Open Source and information security mailing list archives
Date: Sat, 12 May 2007 09:23:14 -0400
From: "Vlad Hackula" <vladhackula@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Myspace hackers - Myspace lack of security

Oops, sorry for making it a response to Gadi's posting. I'm not awake yet.
Duh.

http://myspaceinfosec.blogspot.com/

Myspace fails to protect its community from malicious hackers.

As of May 12th, 2007, Myspace has 176,968,475 users in its community and it
is growing fast. To put this number in perspective, the US Census Bureau
estimates there are currently 301,821,743 US citizens. The current number of
users is well over half of the population of the entire United States. With
this being said, you would think that a company that has this many users in
its community would pay closer attention to security.

Myspace provides a lot of services to its user community and one of the
most popular is Myspace Groups. There are thousands of groups covering a
wide range of themes and letting people collaborate on anything from Beanie
Babies to the arts. One group in particular, The World Artist Network (WAN)
http://groups.myspace.com/wan, is the largest single group on Myspace and has
over 200,000 members worldwide. This group serves the art community and
gives artists a place to go to collaborate with other artists. You can
almost classify this as a somewhat educational experience because people
will post their art there to get feedback from other artists and art
enthusiasts. This helps to build an artist's skill set and helps them to
become a successful artist.

However, since around February of this year, a hacker has been targeting
groups by exploiting Myspace's lack of security controls and causing DoS
(Denial of Service) attacks by flooding the groups with thousands of
postings making it nearly impossible to find the content posted by the
members. The World Artist Network is currently under attack by this
relentless hacker. After the attack started several days ago, the group has
been brought to its knees. The way the topics are displayed has been
damaged by the attack and now the first 27 pages are blank. Several members
now cannot even post to the group, myself included. It appears the hacker
may be using code to perform various administrative functions which includes
banning members as well as pinning/unpinning topics (a flag that lets the
moderator anchor various topics to the top of the list). The hacker also
seems to be able to bypass banning functions. Even when he is banned he is
still able to post. He has created other accounts as well and after he is
finally banned he will simply use a new profile to begin the attack all over
again.

Using a special technique I was able to get one of the first attacker's IP
addresses which shows the attacker was using an IP address from the Internet
Service Provider intrstar.net (InterStar Communications, Inc) who is located
in Clinton, NC. I sent a complaint to Inter Star and included all the
relevant information yet they never responded to the incident. During this
attack the hacker posted hundreds of pages of extremely disgusting and vile
SCAT porn images. SCAT is pornography that deals with feces. Myspace was
also alerted to this activity and there was no response.

Although Myspace is 'free' to users I still think it is their obligation to
at least make a best-effort attempt at protecting its users. One of the
biggest things they can do is have a better response to security incidents.
Another would be to track down these people and prosecute them. A third would
be putting simple controls in place and preventing these types of attacks from
happening in the first place. One such method could be using software called
CAPTCHA which forces a human to enter text displayed in an image file. Say
after 10 posts within 5 minutes, force the user to enter the text. This would
make it literally impossible for the attacker to flood an entire group,
thereby making it much less desirable for them to perform future attacks.
This is such a simple thing to do that it is bizarre to me that they haven't
done it yet.

I can tell you one thing I truly believe: Myspace's banner ads, where their
main revenue comes from, will always be working very smoothly. Just don't
forget, it is the members of your Myspace community who either click or
don't click on those ads. You need to protect those precious resources.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
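The control proposed in the post above (demand a CAPTCHA once an account has made 10 posts within 5 minutes), worked through as an added example that is not part of the original message and not Myspace's own code. It is a sliding-window post gate in Python. Keying the limit on the source IP as well as the account is this example's own extension, so that the evasion the post describes (switching to a freshly created profile after a ban) does not reset the counter; the account names and IP addresses in the simulations are constructed.

```python
"""Sliding-window posting gate with a CAPTCHA fallback (added example).

Policy taken from the post: after FREE_POSTS accepted posts inside a
WINDOW_SECONDS window, every further post in that window requires a solved
CAPTCHA. Checking the source IP in addition to the account is an assumption
of this example, not something the post or Myspace specified.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # the 5-minute window proposed in the post
FREE_POSTS = 10           # posts accepted per window before a CAPTCHA is required


class PostGate:
    def __init__(self, window=WINDOW_SECONDS, free_posts=FREE_POSTS, per_ip=True):
        self.window = window
        self.free_posts = free_posts
        self.per_ip = per_ip
        # per key: timestamps (seconds) of accepted posts inside the window, oldest first
        self._history = defaultdict(deque)

    def _recent(self, key, now):
        """Drop timestamps that have aged out, return the live queue for `key`."""
        q = self._history[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def attempt(self, account, source_ip, now, captcha_solved=False):
        """Decide one post attempt at time `now`.

        Returns "allow" (the post is recorded) or "captcha" (nothing recorded,
        the caller must present a CAPTCHA and retry with captcha_solved=True).
        If either the account or the IP key is saturated the CAPTCHA is
        demanded, so a brand-new profile from the same address is throttled.
        """
        keys = [("account", account)]
        if self.per_ip:
            keys.append(("ip", source_ip))
        queues = [self._recent(k, now) for k in keys]
        if not captcha_solved and any(len(q) >= self.free_posts for q in queues):
            return "captcha"
        for q in queues:
            q.append(now)
        return "allow"


def simulate_flood(posts, interval, account="flooder", ip="203.0.113.7"):
    """A script posting every `interval` seconds that never solves a CAPTCHA.
    Returns (accepted, challenged). Account and IP are constructed values."""
    gate = PostGate()
    accepted = challenged = 0
    for i in range(posts):
        if gate.attempt(account, ip, now=i * interval) == "allow":
            accepted += 1
        else:
            challenged += 1
    return accepted, challenged


def simulate_account_swap(posts, interval, per_ip=True, ip="203.0.113.7"):
    """The same flood, but from a new profile every 10 posts (the evasion the
    post describes). Returns the number of accepted posts: with per_ip=False
    the account-only limit is defeated, with per_ip=True the shared IP key
    still caps it."""
    gate = PostGate(per_ip=per_ip)
    accepted = 0
    for i in range(posts):
        account = f"profile{i // 10}"   # constructed profile names
        if gate.attempt(account, ip, now=i * interval) == "allow":
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("single account, 300 posts in 5 min:", simulate_flood(300, 1))
    print("account swap, account-only limit:", simulate_account_swap(300, 1, per_ip=False))
    print("account swap, account+IP limit:  ", simulate_account_swap(300, 1, per_ip=True))
```

A human who solves the CAPTCHA keeps posting (each `attempt` with `captcha_solved=True` is recorded like any other post), while an unattended script stalls at the tenth post until the window slides past its earliest entries; the window is never reset by a solved CAPTCHA, so a flood cannot be resumed by solving one challenge.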
