full-disclosure-uk May 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Myspace hackers - Mysp

Re: [Full-disclosure] Myspace hackers - Myspace lack of security

From: James Matthews <nytrokiss_at_nospam>
Date: Sun May 13 2007 - 01:51:07 GMT
To: cardoso <cardosolistas@contraditorium.com>


Myspaces issue's :)

On 5/12/07, cardoso <cardosolistas@contraditorium.com> wrote:
>
> "Myspace" and "hackers" are not allowed to be used in the same phrase.
>
>
> On Sat, 12 May 2007 09:23:14 -0400
> "Vlad Hackula" <vladhackula@gmail.com> wrote:
>
> VH> oops, sorry for making it a response to gadi's posting. i'm not awake
> yet.
> VH> duh
> VH>
> VH> http://myspaceinfosec.blogspot.com/
> VH>
> VH> Myspace fails to protect it's community from malicious hackers.
> VH>
> VH> As of May 12th, 2007, Myspace has 176,968,475 users in it's community
> and it
> VH> is growing fast. To put this number in perspective, the US Census
> Bureau
> VH> estimates there are currently 301,821,743 US citizens. The current
> number of
> VH> users is well over half of the population of the entire United States.
> With
> VH> this being said you would think that a company that has this many
> user's in
> VH> it's community would pay closer attention to security.
> VH>
> VH> Myspace provides a lot of services to it's user community and one of
> the
> VH> most popular is Myspace Groups. There are thousands of groups covering
> a
> VH> wide range of themes and let people collaborate on anything from
> beenie
> VH> babies to the arts. One group in particular, The World Artist Network
> (WAN)
> VH> http://groups.myspace.com/wan is the largest single group on Myspace
> and has
> VH> over 200,000 members worldwide. This group serves the Art community
> and
> VH> gives artists a place to go to collaborate with other artists. You can
> VH> almost classify this as a somewhat educational experience because
> people
> VH> will post their art there to get feedback from other artists and art
> VH> enthusiasts. This helps to build an artists skill set and helps them
> to
> VH> become a successful artist.
> VH>
> VH> However, since around February of this year, a hacker has been
> targeting
> VH> groups by exploiting Myspace's lack of security controls and causing
> DoS
> VH> (Denial of Service) attacks by flooding the groups with thousands of
> VH> postings making it nearly impossible to find the content posted by the
> VH> members. The World Artist Network is currently under attack by this
> VH> relentless hacker. After the attack started several days ago, the
> group has
> VH> been brought to it's knees. The way the topics are displayed has been
> VH> damaged by the attack and now the first 27 pages are blank. Several
> members
> VH> now cannot even post to the group, myself included. It appears the
> hacker
> VH> may be using code to perform various administrative functions which
> includes
> VH> banning members as well as pinning/unpinning topics (a flag that lets
> the
> VH> moderator anchor various topics to the top of the list). The hacker
> also
> VH> seems to be able to bypass banning functions. Even when he is banned
> he is
> VH> still able to post. He has created other accounts as well and after he
> is
> VH> finally banned he will simply use a new profile to begin the attack
> all over
> VH> again.
> VH>
> VH> Using a special technique I was able to get one of the first
> attacker's IP
> VH> addresses which shows the attacker was using an IP address from the
> Internet
> VH> Service Provider intrstar.net (InterStar Communications, Inc) who is
> located
> VH> in Clinton, NC. I sent a complaint to Inter Star and included all the
> VH> relevant information yet they never responded to the incident. During
> this
> VH> attack the hacker posted hundreds of pages of extremely disgusting and
> vial
> VH> SCAT porn images. SCAT is pornography that deals with feces. Myspace
> was
> VH> also alerted to this activity and there was no response.
> VH>
> VH> Although Myspace is 'free' to users I still think it is their
> obligation to
> VH> at least make a best effort attempt at protecting it's users. One of
> the
> VH> biggest things they can do is have a better response to security
> incidents.
> VH> Another would be to track down these people and prosecute them. And by
> VH> putting simple controls in place and preventing these types of attacks
> from
> VH> happening in the first place. One such method could be using software
> called
> VH> CAPTCHA which forces a human to enter text displayed in an image file.
> Say
> VH> after 10 posts within 5 minutes force the user to enter the text. This
> would
> VH> make it literally impossible for the attacker to flood an entire group
> and
> VH> thereby making it much less desirable for them to perform future
> attacks.
> VH> This is such a simple thing to do it is bizarre to me that they
> haven't done
> VH> it yet.
> VH>
> VH> I can tell you one thing I truly believe, Myspace's banner ads, where
> their
> VH> main revenue comes from, will always be working very smoothly. Just
> don't
> VH> forget, it is your Myspace community that are the ones that either
> click or
> VH> don't click on those ads. You need to protect those precious
> resources.
>
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== blog semi-pessoal
> http://www.contraditorium.com <== ProBlogging e cultura digital
>
> "You lost today, kid. But that doesn't mean you have to like it"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-- http://www.goldwatches.com/watches.asp?Brand=39 http://www.wazoozle.com

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/