15 things journalists (and everyone) need to know about digital security
If one of your accounts is compromised, you (and your employer) can lose credibility, financial security can be jeopardized and reputations put at risk. And when you’re handling sensitive information from sources, contacts and clients, livelihoods -- sometimes even lives -- are on the line.
Many organized, well-funded groups -- competitors, criminals and governments -- have a vested interest in getting at your data. As digital technologies become more pervasive, protecting the security of our information will only become more important.
Here’s the problem: It’s all too easy to get lax with security, and being safe often means sacrificing some convenience. Keeping data secure takes ongoing vigilance. It’s also not always clear where vulnerabilities lie and when your data -- or your identity -- might be in peril.
Fortunately, there are some basic tenets you can follow and best practices you can adopt to stay safe online.
1. Most of the Internet is not, by default, secure.
Most of the protocols that make up the Internet -- including HTTP (the Web), FTP (file transfers) and SMTP (email) -- aren’t secure. That means data transmitted with these technologies are open for potentially anyone to see. This is, in one sense, what makes the Internet and the Web so great: open access to knowledge. But, in the case of personal or confidential information, openness does more harm than good.
The problem with online communication is the false sense of privacy we have when we, say, send an email to a friend or log in to a website. Though all we see is the end recipient with whom we’re communicating, our message is actually passing “in the clear” through any number of other computers before reaching its destination. In principle, anyone with access to those computers can monitor the communications that pass through them. We think we’re sending a sealed envelope, but we’re really mailing a postcard.
2. Encryption solves many problems.
Fortunately, some of the most common Internet protocols have secure alternatives. These options provide the same functionality, but also encrypt data before it’s transmitted and decrypt it once it’s received.
HTTPS is the most important secure protocol. This is the technology that makes it possible to transmit credit-card numbers and other sensitive data on the Web. Once confined to e-commerce, HTTPS is quickly becoming at least an option -- if not a mandate -- anytime you need to log in to an account. Encryption can slow down connections, but things are quickly improving on this front. If an HTTPS connection is available for a given site, you can always request it by typing https:// rather than http:// in your browser’s address bar. One good way to ensure you’re using HTTPS whenever possible is the HTTPS Everywhere browser plugin.
If you're running a website that involves logins or users contributing any kind of sensitive information, HTTPS won't be turned on by default -- you must purchase and install an SSL certificate to secure your site. This certificate uses a third party to verify your identify as a website host. This gives visitors a chance to see not only that their communications to you are encrypted, but also that you are whom you claim to be.
3. Weak passwords always compromise security.
Many security breaches begin with weak passwords. A weak password is one that’s easy to guess, either by social engineering or a brute-force attack in which many thousands of possible combinations are tried repeatedly. Studies have shown the most common passwords are also among the weakest.
Without fortifying our passwords, websites can implement certain measures to limit the effectiveness of brute-force attacks, such as limiting the number of incorrect attempts allowed in a given time period. But these measures aren’t under our control, and the possibility that someone could guess the password remains. The best approach is to start with a strong password.
Fortunately, there are clear guidelines for strengthening a password. Length is one factor -- eight or more characters is ideal. Including a variety of letters, numbers and symbols, along with a mix of upper and lowercase characters, helps a lot. Avoiding correctly spelled (or commonly misspelled) words is important.
One of the best tips I’ve come across is to think not about passwords but about passphrases. With a phrase, you create a strong but relatively easy-to-remember password by stringing together four or five words, interspersing numbers, using “creative” spelling and randomly capitalizing some letters.
4. No password is more important than the one for your email.
Email is a skeleton key. Someone who gets unauthorized access to your email will be quickly able to access any number of other accounts. That’s because most sites allow for password resets by clicking email-based confirmation links.
Often, these confirmation-link emails can be generated by providing the email address itself, so a would-be intruder doesn’t even need to know your account usernames to reset your passwords. All of this adds up to the need to use strong passwords first and foremost on your email accounts.
5. Using different email accounts for different purposes improves security.
Sometimes the best way to become more secure is to minimize the damage of a breach. This can be achieved by using one email account for most public communications and another email account that's kept private for more-sensitive communications. By limiting who knows about your private email, you can reduce its vulnerability. And if your “public” address is compromised, the damage is contained.
It’s also common to use a disposable or “spam” email account when you need an email address to confirm a registration but don’t otherwise want to give up any personal information. These services -- Mailinator is one popular option -- make it possible to create an email address on the fly and receive messages at the address without logging in. Messages are automatically deleted after a few hours.
6. For the best security, use a password manager and memorize just one "super password."
Strong passwords are essential to digital security. Using different passwords for different accounts is even better. But combine these approaches and you have a recipe for a lot of headaches. Who can remember lots of different complicated passwords? And who wouldn’t be tempted to use different simple passwords or one strong password, thus weakening their security?
