Myspace issues :)<br><br><div><span class="gmail_quote">On 5/12/07, <b class="gmail_sendername">cardoso</b> <<a href="mailto:cardosolistas@contraditorium.com">cardosolistas@contraditorium.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">"Myspace" and "hackers" are not allowed to be used in the same phrase.<br>
<br><br>On Sat, 12 May 2007 09:23:14 -0400<br>"Vlad Hackula" <<a href="mailto:vladhackula@gmail.com">vladhackula@gmail.com</a>> wrote:<br><br>VH> oops, sorry for making it a response to gadi's posting. i'm not awake yet.
<br>VH> duh<br>VH><br>VH> <a href="http://myspaceinfosec.blogspot.com/">http://myspaceinfosec.blogspot.com/</a><br>VH><br>VH> Myspace fails to protect its community from malicious hackers.<br>VH><br>
VH> As of May 12th, 2007, Myspace has 176,968,475 users in its community and it<br>VH> is growing fast. To put this number in perspective, the US Census Bureau<br>VH> estimates there are currently 301,821,743 US citizens. The current number of
<br>VH> users is well over half of the population of the entire United States. With<br>VH> this being said you would think that a company that has this many users in<br>VH> its community would pay closer attention to security.
<br>VH><br>VH> Myspace provides a lot of services to its user community and one of the<br>VH> most popular is Myspace Groups. There are thousands of groups covering a<br>VH> wide range of themes and let people collaborate on anything from Beanie
<br>VH> Babies to the arts. One group in particular, The World Artist Network (WAN)<br>VH> <a href="http://groups.myspace.com/wan">http://groups.myspace.com/wan</a> is the largest single group on Myspace and has<br>
VH> over 200,000 members worldwide. This group serves the Art community and<br>VH> gives artists a place to go to collaborate with other artists. You can<br>VH> almost classify this as a somewhat educational experience because people
<br>VH> will post their art there to get feedback from other artists and art<br>VH> enthusiasts. This helps to build an artist's skill set and helps them to<br>VH> become a successful artist.<br>VH><br>VH> However, since around February of this year, a hacker has been targeting
<br>VH> groups by exploiting Myspace's lack of security controls and causing DoS<br>VH> (Denial of Service) attacks by flooding the groups with thousands of<br>VH> postings making it nearly impossible to find the content posted by the
<br>VH> members. The World Artist Network is currently under attack by this<br>VH> relentless hacker. After the attack started several days ago, the group has<br>VH> been brought to its knees. The way the topics are displayed has been
<br>VH> damaged by the attack and now the first 27 pages are blank. Several members<br>VH> now cannot even post to the group, myself included. It appears the hacker<br>VH> may be using code to perform various administrative functions which includes
<br>VH> banning members as well as pinning/unpinning topics (a flag that lets the<br>VH> moderator anchor various topics to the top of the list). The hacker also<br>VH> seems to be able to bypass banning functions. Even when he is banned he is
<br>VH> still able to post. He has created other accounts as well and after he is<br>VH> finally banned he will simply use a new profile to begin the attack all over<br>VH> again.<br>VH><br>VH> Using a special technique I was able to get one of the first attacker's IP
<br>VH> addresses which shows the attacker was using an IP address from the Internet<br>VH> Service Provider <a href="http://intrstar.net">intrstar.net</a> (InterStar Communications, Inc) who is located<br>VH> in Clinton, NC. I sent a complaint to Inter Star and included all the
<br>VH> relevant information yet they never responded to the incident. During this<br>VH> attack the hacker posted hundreds of pages of extremely disgusting and vile<br>VH> SCAT porn images. SCAT is pornography that deals with feces. Myspace was
<br>VH> also alerted to this activity and there was no response.<br>VH><br>VH> Although Myspace is 'free' to users I still think it is their obligation to<br>VH> at least make a best effort attempt at protecting its users. One of the
<br>VH> biggest things they can do is have a better response to security incidents.<br>VH> Another would be to track down these people and prosecute them. And by<br>VH> putting simple controls in place and preventing these types of attacks from
<br>VH> happening in the first place. One such method could be using software called<br>VH> CAPTCHA which forces a human to enter text displayed in an image file. Say<br>VH> after 10 posts within 5 minutes force the user to enter the text. This would
<br>VH> make it literally impossible for the attacker to flood an entire group and<br>VH> thereby making it much less desirable for them to perform future attacks.<br>VH> This is such a simple thing to do it is bizarre to me that they haven't done
<br>VH> it yet.<br>VH><br>VH> I can tell you one thing I truly believe, Myspace's banner ads, where their<br>VH> main revenue comes from, will always be working very smoothly. Just don't<br>VH> forget, it is your Myspace community that are the ones that either click or
<br>VH> don't click on those ads. You need to protect those precious resources.<br><br>-------------------------------------------------------------<br>Carlos Cardoso<br><a href="http://www.carloscardoso.com">http://www.carloscardoso.com
</a> <== blog semi-pessoal<br><a href="http://www.contraditorium.com">http://www.contraditorium.com</a> <== ProBlogging e cultura digital<br><br>"You lost today, kid. But that doesn't mean you have to like it"
<br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br><a href="http://www.goldwatches.com/watches.asp?Brand=39">http://www.goldwatches.com/watches.asp?Brand=39
</a><br><a href="http://www.wazoozle.com">http://www.wazoozle.com</a>
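The control proposed in the quoted post (require a CAPTCHA once an account has made 10 posts within 5 minutes) sketched as a sliding-window post throttle. This is an added example written for this page; it is not code from the thread, from the blog linked in it, or from Myspace. Because the post also describes the attacker moving to a freshly created profile after being banned, the throttle is keyed on more than one identifier at once (here an account id and a client IP, both constructed labels) so that a new account on the same source does not start from zero. The FakeClock, the key names and the IP address 203.0.113.7 are all constructed for the example.

```python
"""Sliding-window post throttle: after max_posts posts in window_seconds,
further posts from the same key must pass a CAPTCHA challenge.
Added example; all identifiers and sample values are constructed."""
from collections import deque
import time


class PostThrottle:
    def __init__(self, max_posts=10, window_seconds=300, clock=time.monotonic):
        self.max_posts = max_posts
        self.window = window_seconds
        self.clock = clock          # injectable so the scenario below is deterministic
        self._events = {}           # key -> deque of accepted-post timestamps

    def _prune(self, key, now):
        """Drop timestamps that have fallen out of the window; return the deque."""
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def needs_captcha(self, key):
        """True once the key already has max_posts accepted posts in the window."""
        return len(self._prune(key, self.clock())) >= self.max_posts

    def record_post(self, key):
        now = self.clock()
        self._prune(key, now).append(now)


def handle_post(throttle, keys, captcha_passed):
    """Gate one post submission.

    keys: every identifier the submission should be throttled on (e.g. the
    posting account and the client address); if any one of them is over the
    limit, the post is held until a CAPTCHA has been solved. Only accepted
    posts are counted, so rejected attempts do not extend the lockout.
    """
    if any(throttle.needs_captcha(k) for k in keys) and not captcha_passed:
        return "captcha_required"
    for k in keys:
        throttle.record_post(k)
    return "accepted"


class FakeClock:
    """Constructed clock so the scenario runs offline and deterministically."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_flood():
    """Constructed scenario: one account posts 12 times a second apart, then a
    second account from the same address tries, then the window expires."""
    clock = FakeClock()
    throttle = PostThrottle(max_posts=10, window_seconds=300, clock=clock)
    results = []
    for _ in range(12):                                   # posts 1-10 pass, 11 and 12 are held
        results.append(handle_post(throttle, ["acct:A", "ip:203.0.113.7"], False))
        clock.advance(1)
    # A brand-new account from the same address is still held, because the
    # address key is already full.
    results.append(handle_post(throttle, ["acct:B", "ip:203.0.113.7"], False))
    # The same submission with a solved CAPTCHA goes through and is counted.
    results.append(handle_post(throttle, ["acct:B", "ip:203.0.113.7"], True))
    # Once the 5-minute window has passed, ordinary posting resumes.
    clock.advance(300)
    results.append(handle_post(throttle, ["acct:A", "ip:203.0.113.7"], False))
    return results


if __name__ == "__main__":
    for i, outcome in enumerate(simulate_flood(), 1):
        print(f"post attempt {i:2d}: {outcome}")
```

Keying the window on several identifiers is what makes the limit survive profile rotation; a throttle keyed on the account alone is reset by every new account. In a real deployment the deques would live in shared storage rather than process memory, and the identifiers would be whatever the platform can reliably attribute a submission to.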