Schneier on Security
A blog covering security and security technology.
« Cat Smuggler |
| The Politics and Philosophy of National Security »
January 9, 2013
Denial-of-Service Attack Against Facebook
Just claim the person is dead. All you need to do is fake an online obituary.
Posted on January 9, 2013 at 6:44 AM
• 12 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Or find someone with an identical name to that on an actual obituary.
I hope people discover that's all this "social" sites is just a waste of time... go live..
Another technique, reported a week or two ago, is to create a new Facebook group, add the intended target as administrator, and then post material which contravenes Facebook's terms and conditions. Voila: all administrative accounts for the group are disabled.
All the experimental indications are that you only need an obit with a vaguely similar name. No need to fake, just google. Maybe they'll tighten it a bit now, but it appears this has been an open issue since at least 2009.
There's a flip side too, a Facebook user who was a personal friend died (at a tragically young age) and the reminders from FB were upsetting to some. That issue was resolved, though. All-in-all there's a balance and I think social media are useful even if not ideal.
Given that Rusty hardly ever posts to his own website, it was probably easy to fake his death.
I hope they have safeguards against repeated attacks.
This isn't new:
Two years ago internet security researcher Robert Hansen, aka RSnake, announced he would leave the web app sec research scene and stop blogging. His peers performed this same attack to "memorialize" his Facebook persona.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.