Tag Archives: phishing

Four examples of different threat models

My post on threat models for journalists is quite lengthy, so I thought I’d put the sample threat models from that in their own, separate post. Here they are – note that these are very simple, sketchy threat models and you would want to expand on these. But hopefully they provide a starting point. I’d also recommend checking out this resource from Privacy for Journalists.

What info do you want to keep? Passwords. Why might someone want it? To spam. What can they do? Guess password, phishing. What might happen? Damage to brand, trust.

A basic threat model for anyone with access to a key social media account – or colleagues who do.

What info do you want to keep? Communication with sources. Why might someone want it? To prevent publication, smear. What can they do? Guess/hack password, phishing, legal avenues. What might happen? Story killed, credibility, trust.

This is an example of a threat model for anyone who deals with protestors, complainants, or others who might be targeted.

What info do you want to keep? Identity/location of sources. Why might someone want it? To intimidate, attack, smear. What can they do? Guess/hack password, phishing, metadata, mobile trail, more. What might happen? Source attacked, imprisoned, trust.

When dealing with whistleblowers, leaks, or sources in oppressive regimes, you need to protect identity and location. Here’s a sample threat model for that.

What info? Documents. Why? To prevent publication, identify sources. What can they do? Guess, hack, phish passwords for cloud services. Legal avenues etc. What might happen? Story killed, credibility damaged, sources don't trust.

When working with documents, you may need to prevent others getting access to them. Here’s a sample threat model for that.

Why every journalist should have a threat model (with cats)

Just because you're paranoid doesn't mean they aren't after you

If you’re a journalist in the 21st century you have two choices: you can choose to be paranoid, or you can choose to be delusional.

The paranoid journalist assumes that someone is out to get them. The delusional journalist assumes that no one is.

In this post I will explain why and how every journalist – whether you’re a music reporter or a political correspondent – can take a serious and informed look at their security and arrive at a reasonable evaluation of risks and safeguards.

Don’t panic. I promise that by the end of this piece you will be less anxious about security, and no longer paranoid. I also promise to use lots of lolcats.

Web security for journalists – takeaway tips and review

Web security for journalists - book cover

Early in Alan Pearce’s book on web security, Deep Web for Journalists, a series of statistics appears that tell a striking story about the spread of surveillance in just one country.

199 is the first: the number of data mining programs in the US in 2004 when 16 Federal agencies were “on the look-out for suspicious activity”.

Just six years later there were 1,200 government agencies and, in the same year, 1,900 private companies working on domestic intelligence programs.

As a result of this spread there are, notes Pearce, 4.8m people with security clearance “that allows them to access all kinds of personal information”. 1.4m have Top Secret clearance.

But the most sobering figure comes at the end: 1,600 – the number of names added to the FBI’s terrorism watchlist each day.

Predictive policing

This is the world of predictive policing that a modern journalist must operate in: where browsing protesters’ websites, making particular searches, or mentioning certain keywords in your emails or tweets can put you on a watchlist, or even a no-fly list. An environment where it is increasingly difficult to protect your sources – or indeed for sources to trust you.

Alan Pearce’s book attempts to map this world – and outline the myriad techniques to avoid compromising your sources.