Tuesday, June 19, 2007

"1 for the show... 2 for the money"

Yes, the title is right. And this is finally a post that is actually useful (as opposed to interesting and useful somewhere down the line, I hope).

If a friend of yours on MSN Messenger messages you to look at a site that looks something along the lines of messengerweb, don't go. Or go, but know the risks.

The title - confusing as it may be - reflects the change in attitudes of the "blackhat" or "hacker" community.

1 - it used to be for show: how many sites can you hack in 24 hours? How many machines can you bring down? Is Google invulnerable?
2 - now it's for the money.

The site above is an excellent example of this. It is packed full of Google adverts, so each time someone visits the site the owner gets a (very) small amount of money. The way to make that into a big amount is to get a large number of people to visit.

There is the way I do it, which is to try to make good content and hope that people find it useful, but there is another way - the way that site does it.

The site offers a dubious service to the people that log into it. You need to log in with your MSN credentials (which also happen to be your MSN Passport and Hotmail password). The site does some checking in its database for you (that's the service) and (this is the genius bit) uses the recently acquired MSN username and password to send a message (as you) to all of your contacts telling them about this "really cool" site. And so the networking effect goes on until a lot of visits happen and the site owner makes a load of cash.

You have to accept the terms and conditions before connecting, where it is spelled out in no uncertain terms what the site will do.

I got "fake announcements" from a number of technical people who had obviously not only visited the site but also entered in their usernames and passwords.

To the general public: don't give up your password, ever! Even when asked to on websites. The MSN password is for MSN only - not for other websites like messengerweb. Before you enter any information onto a site, ask yourself: how much do I trust this site? Rather close the window if you are not sure.

To security people: it looks like we have failed again if people are so keen and eager to just give away their passwords. We have to focus on the principles - "Don't share your password! Know where to use them and where not to" - and not the modus operandi - "watch out for emails asking for your password or directing you to a bank website" - because the principles don't change but the modus operandi do.
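
The principle "know where to use them and where not to" can be enforced by software instead of being left to memory. The sketch below is an added example, not code from this post or from any MSN product: it ties a credential to the one origin allowed to receive it and refuses every other site, however it is dressed up. The hostname `login.live.com` standing in for the legitimate sign-in host, the `msn-passport` label and the `messengerweb.example` URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: each credential is registered with exactly one origin that may
# receive it. The label and hostnames are constructed for this example.
ALLOWED_ORIGINS = {
    "msn-passport": ("https", "login.live.com", 443),
}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it is not usable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname   # lower-cased, with userinfo and port removed
        port = parts.port       # raises ValueError on an out-of-range port
    except ValueError:
        return None
    if not host or parts.scheme not in ("http", "https"):
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host.rstrip("."), port)


def may_submit(credential_id, page_url):
    """True only when the page asking for the password is the credential's
    registered origin. Comparison is exact: no substring or suffix matching,
    so lookalike hostnames and userinfo tricks do not pass."""
    allowed = ALLOWED_ORIGINS.get(credential_id)
    return allowed is not None and origin_of(page_url) == allowed


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, the rest third-party or disguised.
    samples = [
        "https://LOGIN.LIVE.COM:443/login",
        "https://messengerweb.example/login",
        "https://login.live.com.messengerweb.example/",
        "https://login.live.com@messengerweb.example/",
        "http://login.live.com/",
    ]
    for url in samples:
        verdict = "fill" if may_submit("msn-passport", url) else "refuse"
        print(f"{verdict:6}  {url}")
```

The rule stays the same whatever the lure looks like, which is the point of teaching the principle and not the modus operandi.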
