Deep dive into digital security and privacy for journalists

Hacks/Hackers Nairobi shows reporters how to protect their data.

Privacy is increasingly under threat in today’s online world. In the face of widespread internet surveillance, we need a secure and practical means of talking to each other from our phones and computers.

But let’s get one thing straight from the start.

Digital security and privacy is not about hiding a wrong. Digital Security is the PROCESS of protecting your personal data and privacy on computer devices and networks. Privacy both online and offline, is an inherent human right, and a requirement for maintaining the human condition with dignity and respect as enshrined in the Universal Declaration of Human Rights.

Being careful with your data isn’t just about protecting sensitive information and sources. It’s also about upholding your own right to privacy and keeping out criminals too.

“ Two of the greatest challenges I face include personal safety when dealing with sensitive stories, since it’s easy to track location. The second being hackers accessing my website.” - Kennedy Kachwanya

For journalists, the demands of today’s audiences are redefining news-gathering and reporting practices through online tools. This makes it imperative for journalists to adopt measures to stay secure both online and offline.

We want to help African journalists adapt to the digital era, which is why Elric Wamugu was the perfect speaker to invite to talk to the Hacks/Hackers Nairobi community. Wamugu is an experienced software developer and digital security enthusiast at the Human Rights Information and Documentation Systems (HURIDOCS).

When considering measures to take to stay safe online, Wamugu says, it’s important to conduct a risk assessment and asking this questions ensures you can pick the best measures to protect yourself.

  • 1. What do you want to protect?
  • 2. Who do you want to protect it from?
  • 3. How likely is it that you will need to protect it?
  • 4. How bad are the consequences if you fail?
  • 5. How much trouble are you willing to go through in order to try to prevent those

During this meetup, we covered four major categorisations of digital security measures.

Basic Device Security

How likely are you to use a random USB stick found in a parking lot? How about if the USB has your company logo on it? Apparently, 35% of users report having picked up a computer virus through a USB device.

“Human interactions are often the weakest links in the chain of digital security.” — Elric Wamugu

You are responsible for your devices and that data in them. Here’s Wamugu’s quick and easy steps to ensure that your devices are secure.

  • Use passwords to protect startup logins.
  • Install software updates as soon as they are available.
  • Use password enables screen savers or lock screens when away from your device.
  • Switch your computers off overnight.
  • Run updated and reliable antivirus and spyware software.
  • Do not open suspicious looking emails, curiosity actually kills cats.
  • Keep encrypted backups of your data on removable media.

Security of data stored on devices

Encrypting your phones and laptops to protect private files ensures that your files, messages and communications are unreadable to unintended parties. Available encryption options include MS Windows bitlocker encryption for Windows 7 Ultimate onwards or File Vault to encrypt the startup disk on your Mac.

VeraCrypt works like an electronic safe in which you can securely store your files. VeraCrypt is free software that allows you to encrypt your files. It is an updated version of the unmaintained TrueCrypt project and is available for Microsoft Windows, Mac OS X and GNU/Linux. It addresses various security vulnerabilities that have since been identified in TrueCrypt. VeraCrypt also offers encrypted hidden volumes.

Security of data as it moves through networks

Without taking extra safety measure to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

To secure Voice Calls here’s some available services that offer end-to-end encrypted VoIP calls:

  • Signal, an OpenSource project is the most widely used service as it provides end-to-end encrypted calls and messaging.
  • Ostel also provides end-to-end encrypted phone calls with the goal of promoting the use of free, open protocols, standards and software, to power end-to-end secure voice communications on mobile devices, as well as with desktop computers.
  • The Silent Phone app offers encrypted communications on any Android or iOS device, through peer-to-peer encryption.
  • Jitsi Meet provides for secure video conferencing in your web browser with Off-the-Record (OTR) end-to-end encryption protocols.
“Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in.” — Elric Wamugu

Standard text (SMS) messages do not offer end-to-end encryption, what’s more they are trivial to intercept. The Silence app (formerly SMS Secure) provides a way to send encrypted SMS messages. If you have to send encrypted messages on your phone, though, it’s better to use encrypted instant messaging software instead of text messages.

Not sure which encrypted messaging app to use? There’s a lot of choice and the trade off is between security and convenience. The Secure Messaging Scorecard is a good place to start, though. It examines the usability and security of tools such as AIM, Blackberry Messenger, Facebook chat and Facetime among others by comparing their encryption in transit, provider readable encryptions, verifiability of contact identities, security of past communications when passcodes are stolen as well as how well the providers security design is documented.

