[UgaBYTES] Trust BUT Verify Friends On Social Networking Sites

Ndaula Sulah ndaulasula at ugabytes.org
Thu Aug 14 05:56:38 GMT 2008


Dear Friends,

This might be of interest to you...

------------------------------------------------------------------------
Online social networking sites are hacker playgrounds
by Glenn Chapman
Thu Aug 7, 10:38 PM ET


LAS VEGAS (AFP) - Computer security researchers on Thursday warned that
online social networking websites are playgrounds for hackers who can easily
take advantage of people's trust.

Opportunities for mischief abound as users place intimate details of their
lives on profile pages and install mini-applications made by strangers that
don't always have their privacy at heart. In a trend pioneered with
tremendous success by Facebook, social networking websites have opened their
operating platforms to let outside developers craft fun, hip, or functional
software "widgets" that can be added to profile pages. Malicious code can be
hidden in such applications, computer security specialists Nathan Hamiel and
Shawn Moyer said at a premier Black Hat conference in Las Vegas.

"I can't necessarily attack Facebook or MySpace, but I can attack their
users all day long," Moyer told AFP. "Don't put anything on a Facebook
account that you don't consider public." People are prone to place faith in
social networking widgets and links from friends, said Idea Information
Security consultant Nathan Hamiel. "People are going nuts adding
applications they don't need," Hamiel told AFP.

"Every time they do that they are showing an implicit trust in whoever wrote
the application, and most people don't know who that is." Hamiel and Moyer
showed peers software capable of plundering profile information, swiping
people's "friends," or locking people out of their own MySpace pages.

A pair of MySpace engineers who attended the demonstration said that hacks
are known risks in today's social platforms and that they had Hamiel's
application deleted by the end of the talk. Fake postings on comment boards
advising people to update software are ways to trick social network users
into downloading malicious software that can commandeer control of machines,
Hamiel said.

"Social networks really don't care if you get pawned or not," Hamiel said,
using slang referring to a computer user being dominated and humiliated by
hackers. "People know if they go on a computer and download a program they
could get a virus. They don't have the same view of how dangerous that can
be on a social networking site."

Hackers can write seemingly legitimate widgets that "go rogue" after
spreading to enough social network members, according to Hamiel. "It is not
a problem with a particular site," Hamiel said. "It is a problem with social
networking in general."

Even if tainted applications are deleted, the odds are that the data from
profile pages was already copied onto an outside computer, according to
Hamiel and Moyer. "MySpace and Facebook have no control over my servers,"
Hamiel said. "Once the content is moved from their site they have no control
over that." Those thinking that they will stay safe by not having social
networking pages may still be vulnerable to trouble, according to the security
specialists. Another ruse is to create social networking profiles for people
using information mined from the Internet and then for the imposters to send
out "friends requests."

Those that take the bait give open doors to the private data in their
profiles. "We think you should make a profile for yourself before somebody
else does," Moyer said. "Just don't put anything there that you don't
consider public. And trust, but verify when people want to be your friend."

-- 
Executive Director
UgaBYTES Initiative
Tel: +256414370163
Mob: +256712314969
Skype: sulah.ndaula
Yahoo: ndaulasula
Email: ndaulasula@
(ugabytes.org,yahoo.co.uk or gmail)