mnemonic security podcast

Guidance for High-Risk Individuals

mnemonic

When we talk about securing an organisation’s assets, we most often mean its data, devices, servers, or accounts, but are we doing enough to secure the group of people leading the company? Or the ones doing high risk work on behalf of the organisation?

To discuss the importance of securing high-risk individuals, like journalists, politicians and executives, Robby is joined by an expert in this field, Runa Sandvik, journalist, security researcher and founder of Granitt. At Granitt, Runa works with digital security for journalists and other at-risk people, building on her experiences working at The New York Times, Freedom of the Press Foundation and The Tor Project.

During the conversation, they talk about how to secure devices when travelling to high-risk countries, what tools to use and at what time, and how threat actors usually target individuals. Runa also shares how she works to secure accounts and devices for her clients.

Speaker 1:

From our headquarters in Oslo, Norway, and on behalf of our host, Robbie Perelta, welcome to the Mnemonic Security Podcast.

Speaker 1:

Contrary to what the marketing people say, not all attention is good attention, and although this is unfortunate that we have to think this way, any attention in cyberspace should be greeted with skepticism. There's apparently 8 billion people in the world today, and some of us get more attention than others. Proofpoint likes to call them VAPs very attacked persons, and the most attacked groups are upper management, finance and HR personnel, followed by IT and security staff. We, of course, know this by now and have built up a corporate defense to address these threats, and members of these groups should rest easy at night knowing that nobody's really out after them personally. Other groups, however, for example, journalists or political activists, shouldn't be select Depending on what they're digging into, of course, and where in the world they're doing such digging. These groups have to where in the world they're doing such digging. These groups have to account for the worst of the worst Lawful intercept tools, forceful encounters at the airport and, in worst-case situations, physical threats and in that case, it doesn't help that social media sites and data brokers are selling everything your phone knows about you for $20. Although we'll never be journalists, it definitely can't hurt us to learn how they protect themselves from digital threats and consider doing some of the same ourselves. And today's guest is a go-to for journalists and other high-risk individuals wanting to up their cyber game.

Speaker 1:

Irina Sanvik, welcome to the podcast, thank you. Are you in the Big Apple right now or where are you at? I am in New York. Yeah, all right, nice.

Speaker 2:

So has New York made you a harder person yet Less so more friendly.

Speaker 1:

More friendly.

Speaker 2:

More likely to talk to strangers than in Oslo.

Speaker 1:

Well, that does not surprise me actually. So you're from Oslo. I am, yeah yeah, cool. So we that does not surprise me actually. So you're from Oslo, I am yeah, yeah cool. So we are the same, same but different. I guess I was born and raised in the States and you were born and raised in Norway, and then.

Speaker 2:

Yeah, we sort of like traded places.

Speaker 1:

Exactly. So yeah, the grass is greener on this side of the world, I would say, but I guess you would say different.

Speaker 2:

I don, which is funny because I've always said that it's the other way around. I wanted to move out because I knew that the opportunities would be greater outside of Norway for the type of work that I wanted to do, at least back then. I think maybe now things have changed a bit, but like 12 years ago, 14 years ago, a bit different.

Speaker 1:

Judging by your LinkedIn, you've had one hell of a career or journey. You could say so. You've been a teacher, a Google Summer of Code student, an IT support at your university, ntnu developer for the Tor project, awesome Contributor for the Forbes magazine, senior director of information security for the New York Times also awesome Member of the advisory board for Freedom of the Press, foundation Board member and advisor to a million different organizations, member of the Technical Advisory Council for the US CISA and, last but not least, the founder of Granite, which is your baby.

Speaker 2:

Yes.

Speaker 1:

Yes, and, as your LinkedIn so elegantly puts it, securing journalists and at-risk people around the world. Yes, it's awesome. Exactly I love that mission statement so much that I had to have you on the podcast. I had to ask you at least. And that's going to be like the focus of the whole entire episode. So what's your typical assignment that your clients are asking you of these days?

Speaker 2:

It's a bit of a mix right Majority these days is someone coming to me and saying I do this really mission critical work. It's really important to me. I recognize that I am at risk. I know I need to do better, but I don't know what better looks like. Help me.

Speaker 1:

What about, like company executives, are they ever somebody that reaches out?

Speaker 2:

Sometimes A bit more rare. I've sort of like built a name for myself as, like someone who works with reporters, sometimes with activists, but certainly executives, high net worth individuals, actors, like would sort of fall in under that same umbrella. So I view my work as it is my job, to help you do your work safely, and so, through an initial consultation, we sort of figure out what does safely mean for you. Is that like physical, digital, emotional, legal? What are the challenges that you're facing and what's it going to take for you to actually get that work done and stay safe at the same time?