Pretty Good Privacy (PGP) which was developed by Phil Zimmermann in 1991 is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. In PGP each party creates a key in two parts: a private part and a public part. You GUARD the private part securely on your own devices, but distribute the public part to any one you would like to communicate with using PGP.

An illustration of PGP security.

It’s important to note that PGP encryption only protects the content of your communication and does not protect your metadata, such as your IP address and location, including the subject line of your email, or who you are communicating with and when.

Secure messaging apps, meanwhile, may keep that data hidden (so long as no-one gets hold of your phone) but be sure to check who has access to chat information before you choose one.

Connecting safely to the internet

When you go online, from a phone or a desktop PC, the good news is that lots of websites and apps will now encrypt data by default. But there’s always a chance you’ll leak some information, and not even private WiFi networks are safe from hacking.

It’s a good idea, then, to make sure your connection is safe. Especially when transmitting personal data and passwords.

HTTPS Everywhere is a Firefox, Chrome, and Opera extension that makes sure you always connect securely to websites when an encrypted connection is available. If you run a website and want to add the ability to encrypt traffic, you can use free tools such as Let’s Encrypt or Cloudflare SSL, which offer free SSL/TLS certificates to enable secure HTTPS connections.

Connecting anonymously to the internet also provides safety when online. The Tor Browser Bundle is free and open-source and provides you with anonymity as well as allows you to circumvent censorship.

Virtual Private Networks (VPNs), on the other hand, encrypt and send all internet data between your computer and the VPN provider located in another country this protects your traffic from being intercepted locally and thus protecting your location. Ensure that you use a VPN subscription that has a good privacy policy and doesn’t keep user logs.

Software such as Surfeasy and TunnelBear provide paid Virtual Private Network subscriptions. Psiphon is a popular VPN application developed for activists and journalists needing to protect their Internet traffic.

For bloggers and website owners, it’s import to protect your website from Distributed Denial of Service (DDoS) attacks by signing up for tools like Google’s JigSaw Project Shield which uses Google’s infrastructure to protect independent news sites from DDoS attacks which exploits thousands or even millions of computers to overwhelm a website’s servers and take it offline. Project Galileo provides world-class network attack protection to smaller news outlets for free.

Social Accounts Security

To protect your social accounts, ensure that you use:

Pathetic passwords
  • Multi-factor authentication and one-time passwords.
  • Strong passwords.
  • Password Managers to store all your other complex passwords.

Using a complex and unique password for every website is great advice, but it can be very difficult to remember all of them. A password manager ensures you only use strong passwords and are a great way to manage the passwords, since they will remember everything for you with a master password. Lastpass and KeePass are excellent password managers.

Multi-factor authentication ensures that in the event that your password is stolen, the attacker cannot use it without the second factor. Most services and software tools currently let you use two-factor authentication (2FA), also called two-step verification or two-step login.

2FA using a mobile phone can is done in two ways the service can send you an SMS text message to your phone whenever you try to log in (providing an extra security code that you need to type in) or your phone can run an authenticator application that generates security codes from inside the phone itself.

#HHNBO

A big thank you to Elric Wamugu for facilitating this excellent session as well as Lilian Kaivilu, Catherine Gicheru, Kennedy Kachwanya and Ephraim Percy and the larger #HHNBO community for setting the tone of the discussion.

We’ll be closing the year in style, be sure to stay connected for updates on the final #HHNBO for 2017.

The worlds of hackers and journalists are coming together, as reporting goes digital and Internet companies become media empires.

Journalists call themselves “hacks,” someone who can churn out words in any situation. Hackers use the digital equivalent of duct tape to whip out code.

Hacker-journalists try and bridge the two worlds. Hacks/Hackers Africa aims to bring all these people together — those who are working to help people make sense of our world. It’s for hackers exploring technologies to filter and visualise information, and for journalists who use technology to find and tell stories. In the age of information overload and collapse of traditional business models for legacy media, their work has become even more crucial.

Code for Africa, the continent’s largest #OpenData and civic technology initiative, recognises this and is spearheading the establishment of a network of HacksHackers chapters across Africa to help bring together pioneers for collaborative projects and new ventures.

Follow Hacks/Hackers Africa on Twitter and Facebook and join the Hacks/Hackers community group today.