SKeyes Center for Media and Cultural Freedom - Samir Kassir Foundation

Cybersecurity for Journalists: Threats and Security Basics

Wednesday, 13 May 2020

Cybercrime is a pervasive threat that few are exempt from in a world that relies on the Internet for the majority of its interactions and transactions.

Journalists have a unique set of concerns, in that digital attacks are not usually motivated by monetary gain. Rather, the intention is to spread misinformation, prevent a potentially controversial story from hitting the headlines, or harass a reporter for their beliefs. In the worst-case scenario, a poorly secured device can jeopardize personal safety as well as data.

To begin with, hostilities towards journalists are a global problem: in 2020, the number of countries that limit freedom of the press is still disturbingly high. Governments have already begun to cross cyber boundaries to monitor private citizens.

One prime example of these blurred lines is Pegasus software, a product of Israeli company NSO Group Technologies. As of 2018, the governments of over 45 countries have access to it, including Saudi Arabia, Mexico, and Israel. Once a device is infected with Pegasus, all past, current, and future activities are visible, including the real-time location of the owner. Although the intended purpose of the spyware is to detect cyber threats, governing bodies can and do use the advanced spyware for insidious purposes.

In 2019, Mexican journalist Griselda Triana was targeted with the spyware following the death of her husband, fellow journalist Javier Valdez. A Moroccan journalist who has repeatedly spoken out against Moroccan security forces has encountered multiple attempts to install Pegasus on his mobile phone via browser redirects and suspicious links.

Unfortunately, attacks against journalists by states, or hacking groups that are presumably state-supported, are a harsh reality in numerous nations. In Egypt, the coordinates of a phishing page directed towards political dissidents and journalists indicated it originated from a domain that could be linked to the Ministry of Communications and Information Technology (MCIT).


Russian hacker group Fancy Bear has a history of seemingly random, far-reaching attacks that are suspiciously in line with the strategic goals of the Russian government.

Irrespective of location, journalists should not grow complacent about cybersecurity, as traditionally repressive regimes are not the only ones with the potential for near-omniscient capabilities online. The United States’ National Security Agency (NSA) employs expansive methods of surveillance and record collection that could theoretically allow agents to track a reporter’s movements and even eavesdrop on communications.

In 2019, a leaked database confirmed that the US government had been actively surveilling journalists on the border of Mexico who were investigating a migrant caravan originating from Honduras. Certain reporters were denied entry into Mexico, others had their passports red-flagged, and some were arrested. Government agents created comprehensive dossiers on each individual; one of the files, on an attorney, included her mother’s name and travel history.

Secondly, journalists must stay on guard against online harassment campaigns in which media outlets or representatives are the targets of cyberviolence. This can include compromising personal accounts to leak private information online or to make a statement. Tales of reporters enduring digital attacks are abundant: a sobering reminder that efforts to intimidate or silence members of the press are far from rare.

German news magazine Spiegel’s editor-in-chief, Klaus Brinkbäumer, fell prey to such a campaign. His Twitter account was hacked in 2018 to post pro-Turkey sentiments after a series of critical articles about the Turkish regime. Brinkbäumer was not the sole victim of Turkish attackers: several prominent American journalists also found their accounts briefly out of their control.

Cybercriminals can be subtle, too: New York Times journalist Ben Hubbard revealed he had received a suspicious message that likely originated from Saudi Arabia in 2018. Fortunately, Hubbard screened the message and found that the link in the message contained malware. This type of phishing attack is akin to the one Jeff Bezos, Amazon CEO, experienced earlier in the same year.

Falling prey to a harassment campaign can have devastatingly personal consequences beyond a violated account or device. Russian television anchor Pavel Lobkov experienced this firsthand when Fancy Bear shared thousands of his intimate messages online.

Thirdly, to take cybersecurity lightly is inadvisable: phone numbers, addresses, and locations leaked online can pose a legitimate danger. It’s common knowledge that journalism can be a hazardous field to work in. According to the Committee to Protect Journalists, 25 journalists were lost to motive-related deaths in 2019, 10 of which were murders.

CNN reporter Donie O’Sullivan intentionally allowed himself to be hacked by a white-hat (or non-malicious) hacker, demonstrating how seemingly innocuous information posted on social media accounts can be dangerous in the wrong hands. The hacker managed to acquire O’Sullivan’s cell number and his home address only through analyzing social media posts.

In the infamous case of Saudi journalist Jamal Khashoggi, a hacked phone may have led to his murder. Pegasus, a sophisticated piece of malware, infected the phone of Omar Abdulaziz, a Saudi dissident Khashoggi was communicating with. Pegasus enabled hackers to gain full access to Abdulaziz’s mobile, including monitoring messages exchanged with the fallen reporter.

In light of these multifaceted menaces, it is clear that cybersecurity should be an essential priority for any journalist. There are several relatively straightforward protocols reporters can implement to safeguard their devices and communications.

A mainstay security tactic that media outlets, as well as individual journalists, can employ is to research and download a reliable VPN. A VPN directs all Internet traffic through an encrypted tunnel to keep it secure from snoops and attackers. This software can and should be installed on any device a reporter uses, whether primary or secondary (e.g., burner phones).

Communications should take place on secure applications, such as privacy-centric Signal. Aside from the standard end-to-end encryption, Signal also conceals metadata, meaning that only the message recipient can see the sender’s identification. Edward Snowden, arguably one of the most famous whistleblowers, uses Signal. In-office applications need to be equally secure. Options such as Mattermost have privacy features, including no third-party monitoring and private network deployment.

Passwords for accounts and devices must be as unassailable as possible: random sequences of numbers and letters are harder to crack. Ideally, the same password should never be used more than once. A password manager is a practical tool journalists can use to store complex passwords and avoid getting locked out of accounts.

Although somewhat inconvenient, multi-factor authentication can significantly reduce the risks of a breach occurring undetected. The majority of sites, including social media platforms, have settings to enable two-step verification.

Sensitive documents such as drafts of articles or interviews should be protected. Hard drives and USBs are helpful but do not cover sharing these files through cloud-sourcing platforms or other avenues. Encrypting files should be a standard practice regardless, as it can make it more challenging for hackers to gain easy access to files if the device is stolen.

Educational materials that cover common hacking techniques, such as Watch Your Hack, are worth pursuing to understand how attacks happen and the typical weaknesses cybercriminals exploit. Understanding the threats and encouraging awareness among fellow correspondents is key to building a future wherein journalists are less vulnerable to cyberattacks and consequent assaults, online or offline.

Reporters must also exercise good judgment when it comes to sharing personal information through social media platforms, and screen all incoming communications carefully.
