Just when Paula Slier thought she was safe, or at least safe in cyberspace, she discovered just how vulnerable she actually is.
So there I am sitting in a restaurant – a nice cosy artistic place in a trendy neighbourhood of Tel Aviv – laughing and chatting with friends. Suddenly a complete stranger interrupts our conversation.
“Is there somebody here called Paula Slier?”
“Yes,” I reply.
“Your email address is email@example.com?”
“And the password to your email is…”
I go pale. This man has correctly announced what I thought was a very clever seven-digit words-mixed-with-numbers-and-capital-letters password to everyone in earshot. I mean, talk about making an introduction!
No doubt it’s a dubious marketing tool, but the young man explains that he owns a startup that deals with information security and he often hacks into people’s private emails as a way of marketing his services. Next day I’m sitting in his office.
One of the biggest problems with being hacked is that most of the time one is not even aware of it, or by the time you find out it’s too late. If you lose your notebook or wallet, chances are you’ll notice before long. But by the time someone has copied or read all your emails, you might still be blissfully unaware you’ve become the latest victim of cyber intrusion.
The problem is compounded by the fast-moving and intricately complex world of information technology. Even among those of us who are employing one or several of the dozens of intercept-resistant encrypted communication tools out there, nothing is foolproof.
A case in point is the recent bogus tweet posted from a hacked Associated Press (AP) Twitter account. A group calling itself the ‘Syrian Electronic Army’ targeted specific AP employees and sent legitimate-looking emails from trusted parties. The false message said there had been explosions at the White House and US President Barack Obama was injured. It sent the markets into a panic. Just one click on an innocuous-looking link – and the world’s oldest and largest news organisation had been hacked.
“Assume you’re being monitored” is the advice I repeatedly hear being given at journalism conferences I attend. Aside from hackers, those doing the monitoring could be governments (as the US Department of Justice recently illustrated by secretly obtaining two months of telephone records of reporters and editors of the same above-mentioned esteemed news organisation), criminals, or even one’s own Twitter followers. Just how well do you know the profiles of each and every person eagerly awaiting and reading every one of your tweets?
Gone are the days when to be a good journalist it was enough to understand and excel in the profession. Today it’s as important to be adept in computer skills. Information sent over regular phone lines, text messages and emails is easy to intercept – and even Skype is not foolproof. Only slightly more secure than phones, it can easily be intercepted with commercially available interception software. Scary stuff.
According to the Committee to Protect Journalists (CPJ) the volume and sophistication of attacks on journalists’ digital data is increasing at an alarming rate. I’m told that in China one has merely to stand next to someone with your cellphone in your pocket – and all your data can be transferred without you even blinking an eyelid.
There was a time when as journalists we were able to protect our sources – we’d defy court orders and even go to jail so as not to compromise those who put their trust in us. The irony is that governments still go to great lengths to get journalists to reveal their sources, but none of this is even necessary if a journalist is lax about their communication security.
Phone tapping is incredibly easy – and a lot more prevalent than many of us may realise. The CPJ recommends using phones that are not linked to one’s name and removing the battery on occasion to prevent detection.
Choosing a strong password is essential. Guidance is given at www.diceware.com.
Another idea is for media organisations to use a virtual private network (VPN) service to encrypt and send all internet data. To the online world it appears as if you are accessing the web and other internet services from the VPN server, not your actual location. In this way you can hide where you are and bypass local censorship systems.
The CPJ advises not using public computers in internet cafés or hotels for confidential conversations or to access your USB drive.
When you’ve finished a day’s work, always make sure your computer is switched off. Even in the most credible of newsrooms, be wary of people peering over your shoulder to read what you’re furiously typing.
There’s a lot of advice out there – but what is sorely lacking is a greater awareness and strategy within news organisations to get professionals in our field to be internet security savvy: from the foreign correspondent working in the most dangerous of places, to the researcher sipping coffee in the newsroom.
So how did Aaron, the good-looking Israeli, hack into my email? Simple. Because I was linked to the restaurant’s open wi-fi he was easily able to access the same network and as he explained to me, it took just a few clicks and he was reading my mail.
IMAGE: A cafe in Tel Aviv, Ilana Shkolnik, Wikimedia Creative Commons