Once they become a “friend” they are free to post messages and share files. Here’s the problem, most users have aliases, so even if they say that they are Jim from second grade how do you know icedancer35 could be someone pretending to be Jim for an insidious purpose. We have been taught and (hopefully) teach our staff not to open email from people they don’t know, but that is exactly how myspace operates. If users want to reak havoc on their own computers at home so be it, but our networks should suffer because of it. In the last week, two worms for myspace have been identified and there are certainly more on the way.
The latest myspace vulnerability can be found here http://www.gnucitizen.org/blog/myspace- ... w-up Basically, links on the users’s sites are re-directed to phishing sites and anyone who visits could be infected as well. No, this is not a major problem, but that is because they are only phishing links. What if the links instead brought the unsuspecting user to a page with had a 1X1 pixel of a Browser Helper Object (BHO), that installed a Trojan. The popularity of myspace could easily create a zombie net of several hundred thousand machines in a matter of minutes.
There are countless others, but this is the latest. I understand the appeal to re-connect with old friends or re-kindle lost loves, but not on my network. I am loathe to stop users from browsing the internet, it is more trouble than its worth and everyone deserves the right to browse the internet for a five minute break, to get re-focused. Myspace however is too susceptible to problems and therefore I am urging all responsible infosec professional to block myspace.
I have done some research and the following are methods that can be used to keep myspace off your lan.
http://www.softwaretipsandtricks.com/fo ... e-com.html
http://www.zemericks.com/support/howtos ... /index.asp
Again, the purpose of this post is not to highlight a particular worm or threat, but to illustrate the very real threat that myspace could become. If you do allow your users access to myspace, ask them to verify who it is they allow on their pages and that they only visit trusted sites.