Thursday, 27 August 2015

SumVoices: Cyber Security & Social Media in Indonesia

SumNews is excited to launch SumVoices, a series that invites individuals around the globe to share their local knowledge of the Internet, cybersecurity, digital privacy and net neutrality. If you are interested in contributing to SumVoices, please email blog@sumrando.com for more information. 

In our first post, Indonesian author and entrepreneur, Ollie, offers a glimpse into the dangers that lurk for internet users in Indonesia. Be informed, surf secure and stay Rando!

Ollie, internet, cybersecurity, cyber security, Indonesia, Aulia Halimatussadiah, social media
The Indonesian Internet, according to Ollie.
Threat #1: Stolen Passwords
A few months ago, my father suddenly got many phone calls from his friends, not to have a conversation, but to inform him that his Facebook account had been hacked.

Someone stole my father’s Facebook password and used it to break into his account and started to message his friends to ask for money. Apparently these hackers actually do it manually because they replied on many kinds of questions asked by my father’s friends.

My father is one of 65 million people in Indonesia that have logged into Facebook at least once. From 74 million internet users in Indonesia, that’s 30% internet penetration. Most of them are very active to Facebook, Twitter, Instagram and other social media sites, but only a few of them know the danger they face every day due to the reckless use of social media.

Threat #2: Malicious Malware
Not only password hacking, Facebook users in Indonesia also face malicious malware from a virus in the form of links. Gadis Mabuk XXX, or Drunk Girl malware, tries to ‘sell’ sexually explicit videos of drunk girls to attract people to click the dangerous link. The link has circulated Indonesian Facebook accounts and more than 2,000 Facebook accounts were affected.

Threat #3: Romance Scams
Romance scams are also happening on Facebook. One girl shared her experience of having a relationship with someone from the military that seduced her on Facebook. Luckily, she’s aware of the situation, and it didn’t cost her financial loss. But romance scammers know exactly what Indonesian women want: a fairy tale. A stable relationship with some hunk and romantic foreigner from the States. Sometimes the relationship has been widely known by their friends and their family, so, when the time has come for this ‘fake boyfriend’ to come to Indonesia, she will do everything to help make her dreams come true. That’s including sending thousands of dollars when the so-called fake boyfriend calls from immigration, asking for help. Even if only 1% of Indonesian women users fall for the scam, that's still around 300,000 people. The potential damage from romance scams alone is $3 million, minimum.  

Threat #4: Email Phishing
Scams using social engineering through email can easily be found in the community. I won’t respond for that email from the King of Ghana, but when my own friend with his own email sent me an email with subject: Important Files, this was the one that I almost clicked. What saved me was: being aware of what I’m clicking.

Being aware of phishing saved Benakribo, a famous blogger and videographer from Indonesia. His Instagram account was almost hacked. If he cared less to check the email address of the sender and clicked the very convincing link that was sent to him anyway, he not only would have lost his precious contents, but also the 264,000 followers and community he had built for years.

The Future of Indonesian Cyber Security
Research by eMarketer estimates that by 2018, nearly 95 million people in Indonesia will access Facebook via their phones. More access to technology means more education and awareness of cyber security is needed for the general population. It’s the role of government in Indonesia to help implement the basic education on safe internet practices from early level of education at schools. Participation of private sectors to assist with trainings and individuals to spread the awareness of best practices would increase the strength of people’s cyber defense. And it should start, not next year nor tomorrow, but now, by educating yourself on how cyberattacks look and work on the internet in general and on social media. 

Have a safe day!

Ollie has published 27 books and founded several startups in Indonesia. She participates in Girls in Tech Indonesia to encourage girls to use technology as a catalyst for success. For such work, she received the Indonesian Ministry of Communications and Technology's Kartini Next Generation Special Award 2013--Inspiring Woman in ICT and was listed in InfoKomputer's 2011 Top 10 Women in Indonesia as well as Girls in Tech's 2012 5 Geek Girls in Asia to Look out for. Learn more about Ollie at www.salsabeela.com/about and follow her on Twitter @salsabeela

Wednesday, 26 August 2015

Twitter Shuts Down Politwoops, Signifying “Work Left to Do”

Last Friday, Twitter informed Open State Foundation that it would no longer have the API access necessary to continue Politwoops and Diplotwoops, platforms that post the deleted tweets of elected officials, diplomats and embassies in 30 countries including Egypt, India, Tunisia and Turkey. The news was hardly a surprise, given the suspension of API access to Politwoops US in May, but certainly came as a disappointment. 