Speaker 1:

Cool, and let's dive into that process, if you don't mind. Like what does that process look like? Like you meet somebody for the first time.

Speaker 2:

Yeah. So it would be first like for me to understand what you do, who you are, how you're working, what it is that you're trying to now. Is this like the? You know you want to, like need to do better, but you don't know what that is. So we talk a bit more like high level about what you do, how you're working, what your days are like. If it's a specific project or a trip, we can sort of narrow in on like those details. But then from there I try to get a sense of like what is already in place for you. Are you familiar with a password manager? Do you have two-factor authentication? What kind of devices are you using? And I try to like figure out like what's the baseline, so that I know what to recommend from there, because I don't want to start at like level 5000 if you're at level 10 and everything else is just going to get lost in translation.

Speaker 1:

I made that mistake with my parents. I tried to take them to my level. I was like, okay, that's I need to redo this, all right yes, and I think it's also like fascinating.

Speaker 2:

So for me, I do, to some extent, view my work as a bit of a puzzle, right? So meeting you, hearing about your work, and then trying to figure out where you're at, what your knowledge and comfort level is with technology, and then try to figure out, like, what are the right pieces to put together, what are the right levers to pull to help you actually be safer online, and so the recommendations that I give and the way that I talk about it will change depending on the person and their background.

Speaker 1:

Do they come to you? Usually because something has happened or because, like, what's their motivator to take contact with you?

Speaker 2:

I think it's like a 50-50. I think there are people that come to me now that I've been working with for quite some time where maybe initially something had happened and we sorted that and now they know to like proactively reach out. But yeah, it's a 50-50. There are people that want to be like proactive, that just know they need to do better, and there are some that know they need to do better, haven't gotten around to it yet. Something hit the fan and now we're doing some cleanup.

Speaker 1:

That makes sense. I assume you got this idea from your time at the New York Times. Were you sort of responsible for helping secure your journalists? Is that where the inspiration came from?

Speaker 2:

So the inspiration for this came from, like back at the Tor project. So Tor got funding to train reporters. I ended up working on that project and sort of really got a feel for the sort of combining the world of cybersecurity and investigative reporting and high risk people and investigative reporting and high-risk people. And then later on, like after tour, did some work with Freedom of the Press Foundation. So how I landed at the New York Times and it was the head of security for the newsroom there. So at the Times there was a CISO responsible for like overall New York Times company security with your analysts and compliance and pen tester, and then I was dedicated to securing the newsroom.

Speaker 1:

Cool. Well, it's good they actually had a role for that. How many journalists do they have, if you remember?

Speaker 2:

I think back then like 1600 around the world globally. That may also include like contractors and I don't know.

Speaker 1:

It's a lot of people. It's like bigger than all Norwegian companies, yep.

Speaker 2:

It's a lot of people. There's a lot of lot of money that goes into reporting at like an organization like the Times.

Speaker 1:

Yeah, wow. So I mean, I don't want to ask you about the Times and how they do things, but a journalist they have very usually deal with somebody does not want them to speak or write about whatever they write about. So most of the time are you dealing with pretty advanced adversaries, or what can you say about a threat level towards journalists?

Speaker 2:

I think that's kind of going to really depend on the individual and where they're located, like physically in the world, and the type of stories that they write. So you can take someone who writes about culture in New York City and with that person we can talk about security, best practice, passwords, twofactor software updates and maybe just like park it there, and then there can be reporters who are doing like investigative stories in China or in Russia or in Venezuela, where there's a combination then of risk to electronics and like digital data and also physical safety becomes a big concern as well. So the sort of types of digital threats that you see is going to be all the way down to from your usual adware they install the thing it ended up being adware maybe it's a Bitcoin miner to state level adversaries with zero days.

Speaker 1:

Okay, wow. Well then, if you want to be super, duper, top echelon paranoid, what does that look like these days?

Speaker 2:

So I think there's the foundational security that we talked about and then from there there are certainly ways to make things more secure, like you could have a travel laptop and a travel phone. But I think as you increase security, you're also increasing friction in this person's workflow and you're making their job a bit harder to do. We do have all the apps and tools and settings to do things securely, to secure devices and phones and systems, but what we're lacking and sort of where people do run into challenges is that there's like a lack of process and a lack of like thoughts prior to taking on some of these projects. So it really becomes trying to figure out this right combination of security level versus friction and usability and speed and the reason that you're traveling or the project you're taking on just really depends on the case that I'm working.

