A digital security advisory

BitDepth#1,000 for August 04, 2015

Lindsey Anderson explains security strategies at a recent MATT seminar. Photo by Mark Lyndersay.

On Wednesday last week, three trainers from Internews offered local journalists an insight into digital security principles at a seminar organised by the Media Association of Trinidad and Tobago.

Internews is an international nonprofit that provides training for both media professionals and citizen journalists in a range of journalism disciplines.

Led by Lindsey Anderson, the three presenters offered a range of suggestions and approaches to improving digital security.

Anderson opened with a conversation about passwords, noting that “after 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.”

Length, she noted, is preferable to obscurity, and she suggested that it’s better to create long random passphrases that make sense to their users than convoluted passwords with obscure characters that are difficult to remember.

As many as 30 per cent of the users in the world today use passwords that appear on the password hack lists that are the first recourse of hackers. Computers can run through those collections of words in a matter of seconds.

Dictionary attacks can run through all the words in all the dictionaries in the world, while brute force attacks use cryptanalytics to guess the individual characters in a password.

The Internews team recommends KeePass, an open source password manager, for keeping track of the multiple passwords that users end up with when they follow the best practice of creating a different password for each service they access on the web.

But passwords, they warned, are outdated technology and users should look to two-step verification, already implemented by Gmail, Twitter and Facebook, for improved security.

After a review of malware, and the various strains of trojans, worms and spyware that users might want to look out for, Anderson explained the rapidly evolving realm of social engineering and phishing schemes in particular.

Common phishing attacks come via emails, Twitter and Facebook messages and often make use of bit.ly links created using the popular URL shortener.

As a first bit of investigation of a suspect email, Anderson suggested hovering your computer’s cursor over a link to see what you’ll actually be clicking on.

Don’t click on links in any emails without that first bit of screening.

In investigating suspect emails, look out for spelling and grammar errors in addition to links, as well as generic greetings, programming errors, lack of professional formatting and unusually strong warnings or threats for non-compliance with requests made in the email.
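The hover check described above can be automated for an HTML message body by comparing the address a link displays with the host it really points to. This is an added example, not material from the seminar or this column; the sample message, the `.example` hostnames and the one-entry shortener list are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly"}  # assumption: the article names only bit.ly; extend as needed
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def bare(host):  # lowercase and drop a leading "www." so the same site compares equal
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def audit_links(html):
    """Return [(href, [reasons])] for links whose real target deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = bare(urlparse(href).hostname)
        shown = DOMAIN.search(text)  # does the visible text itself look like an address?
        reasons = []
        if target in SHORTENERS:
            reasons.append("shortened link hides the destination")
        if shown and bare(shown.group(1)) != target:
            reasons.append(f"text shows {bare(shown.group(1))}, link goes to {target}")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample message body (not from the article).
SAMPLE = """<p>Dear customer, your account will be suspended!</p>
<a href="http://login.unrelated.example/reset">www.mybank.example/reset</a>
<a href="https://bit.ly/PLACEHOLDER">View your invoice</a>
<a href="https://www.mybank.example/help">mybank.example/help</a>"""
```

Calling `audit_links(SAMPLE)` flags the first two links and passes the third, whose displayed address and real destination agree.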

High profile subjects, or any political reporter over the next four weeks, should watch out for efforts at spearphishing, which puts significant social engineering resources into targeting an individual to gather personal information.

Internews warned of common myths that lead to unearned comfort, among them, that Macs and Linux systems don’t get viruses, that viruses don’t attack smartphones and that an antivirus will always clean an infected computer.

Antivirus software is only as good as its last update, and the most important thing is to have one (and just one) and keep it updated with new definitions of malware.

Users should always enable the firewall on their computers, decline to download unexpected attachments, protect their information with regular backups, install antivirus on their phones and avoid downloading unnecessary applications. Always be prepared to wipe a drive and reinstall everything.

Even a wordprocessor will embed personal information into the documents it creates, and some software will retain, invisibly, even more than that.

There is also the threat of surveillance, which every cell phone and Internet connected device is susceptible to.

Even without a GPS radio active, cell tower triangulation can place the position of a user and IP address requests can be used for tracking as well.

Telecommunications providers have huge datasets about every user, which they can use to design more effective networks but which can also be sold to businesses or governments who want to understand more about how the public moves around and accesses information.

That information can be used for beneficial purposes, allowing planners to work with data that reflects real world activity, or it can be mined for more devious purposes.

To manage online data collection, it is not enough for users to shut down the transmission radios in their mobile phones; they must also remove the batteries from their device, though some phones have backup batteries that keep them alive at a lower level.

Set a passphrase for your phone and set the lock time longer, so the phone isn’t constantly locking, which can become annoying and drive users to remove passphrase protection.

Don’t use the swipe to unlock option. It isn’t hard to reveal the trail your skin oils leave on a screen.

Avoid unnecessary apps, wallpapers and ringtones. Review what the software on the phone requires to run and look out for apps that ask for unneeded information. Turn off WiFi and Bluetooth when they are not in use. Bluetooth is a very hackable technology.

Modern smartphones are computers and the Internews team encourages journalists and users with sensitive information to use them that way.

Resources…

VPN: TunnelBear, Tor

Encryption for mobile: Psiphon, Redphone, Signal

Antivirus for mobile: Avast, AVG

Secure chat: Crypto.Cat, Jitsi

Secure video chat: Talky

Secure messaging: Peerio

Background security information: Security in a Box, Speaksafe, Surveillance Self-Defence, Privacy Tools