How good was the physical security at the press area provided by the Finnish Foreign Ministry for the first official “meeting” between Vladimir Putin and Donald Trump in Helsinki in mid-July?
“Almost as soon as Samuli [Airaksinen, F-Secure’s Information Security Manager] and I took off our badges as we headed out of the Finlandia Hall for the night, a security guard asked what we were doing in the building,” Sean Sullivan, F-Secure’s Security Advisor, told me.
Every entrance was secured, every badge was checked and the bus bringing the pool reporters to the now infamous press conference was checked by bomb-sniffing dogs.
This kind of physical security is a good first step of OPSEC, or Operational Security, but it can also lead to a false sense of invulnerability.
“I was just a bit surprised that this was treated like just another work space,” Sean said, describing the manner in which journalists from around the world spent their day waiting for news to break. “Perhaps since we were in an obviously safe space, they weren’t worried about cyber security. Maybe I’m too used to working with the tech press or investigative journalists, but from my perspective, the journalists covering this event were entirely too complacent about their cyber security.”
F-Secure offered a quick summary of essential OPSEC tips for journalists before the event, but after spending two days at the Helsinki “meeting,” Sean feels that many members of the press need basic pointers in security hygiene.
“They seemed like sitting ducks,” he told me.
So here is a quick summary of best practices that Sean saw violated over and over, and that journalists who cover newsmakers need to consider now. These tips are also fundamentals for anyone who uses a co-working space, where you have no reason not to trust the workers sharing the space, but no particular reason to trust them either.
“If you’re not even doing these basics, I don’t think OPSEC advice is going to be helpful,” Sean said.
1. Always lock your laptop when you step away from it in a public space.
Sean and Samuli saw lots of laptops closed at a 45-degree angle so the machine wouldn’t go to sleep but wouldn’t seem readily available to passersby.
“Our consultants plus a USB device plus thirty seconds would equal a compromised machine,” Sean said.
Sean advises some basic guidelines. If you step away from your computer, even if your back is turned, lock your computer. If you’re going to step away for a while, shut the machine down so disk encryption is enabled. If you’re going to step away for longer than a half-hour, bring your PC with you.
“Don’t make your colleagues responsible for your device’s security,” he said.
Reporters who cover newsmakers full-time likely don’t have sources to protect, but they may have access to their publication’s publishing platform. They almost definitely have access to their own Twitter accounts. Imagine the disruption that could be created with one well-placed fake news story or tweet. Sean calls this the “soft underbelly” and notes that one hacked tweet by the AP in 2013 took more than $100 million out of the U.S. stock market.
“The idea of one tweet sent from an event that the entire world has its eyes on shaking global markets doesn’t just sound like the concept for a movie anymore, not based on what I’ve seen in cyber security over the last few years,” Sean said. He notes that we live in a world governed by algorithms. And if you’re a credible source, one ill-placed tweet could create a considerable mess and cost you your credibility. So don’t ever leave your unlocked laptop unattended.
Sean pointed to the booths or cubicles assigned to journalists. Many weren’t secure at all; some were secured with a three-digit lock. This one below caught Sean’s attention. Maybe you can see why.
“Security hygiene’s goal isn’t to stop a dedicated attacker but to make sure you’re not the lowest hanging fruit.”
Speaking of lowest hanging fruit, there were no privacy filters on any laptops Sean saw. “I didn’t even see any grooves where the filter could be inserted.” That makes an easy target for shoulder surfing.
2. Don’t identify your device by your name, first or last and definitely not both.
Sean was surprised to see how many devices were broadcasting names that could provide essential information to anyone trying to use social engineering on you. Unfortunately, the iPhone often defaults to using the name associated with your iTunes account.
3. Don’t use Bluetooth in a shared space.
“Bluetooth is potentially an open door into your PC,” Sean said, much like your USB port. “But someone has to walk up to plug something into your PC.”
4. Forget your local network before you leave. Reset network settings.
Sean found 1068 devices connected to the local network in Finlandia Hall. It was one of the most diverse collections of devices on one network Sean has seen. However, 56 percent were Apple or iPhones, a much greater percentage than its market share would predict. “The best practice would be to delete known or saved networks you’ll no longer use. Unfortunately you can only forget a network on iOS devices if that network is still in range. There is no list of known networks on iOS.”
This is a sorely lacking feature in Sean’s opinion.
There’s only one way to erase known networks after the fact. Go to Settings > General > Reset > Reset Network Settings. This will erase all networks and will also reset the device’s name. At this point, you have the chance to rename it something that won’t reveal personally identifiable information if you go to Settings > General > About > Name.
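For tip 2 and the renaming step above, a newsroom IT team could check its own device inventory for names that give away the owner before staff travel to an event. The following is an added example, not code from F-Secure or from the original post; the inventory entries, owner names and function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample inventory (owner, device name); not data from the event.
SAMPLE_INVENTORY = [
    ("Alex Example", "Alex Example’s iPhone"),   # account-name style default
    ("Alex Example", "Alexs-MacBook-Pro"),
    ("Zoë Sample", "zoesample-pc"),
    ("Sam Lee", "Samsung-Galaxy-S9"),            # must not match "Sam"
    ("Sam Lee", "press-laptop-17"),
]

def _tokens(text):
    """Lower-case, strip accents, split on anything that is not a letter or digit."""
    plain = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return [t for t in re.split(r"[^a-z0-9]+", plain.lower()) if t]

def classify(owner, device_name):
    """Return 'full-name', 'partial-name' or 'ok' for one device name."""
    owner_parts = _tokens(owner)
    names = {owner_parts[0], owner_parts[-1]} if owner_parts else set()
    toks = _tokens(device_name)
    # A token counts as a hit if it is the name or its possessive ("alexs").
    hits = {n for n in names if any(t in (n, n + "s") for t in toks)}
    # Also catch first and last name run together, e.g. "zoesample-pc".
    joined = len(owner_parts) >= 2 and (owner_parts[0] + owner_parts[-1]) in "".join(toks)
    if joined or (len(names) == 2 and hits == names):
        return "full-name"
    return "partial-name" if hits else "ok"

def audit(inventory):
    """Return (device_name, verdict) for every device that should be renamed."""
    findings = [(dev, classify(owner, dev)) for owner, dev in inventory]
    return [f for f in findings if f[1] != "ok"]

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_INVENTORY):
        print(f"{verdict:12}  {device}")
```

Matching whole tokens rather than substrings keeps a model name such as "Samsung" from being flagged for an owner called Sam.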
This event was an eye-opening experience for Sean. The venue was impressive and so were the Finnish strawberries and peas.
“I thought that lax security hygiene would be more common in workplaces where people know their coworkers. Now, I really want to do an investigation into co-working spaces.”