Speaker 1:

Right, listen to this podcast. Most likely don't have journalists in their company, but they probably do have some sort of like executives or higher ups that probably don't care or know that much about security, and there was essentially this report from this company that we don't need to mention. But basically they specialize in like providing security to executives, right, and I'm reading through it and I'm thinking, like how much of this is bullshit, like how much is marketing and how much is it is actually like something that's. I think that some of the services provided there were like doing talking with individuals, talking to their families, making sure they understand security, like a little bit and putting it in a context for them, but they were also doing things like monitoring of like home networks and stuff like that. I just wanted to hear what are your thoughts around executive cybersecurity protection. Like is that something every company should actually be focusing on, or is that just somebody exploiting the paranoid higher ups?

Speaker 2:

No, I think it is absolutely relevant for some companies. I think executives are people who don't have a lot of time. They're very busy. They do have access to a lot of important information. I think their name, their email address, carries a lot of weight and in a sort of company context, especially for a company that's like public, their name will be out there as well as associated with this company.

Speaker 2:

And I think for companies, we're sort of at a point now where we're very good at talking about securing company assets, company email, company devices, company servers, company online accounts, but an executive is an executive for that company, 24-7. That role doesn't end at five o'clock. That does extend to the executives personal devices, personal accounts, potentially then also their home network, and then, depending on the type of work that this company is doing, yes, that could also then start including their partners, their children and so on, and so I think that there's absolutely value in talking about how you secure this group of people as well. So, like the report that we read, it's not, it's not all snake oil. I do believe that there is value in there.

Speaker 1:

Right, how often do you come across like new conversations in that line of work? Is it like I'm so? I mean, obviously, all the work, all these stories, that all these use cases they're working with, they're like fun. You have to put yourself in their life and, okay, I would do this. But do you come across very many new things?

Speaker 2:

very often um, I think, oh, I, I am, yeah, so I think, at the, at the end of the day, a lot of the recommendations that I gave do end up and being fairly similar, but the, the challenge there is sort of hearing what this person is up to, which always changes right, another war, another conflict, another investigative story. So it's a different person that I'm speaking with and then trying to figure out, like the challenges now, this person, this context, at this point in time, what do they need? And figuring that out and being able to help them, um, I, I really, really enjoy that right, the threat actors that they're up against right, and these are probably adversaries.

Speaker 1:

Some of these adversaries probably have like things like what do they call that? Spyware or lawful intercept tools and stuff. Do you have anything to say about that?

Speaker 2:

I think that they exist. We we know that there are states out there that are using these tools, that also do use them against journalists and activists and lawyers, and so certainly for some other people that I work with, that is part of the conversation we try to figure out how do we defend against it, how do we detect it, how do we deal with a potentially compromised device? What would the impact in that case be on the work that they're doing and really try to come up with a sort of a plan around that?

Speaker 1:

Do you ever like just tell them to assume breach if you're going to like one of these war zones or a few, because I mean one thing about journalists, I'm not sure. Well, yeah, if you work for the New York Times, maybe you have like an EDR agent on your computer or on your phone or whatever. I'm just kind of thinking like I love having it like my mnemonic device because I know that there's a sock 24-7 if I click on something. Most hopefully, most likely.

Speaker 1:

I put my eggs in the basket, that somebody will, you know, detect it and hit me up. But that's not necessarily the case with a lot of your potential or your clients, right, or is it Right?

Speaker 2:

So there will be some contexts where you just have to accept that someone is watching, right, if you are doing like investigative work now and you travel to like China or to Russia, you may be under physical surveillance, and sure, there's a whole field of like counter surveillance that we can like rabbit hole into and talk about and that is also incredibly fascinating. But for the journalists who actually do the work that they need to do, it is, I think, much more effective for them to just talk about. Like this is just going to be something that is going to happen. You're going to have to accept it. Here's how you operate now within that context, which is sort of the physical security version of assume breach.

Speaker 2:

I think online works slightly differently because there are just like far more variables there. But I think there's a lot of discussions that we can have around, like what are the limitations that we still have today? There's a lot of things that we can do to secure an iPhone, but there's no guarantee, right, you can use all the security and privacy settings available to you today, but there's still no guarantee that you're not going to get compromised. But the goal is to make the attacks harder and more expensive for the threat actors. So if you had a strong, unique password stored in your password manager to factor with a security key only, that is now a much, much harder attack to pull off and the threat actor would have to put in more time, more money and be very motivated to successfully get into your email account. So I tried to think about it in terms of, like, making the attacks harder, adding friction for the threat actor, um, as opposed to telling a reporter to like assume breach it's like literally a copy-paste of how we're doing security for organizations, right?

