Once again with security Spam


Why can't we pay attention to FB hacking warnings?

People do hack FB profiles; it happens every day. They often do it by inducing the target user into clicking a link that can steal their login information in any number of ways. This happens. It's a Big, Bad Internet, and in all likelihood at some point you will:

  • Have your bank information stolen
  • Have your FB, Twitter, etc. account password stolen
  • Have your machine used in a botnet, used as a spam relay, or hacked in one of countless other ways

This sort of thing happens every day, to all of us. There are people deeply involved in network security who accidentally click some link and get their profile hacked.

Occasionally, you see status updates like this:

BEWARE ATTENTION: THE HACKERS ARE PUTTING SEXUAL VIDEOS TO YOUR NAME IN THE WALLS / PROFILES OF YOUR FRIENDS WITHOUT YOU KNOWING IT. YOU DONT SEE IT, BUT OTHER PEOPLE CAN SEE IT, AS IF THESE WERE A PUBLICATION THAT YOU MADE! ALSO, THEY'RE SENDING INBOX MSGS TO YOUR FRIENDS ASKING YOU TO CLICK A LINK. DON'T DO IT!! SO IF YOU RECEIVE SOMETHING FROM ME ABOUT A VIDEO OR A STRANGE INBOX MESSAGE, IT'S NOT ME! copy this in your wall. It is for the security of YOUR OWN IMAGE!!! And REPORT IT!!!!! ALSO IF U ARE ASKED TO VOTE ON A PICTURE. DO NOT GO & VOTE: IT'S A HACKER!! POST THIS TO YOUR WALL FOR YOUR FRIENDS

There are so many problems with this that they're hard to count. It's no different from a chain email warning of some vague threat from some vaguely familiar antagonist, like the FEMA camp emails. It's so vague as to be meaningless, and it just screams BE AFRAID, literally as loudly as possible. ZOMGFEMAGONNATAKEAWAYMYGUNSANDLOCKUPOURFAMILIES.

ZOMGHACKERZONTHEINTERNETSWTFBBQ.

There are legitimate people doing hard work daily to make web browsing safer for everyone. These sorts of ridiculous "warnings" do a serious disservice to everyone in the community and lower awareness among exactly the people we should all be trying to reach. The more people keep re-forwarding this stuff, the more it becomes just "noise", and people start paying even less attention to their security than ever. People see this stuff the same way they see 2012 Mayan calendar doomsday predictions, urban legends, and plain SPAM, and they tune it out, and they're not wrong to do so.

Real threat alerts look much more like this (from the NIST CVE database for CVE-2011-2383):

Vulnerability Summary for CVE-2011-2383
Original release date: 06/03/2011
Last revised: 09/27/2011
Source: US-CERT/NIST

Overview:
Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue, aka "Drag and Drop Information Disclosure Vulnerability." NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release.

Impact:
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

What that means is "Someone can steal your cookies, and can gain lots of information about you, including usernames, passwords, session IDs".

You'll see that the CVE ticket is pretty dry, considering the potential impact, but behind it there is plenty of corroborating evidence, even videos showing how easy it is to pull off. And all the attacker has to do is get you to click on a link.

The point is to always be aware before clicking on anything. If something is unusual, or sent by someone you almost never hear from, don't click it. If it's misspelled, has bad grammar, or is written in ALLCAPSALLTHETIME, don't click it. If you really, really just need to see what some near-stranger who can't spell needs you to click on so badly, then at least be aware of the risk you're taking.

For what it's worth, folks: I'm unlikely to send you a link to porn, unless I'm really, really drunk. If I do, I'll just go ahead and apologize now.