  #16 (permalink)  
Old 07-17-2006, 07:29 PM
kev woodman's Avatar
Premium Member
 
Join Date: Jul 2006
Location: Newport, Wales, UK.
Posts: 1,494
Default Social Engineering on MySpace?

Are social engineering attacks a particular problem on MySpace? When the term is used in IT security it is usually in the context of attackers gaining access to systems by exploiting human weakness, e.g. by collecting usernames and passwords by ringing up and pretending to be from the IT department (a depressingly successful tactic).

I suppose that this could be used to gather MySpace account details but it's hard to know what real advantage would be gained by an attacker being able to access some 14-year-old's page (unless they re-wrote all the text speak into legible English, that might be worth doing).

Children being put at risk by the actions of predatory adults is certainly a concern on sites like MySpace and Bebo but I don't think that counts as social engineering.
__________________
homo sum: humani nil a me alienum puto ... ( just Google it )
  #17 (permalink)  
Old 07-19-2006, 06:40 AM
Junior Member
 
Join Date: Jul 2006
Posts: 17
Default

kev,

Well, as MySpace is such a popular service, I know exactly what I would use it for if I was engineering an attack. You might know that someone in a company that you're planning on attacking uses MySpace. Rather than trying to fake your way in through ringing them up at work or something, you could target them on MySpace as their defence wouldn't be so high.

It's just another approach. It's like cracking message boards to get password lists. The majority of users use the same passwords that they use for message boards as well as work.
  #18 (permalink)  
Old 07-19-2006, 08:00 AM
kev woodman's Avatar
Premium Member
 
Join Date: Jul 2006
Location: Newport, Wales, UK.
Posts: 1,494
Default

That's a suspiciously good idea, mate.
__________________
homo sum: humani nil a me alienum puto ... ( just Google it )
  #19 (permalink)  
Old 07-19-2006, 04:46 PM
paul's Avatar
Senior Member
 
Join Date: Apr 2006
Location: Norway
Posts: 1,641
Default

Quote:
Originally Posted by scream
Well, I would have to disagree. If social engineering wasn't anything to do with security, then it wouldn't be covered in security topics. As I've mentioned, the key to stopping such attacks is knowledge. It's having a policy that users keep to and having checks every so often to see if such policies are working.

The fact that the very nature of social engineering is used to break into systems clearly puts it within the security topic for a security person. Speaking from experience: whenever I've done penetration tests I've used social engineering to gain access to their network. From this I would then tell the client how such attacks can be prevented.
__________________________________________________ ________________

I am not talking about whether it is covered in security topics or not, but I still stand firm on my earlier comment. My point is that a "few" people just misuse it by finding the weakest link to exploit people. I have come across a renowned CRM company that gathered data and personal information of people, but a few of their employees misused it for their personal benefit, even though it is clearly mentioned in their TOS that they are not going to reveal it to any third party. In your case, performing a penetration test cannot be considered part of social engineering to gain access to your client's network, as most clients usually provide their login details/root password and other details for remote access by a service provider complying with their TOS or NDA.

Last edited by paul; 07-19-2006 at 04:48 PM.
  #20 (permalink)  
Old 07-19-2006, 05:06 PM
kev woodman's Avatar
Premium Member
 
Join Date: Jul 2006
Location: Newport, Wales, UK.
Posts: 1,494
Default

So are we all agreed that by any usual definition MySpace can't be considered 'safe' although how insecure it is and why may be open to debate?
__________________
homo sum: humani nil a me alienum puto ... ( just Google it )
  #21 (permalink)  
Old 07-21-2006, 06:49 AM
Junior Member
 
Join Date: Jul 2006
Posts: 17
Default

Paul, in my case the client doesn't know this is happening. I'm effectively cold calling an employee in that company and pretending to be someone, either within that company or a contractor. THAT is social engineering to gain access. All companies have the policy of not handing out their usernames and passwords, even to their own IT staff, but people still do it. That's why social engineering is so effective, and why it's such a big security problem.
  #22 (permalink)  
Old 07-31-2006, 03:28 PM
Junior Member
 
Join Date: Jul 2006
Posts: 23
Default

I myself don't think MySpace has good security and they need to work on the loophole they created themselves...
  #23 (permalink)  
Old 08-03-2006, 11:46 AM
paul's Avatar
Senior Member
 
Join Date: Apr 2006
Location: Norway
Posts: 1,641
Default

Possibly that is the reason that the US plans to ban social networking sites by enforcing the DOPA Act. Children in the US could be banned from using social networking sites in schools and libraries by a new law: http://news.bbc.co.uk/2/hi/technology/5230506.stm
  #24 (permalink)  
Old 08-04-2006, 05:56 PM
kev woodman's Avatar
Premium Member
 
Join Date: Jul 2006
Location: Newport, Wales, UK.
Posts: 1,494
Default Not sure if legislation is the right way...

They are doing this in Ireland as well but I'm not convinced that's the right way to go about it.

Firstly I'd argue that local authorities are probably the agencies that should be enforcing any ban in schools/public libraries. I'm sure that public institutions like these already operate filtering software so adding social networking sites shouldn't be a problem.

Secondly I'd suspect that misuse of these sites is not taking place in libraries or schools but at home. The high profile cases of teenagers posting nude/semi-nude photographs of themselves highlight this. I'm guessing that these children didn't take the photographs on their school webcam, they did it in their bedrooms.

Surely it is up to parents to ensure that they know what their children are doing on the 'net and, most importantly, that 'net enabled computers are in areas of the house where they can be monitored.
__________________
homo sum: humani nil a me alienum puto ... ( just Google it )
  #25 (permalink)  
Old 08-05-2006, 11:34 AM
paul's Avatar
Senior Member
 
Join Date: Apr 2006
Location: Norway
Posts: 1,641
Default

Let us see how US people are going to react to this.
All times are GMT.
Copyright 2002-2007 WebHosting.uk.com. All rights reserved.
Web Hosting UK Forum