Hello again!
It’s Martin, deputy director of digital security at Freedom of the Press Foundation (FPF), with our regular update on the U.S. journalism school digital security curriculum.
J-school security curriculum update
- We’ve recently updated our digital security 101 module to include a new resource pack that you can share with your students. This will help you quickly link out to the most important pointers to continue learning about digital security. Check out the updated module here.
- Earlier this year, Customs and Border Protection published a new directive that expands the variety of devices they may search, including vehicle “infotainment” systems. We’ve added more slides to the J-school materials on how the computers in your vehicle may be searched when crossing the border. We’ve already been incorporating this guidance into our trainings with southern border J-schools, so we’ve added some new slides that you can use as well. See our new slides here.
Highlights from digital security in the news
- If your university uses the Canvas education platform, this may not be news to you. But in May, attackers shut down the classroom support tool, and posted a ransom note on university Canvas sites, threatening to release millions of user records stored within the platform, including names, email addresses, and communications from students and university staff. The attackers reportedly broke into the education platform’s parent company, Instructure, and exploited a weakness in its systems that allowed them to exfiltrate data, before pivoting to threats against universities. This may feel close to home, but it may tee up some useful discussions about how such attacks happen in the wild. Read more about the Canvas attack.
- In early June, a flood of Instagram accounts were hijacked using a simple yet powerful technique: Attackers asked Meta’s AI chatbot for access to the account. The hackers claimed to exploit “OG handles” (typically short or highly sought-after usernames) by telling the support chatbot that they were the owners of the targeted account. They then asked for the username to be linked to an email address in the attacker’s control, where it could be recovered with an eight-digit code. After entering the code, the chatbot would allow the attackers to change the target’s password. It seems that with agentic AI, sometimes asking nicely does work. Read more about the Instagram hacks.
- One of our recommended password managers, Dashlane, suffered a breach of users’ encrypted password vaults. Attackers overwhelmed the service with attempts to enter two-factor authentication codes to add more devices to accounts, resulting in “fewer than 20” copies being made of personal plan users’ vaults before Dashlane’s security controls halted the attack. Because the vaults were encrypted, the attacker would still need a user’s master password to access any credentials, substantially slowing down any efforts to put the vaults to use. The company messaged affected users, so if you are a Dashlane user and you haven’t heard from the company, there’s nothing for you to do. Affected users should rotate their passwords. Read more about the Dashlane attack.
What we’re reading:
- A group of cryptographers, including former developers of Signal, alongside contributors from Harvard and Microsoft Research, has developed a series of tools for developers to help build robust, end-to-end encrypted collaborative apps. The Encrypted Spaces collaboration iterates on the security architecture behind Signal, which is designed to store certain user data on a server (e.g., about chat groups) without making that data legible to the service provider. Encrypted Spaces offers a code repository that can be reused by other technologists to create new, secure applications for working together online. For those curious, the team released a security white paper to explain how it all works. Read the white paper here.
As always, let me and our team know how you’re using the curriculum, what’s useful, and how it can be improved! Feel free to respond to this email or [email protected].
Thanks so much,
Martin
--
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation


