CANCUN–Things are getting real these days for executives, researchers, journalists and others involved in the security community. Targeted surveillance is a reality for many in the community, and researchers and activists are trying now to help them assess and address that threat to their privacy and security.
Secure communications among researchers who know one another are typical, but for a researcher or journalist who is dealing with a new or unknown source, establishing a method for transferring documents or information securely can be a challenge. The SecureDrop system was designed with this in mind and it’s been used by journalists, activists and news organizations to communicate with sources and send and receive sensitive documents. Managed by the Freedom of the Press Foundation, the system is open source and it can be used by anyone concerned about privacy and anonymity, not just reporters.
In an environment that includes persistent hardware backdoors and an untold number of active APT groups, encrypted email or chat isn’t enough.
“It’s well known that if you have a hardware backdoor or implant, encryption won’t protect your secrets,” Runa Sandvik of the Freedom of the Press Foundation said in a talk at the Kaspersky Lab Security Analyst Summit here Tuesday.
The SecureDrop system allows users to leave and pick up sensitive documents, and relies on the Tor browser and some other components. There are a number of other technical tools that researchers and others concerned about potential targeted surveillance or physical threats can use, but perhaps the most valuable tactic is simple operational security. Being private and quiet about any sensitive projects or work you’re doing can be the most effective way of operating.
“The first rule of opsec is that silence is a security discipline,” Vicente Diaz, a principal security researcher at Kaspersky Lab, said in a session with his colleague Dani Creus.
Talking about research being done on a sensitive APT campaign is not the best idea if you’re interested in staying upright and continuing the work, Diaz said. Likewise, relying too much on encryption and other technical means for security and privacy can sometimes put you at a disadvantage.
“The adversary doesn’t have to break crypto to get your password. They can get it through many other means, by physical access, by beating it out of you,” Diaz said.
And as Creus emphasized, responding to privacy or physical threats–say border searches or warrants–by panicking or freaking out is not going to help the situation.
“You are not James Bond. Don’t make the situation worse,” Creus said. “Ask yourself what they want.”
Ultimately, being quiet can be the most reasonable option in many situations.
“Be the owner of your silence and not the slave of your words,” Diaz said.