11/25 – Friendship Hacking And Juice Jacking

A weekend coincidence brought to my attention a very simple, often quite under-appreciated tradecraft mistake that journalists commit quite often.  I have been, am currently, and will be in violation of the maxim I am about to impart.

Do not add your sources to any of your social networks.

Sounds head-thuddingly obvious.  But it’s actually really hard to enforce this, even upon yourself.  For one thing, for young reporters starting out, friends and sources are not mutually exclusive categories.  Journalists often find that the press wrangler from their first presidential campaign finds her way onto the National Security Council staff several presidencies later.  Since most of your social networks log your friend requests and whether you unfriend people, hiding your nest of life sources from, say, the government, if you cover national security, doesn’t track with how you live your digital life.

We are well-advised to try to force-feed young journalists this principle early, so they can avoid hassles down the road.  Another mistake, one that connoisseurs of MTV’s Catfish might find familiar, is not restricting access to your friends/contacts/connections list.

If you’re covering a big corporation and you use LinkedIn or Facebook (or even Twitter) to scout for sources, make sure you and your sources think about who might be able to discover whether a relationship between the two of you exists.

Some news of note:

Wired notes that Twitter now has better two-factor authentication. “Now, use it,” the pub says. The enhancement: you don’t need to give Twitter your phone number for the 2nd factor, which will help you if someone tries to spoof your phone number via an SS7 hack or some other technique.  Best practice: use a key. Use a key. Use a key. Use a … key.

LAX airport has discovered “juice jackers” in their terminals.  These easy-to-buy devices mimic self-charging USB ports and steal data as they provide a charge. Best way to avoid getting snared by one is to not use public chargers at all. Or, or if must, use electrical outlets and dock your power cords.

I helped WhatsApp figure out their communications strategy when the messaging app turned on endpoint encryption; with that disclosure, I am not sure what to make of Telegram’s recent attack against WhatsApp.  While it’s true that sophisticated non-state actors have found ways to inject hidden software to compromise and interrupt the secure communication stream, the exploitation of these vulnerabilities are largely a matter of users not being as aware of the dangers of clicking on random MP3 files anywhere — inside of or outside of a WA message.  For those who want to use WA securely, turn off cloud backups, make sure that you don’t save videos to other sites (because tokens might be compromised), and clear your caches frequently.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s