This is the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.
It’s Kevin Pham, intern on the Digital Security Training team, taking over the newsletter this week.
In the news
An Ohio judge issued a temporary restraining order against security researcher David Leroy Ross after Ross proved that a recent ransomware attack on the city of Columbus had leaked sensitive personal information. This came after 6.5 terabytes of data was allegedly stolen by the hacker group known as Rhysida. Approximately 45% of the stolen data was released after the group failed to find a bidder.
Columbus Mayor Andrew Ginther announced that the data was either “encrypted or corrupted,” claiming that the information would not be useful for Rhysida. Ross presented evidence to the contrary, revealing that the data was fully intact. Ars Technica reported that “Ross, who uses the alias Connor Goodwolf, presented screenshots and other data that showed the files Rhysida had posted included names from domestic violence cases and Social Security numbers for police officers and crime victims.”
Despite this, city officials sued Ross for criminal acts, invasion of privacy, negligence, and civil conversion. “The lawsuit claimed that downloading documents from a dark web site run by ransomware attackers amounted to him ‘interacting’ with them and required special expertise and tools,” Ars Technica wrote, adding that the suit went on to challenge Ross alerting reporters to the information, which it claimed would not be easily obtained by others. Read more here.
What you can do
If you are a cybersecurity reporter or have sources that work in security research, this lawsuit is worrisome. If similar suits arise, security researchers might not investigate or disclose their findings on recent cyberattacks. Here are some recommendations that may help protect yourself and your sources.
- If you or your sources suspect that they would face retaliation for disclosing information, you may want to use anonymous file-sharing or whistleblowing software. For anonymous submissions, many news organizations use the open source whistleblower submission system SecureDrop, which is a project of Freedom of the Press Foundation (FPF). Depending on your situation, you might also want to look at Signal or OnionShare to share files with individuals.
- Don’t forget about your address book! Email is a popular way to contact sources; however, your address book may reveal their identities if someone finds a way to access your email account. Read these guides to learn more about secure email services and address books.
- The Electronic Frontier Foundation offers legal assistance for cases related to communications technologies and civil liberties. Likewise, you can also turn to your local affiliate of the American Civil Liberties Union or to the Reporters Committee for Freedom of the Press legal defense hotline.
- You may also want to report any press freedom violations to FPF’s U.S. Press Freedom Tracker.
Updates from our team
- Are you a journalist with a digital security question? Share it with us for our new digital security advice column! We’re trying this out for the first time, so let us know if you like this kind of thing and if you’d like to see more. Check out our announcement and submit your questions.
- I wrote a blog on Apple’s Advanced Data Protection feature. If you use Apple devices for work, you might want to enable it. Read more.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Kevin
–
Kevin Pham
Digital Security Training Intern
Freedom of the Press Foundation