An alternative to these approaches: Use a password manager. This tool automatically generates very strong passwords. It then encrypts those passwords, along with information about the sites they belong to, preventing access unless a master password is supplied.
This one password -- which must be strong and memorized -- unlocks the vault and provides access to all the credentials stored therein. KeePass is one good password-management option. It’s free, open source (see below) and cross-platform.
7. All things being equal, open source is more secure.
Open-source tools and platforms have a well-deserved reputation for being secure. Paradoxically, source code that's open is more secure, for the simple reason that anyone can know exactly what the software does, how it manages data and where potential vulnerabilities might lie. Closed-source, proprietary software, on the other hand, is a black box.
Potential vulnerabilities are hard to know and potentially significant security or privacy compromises are hidden. For open-source projects with many contributors, there’s the added benefit of lots of people working to fill security holes as they’re discovered.
8. Open-source software is great, but must be kept up-to-date.
Open-source software can benefit from quick updates when security exploits are identified, but in most cases you don’t get those benefits automatically. That makes it essential to install updates as they’re released. Most software will tag updates with security implications as “critical” ones.
In other words, as long as these updates remain unapplied, the site’s vulnerable. Update procedures will vary from one platform to another and, in some cases, it’s advisable to back up data before running an update.
9. Storing and communicating data necessarily compromise security.
Encryption is a great tool. Good passwords can go a long way toward keeping our data safe. But once you decide something needs to be digitized and (especially) transmitted to someone else, you create the possibility for a breach. For these reasons, it’s important to consider whether something has to be digitized in the first place. Would it be possible, for example, to meet someone face-to-face instead?
10. Security breaches can happen in the moment, or months or even years later.
Digital communications, while fleeting on one hand, are also permanent. Once you publish something on the Web, it’s best to treat the communication as more or less indelible.
It's true that messages come and go, never to be seen again, but much of what you put online is stored in one form or another. Even if the initial transmission isn’t compromised, you’re counting on whomever’s storing your information to take appropriate measures to protect it, especially when it comes to encryption.
11. Anonymization can solve certain security concerns.
Encryption isn’t the only way to improve security (and privacy). Anonymization -- a process by which your actions aren’t necessarily encrypted but can’t be traced back to you -- is another tool in your arsenal.
Anonymization involves technologies such as proxy servers and VPNs. Tor, one popular anonymization tool, uses a combination of encryption and relays to obfuscate data and send it on a roundabout path before it reaches its destination. This makes the communication both anonymous and secure. Web-based services such as Anonymouse.org make it possible to use a proxy server without needing to install any software.
12. Open WiFi networks can be a problem.
In general, HTTPS is a big security boost, even for communications over insecure wireless networks. But risks still remain. On an unencrypted WiFi network, anyone connected can view anyone else’s traffic. Information encrypted over HTTPS won’t be visible, but some websites implement HTTPS incompletely, protecting login pages (and thus usernames and passwords) but not other details.
Unfortunately, in some cases it’s possible to compromise security with another piece of information -- a session cookie. This cookie is a unique identifier that tells a website who you are and “proves” you have authorized access.
If someone else figures out what your cookie is, they can “hijack” your session. In other words, they’re suddenly logged in as if they were you. And even without hijacking a session, an intruder could eavesdrop on private communications if you’re not using HTTPS or the site you’re on isn’t implementing it completely.
13. Multi-factor authentication improves security.
This is a fancy way of saying security gets better when you have to prove yourself two or more ways to gain access to a restricted system. One well-known implementation of multi-factor authentication is Google’s two-step verification process.
This demands that you supply not only a valid password but also a valid verification code -- one that’s transmitted to a phone number provided during the initial registration process. Security gets a big boost with two-step verification because a valid username and password combination is no longer enough -- you also have to be in physical possession of your phone.
14. Protecting unauthorized access to your physical devices is essential.
All these efforts to secure your online activities may be for naught if your computer isn’t physically secure. If you stay signed in to accounts in your browsers and apps, is your device itself password-protected? If the answer is no, it takes very little time to access sensitive data or even lock you out of your own accounts.
All the major operating systems provide a means of password-protecting access, and these are well worth looking into. It can be annoying to supply a password every time you wake your device up, but good security means forgoing some convenience.
15. Encrypted email and OTR chat provide the best security for ongoing sensitive communications.
Unfortunately, the benefits of HTTPS encryption don’t extend to communications that unfold online but off the Web -- such as email and instant messaging. And sending an email from an encrypted Web page doesn’t mean the message itself will be encrypted -- only that your connection to the remote server is secure.
This encryption is important -- it means your username and password are protected -- but it doesn’t protect your correspondence once it leaves the server and travels to (and arrives at) its destination.
Unfortunately, these options can be more cumbersome to set up than some of the other reviewed techniques, and both parties need to take steps to secure the communication. When you need to correspond with some in a way that’s truly private, though, it’s well worth the extra effort to establish a secure line of communication.