full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Broadband routers and

Re: [Full-disclosure] Broadband routers and botnets - being proactive

From: Vlad Hackula <vladhackula_at_nospam>
Date: Sat May 12 2007 - 13:13:38 GMT
To: full-disclosure@lists.grok.org.uk


Myspace fails to protect it's community from malicious hackers.

As of May 12th, 2007, Myspace has 176,968,475 users in it's community and it is growing fast. To put this number in perspective, the US Census Bureau estimates there are currently 301,821,743 US citizens. The current number of users is well over half of the population of the entire United States. With this being said you would think that a company that has this many user's in it's community would pay closer attention to security.

Myspace provides a lot of services to it's user community and one of the most popular is Myspace Groups. There are thousands of groups covering a wide range of themes and let people collaborate on anything from beenie babies to the arts. One group in particular, The World Artist Network (WAN) http://groups.myspace.com/wan is the largest single group on Myspace and has over 200,000 members worldwide. This group serves the Art community and gives artists a place to go to collaborate with other artists. You can almost classify this as a somewhat educational experience because people will post their art there to get feedback from other artists and art enthusiasts. This helps to build an artists skill set and helps them to become a successful artist.

However, since around February of this year, a hacker has been targeting groups by exploiting Myspace's lack of security controls and causing DoS (Denial of Service) attacks by flooding the groups with thousands of postings making it nearly impossible to find the content posted by the members. The World Artist Network is currently under attack by this relentless hacker. After the attack started several days ago, the group has been brought to it's knees. The way the topics are displayed has been damaged by the attack and now the first 27 pages are blank. Several members now cannot even post to the group, myself included. It appears the hacker may be using code to perform various administrative functions which includes banning members as well as pinning/unpinning topics (a flag that lets the moderator anchor various topics to the top of the list). The hacker also seems to be able to bypass banning functions. Even when he is banned he is still able to post. He has created other accounts as well and after he is finally banned he will simply use a new profile to begin the attack all over again.

Using a special technique I was able to get one of the first attacker's IP addresses which shows the attacker was using an IP address from the Internet Service Provider intrstar.net (InterStar Communications, Inc) who is located in Clinton, NC. I sent a complaint to Inter Star and included all the relevant information yet they never responded to the incident. During this attack the hacker posted hundreds of pages of extremely disgusting and vial SCAT porn images. SCAT is pornography that deals with feces. Myspace was also alerted to this activity and there was no response.

Although Myspace is 'free' to users I still think it is their obligation to at least make a best effort attempt at protecting it's users. One of the biggest things they can do is have a better response to security incidents. Another would be to track down these people and prosecute them. And by putting simple controls in place and preventing these types of attacks from happening in the first place. One such method could be using software called CAPTCHA which forces a human to enter text displayed in an image file. Say after 10 posts within 5 minutes force the user to enter the text. This would make it literally impossible for the attacker to flood an entire group and thereby making it much less desirable for them to perform future attacks. This is such a simple thing to do it is bizarre to me that they haven't done it yet.

I can tell you one thing I truly believe, Myspace's banner ads, where their main revenue comes from, will always be working very smoothly. Just don't forget, it is your Myspace community that are the ones that either click or don't click on those ads. You need to protect those precious resources. <http://myspaceinfosec.blogspot.com/2007/05/myspace-fails-to-protect-its-community.html>

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/