Friday, November 18, 2011

Facebook's porn and gore attack: Who gets the blame?

msnbc.com

By Helen A.S. Popkin

Some of it was just funny - an image of Justin Bieber passionately singing into a man's ... um ... appendage pasted where the microphone should be.

Other hardcore porn images were of the banal fare so easily found outside Facebook's gated Internet community. But there was also the Newsfeed spam featuring child pornography reported by some. The bloody dead dog and decapitated corpses were also among the shocking fare Facebook users found themselves subjected to when the week began and the world's largest social network battled "a coordinated spam attack that exploited a browser vulnerability."

"XSS, as I suspected," Jay Ashworth, this computer geek I know from Facebook, said following confirmation of the days-long debate by security experts and civilians alike over what caused - and who was behind - the gore and porn spreading across the social network. An XSS scam - or cross-site scripting - is as common as Facebook scams come, spread largely because of uneducated and/or insatiably curious Facebook users tricked into copying and pasting offending JavaScript into a vulnerable browser.

Here's Facebook's official statement:

Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.

During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We've built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.

Oh, and you can bet they are. While many users threatened to quit the site and made accusations that Facebook CEO Mark Zuckerberg couldn't care less about the ick that might very well have caught the eye of Grandma and/or all those 11-year-olds parents allow to lie about their age to be on the social network, Facebook wants the nude splatter-fest out of your News Feed even more than you do. Because it's a business. Businesses are customarily not fans of outside influences that drive away customers. And therein - as the much-abused Hamlet quote goes - lies the rub.

While Facebook points to a flaw in a browser, it won't identify which browser allowed the malicious code to spam violated Facebook accounts. While naked people and blood splatter grab the headlines, less sensational XSS and clickjacking scams such as tricking Facebook users into clicking on "Why were you tagged in this video?" or pasting code into browsers in the hopes of getting a free meal at Olive Garden are so quickly forgotten they're often repeated.

"The bigger question is what motivated the attackers to use this flaw in such a strange way?" Chester Wisniewski of Sophos writes in the security company's Naked Security blog. "We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100 percent of them lead to some financial payout for the scammer." Usually, scammers earn money when Facebook users are tricked into viewing advertising.

The latest outbreak "seems to be a purely malicious act," Wisniewski writes. "Facebook has a reputation for maintaining a reasonably family friendly environment and most Facebook users don't expect dead dogs and penises showing up on their wall."

The lack of monetary motivation has led security experts and others to speculate whether this was an attack by the hacker collective Anonymous, but there are no clues or confirmation. Facebook is letting it be known that it's on the case.

"In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow," Facebook said in an email statement. The site cited two prominent anti-spam legal victories.

In 2009, Facebook successfully sued "Spam King" Sanford Wallace for spamming users' Facebook walls in a lawsuit that resulted in a $711 million judgment in the social network's favor and possible jail time for Wallace. In 2011, Facebook was awarded more than $360 million in statutory damages from spammer Philip Porembski, who grabbed the login info of at least 116,000 accounts, which he used to spam 7.2 million users.

Meanwhile, Facebook users can do a lot to prevent spam simply by not clicking on suspicious links. Viral scams persist on Facebook because Facebook users continue to click malicious links. Over the last year, Facebook stepped up its defenses against these seemingly unstoppable pests by launching a variety of new security tools to help prevent spam and educate users.

To review, here are some things you can safely assume you won't see via Facebook: Osama bin Laden's body, that video of that thing Justin Bieber did to that girl, what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile, or any "authentic" message from Facebook WRITTEN IN ALL CAPS.

If you do get sucked into this or any Facebook spam scam, it's easy to remove the application, using Facebook settings, so that it no longer accesses your profile. Here's how:

  • Remove any content the rogue app may have posted on your Facebook wall.
  • Go to the Account Settings drop-down menu in the upper right side of your screen.
  • From the Account Settings drop-down menu, choose Privacy Settings.
  • On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
  • On the App page, next to "Apps you use," select edit settings.
  • There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
  • Send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.
  • Join Facebook's Security page as well as the Sophos security page on Facebook to stay up-to-date on the latest security issues.


Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

Source: http://technolog.msnbc.msn.com/_news/2011/11/16/8838807-facebooks-porn-and-gore-attack-who-gets-the-blame
