I have quite a few friends in Finland.
Some of my friends in Finland are terrified of the SVR, Russia’s external intelligence service (much like the CIA). These friends jump through every hoop imaginable to communicate securely, to ensure nothing they type or speak has a remote possibility of being intercepted and decrypted by the SVR.
These tips, by F-Secure, should be common sense for most people who read this blog. My thanks to F-Secure for sharing these tips.
Whenever I traveled to Russia or China, my security-minded friends always told me – first and foremost – don’t carry any electronic devices with me. Barring that, carry a throwaway, a device you will never use after the trip. The instant you walk off the plane you are an active target, you need to think and act that way at all times. Anything and everything you have will be electronically probed, beginning at the exit of the plane, perhaps even sooner.
I gave a classified briefing to the On-Site Inspection Agency before they went to Russia to inspect Russian nuclear weapons, many years ago. They wanted to know how to write classified notes, how to communicate securely, how to keep some findings private. With my background in secure communications in a special operations environment, I was the ideal person to give them that information. The problem was the threat level was too high because they were too high profile of a target, making many of my suggestions moot and getting them their own equipment would have taken them too long. My Plan B was practical and easily implemented.
Technology has changed since then. The OSIA is now a part of DTRA, and the emphasis on exploiting any and all communications equipment carried by tourists is exponentially more sophisticated than what I briefed.
A major point in this article is that all USB devices received as “gifts” should be immediately dumped into the nearest trash receptacle. Sorry, that customized high-speed gold and silver engraved USB has to wind up in a dump.
This should give you, dear readers, a good starting point for how to write and communicate securely in a possibly hostile environment. There is much more you can and should be doing…
OPSEC for Journalists Covering Trump and Putin
Helsinki will play host to the first summit between Vladimir Putin and Donald Trump, two world leaders noted for their antipathy toward the press. Since journalists likely won’t have time during this whirlwind event to enjoy the town F-Secure has called home for the past 30 years, we’ll save our tips for drinking and dining and focus on something else our fellows know well – operational security or OPSEC.
Finland is known for having among the freest media in the world. But that doesn’t mean that your privacy is guaranteed when you travel here, or anywhere.
Erka Koivunen, our Chief Information Security Officer, often notes that the best OPSEC tip is to not get any intelligence agency on your trail. For journalists covering the most powerful people in the world, this may not be an option.
There are still things you can do to safeguard your privacy. Samuli Airaksinen, F-Secure’s Information Security Manager, offers four basic tips for journalists:
1) Always use a VPN on unfamiliar networks, even if you paid for internet access.
Choose your VPN provider with care. (You can always try our acclaimed FREEDOME VPN for free.) Journalism is about information, so control who sees yours.
2) Beware of USB – especially devices you have received without asking.
Found a USB stick? Don’t plug it in. Reporter gift package included a USB fan? A fan can also be a virtual keyboard that enters commands once it’s set up. USB stands for “Universal Serial Bus” and you should take the Universal part of that seriously. Any USB peripheral can be a Trojan Horse and can’t be guaranteed to be what it appears to be. Keep them far away from your devices. A stranger wants to charge their device from your laptop? Show them the nearest wall power socket instead. Same goes for your USB equipment: only plug them to your own devices. Mac users, no USB ports equals less opportunity to plug the wrong thing in, so leave your dongles at home.
3) Choose your communication channels with great care.
Favor end-to-end encrypted services like Signal, especially over SMS or plaintext email. It’s not only about your own privacy and security; it’s also about those of everyone you communicate with.
4) Lock down your devices.
Hardware gets lost or stolen. Journalist’s devices are especially interesting to motivated thieves. Make sure losing your devices never creates a liability. Use encrypted devices, lock them well, and install security updates without delay. When you travel, it’s best to do your updates before you travel. If you still need to run your patches, consider using your VPN to port back to a country you trust to run them.
Sean Sullivan, F-Secure Security Advisor, notes that this summit likely to be a hectic event. “Be wary of any prompts that request credentials while multitasking, which will be impossible to avoid in an event like a Trump/Putin summit,” Sean said. “If you see such a prompt or a ‘security’ update, give it your single-minded focus.”
Sean has seen intelligent people who knew they were being targeted in an experiment who fell for traps in the form of tricky prompts, in part because they were in a chaotic environment.
This is, in short, the argument for using a VPN, which is a private tunnel for network traffic.
“When it’s running, someone can’t just inject something into your plain-text traffic,” Sean said.
Erka adds that locking down your devices and staying focused isn’t just a matter of your own privacy; it’s about protecting your sources. And you cannot protect them if your endpoints have been compromised by malware.
“Journalistic source protection is a legal concept designed to keep your own government and other law-respecting governments at bay,” he said. “It will not help against criminals, rogue nations and hostile foreign powers, unless you take technical steps and practice OpSec to secure your own computing and networking.”
Erka pointed to the recent Project Polar revelations that show how easy it is to find “the names and home addresses of intelligence agents, people who work at sites where nuclear weapons are stored, and military personnel on assignment.”
Journalists need to be especially aware that location tracking and leaky apps may expose their sources or even endanger the covert operations they are covering.
This is why you probably won’t learn good OPSEC from movies: it can be quite boring and look like deleting apps and turning off location tracking rather than hunting down secret locations.
“In the movie The Post about the Pentagon Papers leak, there was a scene where a journalist went to payphone on the street to speak to a source,” Erka said. “He was ordered to hang up and call back from another line. The journalist moved one foot to the right and took the next payphone! If they were being surveilled, that cheap trick wouldn’t have made a difference.”
You’re not going to find any payphones in Finland, which is also the homeland of Nokia. But a basic lesson applies: If you’re being watched, it’s up to you to make sure you are not an easy target.
For more about OPSEC while traveling, whether you’re a journalist or not, check out this recent episode of our Cyber Sauna podcast.