Politwoops, Diplotwoops, Sunlight Foundation, Open State Foundation, Twitter, campaign tweets
Politwoops US archived campaign tweets, which will no longer be available. [Source: Politwoops]

Until Friday, Politwoops and Diplotwoops had provided valuable insight into politics for journalists and everyday citizens alike. Of note, Politwoops US caught politicians rescinding their praise of Sgt. Bowe Bergdahl once they discovered that his 5 years of Taliban captivity may have been initiated by his own desertion and that his freedom came at the cost of releasing five Taliban detainees. Politwoops US also preserved Senator Nancy Pelosi mistaking the African continent for a country.
Arjan El Fassed, Open State Foundation’s Director argued, “What elected politicians publicly say is a matter of public record. Even when tweets are deleted, it’s part of parliamentary history. These tweets were once posted and later deleted. What politicians say in public should be available to anyone. This is not about typos but it is a unique insight on how messages from elected politicians can change without notice.”
Twitter’s defense of its decision has raised all sorts of eyebrows and red flags. The statement received by Open State Foundation read in part: “Ultimately, Twitter’s decision was guided by the company’s core value to “Defend and respect the user’s voice.” The ability to delete one’s Tweets—for whatever reason—has been a long-standing feature of the Twitter service. Imagine how nerve-racking—terrifying, even—Tweeting would be if it was immutable and irrevocable? No one user is more deserving of that ability than another.” Twitter further claimed that Politwoops and Diplotwoops violate their developer agreement, which promises to delete content that has been deleted.
Twitter believes that all users should be treated equally, but established protocols push against this notion. Google’s Right to Be Forgotten, for example, simultaneously protects a citizen’s right to anonymity and her right to information about public figures. Politwoops and Diplotwoops share tweets that are considered public information and deserve protection as such. Many countries guarantee a right to access of public information--temporary or otherwise--a fact that has pushed Open State Foundation to pursue alternate ways of continuing its deleted tweet project.
If there were a flaw in the Politwoops and Diplotwoops model, it is not the “nerve-racking terror” imbued by a tweet living on in perpetuity. It is simply that these platforms have always relied on Twitter’s willingness to share user data with a third party. Open State Foundation has used human curation to carefully distinguish between that which is public and that which is private, but ultimately the platforms represent yet another example of users signing up for one service and unwittingly feeding their information elsewhere.
The criticism for Twitter’s latest action far outweighs the praise, but unfortunately, in a world where legislation has not caught up with technology, it is ultimately free to do as it likes. Sunlight Foundation President Chris Gates perhaps summed it up best: “Technology is creating new and imaginative ways to support a healthy civic discourse, but we clearly have work left to do to determine how our expectations for public discourse will play out in privately owned and managed spaces.”

Monday, 24 August 2015

2015 World Press Freedom Index Shows a “Worrying Decline”

In Bangladesh, 4 “atheist” bloggers have been brutally murdered this year.

In Egypt, 22 journalists sit in prison.

The really scary fact, however, is this: of the 180 countries on the 2015 World Press Freedom Index, Bangladesh ranks 146 and Egypt ranks 158. Two countries with little regard for freedom of expression are simply two of many—and are actually more tolerant than dozens.

Reporters Without Borders’ 2015 World Press Freedom Index map and rankings:


The index takes into account each country’s plurality of opinions, media independence, environment and self-censorship, legislative framework, transparency, infrastructure and abuses of information providers.

The good: Finland, Norway, Denmark, the Netherlands, Sweden, New Zealand, Austria, Canada, Jamaica and Estonia topped the index.

The bad: Laos, Somalia, Iran, Sudan, Vietnam, China, Syria, Turkmenistan, North Korea and Eritrea claimed the bottom 10 spots.

