From Vivian Chandra, a quick guide to using PGP email encryption.
Matt Nippert from the NZ Herald caught up with First Look Media’s director of security Morgan Marquis-Boire ahead of the 2014 Kiwicon conference in Wellington.
Of particular interest to me was this quote:
While unwilling to discuss specific threats to First Look, [Marquis-Boire] said his new workplace faced similar issues to other prominent news organisations.
“Twenty-one out of the world’s twenty-five top news organisations have been targeted by state-sponsored attacks.
As a statistic that definitely shows the viability of the press as a target for espionage,” he said.
Matt Nippert was also a Kiwicon speaker, along with fellow NZ Herald journalist David Fisher, on the subject of: Hackers and Hacks, or: How I Learned to Stop Worrying and Love the MSM
The notion of trust underpins much of what the media does: Whether readers trust what they read, and whether sources trust journalists not to burn them to the ground. The Rawshark saga – encompassing Gmail and Facebook hacks, Police raids, ministerial resignations, High Court injunctions and meters of quality news stories – gives an insight into how this process functions under conditions of high stress. Based on historic and [obviously sanitised] contemporary experience, this talk will let you know how the code of journalism works, the limits journalists go to to protect sources and how quickly old media can learn new tricks.
I’m very much looking forward to hearing Nippert and Fisher and the rest of the speakers. This will be my first Kiwicon and it looks like a cracker. See you there.
From Mike O’Donnell’s column on stuff.co.nz, some sage advice on being careful with browser add-ons and extensions:
1. If you start seeing weird or inappropriate ads on websites there’s a fair chance you’ve been targeted. You should go to your “options” menu in Internet Explorer (or “settings” menu in Chrome) and disable recent extensions.
2. If you get an email inviting you to install a browser extension or a new Flash player, be wary.
You should Google the title text from the request to find out if it is associated with a scam before proceeding.
3. You should only install browser extensions from known companies like Google and Mozilla – this means going to the vendor’s website and installing directly from there (and reading reviews first).
4. There is a bunch of good free PC check-up programmes you can run your lappie or desktop computer through – Bellguard Internet Security and Microsoft Security Essentials are a good place to start.
Read more about some of the scams and the rest of Mike’s column here.
The headlines about the NSA just keep on coming…
N.S.A. Foils Much Internet Encryption | NY Times
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
Most 2006-2009 NSA queries of a phone database broke court rules | Reuters
The National Security Agency routinely violated court-ordered privacy protections between 2006 and 2009 by examining phone numbers without sufficient intelligence tying them to associates of suspected terrorists, according to U.S. officials and documents that were declassified on Tuesday.
Privacy Scandal: NSA Can Spy on Smart Phone Data | Spiegel
SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.
NSA shares raw intelligence including Americans’ data with Israel | Guardian
The National Security Agency routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens, a top-secret document provided to the Guardian by whistleblower Edward Snowden reveals.
Google encrypts data amid backlash against NSA spying | Washington Post
Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said.
Drug Agents Use Vast Phone Trove, Eclipsing N.S.A.’s | NY Times
For at least six years, law enforcement officials working on a counternarcotics program have had routine access, using subpoenas, to an enormous AT&T database that contains the records of decades of Americans’ phone calls — parallel to but covering a far longer time than the National Security Agency’s hotly disputed collection of phone call logs.
The US government has betrayed the internet. We need to take it back | Guardian
We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.
Part 3: Verifying Keys | Keith Ng’s how-to series on encryption | Public Address
So there’s a public key on my page. How do you know that’s *my* key? Anyone could have created that key, just like I created the John PGPKey key. For all you know, some Russian hacker could have taken over Public Address and put that key there. As a first step, you should look up my key. My key is published, so you can go to this keyserver and look it up using my name.
The concept of threat modelling is a useful one. It’s about understanding what assets you have that need protecting, and what risk there is of them coming under attack.
The Committee to Protect Journalists’ Journalist Security Guide is a highly useful resource. It recommends you start by understanding your assets and move on from there. The guide steps through the following:
Danny O’Brien, one-time Internet Advocacy Co-ordinator for the Committee to Protect Journalists and International Director of the Electronic Frontier Foundation, talks in this video about some simple things journalists can do to protect their sources and work, particularly when out in the field. They include encrypting your hard drive, using burner phones, and not taking any phone at all to particularly sensitive meetings.
Security in a box has a host of tips on how to select passwords, work anonymously, protect information on your devices and when using social accounts, and recovering from information loss. They also spell out how to operate in different operating environments (Linux, Windows, Mac, Android etc).
There’s also this video from SophosLabs on picking a password.
Keith Ng outlines how to use public-key encryption.
This technique is based on a pair of matching keys – one public, one private. Anything encrypted with one can only be decrypted with the other. Why? MATHS, that’s why. The public key is then made public (my key is here), and anyone can use that key to encrypt a message. Only you – with the private key that you keep secret – can decrypt that message. It’s actually not that hard. The simplest tool for dealing with PGP keys is gpg4usb. Go download it and have a play.
And Vivian Chandra has published this video quick guide to using PGP email encryption.