https://meet.jitsi.org/)
Secure video chat: Talky (https://talky.io)
Secure messaging: Peerio (https://peerio.com)
Background security information: https://securityinabox.org/en, Speaksafe (http://ow.ly/QnFrp), Surveillance Self-Defence (https://ssd.eff.org/en)