Speaker 1:

I guess I could say it like this Is there any differences between people and organizations, or is it a lot of the same advice the whole way through?

Speaker 2:

It's a lot of the same advice. I think what changes is how you talk about it, the budgets and the tools. There will be security tools that companies will have access to, right. They can have full teams. You mentioned a 24-7 SOC. Individuals are just not going to have that. They're a bit more resource constrained, right, but a lot of the same sort of like guidance and the workflows and just sort of way of thinking remains the same.

Speaker 1:

The threat actors? How are they targeting their individuals? Do you have any like interesting, like TTPs that you've seen recently that are like worth mentioning? Dumb question, but maybe you have a cool answer, so I have to ask it.

Speaker 2:

No, I mean like in this space, there's everything from the silent, zero glitch, zero day on your iPhone to be someone being detained at an airport, forced to give up all of their passwords, spyware at that point being installed on their unlocked device, to phishing, which can be anywhere from light and just sort of your regular run-of-the-mill, not very sophisticated type of phishing, all the way to something very targeted and a bit more sophisticated. It's really just all over the place.

Speaker 1:

Yeah, All right. If I go through an airport I landed in a country, should I be turning off my Wi-Fi and my Bluetooth? Or am I just being way too paranoid?

Speaker 2:

You should turn off your phone before you go through immigration.

Speaker 1:

Why.

Speaker 2:

If your phone is powered on, even if the screen is locked, it may be technically possible for someone to take that device and be able to get the data that is stored locally without knowing your passcode. If it's fully powered off, the phone is encrypted and the likelihood that they will be able to pull any information without your consent is slim to none. Without your consent is slim to none. It's also way easier to just power button turn off your phone than to individually go and turn off Wi-Fi and Bluetooth and whatever else.

Speaker 1:

You're right, that's actually totally right. The same applied to my Mac or my computer as well. I should also shut that off. Yes, correct. How the hell are they doing that? Like some magnets, that must be some, really advanced technology.

Speaker 2:

There are forensic tools that have that capability, and agencies in different countries have enough money to have them and use them at airports.

Speaker 1:

Cool Things like advanced protection, all these new Apple things, verified security keys and stuff like that. Do you recommend those?

Speaker 2:

So Apple has advanced data protection, which just means that the data in your iCloud is end-to-end encrypted, meaning you are the only one that can access that data. Apple cannot get a hold of it. Law enforcement trying to request it from Apple cannot get a hold of it. You should absolutely turn that on.

Speaker 1:

But that basically is like if you lose your phone and you don't have those security keys or your passcode or whatever that I set up, if you lose that, goodbye to your pictures. So just-.

Speaker 2:

Yes, exactly.

Speaker 1:

People need to know that.

Speaker 2:

What about lockdown mode for your phone?

Speaker 1:

lockdown mode. What is that?

Speaker 2:

okay. So apple took uh years of research into how spyware like pegasus gets onto an iphone and came up with this free opt-in security mode that you can turn on, called lockdown mode. That makes it even more difficult for spyware to install itself on your device. When you turn it on, you basically tap turn on, your phone will restart and it will be on, and before you do that you will get information about the things that are like slightly different. But if it's too much friction for you, you can always just go and tap turn off. Your phone will reboot and it will be off. So there's really no cost in like trying it out and to this day I am not aware of a successful compromise of a device with lockdown mode turned on and you can have that on for like your phone, your Mac, your iPad, your watch, all your Apple things, basically.

Speaker 1:

Was there any friction that it gave you in your life when you turned it on?

Speaker 2:

No.

Speaker 1:

No.

Speaker 2:

There are a couple of things that are like slightly different, Like when you get, if I send you a news article on iMessage like a link, right, you usually get like the thumbnail and you get the URL and you can tap on it to open it. In Safari, With lockdown mode on, you will just get the text URL and if you want to open it you have to copy it, open Safari and then paste in the link. The whole idea there is to prevent you from accidentally tapping a link that would infect your device with something. So yeah, that's a tiny bit more friction, but I think that's fine and it gives me that added safety.

Speaker 1:

Yeah. What about when it comes to browsers Like I have the DuckDuckGo one just because it has that button that you could just like burn all your cookies and whatnot? Is that paranoia, or is that just like, do it?

