Hacker heaven in MySpace, YouTube

Posted by Hitarth Jani | 7:06 PM

Attendees are seen through a Black Hat logo during the Black Hat and Defcon hacker conferences at the Caesars Palace hotel-casino in Las Vegas.

Online sharing of videos and music, at the heart of today's internet lifestyle, gives hackers dangerous new avenues for attacking computers, security specialists say.

Malicious code can be hidden in video streamed or downloaded from websites such as YouTube or songs streamed from social-networking websites including MySpace, iSEC researcher David Thiel demonstrated at a Black Hat gathering of computer protection professionals in Las Vegas.

"The potential for attack is pretty severe," Thiel said. "Any MySpace page you go to you can't get it to stop playing music at you. You will probably start seeing malware installs this way just like we see through images."

The kinds of "malware," malicious software, that can be "injected" through video or music files run the gamut from programs meant to simply be annoying to code that takes command of infected machines for "bot armies."

"Stream formats are good for containing exploit code and are quite dangerous because of the widespread use of it with kids online these days," Thiel said.

"It is used so constantly."

Applications vulnerable to hackers include those used for MP3 music files, a speech feature in Microsoft's Xbox Live online video game software, and internet telephony, according to Thiel.

Security specialists at Black Hat say the popularity of "user-generated content," considered a defining characteristic of today's Web 2.0 Internet, opens users to betrayal and attack online.

"Web 2.0 is a trust model with users controlling the content," said Websense researcher Stephan Chenette.

"You are building this gigantic network of friends. You have to trust that I am who I say I am and that the content is what I say it is. Trust is sometimes taken advantage of."

Malware-tainted video or audio files uploaded to social-networking websites can be rapidly sent to members by automated programs, said SPI Dynamics vice president Erik Peterson.

Last year it was revealed that hackers use RSS (Really Simple Syndication) feeds to distribute malicious code to thousands of people instantly, Peterson said.

"Some say we are doomed to repeat the past and there is nothing you can do about it," Peterson said. "Don't trust data you get from anyone."

Thiel believes music recording labels and movie studios will use flaws in media files to insert stealth coding that tracks or disables pirated songs, shows or movies.

Media software applications vulnerable to hacking are being used in "smart" mobile telephones as well as cars and home multi-media systems, according to Thiel.

It is imperative that computer users educate themselves about protecting software and about the dangers lurking on the internet, Chenette said.

People should bear in mind that websites in certain countries such as Russia are often lures set up by cyber criminals and that sites offering content such as sex videos frequently hide computer viruses, according to Chenette.

"If I'm going to a gambling website or if I'm going to a porn site it is much more likely to have malicious content on it," Chenette said. "Web 2.0 is something to be very wary of."