A Bureau of Investigative Journalism and Sunday Times investigation recently revealed the scale of a “hack-for-hire” industry in part targeting journalists, politicians and businesses in the UK. BBC political editor Chris Mason was among those targeted, in his case with a series of phishing emails soon after his appointment earlier this year.
Tom Kidwell, a British Army and UK Government intelligence specialist and founder of Ecliptic Dynamics, explains the risks posed by malicious threat actors in today’s working world, and how members of the press can take steps to protect themselves, especially when investigating sensitive topics that take them to riskier parts of the digital landscape.
The recent “hack for hire” revelations have displayed the level of capability available to purchase, and the intent of those looking to use it for nefarious activity. It was reported that individuals in the UK have paid criminal groups in India to conduct cyber attacks with the purpose of stealing data.
The exact nature and methods used have not been fully disclosed, although they have been mentioned in the context of phishing and mobile device control. Both are well-known examples of attack vectors and cyber threats, and the two concepts need to be considered separately.
Cyber threats are ways to steal or damage an asset, usually involving malware, ransomware, or phishing. The attack vector is the way the threat reaches you. A good example of this was the widely reported breach of WhatsApp in 2019. In this instance the NSO Group is alleged to have used a vulnerability in WhatsApp’s silent calling feature to deliver a small payload to the target device. This was the attack vector. Once delivered to the target device, the smaller payload could silently call home and deliver the main malware. This malware then took control of the device.
The intent was never to breach WhatsApp; that was just the access point they needed to breach the whole device. Once they controlled the device, they could access whatever they liked, including all of its apps and data.
Often, the question for threat actors is: How can we deliver this attack vector to a remotely targeted device? How do we get the malware onto the target device without the user knowing? The attack vector is a crucial aspect. This is why phishing is such a widespread attack vector. It’s a low-cost methodology and can be achieved with minimal technical setup/cost. If it fails it doesn’t stop the whole process, and it can be repeated until success is achieved.
Basic device management
The best way for journalists and media organisations to be proactive in protecting themselves is to implement basic access control and device management. It’s not necessarily the most technical or high-end aspect of cyber, but implementing good procedures and processes makes you a much harder target to exploit.
Using two-factor authentication (2FA) is a quick way for journalists to secure access to their online accounts. The concept is based around having something you know (username, password) and something you have (a token on your mobile). This means that even if your social media login credentials are compromised, you still have a layer of protection. Unless the attacker also holds your second factor, they won’t be able to access your work login, for example.
Password managers are a very good idea. Reusing passwords across multiple online accounts (email, work logins, social media etc) means once one account is compromised, it compromises all the accounts you have used the same password for. The only way you can alleviate this is to be proactive, and create complex bespoke passwords for each individual service you use, and a password manager allows you to do this without needing to remember every password. Using a bespoke, complex password for the password manager itself is also essential.
Not all digital work is equal in risk, so it’s important to consider isolating the more exposed areas of your work. In most contexts people split their personal and professional lives, and in many instances certain aspects of their professional life should also be isolated from one another. Someone conducting surveillance in the real world is highly unlikely to do this using their personal vehicle. It’s important for journalists to have dedicated equipment that splits their personal and professional activities.
Bomb disposal robot
And if a journalist travels to a high-risk area of the world, they would usually have some form of insurance to protect them if they encounter trouble. The same mindset should be applied to online research, especially into sensitive subjects which involve access to high-risk areas of the digital landscape, such as the dark web. Isolating the risky activity by creating a ‘virtual environment’ or ‘sandbox’ will contain any malicious activity and protect your data, as well as any other third-parties you’re communicating with. If you require an open email address for people to make contact, which most journalists and editors do, you can expect to receive a stream of phishing attacks. Some will be more sophisticated than others. However, if you ‘sandbox’ emails, links, and attachments from unknown senders to a disposable environment, it will isolate your device and protect all your other assets.
Effectively a ‘disposable environment’ sits outside of your corporate digital environment, and externally from your device and server, meaning everything you do in the disposable environment is contained within itself. It locks down all of your activity, and only delivers the pixels to your screen.
It’s a little like having a bomb disposal robot you send out. If this ‘sandboxed’ environment is hit with malware or a trojan horse from a phishing attack for example, the environment destroys it, killing the attack at source and stopping it from ever coming into contact with your actual device or corporate environment.
Underpinning all of this though should be a robust cyber risk assessment. If you haven’t identified your assets (data, devices, property) you can’t put measures in place to protect them. It’s also vital to ensure any security measures and processes you implement are proportionate to the perceived threat.
The responsibility for protecting your data and people sits with you as the ultimate owner of the asset. Only you can decide the value of your data and the impact of it being lost or stolen.
- Ecliptic Dynamics is a leading internet infrastructure security specialist providing businesses, employees and freelancers exceptional security, privacy, and data protection when researching and investigating online.