Facebook to be blocked in Papua New Guinea for one month

By Lisa Vaas

Who are these people who hide behind fake Facebook accounts? …Who uploads porn? …Who spread fake news? And how does it affect people’s security? …Their productivity? …Their well-being, or lack thereof?

One inquiring Communication Minister wants to know, and he’s planning to shut down Facebook for a month to get some answers as he tries to better enforce Papua New Guinea’s (PNG’s) 2016 Cyber Crime Act.

The Post Courier reported on Monday that PNG Communications Minister Sam Basil plans a month-long Facebook block that will give his department and the southwestern Pacific country’s National Research Institute a chance to research how people are interacting with the social network.

The Post Courier quoted the Communications Minster:

The time will allow information to be collected to identify users that hide behind fake accounts, users that upload pornographic images, users that post false and misleading information on Facebook to be filtered and removed.

This will allow genuine people with real identities to use the social network responsibly.

Basil and his department haven’t yet determined the timing on the ban, but as The Guardian reports, he’s been raising concerns about Facebook for a while.

There’s the privacy issue, for one. Last month, Basil told the agencies under him to do some research in order to advise him on how to protect the privacy of Facebook users in PNG.

That directive followed the revelation that Facebook apps were vampire-ing the personal data of millions of users and sending it to data-analytic firms such as Cambridge Analytica.

That leak was the first in what’s turning into a river: the Cambridge Analytica revelations were followed by news of similar leakage to Cubeyou and myPersonality.

Basil closely followed the aftermath, when first the US Senate and then the House of Representatives beckoned Facebook CEO Mark Zuckerberg into Washington for back-to-back hearings on the issues of Cambridge Analytica, fake news, fake accounts, Russian meddling, bots and other Facebook follies, including the class action lawsuit against Facebook over its facial recognition practices.

Read more at https://nakedsecurity.sophos.com/2018/05/30/facebook-to-be-blocked-in-papua-new-guinea-for-one-month/

Tor exit node admin acquitted of aiding terrorism

By Lisa Vaas

In 2017, Russian police detained a 26-year-old math teacher for allegedly calling for riots in Moscow’s Red Square.

According to The Moscow Times, the police were after whoever posted under an alias to call for “rags, bottles, gas, turpentine, Styrofoam and acetone” to be brought to an unsanctioned protest. The posts also contained a link to a music video in which protesters launch Molotov cocktails at police.

A year later, the teacher, Dmitry Bogatov, has been acquitted.

Bogatov denied writing the posts: as the administrator of a Tor exit node, it could have been anyone who used his IP address. Bogatov hosts a Tor node, through which other internet users can surf anonymously.

He’s not the first Tor node administrator whose IP address has led police to his door. Two years ago, police traced illegal child abuse imagery to a married couple’s home IP address in Seattle.

Early one morning, Jan Bultmann and David Robinson woke to detectives from the Seattle Police Department who demanded passwords to access the couple’s computers. They consented to the search and gave their passwords to police, who found no child abuse imagery, didn’t seize any equipment, and made no arrests.

The couple, who are well-known privacy advocates, are also hosts for a Tor exit node – a fact that local police were aware of.

Read more at https://nakedsecurity.sophos.com/2018/05/30/tor-exit-node-admin-acquitted-of-aiding-terrorism/

Facebook battles tiny startup over privacy accusations

By John E Dunn

Is there no end to Facebook’s petty humiliations?

Two weeks ago, CEO Mark Zuckerberg found himself having to account for his company’s behavior to members of the European Parliament, the latest round in the Cambridge Analytica ‘apology tour’ that happened after badly-received gigs in Washington in April.

But it’s not just the big guys that Facebook is having to answer to. This week, in a sign that even small problems have become big problems, it was the turn of an obscure startup called Six4Three to cause the company trouble.

The suit’s origins lie in Facebook’s 2014 decision to shut down the Friends data API, through which users could allow thousands of third-party apps to track their friends’ location, status, and interests.

One app that fell afoul of this supposedly privacy-oriented change was Six4Three’s $1.99 smartphone app Pikinis which touted the ability to find pictures of a user’s Facebook friends in their swimwear.

Tough luck, you might say, except that Six4Three launched a suit in 2015, in which it was alleged that Facebook turned off the tap as a way of forcing developers to buy advertising, transfer intellectual property or even sell themselves to it at below market value.

The change came in the wake of post-2012 worries about Facebook’s ability to generate revenue from advertisers as they switched to mobile platforms, which allegedly gave Facebook the motive to strong-arm developers.

Read more at https://nakedsecurity.sophos.com/2018/05/30/facebook-battles-tiny-startup-over-privacy-accusations/

Are your Android apps sending unencrypted data?

By Matt Boddy

Have you ever wanted to know what your phone is up to?

Good, then this article is for you.

Phones are locked down so you don’t have to worry about what’s going on under the hood. That’s great if you want a device that Just Works, and it’s the exact opposite if you’re the kind of person that worries about what it might be up to – like me.

Fortunately, if you have a bit of time and some technical skills, there are some simple ways to see what your apps are up to.

One of the things I worry about is oversharing – apps sending out more data than they need to, or transmitting data in insecure ways – such as using unencrypted HTTP requests instead of HTTPS.

My concerns led me to do some network analysis on popular Android apps, following the methodology set out in the OWASP Mobile Security Testing Guide.

I’ll tell you what I did, what I discovered and how you can do it to.

Read more at https://nakedsecurity.sophos.com/2018/05/29/are-your-android-apps-sending-unencrypted-data/

Wayback Machine ‘unarchives’ spying website

By Danny Bradbury

Who is archiving the web, and what happens when people ask for information to be ‘un-archived’?

The internet found out recently, when a company with a questionable marketing history reportedly asked the world’s best-known web archive to eradicate its information.

The Wayback Machine, which is run by the non-profit Internet Archive, has been quietly archiving as much of the web as it can to create a permanent record of our fast-moving, volatile digital landscape.

The archive’s preservation of online data has proven valuable on several occasions. In 2014, Ukrainian separatist leader Igor Girkin bragged about downing a Soviet military cargo plane on social media. After that plane was revealed as Malaysia Airlines Flight 17, the post was deleted, but the Wayback machine still had the original message.

Clearly, archiving information has its benefits. So what happens when someone doesn’t want information about them to stick around?

This issue came up recently when Thailand-based FlexiSpy reportedly asked the Internet Archive to delete its webpages from the Wayback Machine. FlexiSpy, which sells software for monitoring phones and desktop computers, used to market its software as a tool to spy on cheating spouses. As Motherboard points out, another archive still maintains images of the company’s site from several years ago.

Search the Wayback Machine’s archive for FlexiSpy, however, and it reports that the URL has been excluded. Does that mean it complied with the request?

The Internet Archive did not respond to requests about its policy. However, its terms and conditions say that if asked by an author or publisher, it “may remove that portion of the Collections without notice.” Its FAQ says that site owners can “send an email request for us to review”.

Read more at https://nakedsecurity.sophos.com/2018/05/29/wayback-machine-unarchives-spying-website/