Everything, Everything

2020: J F M A M
2019: J F M A M J J A S O N D
2018: J F M A M J J A S O N D
2017: J F M A M J J A S O N D
2016: J F M A M J J A S O N D
2015: J F M A M J J A S O N D
2014: J F M A M J J A S O N D
2013: J F M A M J J A S O N D
2012: J F M A M J J A S O N D
2011: J F M A M J J A S O N D
2010: J F M A M J J A S O N D
2009: J F M A M J J A S O N D
2008: J F M A M J J A S O N D
2007: J F M A M J J A S O N D
2006: J F M A M J J A S O N D
2005: J F M A M J J A S O N D
2004: J F M A M J J A S O N D
MySpace
Thursday 1st November, 2007 09:42 Comments: 0
The McAfee Avert Labs Blog mentioned MySpace yesterday, and provided a decent overview of why SSL is a good thing if you'd like any sort of privacy or protection. According to MySpace:

MySpace.com member accounts are secured by member-created passwords. MySpace.com takes precautions to insure that member account information is kept private. We use reasonable measures to protect member information that is stored within our database, and we restrict access to member information to those employees who need access to perform their job functions, such as our customer service personnel and technical staff. Please note that we cannot guarantee the security of member account information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of member information at any time.

Is it reasonable that usernames and passwords (data that's stored in their database) are sent over an unencrypted connection?
> nmap -P0 -p 80,443 www.myspace.com

Starting Nmap 4.22SOC8 ( http://insecure.org ) at 2007-11-01 09:32 GMT Standard Time
Warning: Hostname www.myspace.com resolves to 6 IPs. Using 216.178.38.129.
Interesting ports on 216.178.38.129:
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https
It's not even a case of trying to find the link to login and browse the site over SSL, as they don't even have port 443 open, so you're forced to send everything over an unencrypted connection as there's no other option. That doesn't sound very reasonable to me!

The scary thing is a lot of users will be using the same usernames and passwords on other sites that do use SSL. As mentioned on McAfee's blog:

Don't get me wrong, a malicious user doesn't care about your myspace.com page. I'm sure it "teh sucks" and your profile is "teh fail" (to quote a buddy at Foundstone, Brad Antoniewicz). They're after your credentials & betting big on password reuse. Stop for a moment and think about your own work, Ebay, email, bank, etc accounts. Are you reusing your credentials anywhere?
© Robert Nicholls 2002-2020
The views and opinions expressed on this site do not represent the views of my employer.
HTML5 / CSS3