The day the Russian invasion of Ukraine began, the New York-based Norwegian hacker Runa Sandvik tweeted that she could help: “If you choose to stay in Ukraine and report what is going on, I will be happy to discuss physical and digital security with you for free,” she wrote, alongside her email address. The message went viral. Internet access remains available in Ukraine, and the mobile phone is a basic tool for journalists and citizens. But in 2022 there is an awareness that a digital device is useful and at the same time can be a scourge, because it records our behavior, which can be observed.
If you’re choosing to stay in Ukraine and report on what’s happening, I’m happy to discuss physical and digital safety with you pro bono. Email me at runa dot sandvik at gmail. 🇺🇦🔐
— Runa Sandvik (@runasand) February 24, 2022
That awareness is visible at a glance in the apps most downloaded in Ukraine: there are connection, messaging and encrypted browsing apps, device-cleaning apps, and apps strictly for information about the war. Sandvik, who has worked at the Tor Foundation, the dark web browser, and has been director of information security for the newsroom of the New York Times, believed that with a few details she could help: “It is what I call foundational security, which serves the general public,” she tells EL PAÍS by videoconference from New York.
The tips serve to make it harder to access a mobile phone, not to defend against sophisticated adversaries, but that is already much more than what the vast majority of users have. The recommendations are manageable precisely because a war zone is, in addition to many other things, stressful: “If you are in a country reporting on the war there, it is stressful, it is frantic. There are a lot of unknowns,” says Sandvik. For those moments, only something concise and simple will do. The only thing that would change between a user in a peaceful country and someone in a conflict zone would be the order of the following tips.
1. Unique passwords
“The first best practice is to have a strong, unique password across all the sites you use,” she says. Why? To prevent the loss or theft of one password from giving access to several of our accounts, and also to make it harder to guess by brute force. Most of the passwords we use are very similar to those used by others: avoiding that is an affordable step.
“To help with that, you can employ a password manager,” she adds. It is a program that stores dozens of passwords behind a single one. It’s a small effort compared to the benefit of having 30 random character passwords and never having to remember them again.
2. Another layer of security
“Two-factor authentication serves to add an extra layer of security to all accounts,” says Sandvik. With this enabled, even if someone obtained your password, they would still need to enter a code that you receive on your mobile phone to access the account. “This is not something that all companies do,” she says, but most large networks and banks do.
3. Social media settings
“If I were talking to a reporter in Ukraine, I would change the order of what I suggest they do,” she says. Access to reporters’ social networks is, for Sandvik, a potentially more serious problem during a conflict. “I’d say look at the privacy and security settings on your social media account so you can be aware of what you’re sharing, when, and with whom,” she adds.
This type of adjustment is especially useful for Facebook, which has created a new function to protect accounts in Ukraine.
2/ Last night, we also took steps to help people in the region protect themselves online. We’ve launched a new feature in Ukraine that allows people to lock their profile to provide an extra layer of privacy and security.
— Nathaniel Gleicher (@ngleicher) February 24, 2022
Twitter has also reminded users how to deactivate their accounts or protect their tweets.
If you feel safest deleting your account, deactivating your Twitter account will be the first step and will mean that your username, profile, and Tweets won’t be viewable anymore unless you reactivate within 30 days. https://t.co/a3UJRpY1mC
— Twitter Safety (@TwitterSafety) February 24, 2022
4. A virtual private network?
Another recommendation, aimed at areas with restricted internet access, is to use a virtual private network, or VPN. It is a way to gain access to content that is not available in some places.
“If you are in a place where, for example, access to Facebook is blocked, you can use a VPN service. It could also serve to limit access to our browsing,” she says. VPNs do have a problem, though. When using one of these services, the internet provider cannot see our browsing, but whoever provides the VPN can. That makes it tempting for the VPN provider to trade on that data. To avoid that, Sandvik offers secure VPN accounts with OpenVPN or recommends this link where two other providers are listed.
5. And what messaging ‘app’ should I use?
Sandvik recommends two: “My favorite is Signal and WhatsApp is the second, very close to the first,” she says.
And Telegram? It has problems. “It is important to recognize that Telegram is extremely popular in Eastern Europe and many people use it. Unfortunately, however, Telegram over the years has been described as a secure messaging app and it is not. It is not encrypted in the way that Signal or WhatsApp is. So Telegram is great for accessing information. It’s also probably good for sharing memes and jokes and stuff like that. But if you’re looking for a secure messaging app that encrypts your calls and messages, it would be Signal,” she adds.
In Ukraine, people seem to have noticed these differences between necessity and convenience. All three applications have been among the most downloaded since the beginning of the conflict. For safer use of Telegram, the Electronic Frontier Foundation has published a guide.
6. What to do with email
“You can have very secure email, where you run everything yourself, you have control of the server when you do that,” she says. “But then it’s like you’re the system administrator, the security engineer, the person who takes care of all the costs and you also have to respond to emails,” she adds. Which becomes unfeasible.
Sandvik is well aware of the need to find the right balance between security and ease of use for each occasion and user: “In a journalistic context I think it’s completely appropriate to use a service like Google for email. And then just knowing when and for what purpose you can or should use something else,” she says. The goal is, when necessary, to set up a second email account with a different provider for a specific project or for the future.
For example in Ukraine or, even better, says Sandvik, if you had gone to the Winter Olympics in Beijing: “Forget about your Gmail and set up one just for those days and hit that when you’re there,” she says. In a moment of risk, she says, it is not convenient to have to jump between email accounts.
7. What about suspicious links?
Journalists often receive interesting messages from promising sources with a file or link attached. The temptation to click is obvious: how do you protect yourself from the danger that it is a phishing or fraud attempt?
Sandvik recommends using the urlscan.io service. “Although you must be very careful if you are going to copy the link from a mobile phone,” she warns, so that you do not accidentally click.
For attachments, if you’re in Gmail you can simply click on the attachment within the Gmail web interface and it will open in your browser. “At that point, Gmail creates a sandbox for attachments,” she explains. So if there is something malicious in the attachment, it will only affect the sandbox, not the account, browser or computer. “The risk of malicious attachments appears mainly if it is downloaded to the computer and then opened. But just viewing the attachment in the browser is usually fine,” she says.
An additional trick for working with the document without downloading it is to “print as PDF” from the web version of Gmail. This creates a copy for your own use.
8. How to deal with wifi connections?
Sandvik doesn’t seem particularly concerned about what kind of browsing the Wi-Fi provider might see. “The challenge there and the thing to keep in mind when you’re on Wi-Fi in a hotel, library or airport is that the admin can see what sites you’re visiting, but because so many sites offer encryption, the admin can’t see what you’re accessing,” she says.
Although there are always methods: the owner of the Wi-Fi cannot see the search you do on Google, but can see the link you click on. “But if you’ve searched for a book and clicked on Amazon, they won’t see which book it is,” adds Sandvik.
9. What if there is a lot of budget?
The main hardware tip is to use a throwaway computer for sensitive trips. If there is a fear that someone could access the device if it is left in a hotel room, for example, the best protection is to use a blank device with no access to sensitive accounts. With a mobile phone this is less necessary, because it is always carried with you.
“Today we have the technology, tools and software to really help users work safely. It’s just a matter of incorporating that into daily work.”