Category Archives: Social Media

Doxing Victim Zoe Quinn Launches Online “Anti-Harassment Task Force”

On Friday, Depression Quest developer and doxing victim Zoe Quinn launched an online “anti-harassment task force” toolset, staffed by volunteers familiar with such attacks, to assist victims of a recent swell of “doxing” and “swatting” attacks.

The Crash Override site, built by Quinn and game developer Alex Lifschitz, offers free services from “experts in information security, white hat hacking, PR, law enforcement, legal, threat monitoring, and counseling” for “victims of online mob harassment.” According to the site, those experts are “mostly former clients” who have faced similar online threats, and their efforts will not include “retaliatory action against abusers.”

In addition to a contact form and a lengthy summary of Crash Override’s pre- and post-harassment services, the site includes links to a guide to help people control how much personally identifiable information appears on the Internet, along with a Twitter feed containing public statements from two users claiming to have used Crash Override’s services to mitigate the effects of online harassment.

Facebook’s Auto-playing Videos in an ISIS Era

A few months ago, Facebook changed its default settings to enable auto-play of video content on the social network’s news feed, whether users accessed the site on a desktop browser or through its mobile app. Even though the latter has auto-play enabled by default with an “only on Wi-Fi” asterisk, the change has swept through millions of news feeds, perhaps as a way to ease users into Facebook’s video advertising initiative.

Now, users are calling that default video-play toggle into question thanks to a rise in disturbing content distributed via social media. Should an ISIS beheading or similarly disturbing content find its way to someone’s Facebook news feed while that user hasn’t opted out of the site’s video feature—a process possibly more complicated than it needs to be—they’re in for a rude awakening.

It’s tough to catalog exactly how many gore-filled videos have been successfully circulated via Facebook without the site intervening or taking them down. Publicly, Facebook representatives have argued that such content isn’t subject to removal. And as an example of video auto-play gone wrong, Ars readers directed us to a gory video posted to Facebook that had yet to receive any form of takedown in over a week. Its opening moment features the mass execution of children, all shot by a machine gun, and we chose not to watch the entire video (nor link to it) to see how much worse it got.

Four-year-old Comment Security Bug Affects 86 Percent of WordPress Sites

A Finnish IT company has uncovered a bug in WordPress 3 sites that could be used to launch a wide variety of malicious script-based attacks on site visitors’ browsers. Based on current WordPress usage statistics, the vulnerability could affect up to 86 percent of existing WordPress-powered sites.

The vulnerability, discovered by Jouko Pynnonen of Klikki Oy, allows an attacker to craft a comment on a blog post that includes malicious JavaScript code. On sites that allow comments without authentication—the default setting for WordPress—this could allow anyone to post malicious scripts within comments that could target site visitors or administrators. A proof-of-concept attack developed by Klikki Oy was able to hijack a WordPress site administrator’s session and create a new WordPress administrative account with a known password, change the current administrative password, and launch malicious PHP code on the server. That means an attacker could essentially lock the existing site administrator out and hijack the WordPress installation for malicious purposes.

“For instance, our [proof of concept] exploits first clean up traces of the injected script from the database,” the Klikki Oy team wrote in a blog post on the vulnerability, “then perform other administrative tasks such as changing the current user’s password, adding a new administrator account, or using the plugin editor to write attacker-supplied PHP code on the server (this impact applies to any WordPress XSS if triggered by an administrator). These operations happen in the background without the user seeing anything out of the ordinary. If the attacker writes new PHP code on the server via the plugin editor, another AJAX request can be used to execute it instantaneously, whereby the attacker gains operating system level access on the server.”

Woman Posts “Love” of ISIS on Facebook, Charged with “Promoting” Terrorism

A 29-year-old Virginia woman is set to appear again in federal court Wednesday after being charged in connection with favorable Facebook posts about the Islamic State of Iraq and Syria (ISIS). One of her posts simply read, “I love ISIS.”

The woman, Heather Coffman, was caught in a terrorism sting operation after the authorities got a search warrant to unmask her Facebook account information. The warrant noted that there was probable cause to unveil who was behind several Facebook accounts because there were pictures of ISIS freedom fighters with words at the bottom that said “Allah has preferred the Mujahideen over those who remain [behind] with great reward.” She also shared a job description on the social networking site that said “jihad for Allah’s sake.”

“In my experience, this indicates support for violent jihad. Further, the mujahideen are individuals that fight violent jihad,” FBI agent Odette Tavares said in court documents (PDF). Additionally, in response to a question on Facebook about why she published pro-ISIS pictures, Coffman responded, “I love ISIS,” according to the government. The feds also said she posted that she hates gays and Zionists and that “they should all die.”
