15 things journalists (and everyone) need to know about digital security

In these days of NSA snooping, SEA hacking, corporate espionage and cyber fraud, everyone should have digital security top of mind.

If one of your accounts is compromised, you (and your employer) can lose credibility, financial security can be jeopardized and reputations put at risk. And when you’re handling sensitive information from sources, contacts and clients, livelihoods — sometimes even lives — are on the line.

Many organized, well-funded groups — competitors, criminals and governments — have a vested interest in getting at your data. As digital technologies become more pervasive, protecting the security of our information will only become more important.

Here’s the problem: It’s all too easy to get lax with security, and being safe often means sacrificing some convenience. Keeping data secure takes ongoing vigilance. It’s also not always clear where vulnerabilities lie and when your data — or your identity — might be in peril.

Fortunately, there are some basic tenets you can follow and best practices you can adopt to stay safe online.

1. Most of the Internet is not, by default, secure.

Most of the protocols that make up the Internet — including HTTP (the Web), FTP (file transfers) and SMTP (email) — aren’t secure. That means data transmitted with these technologies are open for potentially anyone to see. This is, in one sense, what makes the Internet and the Web so great: open access to knowledge. But, in the case of personal or confidential information, openness does more harm than good.

The problem with online communication is the false sense of privacy we have when we, say, send an email to a friend or log in to a website. Though all we see is the end recipient with whom we’re communicating, our message is actually passing “in the clear” through any number of other computers before reaching its destination. In principle, anyone with access to those computers can monitor the communications that pass through them. We think we’re sending a sealed envelope, but we’re really mailing a postcard.

2. Encryption solves many problems.

Fortunately, some of the most common Internet protocols have secure alternatives. These options provide the same functionality, but also encrypt data before it’s transmitted and decrypt it once it’s received.

HTTPS is the most important secure protocol. This is the technology that makes it possible to transmit credit-card numbers and other sensitive data on the Web. Once confined to e-commerce, HTTPS is quickly becoming at least an option — if not a mandate — anytime you need to log in to an account. Encryption can slow down connections, but things are quickly improving on this front. If an HTTPS connection is available for a given site, you can always request it by typing https:// rather than http:// in your browser’s address bar. One good way to ensure you’re using HTTPS whenever possible is the HTTPS Everywhere browser plugin.

If you’re running a website that involves logins or users contributing any kind of sensitive information, HTTPS won’t be turned on by default — you must purchase and install an SSL certificate to secure your site. This certificate uses a third party to verify your identity as a website host. This gives visitors a chance to see not only that their communications to you are encrypted, but also that you are who you claim to be.

3. Weak passwords always compromise security.

Many security breaches begin with weak passwords. A weak password is one that’s easy to guess, either by social engineering or a brute-force attack in which many thousands of possible combinations are tried repeatedly. Studies have shown the most common passwords are also among the weakest.

Even if we don’t fortify our passwords, websites can implement certain measures to limit the effectiveness of brute-force attacks, such as limiting the number of incorrect attempts allowed in a given time period. But these measures aren’t under our control, and the possibility that someone could guess the password remains. The best approach is to start with a strong password.

Fortunately, there are clear guidelines for strengthening a password. Length is one factor — eight or more characters is ideal. Including a variety of letters, numbers and symbols, along with a mix of upper and lowercase characters, helps a lot. Avoiding correctly spelled (or commonly misspelled) words is important.

One of the best tips I’ve come across is to think not about passwords but about passphrases. With a phrase, you create a strong but relatively easy-to-remember password by stringing together four or five words, interspersing numbers, using “creative” spelling and randomly capitalizing some letters.
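The passphrase approach described above, as an added example that is not part of the original article: a Python sketch that builds a passphrase from randomly chosen words and compares its brute-force search space with that of an eight-character random password. The word list is a constructed sample, and the 94-symbol alphabet and 7,776-word list size used in the comparison are assumptions.

```python
import math
import secrets

# Constructed sample list for illustration; a real generator should draw
# from a list of several thousand words.
WORDS = ["anchor", "biscuit", "candle", "dolphin", "ember", "fiddle",
         "granite", "harbor", "icicle", "jigsaw", "kettle", "lantern",
         "meadow", "nutmeg", "orchard", "pebble"]

def search_space_bits(choices_per_slot, slots):
    """log2 of the number of candidates a brute-force attack must cover
    when each of `slots` positions is picked at random."""
    return slots * math.log2(choices_per_slot)

def make_passphrase(words=WORDS, n_words=5):
    """Random words, one randomly capitalized letter per word, and a
    random digit between each pair of words."""
    rng = secrets.SystemRandom()  # OS-backed randomness, not random.random()
    parts = []
    for _ in range(n_words):
        word = rng.choice(words)
        i = rng.randrange(len(word))
        parts.append(word[:i] + word[i].upper() + word[i + 1:])
    phrase = parts[0]
    for part in parts[1:]:
        phrase += str(rng.randrange(10)) + part
    return phrase

def compare():
    """Search space in bits; assumes 94 printable ASCII symbols and a
    7,776-word list (both assumptions, not figures from the article)."""
    return {
        "8 random characters": round(search_space_bits(94, 8), 1),
        "4 random words": round(search_space_bits(7776, 4), 1),
        "5 random words": round(search_space_bits(7776, 5), 1),
    }

if __name__ == "__main__":
    print(make_passphrase())
    for label, bits in compare().items():
        print(f"{label}: about {bits} bits")
```

These estimates hold only when every word and character is picked at random; words a person chooses from memory are easier to guess.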

4. No password is more important than the one for your email.

Email is a skeleton key. Someone who gets unauthorized access to your email will be quickly able to access any number of other accounts. That’s because most sites allow for password resets by clicking email-based confirmation links.

Often, these confirmation-link emails can be generated by providing the email address itself, so a would-be intruder doesn’t even need to know your account usernames to reset your passwords. All of this adds up to the need to use strong passwords first and foremost on your email accounts.

5. Using different email accounts for different purposes improves security.

Sometimes the best way to become more secure is to minimize the damage of a breach. This can be achieved by using one email account for most public communications and another email account that’s kept private for more-sensitive communications. By limiting who knows about your private email, you can reduce its vulnerability. And if your “public” address is compromised, the damage is contained.

It’s also common to use a disposable or “spam” email account when you need an email address to confirm a registration but don’t otherwise want to give up any personal information. These services — Mailinator is one popular option — make it possible to create an email address on the fly and receive messages at the address without logging in. Messages are automatically deleted after a few hours.

6. For the best security, use a password manager and memorize just one “super password.”

Strong passwords are essential to digital security. Using different passwords for different accounts is even better. But combine these approaches and you have a recipe for a lot of headaches. Who can remember lots of different complicated passwords? And who wouldn’t be tempted to use different simple passwords or one strong password, thus weakening their security?

An alternative to these approaches: Use a password manager. This tool automatically generates very strong passwords. It then encrypts those passwords, along with information about the sites they belong to, preventing access unless a master password is supplied.

This one password — which must be strong and memorized — unlocks the vault and provides access to all the credentials stored therein. KeePass is one good password-management option. It’s free, open source (see below) and cross-platform.

7. All things being equal, open source is more secure.

Open-source tools and platforms have a well-deserved reputation for being secure. Paradoxically, source code that’s open is more secure, for the simple reason that anyone can know exactly what the software does, how it manages data and where potential vulnerabilities might lie. Closed-source, proprietary software, on the other hand, is a black box.

Potential vulnerabilities are hard to know and potentially significant security or privacy compromises are hidden. For open-source projects with many contributors, there’s the added benefit of lots of people working to fill security holes as they’re discovered.

8. Open-source software is great, but must be kept up-to-date.

Open-source software can benefit from quick updates when security exploits are identified, but in most cases you don’t get those benefits automatically. That makes it essential to install updates as they’re released. Most software will tag updates with security implications as “critical” ones.

In other words, as long as these updates remain unapplied, the site’s vulnerable. Update procedures will vary from one platform to another and, in some cases, it’s advisable to back up data before running an update.

9. Storing and communicating data necessarily compromise security.

Encryption is a great tool. Good passwords can go a long way toward keeping our data safe. But once you decide something needs to be digitized and (especially) transmitted to someone else, you create the possibility for a breach. For these reasons, it’s important to consider whether something has to be digitized in the first place. Would it be possible, for example, to meet someone face-to-face instead?

10. Security breaches can happen in the moment, or months or even years later.

Digital communications, while fleeting on one hand, are also permanent. Once you publish something on the Web, it’s best to treat the communication as more or less indelible.

It’s true that messages come and go, never to be seen again, but much of what you put online is stored in one form or another. Even if the initial transmission isn’t compromised, you’re counting on whoever’s storing your information to take appropriate measures to protect it, especially when it comes to encryption.

11. Anonymization can solve certain security concerns.

Encryption isn’t the only way to improve security (and privacy). Anonymization — a process by which your actions aren’t necessarily encrypted but can’t be traced back to you — is another tool in your arsenal.

Anonymization involves technologies such as proxy servers and VPNs. Tor, one popular anonymization tool, uses a combination of encryption and relays to obfuscate data and send it on a roundabout path before it reaches its destination. This makes the communication both anonymous and secure. Web-based services such as Anonymouse.org make it possible to use a proxy server without needing to install any software.

12. Open WiFi networks can be a problem.

In general, HTTPS is a big security boost, even for communications over insecure wireless networks. But risks still remain. On an unencrypted WiFi network, anyone connected can view anyone else’s traffic. Information encrypted over HTTPS won’t be visible, but some websites implement HTTPS incompletely, protecting login pages (and thus usernames and passwords) but not other details.

Unfortunately, in some cases it’s possible to compromise security with another piece of information — a session cookie. This cookie is a unique identifier that tells a website who you are and “proves” you have authorized access.

If someone else figures out what your cookie is, they can “hijack” your session. In other words, they’re suddenly logged in as if they were you. And even without hijacking a session, an intruder could eavesdrop on private communications if you’re not using HTTPS or the site you’re on isn’t implementing it completely.
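The incomplete-HTTPS problem described above, as an added example that is not part of the original article: a Python check a site owner could run over response headers to list cookies set without the Secure attribute (which a browser will also send over plain http://) and to see whether the site sends Strict-Transport-Security. The sample response, cookie names and function names are constructed for illustration.

```python
# Constructed sample response from a hypothetical site that encrypts its
# login page but issues the session cookie without the Secure attribute.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session_id=EXAMPLE123; Path=/; HttpOnly
Set-Cookie: csrf=EXAMPLE456; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT
"""

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_response(raw_headers):
    """Report cookies a browser would attach to unencrypted requests and
    whether the response asks browsers to use HTTPS for the whole site."""
    exposed, hsts = [], False
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        field = field.strip().lower()
        if field == "strict-transport-security":
            hsts = True
        elif field == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                exposed.append(name)
    return {"exposed_cookies": exposed, "hsts": hsts}

if __name__ == "__main__":
    report = audit_response(SAMPLE_RESPONSE)
    for name in report["exposed_cookies"]:
        print(f"{name}: no Secure attribute, also sent over plain HTTP")
    if not report["hsts"]:
        print("No Strict-Transport-Security header in this response")
```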

13. Multi-factor authentication improves security.

This is a fancy way of saying security gets better when you have to prove yourself two or more ways to gain access to a restricted system. One well-known implementation of multi-factor authentication is Google’s two-step verification process.

This demands that you supply not only a valid password but also a valid verification code — one that’s transmitted to a phone number provided during the initial registration process. Security gets a big boost with two-step verification because a valid username and password combination is no longer enough — you also have to be in physical possession of your phone.

14. Preventing unauthorized access to your physical devices is essential.

All these efforts to secure your online activities may be for naught if your computer isn’t physically secure. If you stay signed in to accounts in your browsers and apps, is your device itself password-protected? If the answer is no, it takes very little time to access sensitive data or even lock you out of your own accounts.

All the major operating systems provide a means of password-protecting access, and these are well worth looking into. It can be annoying to supply a password every time you wake your device up, but good security means forgoing some convenience.

15. Encrypted email and OTR chat provide the best security for ongoing sensitive communications.

Unfortunately, the benefits of HTTPS encryption don’t extend to communications that unfold online but off the Web — such as email and instant messaging. And sending an email from an encrypted Web page doesn’t mean the message itself will be encrypted — only that your connection to the remote server is secure.

This encryption is important — it means your username and password are protected — but it doesn’t protect your correspondence once it leaves the server and travels to (and arrives at) its destination.

When the content of your messages is sensitive, switching to secure channels such as PGP-encrypted email and OTR (off-the-record) messaging is a good idea.

Unfortunately, these options can be more cumbersome to set up than some of the other reviewed techniques, and both parties need to take steps to secure the communication. When you need to correspond with someone in a way that’s truly private, though, it’s well worth the extra effort to establish a secure line of communication.


  • cfrech

    Thanks for taking the time to make this thoughtful comment. Your point about protecting data at rest as well as in transit is well-taken. I tried to get at this in item #10, but it’s somewhat buried.

    But, you’re right: We tend to focus on the security of the connection, and we assume what’s transmitted securely will be stored securely. Unfortunately, that’s not always the case, and it’s a much harder weak point to verify.

  • JoePete

    I am glad to see your comment about open-source software. Perhaps the best way of affirming this fact – which many people continue to be in denial about – is to refer to the Common Vulnerabilities and Exposures (CVE) list that can be found at mitre.org. Proprietary software is far more risk-laden than most open-source equivalents. If someone wants to try things out, Ubuntu (ubuntu.com) is a great start. Or in terms journalists can embrace – open source makes us secure in the same way things like open meeting laws and the Freedom of Information Act secures – by making things transparent, mistakes and misdeeds cannot hide.

    In regard to encrypting communication, yes, this is a good idea, but the likelihood and risk often is poorly understood. To use an analogy, the way most of us approach encryption is like the person who expends a great deal of energy to test the airbags in his or her car but never wears seat belts or checks the tires and brakes. To reasonably intercept Internet traffic all-but-requires you to be on the same network as the source or the destination. Typically you can’t control the destination (Google’s server farm for example). You might be able to control the source, your network, but here is the paradox: If some thief is on your network, listening to your traffic, you probably have already lost regardless of your encrypted communication. As someone else noted, most security breaches do not involve data in transit. Rather it is the unsecured data at rest – how it is stored/found on a network. As a thief, if I can get on your network – a prerequisite of my being able to intercept your traffic – am I going to go to the trouble of trying to collect all these packets of data over time in the hope of catching that one juicy nugget, or am I going to instead go to the treasure trove that is your file server, mail server, backups server, etc.? This is where the attack happens. In security circles, we often refer to network design as Tootsie Pop architecture – hard on the outside, soft and chewy on the inside. Most IT defenses work on the perimeter, once you get inside the network (e.g. via a wireless access point, VPN, breaking an Internet-facing server on your LAN, compromised laptop), there are few (or perhaps relatively minor) hurdles for a capable thief.

    The message here is that if you are worried enough to encrypt data in transit, then you should be worried enough to encrypt it at rest (which most people don’t). Look at it this way. You have an important document. You encrypt it with something like PGP (and responsibly secure your keys). Now, you have protected yourself at rest and in transit (thief intercepts the encrypted document, he or she still can’t do anything with it).

    However, the general public (and a lot of IT folk) have it backwards. We are obsessed with things like HTTPS and “secure servers.” And even this phrase is misleading. HTTPS primarily is about authenticating a server. It is a means of affirming that a server is who it claims to be (this is why a paid-for third party certificate is critical – it’s third-party verification). What happens to data after transit (e.g. your credit card or personal information gets stored in the clear in a poorly secured database. Even if well secured technically, does the company do background checks on its IT administrators?). Typically we worry about data in the brief moments that it spends in cyberspace as a few hundred packets, but are oblivious to its state as it gets stored, replicated, and accessed.

  • freddy k

    Use encrypted email services rather than regular email via https. Https does nothing for securing emails during storage. http://salusafe.com uses message level encryption and allows you to store your private key on your computer, so even the system admins cannot read your email.

  • cfrech

    That’s a great point, David. The more access we give to sensitive information, especially to folks outside our organizations, the more vulnerable we make ourselves.

    I didn’t have a chance to cover it in the piece, but this can also play out through the use of social widgets — the more outside content we host on our sites, the more we’re entrusting our security to someone else. If we’re embedding JavaScript from Twitter, and someone manages to compromise that code, we could end up in a bad position.

  • http://www.newsinc.net/ David M. Cole

    Good, thorough roundup, though I would hazard to include a 16th point: the weakest link in journalistic digital security may be an end user far from the newsroom. The interruption of Washington Post services two weeks ago and the New York Times outage earlier this week can both probably be traced not just to newsroom contractors, but affiliates of those contractors, whose passwords were somehow “compromised.” Publishers seem to be willing to hand the veritable “keys to the car” to suppliers without making certain everyone who has the capability of taking down their systems is as security-conscious as they are.