The ugly reality: Overall, 2015 Press Freedom showed a “worrying decline” with two-thirds of countries exhibiting a decrease in freedom as compared to 2014. According to the study, reasons for the decline include the continuance of global conflicts, the proliferation of non-state actors, the growth of religious censorship, an increase in opposition to journalists covering demonstrations, a shift in the European Union away from freedom of information, an increased emphasis on “national security” in democracies and non-democracies alike and authoritarian regimes seeking evermore control. 

Know your freedoms, surf secure and stay Rando!

Friday, 21 August 2015

Egypt’s “Anti-Terror” Law Further Limits Free Speech

Mahmoud Abou Zeid, Egypt, detained, photojournalist, Abdul Fattah al-Sisi
Mahmoud Abou Zeid [Source: CPJ]
August 14, 2013: Egyptian photojournalist Mahmoud Abou Zeid was detained while covering a pro-Morsi sit in. He remains imprisoned, without charges or trial.
Saeed Abuhaj, Muslim Brotherhood leaflet, Abdul Fattah al-Sisi, Egypt
Saeed Abuhaj [Source: CPJ]

November 4, 2013: Egyptian videographer Saeed Abuhaj was arrested on anti-state charges. While filming a Muslim Brotherhood demonstration, he was found carrying a leaflet in support of the outlawed organization. A trial date has not been established.

April 9, 2014: Egyptian Freedom and Justice Gate correspondent Abdel Rahman Shaheen was arrested on charges of inciting and committing violence during protests. In February 2015, charges of aiding terrorism and broadcasting false news were added.

January 31, 2015: Egyptian Freedom and Justice Gate editor and cultural affairs correspondent Ahmed el-Tanobi was arrested for “incitement against the government,” “participating in illegal protests,” and belonging to an “illegal group.” Tanobi was released with bail on June 9.

August 16, 2015: Egyptian President Abdul Fattah al-Sisi signed an “anti-terrorism” bill into law.

In short, a bad situation just became far worse. 

Currently, 22 journalists are imprisoned for their reporting on Egyptian affairs. Sisi’s new law will only serve to expand the state’s ability to punish freedom of expression. 

As the BBC News explained, under the new law:

  • Trials for suspected militants will be fast-tracked through special courts. Anyone found guilty of joining a militant group could face 10 years in prison
  • Financing terrorist groups will also carry a penalty of life in prison (25 years)
  • Inciting violence or creating websites deemed to spread terrorist messages will carry sentences of five to seven years
  • Journalists can be fined between 200,000 and 500,000 ($25,500-$64,000) Egyptian pounds for contradicting official accounts of militant attacks

The Committee to Protect Journalists’ Sherif Mansour remarked, “As of today, journalists are legally prohibited from investigating, verifying, and reporting on one of the most important matters of public interest. The state has effectively made itself the only permissible source of news on these stories.”

The law, however, will not stop at published journalists. It broadly defines terrorism as any act designed to harm public order, social peace or national unity, consequently posing a threat to a long list of individuals who do not see eye-to-eye with Sisi. 

According to BBC columnist Bill Thompson, “They’re trying to control all of the avenues through which information can get to people because they’re concerned about the impact it might have. And even if the intentions are good, it will have a chilling effect because the penalties can be so severe…I just worry that the flow of information particularly within Egypt about these important things is going to be so limited that the population won’t have the information they need to make good choices or to influence the policy of the government. It gets in the way of politics if you say you can’t say anything except what the government allows. That’s the danger.”

Sisi’s strict anti-terrorism law is largely an attempt to maintain order in the face of increasingly routine jihadist attacks and the assassination of Prosecutor General Hisham Barakat in particular. If the events immediately following the signing of the law are any indication—peacekeepers looking to pull out of the Sinai Peninsula, a security building bombed, and four Palestinians kidnapped—the law will bring anything but peace.

