Trusted Friend Attack (TFA) allows attackers to compromise Facebook accounts by exploiting the "Forgot Password" and "Trusted Friends" features. The speaker conducted tests compromising 11 out of 69 accounts either by answering exposed security questions or using fake trusted friend accounts. Facebook could improve security by not exposing private information to potential attackers during the password recovery process and ensuring only the legitimate account owner can access recovery options.
Trusted Friend Attack: Guardian Angels Strike
4. A RESEARCHER IN RUHR-UNIVERSITY BOCHUM (RUB), GERMANY
A STUDENT WORKING TOWARDS HIS PHD
LISTED IN ALMOST EVERY HALL OF FAME PAGE
@soaj1664ashar
12. STEP (1)
Go to https://www.facebook.com/
Click "Forgot Your Password?"
13. STEP (2)
Enter Your Email, Phone, Username or Full Name
Provide email address and click on "Search" button!
https://www.facebook.com/login/identify?ctx=recover
24. TRUSTED FRIENDS FEATURE
Introduced in October 2011
(https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766)
25. TRUSTED FRIENDS
"It's sort of similar to giving a house key to your friends when you go on vacation -- pick the friends you most trust in case you need their help"
https://www.facebook.com/notes/facebook-security/national-cybersecurity-awareness-month-updates/10150335022240766
26. TRUSTED FRIENDS ACCORDING TO READWRITE:
""Who Wants To Be A Millionaire" lifeline concept - except it's not a one-time deal."
http://readwrite.com/2011/10/27/facebook_adds_security_features_trusted_friends_ap#awesm=~ohkTq
42. FACEBOOK FRIEND VS REAL LIFE FRIEND
http://blogs.mcafee.com/consumer/fake-friends
43. A SHORT FUN STUDY
Created 3 FAKE ACCOUNTS and sent friendship requests to TWENTY (20) friends of mine on Facebook.
After some time, 8 friends had accepted all 3 requests
44. DATA SCIENCE OF THE FACEBOOK WORLD
On average a Facebook user has 342 friends!
DO YOU THINK ALL 342 ARE REAL LIFE FRIENDS ALSO OR JUST FACEBOOK FRIENDS OR WHAT ...?
http://blog.stephenwolfram.com/2013/04/data-science-of-the-facebook-world/
45. SUMMARIZE EVERYTHING ABOUT FACEBOOK & REAL LIFE FRIENDS
http://www.lolroflmao.com/2012/02/24/he-had-over-2000-friends-on-facebook-i-thought-it-would-have-more-people-here/
46. TRUSTED FRIEND ATTACK (TFA)
In order to start TFA, we need the victim's Facebook username and FYI, it is PUBLIC INFORMATION & part of the Facebook URL.
e.g., https://www.facebook.com/ashar.javed
47. ONCE TARGET SELECTED
Repeat the "Forgot Your Password" process as mentioned before until STEP (3) i.e., "No longer have access to these?"
48. NO LONGER HAVE ACCESS TO THESE?
sometimes opens the following dialog box (old & new version) :)
HOW AWESOME THEY ARE? :-)
https://www.facebook.com/recover/extended
In order to find the answer of "sometimes", I did an empirical study (discussed later).
49. QUESTIONS...
How can Facebook bind this new email address or phone number to the legitimate user's address or phone?
How can Facebook differentiate between an account recovery procedure started by a legitimate user and the one started by an attacker?
Is it even possible?
I think NO!
50. CREATE NEW EMAIL ADDRESS AND ENTER IN THE PREVIOUS DIALOG BOX & HERE YOU HAVE:
51. QUESTION
Why is Facebook exposing the one selected PRIVATE SECURITY QUESTION in front of the ATTACKER?
Facebook is providing an option to the attacker that he can select from two routes i.e.,
1. Answer Security Question
2. Choose Three Friends of Attacker's Choice
52. TFA'S VARIATIONS/FORMS
1. Involve one attacker i.e., the case where attacker will answer the exposed security question
2. Involve three friends i.e., the case where attacker chooses three friends of his choice
54. ATTACKER'S CHOICES
Do selection of friends in a normal manner even without POST-DATA manipulation (works 100%)
Try to send codes to his controlled accounts that are not on victim's friend list. (Doesn't work)
Try to send codes to an attacker's controlled accounts that are on victim's friend list but not in the presented list of trusted friends. (works 50%)
Try to send codes to an attacker's controlled accounts that are on the presented list of trusted friends and use POST-DATA manipulation (defeat Facebook's shortening of list items). (works 100%)
Try to send all codes to himself (evil idea). (Doesn't work)
61. WHAT DOES IT MEAN?
I think it means that if an attacker selects himself or any particular account 3 to 5 times for different victims then Facebook blocks access to that particular account!
64. CHAIN TRUSTED FRIENDS ATTACK (CTFA)
In CTFA, attacker can make a chain of compromised accounts and with the help of the chain he may compromise account(s) that are not even in his friends list.
69. ACCORDING TO "ME"
Following ways work like charm:
-- In case of social network, answer can be found on public profile.
-- Directly ask the answer via routine Facebook chat... most of the time you will get the answer.
-- Make a QUIZ related to security question and post to your friends.
-- In case of family members or close friends, you already know the answer.
70. ANOTHER BAD SECURITY PRACTICE
https://www.facebook.com/help/163063243756483
Question: What happens if a user realizes after answering/setting the question that he has chosen a weak answer?
Remark: In case of compromised accounts, if attacker has proceeded via answering the security question, he can do the same thing sometime after because "QnA" remains same.
72. WHAT IS YOUR REACTION IF YOU HAVE TO GIVE AN ANSWER TO A SECURITY QUESTION(S) THAT IS NOT EVEN A PART OF FACEBOOK'S DEFAULT SECURITY QUESTIONS' LIST?
76. https://www.facebook.com/
HOW CAN A LEGITIMATE USER GIVE AN ANSWER TO A SECURITY QUESTION THAT HE HAS NEVER SET?
No Way ... BUT
I know the answer that works sometimes :-)
https://www.facebook.com/ashar.javed (ajaved)
mscashar.javed (mjaved)
77. EMPIRICAL STUDY
Tested 250 real accounts of my friends on Facebook.
In 181 cases, Facebook doesn't allow us to proceed ... It means no security question exposed + no option of trusted friends
In 69 cases, Facebook allows us to PROVIDE a NEW EMAIL ADDRESS and once provided, we can have either security question exposed or trusted friends feature appears or BOTH
79. 181 CASES (NO EMAIL ACCESS ... WE ARE SORRY)
https://www.facebook.com/recover/extended/ineligible
80. IN 69 CASES
Facebook exposed the selected security question of the victim
OR
Option of Trusted friends' selection
OR
Choice among above two options
81. 11 OUT OF 69 ACCOUNTS COMPROMISED
Out of 11 compromised accounts
8 by answering security question
AND
3 using trusted friends feature
ENOUGH FOR POC! # of compromised accounts can be easily raised to 20-25 but requires more work & motivation :-)
83. ON FACEBOOK ANYBODY CAN SEND ANYONE A PASSWORD RESET REQUEST IF HE KNOWS THE USERNAME WHICH IS PUBLIC INFORMATION
84. Attacker doesn't have access to victim's email box in order to get the valid 6 digit code but he has the above dialog box in front of him ...
AT THE SAME TIME DENIAL-OF-SERVICE (DOS) VICTIM
What if attacker will enter 20-30 times wrong secret code?
90. TRUSTED FRIEND FEATURE DOS
If an attacker has started the password recovery using TF and at the same time victim tries to use this feature... he will receive the following message from Facebook
93. 1) SECURITY ALERT VIA EMAIL OR MOBILE SMS
As soon as attacker starts an account recovery via "password reset" functionality, Facebook immediately sends an email or sms alert to the legitimate user.
110. 3) 24 HOUR LOCKED-OUT PERIOD
As an attacker this is the biggest hurdle to cross...
111. DISAVOW PROCESS
Legitimate user can "disavow" the process any time by clicking on the link in the email he received from Facebook or making Facebook activity during this time.
BUT
Majority of the users, as shown in users' reaction, consider Facebook's informative/warning emails as spam.
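Slides 51, 54, 84, 93, 110 and 111 together describe what a recovery flow has to get right: reveal nothing to the requester, let the server rather than the POST body decide where codes go, count wrong-code attempts per request so one request cannot lock the owner out, alert the owner, honour a 24 hour hold, and let the owner disavow. The block below is an added example written for this page, not Facebook's code, modelling such a flow; the contact count (3), the per-request attempt limit (5), all account and contact names and the 24 hour hold as a constant are assumptions made here.

```python
"""Account-recovery flow hardened against the weaknesses the deck describes.

Added example written for this page, not Facebook's code. REQUIRED_CONTACTS,
CODE_ATTEMPT_LIMIT and every account/contact name are assumptions; the 24 h
hold mirrors the period the deck mentions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

REQUIRED_CONTACTS = 3               # codes the requester must collect (assumed)
CODE_ATTEMPT_LIMIT = 5              # wrong codes tolerated per request (assumed)
HOLD_PERIOD = timedelta(hours=24)   # delay before a reset is honoured


@dataclass
class Account:
    username: str
    trusted_contacts: frozenset      # chosen by the owner in advance, never by the requester
    alerts: list = field(default_factory=list)


@dataclass
class RecoveryRequest:
    account: Account
    opened_at: datetime
    codes: dict = field(default_factory=dict)    # contact -> code sent to that contact
    received: set = field(default_factory=set)   # contacts whose code was relayed correctly
    failed_attempts: int = 0
    disavowed: bool = False
    disavow_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class RecoveryService:
    def __init__(self):
        self.accounts = {}
        self.requests = {}

    def start(self, username, now):
        """Open a request. The requester is told nothing about the account (no
        security question, no friend list); the owner gets an alert carrying
        a disavow token instead."""
        acct = self.accounts[username]
        rid = secrets.token_urlsafe(8)
        req = RecoveryRequest(acct, now)
        self.requests[rid] = req
        acct.alerts.append(("recovery_started", rid, req.disavow_token))
        return rid

    def send_codes(self, rid, chosen):
        """Validate the requester's selection on the server: exactly
        REQUIRED_CONTACTS names, every one in the owner's preset list. A
        tampered POST body naming other accounts is rejected and no code is
        generated."""
        req = self.requests[rid]
        chosen = set(chosen)
        if (req.disavowed or bool(req.codes) or len(chosen) != REQUIRED_CONTACTS
                or not chosen <= req.account.trusted_contacts):
            return False
        req.codes = {c: f"{secrets.randbelow(10**6):06d}" for c in chosen}
        return True

    def submit_code(self, rid, contact, code):
        """Check a relayed code. Failures are counted per request, so flooding
        one request with wrong codes only closes that request; the owner can
        still open and complete their own."""
        req = self.requests[rid]
        if req.disavowed or req.failed_attempts >= CODE_ATTEMPT_LIMIT:
            return "closed"
        expected = req.codes.get(contact)
        if expected is not None and hmac.compare_digest(expected, code):
            req.received.add(contact)
            return "accepted"
        req.failed_attempts += 1
        return "rejected"

    def disavow(self, rid, token):
        """Owner follows the link in the alert; the request dies immediately."""
        req = self.requests[rid]
        if hmac.compare_digest(req.disavow_token, token):
            req.disavowed = True
            return True
        return False

    def can_reset(self, rid, now):
        """All codes collected, not disavowed, and the hold period has passed."""
        req = self.requests[rid]
        return (not req.disavowed
                and len(req.received) == REQUIRED_CONTACTS
                and now - req.opened_at >= HOLD_PERIOD)


if __name__ == "__main__":
    svc = RecoveryService()
    t0 = datetime(2013, 8, 1, 12, 0, 0)
    svc.accounts["alice"] = Account("alice", frozenset({"bob", "carol", "dave", "erin"}))
    rid = svc.start("alice", t0)
    print("tampered selection accepted:", svc.send_codes(rid, ["bob", "carol", "mallory"]))
    print("valid selection accepted:", svc.send_codes(rid, ["bob", "carol", "dave"]))
```

The three properties worth noticing: `start` returns an opaque id and nothing else, so the requester cannot tell which recovery options the owner has configured; `send_codes` rejects any contact outside the owner's preset list no matter what the client posted; and `submit_code` ties the attempt counter to the request rather than the account, which is what keeps a wrong-code flood from becoming the lockout described on slide 84.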
125. SORRY FACEBOOK :-(
It doesn't make sense to reproduce this attack on TEST ACCOUNTS...
The results would look FAKE.
126. ON THE OTHER HAND ...
Our approach is similar to a recently published academic paper in Second International Workshop on Privacy and Security in Online Social Media
Co-located with WWW 2013
(http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf)
141. OUR METHODOLOGY BY KEEPING IN MIND THREAT MODEL
Registered the following email address on social networks:
user1@bletgen.net
AND
The following is the attacker's address and goal is to compromise the victim's account labelled with above email address
jim@mediaob.de
Attacker's address is not even registered on social networks!
159. DELICIOUS'S SUPPORT TEAM RESPONSE
They have switched the email address from victim's to an attacker controlled email address and have sent password reset link to the attacker's email address.
161. IMPLICATIONS OF FACEBOOK CONNECT (1 MILLION WEBSITES HAVE INTEGRATED WITH FACEBOOK)* + ACCOUNT HACK
Controls email account e.g., Yahoo
Go for shopping e.g., Etsy
Create havoc for victim :)
79% of social media log-ins by online retailers are with Facebook (http://socialmediatoday.com/node/1656466)
60 million users of Facebook Connect in 2009 according to TechCrunch report (http://goo.gl/a6lsCx)
*http://goo.gl/x8BKe
163. GUIDELINES FOR USERS
Do not ignore email or SMS alert from Facebook
Do not place TOO MUCH information on social network
Do not accept friend requests from strangers
Enable log-in notifications
164. GUIDELINES FOR SOCIAL NETWORKS
Train your support teams.
Facebook should raise the bar as far as communication with the researchers or bug submitters is concerned.
For Facebook: Please don't send TOO MANY EMAILS because users start believing that these are spam emails.
Joe wrote in his post (http://goo.gl/Wf6QMZ):
In case of TFA, Facebook failed in "CORRECTLY IDENTIFYING and REALIZATION OF AN INFORMATION FLOW PROBLEM"