This weekend Investigative reporters noted that, worldwide, they are between a rock and hard spot. The material on their computers may be open to everyone from unfriendly hackers to unfriendly governments. Some see the release of the e-mails, from the head of the Democratic National Committee to the search of Huma Abedin’s computer, as the tip of an iceberg that threatens to sink investigative journalism. What to do, what to do?
When we were queried this weekend, we answered that the fact the Internet wasn’t created with security in mind makes it nearly impossible to craft an easy but iron-clad method of fending off all intruders. Nonetheless, it is possible to make intrusions and thefts far more difficult.
First, use, and ask that correspondents use, end-to-end encryption of e-mails. We also advise people to encrypt all sensitive files on any computer connected to the Internet. Encryption reduces, but doesn’t eliminate, the danger of spillage.
That is a start, and a good one. There are good, but not foolproof, security techniques. It’s nearly impossible to steal, at a distance, e-mails or files from computers that are off-line. Therefore any saved e-mails or sensitive files are safer if they are located on a computer or device that is never or seldom hooked to the Internet. Theoretically a computer that is not hooked to the Internet cannot be accessed by hackers. (Obviously an insider attack is always possible.)
Our next suggestion — and we welcome other ideas — is based on the assumption that having no Internet connectivity improves security: Hook a hang-on hard drive (or a throw-away computer that does not have Internet connections) to the on-line computer. Transfer to, and store the e-mail or files, to that hang-on drive (or off-line computer.) The safest way of making the transfer is to use a second computer, burn the transferred information onto a disk and use an air-gap transfer, but a direct connection to a hang-on hard drive, for a limited time, is usually acceptable.
Then unhook the hang-on drive.
From then on, review and work with the e-mails or sensitive files only on the hang-on hard drive (reconnected to the on-line computer for short periods) or offline computer.
When the transfer to the hang-on drive or second computer is complete, delete ALL the e-mails or sensitive files from the on-line computer.
But remember, just hitting “delete” on a computer email or file does not actually physically remove it from a computer’s electronic memory; it just changes the name/identity so it cannot be accessed normally. “Delete” effectively hides it from most computer operations, but the file or e-mail remains on the computer and can be accessed by any reasonably competent fifth grader who can get on the system. Since hackers or others with knowledge can still access a deleted file or e-mail, most researchers consider hitting a delete button to be about as secure as putting a document in a drawer and closing it. Since the file or email still exists electronically on the online computer it has to be TRULLY eliminated.
On the computer that is hooked to the Internet run a program that has the capability of overwriting even the “free space” where the bulk of all former files and erased e-mails are found. The conventional wisdom is that three overwrites (the program puts in 1s and 0s in all places that are considered “clean,” does it a second time, and does it a third time) make certain it leaves no shreds of the original message.
It is important to use a shred technique to actually get information off the system and thwart any retrieval. Programs like Ccleaner, KCleaner, BitKiller, and WipeFile, or anti-virus security programs like Avast do this job.
Improving security is possible, but it is a multi-step job that is neither easy nor foolproof.