Tuesday, 18 August 2015

It’s A Vulnerable World: mid-August 2015

Early August brought renowned security conferences Black Hat and USENIX, and with them came a seemingly endless list of vulnerabilities. With Tor, Apple and even the Internet of Things on the roundup below, it’s hard not to wonder if anything remains secure:

Challenging the notion that Apple computers are inherently secure, researchers proved that even the Mac can succumb to the attack of a firmware worm. Researcher Xeno Kovah highlighted the severity of such an attack: “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
The United States Food and Drug Administration warned that the Hospira Symbiq Infusion System is vulnerable to takeover by hackers and advised against its use. The pump system is commonly used to send medication into the bloodstream of patients in hospitals and other healthcare facilities.

RSA reported that a China-based VPN, dubbed the“Terracotta” network, has obtained many of its hundreds of exit nodes by hacking into vulnerable Windows servers across the globe, which are then used to exploit government and commercial organizations. Hackers such as those responsible for the U.S.’s OPM attack are thought to be operating out of the Terracotta VPN. 

Tor, security vulnerability, MIT, QCRI, EFF
Researchers successfully unhid hidden Tor servers. [Source: EFF]
MIT and QCRI researchers proved that Tor, a network that protects anonymity by routing traffic through a series of tunnels, has its flaws: by analyzing traffic patterns and without breaking encryption, the researchers determined what sites users were visiting.

Within days of the release of Windows 10, Cisco reported an accompanying ransomware scam. A phishing email masking as a Windows 10 update releases CTB-Locker and asks for payment within 96 hours.

Security researcher Paul Rosenzweig argued that Apple’s iPhone is anything but end-to-end secure, citing cellular provider and metadata records, brute-force password unlocking, iCloud backup and potential for wiretapping as concerns. Before you abandon your iPhone for Android, keep in mind ACLU technologist Christopher Soghoian’s recent tweet: “If law enforcement can’t hack the hundreds of millions of Android phones running out-of-date, vulnerable software, they’re not trying.”

Vulnerable encryption keys were found in Zigbee, a wireless language that connects 1000+ Internet of Things devices, meaning door locks, lights and other smart home devices could all fall into the hands of hackers. A Symantec report released at Black Hat 2015 further suggested that Internet of Things vulnerabilities could be ransomware's next frontier.

Internet of Things, Symantec, Zigbee, security vulnerability, insecurity
The Internet of Things is increasingly a part of (insecure) everyday life. [Source: datasciencebe.com]
A committee investigation reported alarming structural flaws in the U.S. Food and Drug Administration, the National Institute of Health and the Department of Health and Human Services. In the authors’ words, “Americans should not have to worry that the U.S. government is left so vulnerable to attack…Unfortunately, the bar has been set low and we have nowhere to go but up.”
Israeli researchers proved it is possible to take data from an air-gapped computer with an out-of-date features (i.e. not smart) phone, technology that is frequently allowed in otherwise secure areas.

Government ministries in India are taking measures to defend themselves against Pakistani attempts to retrieve sensitive information. The ministries of Defense, External Affairs, Civil Aviation, Finance, Power and Telecoms are all on alert.

Security researchers Alexandrea Mellen and John Moore revealed the danger of using a Square Reader to complete a credit card transaction: “In the [point of sale] market, we’ve seen new hardware and software coming out from lots of providers usually implementing their own solutions. These are cheap, compact and compatible. They also face the challenge of being secure. Lower hardware budgets and their ability to interface with cell phones that are used for other purposes is leaving customer card information vulnerable and making it harder to secure devices.” Mellon and Moore cracked a Square Reader in less than 10 minutes.
Anonymous, Malaysia, Anonymous Malaysia, Prime Minister Najib Razak, August 29, security vulnerability, insecurity
Anonymous has threatened Malaysia with an Internet war. [Source: Anonymous]

Anonymous Malaysia has threatened an “all-out Internet war” against the government if Prime Minister Najib Razak does not resign by August 29. In response, government agencies are in the process of upgrading software and patching security vulnerabilities.

A study presented at the USENIX Security Symposium showed that journalist practices are frequently inadequate for protecting sensitive information. According to senior author Franzisksa Roesner, “It’s not just a matter of giving journalists information about the right tools to use—it’s that the tools are often not usable. They often fail because they’re not designed for journalists.”

If we’ve missed any vulnerabilities, let us know in the comments below. Surf secure and stay Rando!