Post on 23-Dec-2015
transcript
Steve Doig
Cronkite School of Journalism
Arizona State University
Spycraft: Keeping your sources safe
Why spycraft for reporters?
Need to keep identity of confidential sources secret from subpoena or government snooping.
Need to keep identity of confidential whistleblowers secret from corporations.
Need to travel in places where governments detain journalists.
Examples
National Security Agency revelations from Snowden
Barry Bearak of the NY Times in Zimbabwe
Hewlett Packard board leaks
Secret subpoena of AP phone records
Fox News reporter’s email contents
What I’ll cover
Keeping internet searches private
Making and receiving untraceable calls
Keeping email private
Encryption/decryption programs
Keeping your computer clean
Tricking keyloggers
Private internet searching
NSA monitors search terms
AOL debacle: 36 million search terms of 650,000 users (http://www.aolstalker.com/)
Subpoenas to your IT department or IP provider
Alternative: www.ixquick.com: No IP addresses kept, no cookies, search terms deleted within 48 hours
DuckDuckGo.com: nothing kept
Anonymizer.com?: Anonymizer Universal ($80)
Torproject.org
TOR enables anonymous browsing
Bounces your browsing through a worldwide net of relays
Get through national firewalls
Used by journalists, activists, bloggers, NGOs, companies, et al.
Keeping identity private in calls
*67 blocks Caller ID in U.S.
Old NYT caller ID: 111-111-1111
“Spoof” your Caller ID with SpoofCard (www.spoofcard.com) -- $10/60 minutes
Crazycall.net (international)
Also do voice changing
Cellphone cautions
GPS-equipped cellphones track your location
Cellphones also track location by cell tower triangulation
Cellphones and wireless phones can be heard by scanners
Cellphones can be bugged
Cellphone spyware
Listen to calls, extract SMS, view photos, read call logs ($60) (but not iPhones)
Pre-paid “burner” cell phones
No-contract cell phones and SIM cards
IMPORTANT: Buy with cash, and replenish with cash
Common outside the U.S.
Phones as cheap as $10-$20
Pre-paid cards as cheap as 10 cents/minute in US
Voice over Internet Protocol (VoIP)
Internet voice calls
Beware “man in the middle” attacks (NSA, for instance)
Skype encrypts voice/video data stream
But there is an NSA back door…
Use Jitsi.org instead of Skype
Zfone with VoIP clients like Gizmo, GoogleTalk, Magic Jack
Silent Circle
Started by PGP inventor Phil Zimmermann
App for iPhone or Android
Encrypts phone, text, video chat
But secure email server has been shut down!
$10/month
Prepaid “Rōnin card” – get service anonymously
Blackphone
Use with Silent Circle
Secure phone, text, wireless
Anonymous search/browsing
Remote wipe if lost
Texting and chat
TextSecure from WhisperSystems (for Android, but iOS soon?): encrypted end to end
ChatSecure: use for Facebook chat, Google Hangouts, et al.; works on any platform
Keeping identity private in email
Use free “throwaway” email addresses from Yahoo, Gmail, etc.
Anonymizer.com: Nyms software creates throwaway email addresses that will forward to your real address ($20/yr)
Other remailers: Mixmaster, QuickSilver, et al.
Email without sending email
Trick used by CIA director David Petraeus and mistress Paula Broadwell
Create an anonymous Gmail account
Write messages as drafts, but don’t send them
Smuggling your text and pictures
Use micro SD cards
Up to 128 GB
Cryptography
Use code to make files on disk, phone, etc., unreadable
Avoid simple ciphers, one-time pads, etc.
Public-key cryptography is best
TrueCrypt.org: not secure!!
TrueCrypt to be replaced by CipherShed
Boxcryptor: encrypt files in the cloud
GnuPG 2.0 also open source
Use a strong passphrase!
Keep data on encrypted thumb drive
Hidden USB drives
Email encryption
MS Outlook will encrypt email
Better: GnuPG 2.0 (free) Uses public-key crypto
Can be built into Gmail
Enigmail extension for Mozilla Thunderbird
Cryptonerd’s fantasy
Steganography
Poe’s “Purloined Letter”: Hide in plain sight
Message hidden in “covertext” of some sort: Plaintext MP3s, jpegs, video, Flash, etc.
www.jjtc.com/Steganography/tools.html
OpenPuff 4.0 – deniable encryption using less secret data as a decoy
New – hiding files in the silence of Skype conversations!
Stego example: original
Stego example: encoded
Hiding directories
Create hidden “safes” on computer
“Safes” can be on USB drives, DVDs
Espionageapp.com
Watermarking, fingerprinting
Related to steganography
Hidden information embedded in files
Invisible watermarking uses variety of techniques: Shift lines, text and/or characters; deliberate misspellings, etc.
Used to verify copyright, reveal image tampering, traitor tracing
Watermarker.com: “IceMark” invisible watermark ($50)
Strategy: Retype the document, adding your own variations…
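An added example (not from the talk, and not how IceMark works) of one invisible text watermark of the kind listed above and of why the retyping strategy defeats it: each recipient's copy carries a different pattern of trailing spaces, which identifies whoever leaked it, and normalizing the whitespace, which is what retyping does, erases the mark. The memo and the recipient ids are constructed.

```python
import re

def watermark(text: str, recipient_id: int, width: int = 8) -> str:
    """Encode recipient_id (width bits, MSB first) as a trailing space on each line whose bit is 1."""
    lines = text.split("\n")
    if width > len(lines) or not 0 <= recipient_id < (1 << width):
        raise ValueError("need at least `width` lines and an id that fits in `width` bits")
    marked = []
    for i, line in enumerate(lines):
        bit = (recipient_id >> (width - 1 - i)) & 1 if i < width else 0
        marked.append(line.rstrip() + " " if bit else line.rstrip())
    return "\n".join(marked)

def recover_id(marked: str, width: int = 8) -> int:
    """Read the id back: trailing space -> 1, none -> 0."""
    value = 0
    for line in marked.split("\n")[:width]:
        value = (value << 1) | (1 if line.endswith(" ") else 0)
    return value

def normalize(text: str) -> str:
    """What retyping (or pasting as plain text) does: trailing and doubled spaces disappear."""
    return "\n".join(re.sub(r"[ \t]+", " ", line).rstrip() for line in text.split("\n"))

def trace(leaked: str, recipients: range, width: int = 8):
    """Return the recipient whose mark the leaked copy carries, or None if the mark is gone."""
    rid = recover_id(leaked, width)
    return rid if rid in recipients else None

# Constructed sample memo: eight lines, enough to carry an 8-bit recipient id.
DOC = "\n".join(f"line {n} of the memo" for n in range(1, 9))
RECIPIENTS = range(1, 201)  # constructed: 200 recipients; id 0 is reserved for "unmarked"

if __name__ == "__main__":
    copy_for_77 = watermark(DOC, 77)
    print(trace(copy_for_77, RECIPIENTS))             # 77
    print(trace(normalize(copy_for_77), RECIPIENTS))  # None
```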
Spammimic.com
Turns a short message into spam, which can be decoded
“Dear Friend ; Thank-you for your interest in our publication . If you no longer wish to receive our publications simply reply with a Subject: of "REMOVE" and you will immediately be removed from our club ! This mail is being sent in compliance with Senate bill 1816 ; Title 3 ; Section 304 ….
Cleaning your computer
Deleting files doesn’t destroy them
Need software that overwrites deleted file space, temp files, etc.
CyberScrub Privacy Suite ($60): Overwipes data files, erases other traces
Ccleaner (free), Eraser 6.0, other freeware
Darik’s Boot and Nuke (CD wipes all drives)
Blancco: industrial-grade data wiping
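An added example, not from the talk or from any of the products above, of what those wiping tools do to a single file: overwrite its blocks in place, flush each pass to disk, rename it so the directory entry no longer shows the original name, then unlink it. The file contents used in the demo are a constructed placeholder.

```python
import os
import tempfile

CHUNK = 1 << 20  # write in 1 MiB pieces so large files are not loaded into memory

def _fill(f, size: int, source) -> None:
    """Overwrite the open file from offset 0 with size bytes drawn from source(n), then flush to disk."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        f.write(source(n))
        remaining -= n
    f.flush()
    os.fsync(f.fileno())

def overwrite_file(path: str, passes: int = 3) -> int:
    """Random-data passes followed by a final zero pass; returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            _fill(f, size, os.urandom)
        _fill(f, size, lambda n: b"\x00" * n)
    return size

def wipe_file(path: str, passes: int = 3) -> bool:
    """Overwrite, rename to a random name (hides the filename in the directory), unlink."""
    overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path), os.urandom(8).hex())
    os.rename(path, anon)
    os.remove(anon)
    return not os.path.exists(path) and not os.path.exists(anon)

def demo() -> dict:
    """Constructed sample: a temp file holding a placeholder 'source' note, overwritten then wiped."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"source: CONSTRUCTED-PLACEHOLDER\n" * 50)
    size = overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        data = f.read()  # after the zero pass, nothing of the note should remain on disk
    removed = wipe_file(path, passes=1)
    return {"size": size, "all_zero": len(data) == size and not any(data), "removed": removed}

if __name__ == "__main__":
    print(demo())
```

On SSDs, journaling or copy-on-write filesystems, and cloud-synced folders the original blocks can survive because writes are remapped rather than done in place, which is why a whole-drive wipe such as DBAN, or full-disk encryption from the start, is the dependable option.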
Keyloggers
Hidden program that captures keystrokes and sends them to whoever installed it.
Common at internet cafes!
FBI’s Magic Lantern keylogger
Anti-spyware software will detect many – but not all – keyloggers.
Stopgap protection: When typing password letters, type a few random letters elsewhere on window between each
Hardware keyloggers
Insert between keyboard and computer ($50-$200)
Software keyloggers
Installs software in 5 seconds ($99)
GPS tracking
GPS Trackers with cell SIM cards can update location every minute
Recommendations
Assess the risk to your source Who wants your source’s identity? What are their capabilities?
Discuss security with your sources
Make security decisions sooner rather than later
Consider low-tech face-to-face meetings
Some privacy resources
www.privacy.org
www.epic.org
www.privacyinternational.org
www.journalistsecurity.net/
www.securityinabox.org
Questions and ideas?