Speaker 2:

So I have a device that I travel with where I have a bit of a different way of working than my home device. So in some contexts yes, in other contexts I can see people saying that that's too much friction and it's too annoying and I need all my cookies.

Speaker 1:

DuckDuckGo is a horrible search engine, but they have that button, so if I know exactly what I'm looking for, I use that. If not, I use the Google Safari VPNs. Smart, always smart, always use VPN.

Speaker 2:

Not necessarily always so I think a VPN can be a great tool for location privacy. So if you are doing research for a story and you want to visit a forum and you plan on doing this multiple times over multiple days, using a VPN that exits in different locations, I think might be a good move, because if these people are actually paying attention to their web server logs, you don't want your main IP in Oslo to be the one that pops up over and over and over again because that might tip them off. So using a VPN, using something like Tor, I think would be a great option. Another use case is if you're traveling. Use case is if you're traveling, you know you're staying in a hotel.

Speaker 2:

The Wi-Fi or the network admin at that hotel or at that chain can then see which connections your devices are making. They can't see things like username and password. They can't see, like, specifically, which articles you're reading on nytimescom, but they can see that your device is visiting nytimescom. A VPN would only give them that you are using a VPN but times for any reason, because it just shifts who has access to what. But I don't think that it needs to be like a blanket. You must use it at all times um understanding which tools to use at what point in time and then sort of figuring out which level of usability versus friction you need and any given time good advice uh, sure, take down services in terms of like uh, they go and they ask data brokers to delete your, their stuff, your, whatever they know about you.

Speaker 1:

What do you think about that? Is that? Is that over at the top, or yeah?

Speaker 2:

No, I think it seems to be necessary if you live in the US, so in other countries it's perhaps not as big of a concern, but the second you live in the United States. Data brokers will all their different processes for removing your personal information. Making sure that that actually gets done. It takes a lot of time, takes a lot of resources. I would much rather subscribe to a service that can just do that for me. Again, for a lot of these data broker sites in the US. I did not appear in those databases until I moved to the US.

Speaker 1:

So that's just a way of life here. Is there anything I missed?

Speaker 2:

I'm just clearing my paranoia conscience right now, the only one you've mentioned so far that I don't have is the lockdown mode, which I'm going to do afterwards. Let's see If you're using Gmail. There's the advanced protection program for Google accounts that you can turn on, which requires you to use the physical security keys for two-factor Lockdown mode. Advanced data protection for iCloud advanced data protection for iCloud. There's a few different settings on X and Facebook, signal, whatsapp that you can use.

Speaker 2:

I think bottom line there is, for the different tools and sites that you're using, make sure that you from time to time review the security and privacy features that are available to you, because it's impossible to keep up Otherwise. There's a browser extension called Privacy Party that aims to help you review your privacy and security settings across different social media sites, because otherwise, for you to spend that time to go through all the different options, I think becomes very, very time consuming, and so the browser extension aims to make that a bit more approachable, so that you can be aware of and just really understand what it is that you're sharing, with whom, for how long, and be a bit more in control over how you use social media.

Speaker 1:

Privacy party. Every time I go into one of those sites and look at settings, I have 50 new things that are just like turned on. I'm like, hey, I never told you to turn on that.

Speaker 2:

Exactly.

Speaker 1:

Especially Facebook. They're the worst. I got rid of X. Thank you so much, for I didn't mean to make this like a personal security thing, but that's actually what it became and I think that if everybody in a company kind of thought and had this conversation with themselves or their colleagues, that would up the standard of security for the company, if their employees were kind of thinking along these lines.

Speaker 2:

That would be huge. I think that would make a big difference for people.

Speaker 1:

Any final words from you?

Speaker 2:

I think this has been great. It was a lot of fun.

Speaker 1:

I appreciate you saying that. I also think it was very fun, but I've got a lot out of it, so it makes sense. So, for all you listening, granit G-R-A-N-I-T-T. Granit right, yes, granit, if you need help with your personal security journey or your journalists or your high-risk individuals, hit Runa up. Are you going to be at a CKS festival this year?

Speaker 2:

No, but I'm sure I'll be in Oslo at some point in the fall Cool, I'll be in Oslo at some point in the fall. Cool, I'll let you know.

Speaker 1:

Well, let me know I owe you one. Thank you so much for your time. Stay safe over there in the States and have a wonderful summer.

Speaker 2:

Thank you, you too.

Speaker 1:

Talk soon, Ciao. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonicnet. Thank you for listening and we'll see you next time.

People on this episode