If you’re a journalist, read this

In the second of our two-part series on online security, ethical hacker and CEO of cybersecurity firm Smokescreen Technologies, Sahir Hidayatullah, talks specifically of how journalists can keep data safe online. Journalists are getting hacked all the time, judging by reports coming out of the U.S. We don’t know how much of that is happening in India, where corporate exposés are not so common. Still, if you’re on to the next Watergate, here’s how you can keep your story safe, along with your sources. Edited excerpts:

Should journalists encrypt their e-mails?
All journalists should be doing it. All journalists should know the basics of GPG [GNU Privacy Guard] encryption for e-mail, and make sure that encryption is extremely strong. If this was good enough for Edward Snowden against the NSA [National Security Agency], it’s good enough for the rest of us. In fact, you should have your public key location (see box) listed in your contact information.

If a source wants to interact only on e-mail, what can I do to protect the source and myself?
There are three aspects to this. First, protecting the source’s location. Second, protecting the content the source sends you. Third, ensuring that nobody has modified whatever the source is sending you.

In terms of protecting location, it’s up to the source to use a combination of Tors and TAILS (see box), and also change the envelope of the e-mail—the header—which reveals the IP address. We often advise such people [who want to protect their location] to use a public wireless network like a coffee shop. Also, a good operational security (OPSEC) practice is to look around for CCTV cameras and avoid them.

Once these steps are taken, the mail itself should be encrypted [protecting the content], and the journalist will have to verify this particular source. Your source and you can download GPG and exchange public keys [ensuring that what is sent is from the source and has not been hacked].

If your source is sending you documents, how do you make sure they are actually from him? GPG can fix this because it can sign documents. For instance, I could send a GPG encrypted Word file to your regular e-mail. Here the e-mail is unencrypted, but the document itself is signed. Also, make sure you encrypt the document while saving it to your computer. Otherwise, if ever someone breaks into your computer, they will be able to access this information.

Is there software that can fully protect us?
In security parlance, there is a ‘threat model’. It is a procedure of identifying assets to be protected and the 5Ws (what, who, when, where, why) and 1H (how) that can be attacked or compromised. By identifying what’s at risk, and who will attack it and how, one gains a model of where the vulnerabilities are. You can then figure out how best to deploy countermeasures. So, if I want to anonymise what I do on the Internet, there is a different set of things I should do as against, say, if I was doing it to overthrow a dictatorship.

You could switch your browser to incognito mode which will not log your online activities on your system and it won’t identify you to the websites that you visit.

After this, you will have to secure your IP [Internet protocol] address, that is, to anonymise yourself. You can do this by using a VPN [virtual private network]. All you have to do is search for a VPN provider online where you can sign up for a couple of dollars a month where you will get a username and password. You can also set up your own VPN. This is sufficient to stay off the grid.

If you really want to secure yourself, start thinking in terms of what are the risks to your life or to your sources. To protect your location, like your source, you should use Tor and TAILS.

If a news organisation allows whistleblowers to reach it through its website, how can the whistleblower be protected?
You cannot protect them, you can only allow them to submit as anonymously as possible. In most cases, whistleblowers want assurance that logs of them communicating with you are not retained. Plausible deniability is usually sufficient in these situations.

You could have a link on your website, and include a non-technical guide saying ‘If you want to submit something securely, these are steps to take’, and ask them to download the Tor browser. Provide the reporters’ GPG keys so that the whistleblower can communicate with them.

Most people think it is enough to set up a dummy Gmail account. But you should know how easy it is track someone down if they are not careful. Companies, never mind governments, can track a guy down in just about 15 days if they want to.