And We Persisted: Online Threats Leave Journalists Exposed to Physical Attacks

To Our Capital Gazette Colleagues,
we've got your back. #wepersisted ❤

The recent deaths of five journalists at the Capital Gazette in Annapolis, Maryland on Thursday underscore the hostile environment journalists are experiencing here in the United States. News organizations are reporting that the shooter had a long-standing anger at the newspaper over its coverage of a stalking charge, which was drawn from a police report. The shooter used a variety of social media accounts to lob jabs and physical threats at the newspaper staff over the years, and filed and lost a defamation lawsuit against the organization. The shooter had also sent threatening letters to the news organization just days before this attack on Thursday, NBC reports. The 2:33 pm shootings at the Capital Gazette headquarters were preceded by years of online attacks against the organization and its personnel.

The subject line of TrollBusters’ 8 a.m. Thursday morning newsletter: Underestimating online threats can be deadly. We were referring to the recent death of a Japanese blogger who was killed by his online stalker after giving a talk on online harassment. We did not know it would become the epitaph for our colleagues at the Capital Gazette.


These are dangerous times. The Boston Globe reports that Capital Gazette staff have received threats after the attack, celebrating the massacre. And as one reporter recently tweeted:

“People are going to say that journalists are overreacting,” tweeted Anne Helen Petersen, a BuzzFeed reporter cited by the Associated Press, who said she’s received emailed death threats and someone who threatened to slit her dog’s throat.

“We’ve been under-reacting for years,” Petersen tweeted.

In today’s Boston Globe, @NotesfromHel describes the hate she and other women journalists of color have endured for years. Death threats should not be part of the job, Helen Ubinas wrote in her column “The hate we get: Why journalists need to stop accepting threats as part of the job.” Ubinas describes why she has publicized the audio, text and verbal threats that she receives on every platform.

“Why? Because … receipts, but also because for years journalists — women and journalists of color especially — were expected to absorb the threats and hatred in silence, while others, often in the very same newsrooms, had the luxury of being blissfully unaware.”

“That was BS then. And it’s BS now,” writes Ubinas. As founder of TrollBusters, I too hold “receipts” of the years of hate mail I received as the first African-American columnist at a Florida newspaper. My experiences led me to create TrollBusters to support journalists facing online threats and provide coaching to media organizations on navigating digital threats.

TrollBusters joins with the Associated Press Media Editors and the American Society of News Editors in honoring our Capital Gazette colleagues this Thursday, July 5 at 2:33 p.m. with a moment of silence. The organizations have issued this list of safety practices to protect against physical attack.

However, the document does not provide management guidance on how to navigate online threats — before they result in physical attacks. TrollBusters provides coaching, infographics, education and training, and a growing consortium of organizations is working to combat online abuse and threats, particularly against journalists.

This week, TrollBusters is releasing its Global Safety Resource Hub, a geotagged directory of country-specific resources and organizations working to combat online abuse and threats against journalists. The Google map includes journalism professional organizations, governmental organizations, nonprofit organizations, training and education institutions, professional organizations and others working around the globe on online harassment and privacy issues.


We want our colleagues around the world to be able to receive just-in-time resources to combat online and physical threats. We invite you to suggest additional global resources to protect journalists under attack at report@troll-busters.com.

In addition, media management must examine their social media policies and protect their talent online and off. Here are some recommendations for immediate action as suggested by journalists from our research:

  • Educate management on the challenges journalists face in the field and assist management with devising strategy for prevention and greater security (both physical and digital).
  • Publish attacks on media sites to call attention to circulating rumors; support your journalists and their work.
  • Take threats more seriously by investigating and/or providing security while working.
  • Close off commenting on an article that is drawing fire.
  • Provide additional personnel on live shots or Facebook Live shoots.

Dr. Michelle Ferrier is the founder of TrollBusters: Online Pest Control for Journalists. Report #onlineabuse #onlineharassment @yoursosteam, report@troll-busters.com and http://www.troll-busters.com.

TIP #9: DON’T LEAK YOUR LOCATION


Make sure that image loading is turned off when you check your email on your laptop and phone. There are services that will notify the sender of an email when you open a message and sometimes even from where.

These services work by sending an invisible pixel that loads just like an image would. You may want to test some of these services (such as ToutApp or Yesware) to see what kinds of information they make available about people.

To turn off images in Gmail, click on the Gear icon, and then go to Settings->General->External Content. There’ll be a button that says “ask before displaying external content.” You can choose to allow or block images from specific senders.

It’s not just image loading that can give away your location, though. Checking into places on social media or registering publicly for events can do that as well. Eventbrite, Meetup, and other places may publish their guest lists publicly or make that information available to other members. Both Facebook and Twitter allow you to post your location as well, so double-check your settings. (Facebook’s Privacy Checkup can give you all sorts of information about what you’ve shared and are sharing.) You may feel comfortable publicizing this information. Just make sure you’re doing it deliberately and not signaling that your home is empty to thieves.

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.

Check out more digital hygiene tips:

  1. Removing public data
  2. Privacy protection on domain names
  3. Https everywhere
  4. Anonymous “Tor” cloak or VPN
  5. Prepare for a DDos attack
  6. Two-step verification
  7. Privacy plug-ins/cookies
  8. Third-party permissions
  9. Image “hidden pixels”
  10. Links and attachments
  11. Install patches and updates
  12. Use a password manager/strong password
  13. Strengthen security questions
  14. Encrypt hard drive/backup data
  15. Click to play
  16. Use end-to-end encryption

TIP #10: BE CAREFUL WITH LINKS AND ATTACHMENTS


Malicious links or attachments can be harmful to your computer or other devices. Obviously, it’s a bad idea to click on spammy links, or to open attachments from strangers (especially .exe ones). That doesn’t mean you necessarily need to stop clicking on links or opening attachments altogether, though.


There are several options to keep you more secure:

  • If you use Gmail, you can open an attachment within Google Drive for some added protection.
  • For links, try hovering over them to make sure the text on your page matches the actual URL. You can Google the URL or an article title instead of clicking on a link directly.
  • If someone’s sent you a shortened URL and you would like to expand it before deciding whether or not to click on it, LongURL allows you to do so.
  • You can scan suspicious links using a tool like VirusTotal. It is a free service that lets you scan suspicious links and attachments to see if they contain viruses, worms, trojans, and other types of malware. VirusTotal isn’t foolproof, but can reduce your risk of opening a malicious file. You’ll be sharing that file with the security companies so they can improve the scanning products.
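The link check described above can also be done on the HTML of a message without clicking anything. This added example (not part of the original tip) compares the address shown in each link's text with the host the link really points to, and notes links that go through a URL shortener. The sample HTML, the short list of shortener hosts and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Small illustrative sample of shortener hosts, not a complete list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample message body.
SAMPLE_HTML = """
<p>Please review <a href="https://accounts.example-login.net/reset">https://www.mybank.example.com/reset</a></p>
<p>Story: <a href="https://bit.ly/abc123">read the article</a></p>
<p>Our site: <a href="https://www.example.org/tips">example.org/tips</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Hostname if value looks like a URL or bare domain, otherwise None."""
    value = value.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        if not re.match(r"^[\w-]+(\.[\w-]+)+(/\S*)?$", value):
            return None  # ordinary words such as "read the article"
        value = "http://" + value
    return urlsplit(value).hostname


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def review_links(html):
    """Return each link with a list of reasons to look twice before clicking."""
    collector = _AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        target, shown = _host(href), _host(text)
        issues = []
        if target is None:
            issues.append("target is not a web address")
        else:
            if shown and _strip_www(shown) != _strip_www(target):
                issues.append("text shows %s but link goes to %s" % (shown, target))
            if target in SHORTENERS:
                issues.append("shortened URL hides the destination")
        report.append({"href": href, "text": text, "issues": issues})
    return report


if __name__ == "__main__":
    for entry in review_links(SAMPLE_HTML):
        print(entry["href"], "->", entry["issues"] or "no issues found")
```

A link with no issues here is not proven safe; the check only catches text that disagrees with the real destination and links whose destination is hidden.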

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #11: INSTALL PATCHES AND SOFTWARE UPDATES



Whether you’re on your phone, your laptop, your tablet, or a desktop computer, there’s never a convenient time to install patches and updates. It’s easy to continue blowing this off.

While you may not want to set everything up to update automatically, try not to put it off forever, either. Making sure you’ve got the newest software updates and bug fixes is an effective way to mitigate security risks and ideally patch up vulnerabilities before anyone can exploit them on your devices.

Check all of your electronic devices to make sure your apps and software are up-to-date. (If you’re curious, you can often check to see what’s new in the apps you’re updating, though sometimes serious security risks are downplayed as ‘minor fixes.’)

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #14: ENCRYPT YOUR HARD DRIVE AND BACK UP YOUR DATA

In addition to protecting your online data, you’ll want to protect your physical devices too. Some of this is common sense, like making sure not to leave your laptop and phone unattended. It’s also a good idea to be careful when plugging USB devices into your computer, since they may contain malware that could damage your system or expose your personal information, so make sure to only plug a USB device into your personal computer if you trust the person who gave it to you.

You’ll also want to make sure your computer has full disk encryption. That way, if someone steals your laptop and copies the files, they’ll just see a jumbled mess. If you’re on a Mac, go to System Preferences -> Security and Privacy and turn FileVault on. You’ll want to keep the backup key in a safe location. If you’re a Windows user, follow the instructions to turn on BitLocker here: https://technet.microsoft.com/en-us/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.


Make sure to back up the data on your computer to an external hard drive kept in a separate, secure location so that you’ll have an extra copy of your data available in case of theft. You can set a calendar reminder to back up your data at regular intervals.

You’ll want to encrypt your phone as well. Ars Technica’s encryption guide has step-by-step instructions for how to do that on an iPhone (which is encrypted by default, but the encryption isn’t automatically tied to a password only you know), as well as Android and Windows phones.

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #15: START USING CLICK-TO-PLAY


Adobe Flash has a long history of security vulnerabilities, but uninstalling it completely can make many sites unusable. A good middle ground is to enable click-to-play, which will allow you to selectively use Flash. You can whitelist specific websites, choose to allow all plugins on a page during a specific site visit, or just click on grey boxes with Flash content when you want to play a specific video.


You’ll want to avoid using Flash Player on sketchy sites you’ve never heard of (especially those without https), but be aware that even sites you trust can be vulnerable, since many serve content from third-party ad network partners. If a popular site is infected with malicious advertising, you’re still somewhat vulnerable, but limiting Flash usage to sites you select will lower your risk. Additionally, enabling click-to-play will improve your browsing experience by making things faster to load, improving your battery life, and by decreasing ads and pop-ups.


For specific details on how to set up click-to-play for Google Chrome and Mozilla Firefox, follow the instructions here: https://freedom.press/blog/2015/07/block-flash-with-click-to-play. Safari, Internet Explorer, and Opera are not as up-to-date as other browsers, but if you need to use them for work, you can still use click-to-play by following the instructions here: http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #13: STRENGTHEN YOUR SECURITY QUESTIONS AND ANSWERS


When someone tries to reset a password, they’re often able to do so by answering security questions. Unfortunately, many of these questions are asking for information that’s either publicly available or very easy to find: Your date of birth, the name of your first pet, or your mother’s maiden name, for example. If an account doesn’t have two-step verification and you’re concerned about the possibility of someone trying to reset your account, consider giving the wrong answers for these questions.


You can make up a false location, date, or name, or answer a different question than the one asked—giving a place of birth when asked about a maiden name, for example. The only drawback with this approach is that it can, of course, be difficult to remember what your security answers are, so make sure to store them in a safe place.

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #12: USE A PASSWORD MANAGER


The best way to keep your online account secure is by using strong, unique passwords. That means that your password has to be complex enough that it’s hard to crack. You should also use a different password for each account in case one gets compromised. An easy way to memorize complex passphrases (which could be combinations of symbols and numbers and random letters) is to let a password manager do it for you.

Download a password manager such as 1Password (around $50) or LastPass (which includes a free option or a $12/year one). Start generating new, unique passwords for your credit cards, bank accounts, social media accounts, email, domain registrar, hosting provider, cell phone company, etc. Accounts that are linked to your bank account, such as ones you buy books or food from, should also be changed. Changing passwords on all of your accounts can be time-consuming, but if you install a password manager, you can just change them as you use them. Make sure to save the new passwords to your password manager.


In addition to changing your password for each site you use, you may want to change your recovery email address for them as well. Consider creating a separate email account for password recovery requests, so that if you are somehow hacked, you can see all of the password reset requests in this email account and have a checklist for what needs to be reset. Keep this account secret. (Remember that keeping the password for your recovery email account secure is paramount, since all other accounts use password reset emails as a verification mechanism.)

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #16: USE END-TO-END ENCRYPTION


One of the best ways to keep your communications safer is to use end-to-end encryption, which encodes your messages in a way that only an authorized recipient can read them. Many options exist, but they’re not always easy to set up or use. Open Whisper Systems’ free and open source apps are an exception, and they allow iPhone and Android users to make encrypted phone calls and send secure text messages, pictures, and videos to one another for free. (Texts sent via iMessage are encrypted between iPhone users, but not between iPhone and Android.) Calls and text messages use data, so you won’t have to pay SMS or MMS fees.

The Open Whisper Systems app allows you to use end-to-end encryption in phone and text messages.

Android users can install Google Play and then download RedPhone :: Private Calls and TextSecure Private Messenger, while iOS users can download and install Signal – Private Messenger from the app store.

After registering and verifying your phone number, you’ll see which of your contacts are already using the app. When making an encrypted call, you’ll see a random pair of words that you can exchange with the person you’re speaking with. This pair of words should be identical on both phones.

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.


TIP #7: USE PRIVACY-ENHANCING PLUGINS AND EXTENSIONS


Consider installing browser extensions or plugins to help minimize your online footprint. These tools primarily protect you from advertising, or from companies tracking you across multiple sites through cookies and other methods that track your browsing habits. However, this type of blocking also helps minimize the personal information websites can find out about you, which helps prevent it from being compiled or winding up online.

Ad blockers, such as Adblock Plus or Ghostery, will block out many ads and also protect you from ad-based malware being served through sites you trust. AdBlock relies on an external filtering list created by its users. Ghostery lets you see some of the trackers placed on web pages and lets you learn more about the companies working behind the scenes, so you can block scripts, images, etc. from companies you don’t trust. Sometimes these extensions make it difficult to use sites that you’re on, in which case you can selectively turn the block off for those URLs.

Privacy Badger doesn’t block all ads, but it will protect you from third parties trying to track you through spying ads or invisible trackers. It works with most antivirus software and trackers; however, it is not compatible with the Avast antivirus extension. The cool thing about Privacy Badger is that if it renders a site unusable, you can look at a list of potential culprits and adjust the slider setting to improve functionality.

Yael Grauer is a freelance tech journalist covering online privacy and surveillance for WIRED, Forbes, Slate, and other publications. Find her at http://yaelwrites.com or on Twitter @yaelwrites, and check out her free ebook on staying safer online at https://yaelwrites.com/saferonline.pdf.
