Social sites are becoming more dangerous
Your own “space” on MySpace, your own video clips on YouTube, a personal blog on LiveJournal... Social sites, where each user can create web content independently and choose their own environment, are becoming extremely popular. But their insecurity is causing growing concern.
It is precisely the growing attention users pay to services where the audience itself creates the site's content that has led more and more attackers to want to "use" these same services, both out of hooliganism and for profit. There are more and more examples of this.
Last weekend, a considerable number of MySpace users “granted” access to their accounts: the service's pages were infected with a virus that replaced links to the page normally used to enter a username and password. As a result, videos with obscene content and links to websites distributing child pornography, among other things, appeared on the victims' pages. Messages inviting recipients to visit porn sites are also being sent in the victims' names. The attackers used both MySpace vulnerabilities and flaws in Apple’s QuickTime Player. The “friends” of affected users, who view the contents of infected pages in their “friend feed”, are also exposed to infection.
Websense reported last month that video clips had appeared on MySpace which, when viewed, install adware on the local computer. The attackers used a vulnerability in the Windows Media Player license management system.
MySpace is the "favorite target" of attackers, which is not surprising: its popularity makes it possible to "cover" the maximum number of "victims". For example, a year ago a JavaScript script “added” Samy to the “friends” on users' pages. The service's administration then simply deleted the user and refused to comment on the situation.
Of course, MySpace is not the only site vulnerable to such attacks. Wikipedia, the online encyclopedia whose content anyone can add to and edit, faces similar problems. In November, a link to a site allegedly containing a “cure” for the MSBlast virus was posted on the German version of Wikipedia. The attackers did not stop at “link vandalism”: they sent out emails inviting recipients to visit the wiki page. Users who would have been unlikely to trust a direct link to an unknown site relied on the well-known online encyclopedia and infected their computers.
And the virtual world of the multiplayer game Second Life was once covered in “gray goo”. Strange golden rings began to appear in various parts of the “world”, multiplying at high speed. After a while, the game servers simply could no longer cope with so many new objects, and the game stopped for about half an hour. The danger was eliminated fairly quickly, but experts say that writing a new script for such an infection would not take much time. It is worth noting that three attacks have already been carried out on Second Life this fall alone; in particular, in September hackers were able to crack more than 600,000 player accounts.
Free blog sites also easily become “carriers” of fraudulent information. In the course of their research, Microsoft security experts discovered a network of sites that used spam (both email and trackbacks) to lure visitors to sites selling illegal software. About 17,000 of these sites are hosted by Blogger. This Google service has, moreover, repeatedly suffered from vulnerabilities: users occasionally find other people's posts on their pages, and attackers were once able to post false information on the official Google blog.
The developers do not seem to think much about the question: how do you control what did not need to be controlled before? Content posted by users can be much more dangerous than the owners of MySpace or Blogger assume. Vulnerabilities in social sites harm not only their owners but also their users. They can also cause losses to third-party companies, so News Corp. or Google may one day well become defendants in a high-profile lawsuit if they do not start taking security on their social services seriously.