
Is MY SPACE safe?

Several users here at work have asked me if it is safe to use the popular new site called MY SPACE.  Our concern is if it has any of the P2P vulnerabilities.  What do you think?
Asked by: JayMulkey
 
dmcoop Commented:
I don't know for sure but why take a chance?  We blocked it in our firewall weeks ago because folks were spending too much time there and not working.  I don't have to worry about security issues now.
 
JayMulkey (Author) Commented:
I agree.  May I know how you blocked it at the firewall?  Is it an IP address or what?
 
dmcoop Commented:
What kind of firewall do you have?

We use WatchGuard firewalls and they have a product called WebBlocker.  I just put myspace.com in the blocked list.

There are other ways though depending on your firewall or proxy server.
 
kevinf40 Commented:
The other thing to consider is data leakage - any of these types of applications make it that much more likely that corporate/customer data will end up in the wrong hands either by intentional employee action or due to a vulnerability in the application being exploited.

Another application to watch out for is Google Desktop and its search anywhere facility.

There are various options for blocking web sites depending on your set-up at work -

via the firewall - either if you have a way of filtering by url as above, or by blocking all IPs associated with the site - a router can likely perform the IP blocking function as well.

Block the url(s) on a proxy server if you use one

If none of these options are available you can point all the site's IPs to 127.0.0.1 on machines' hosts files although this is hardly an enterprise level solution!

 
kevinf40 Commented:
Oh, I found this list of MySpace IPs that may be helpful - I cannot guarantee it is 100% complete.

63.208.226.219
63.208.226.24-63.208.226.28
63.208.226.40-63.208.226.43

Also found this broader list:

63.208.226.24 through 63.208.226.255 (a variety of MySpace Servers)
63.209.191.74 (www.myspacedirect.com)
69.89.74.30 through 69.89.74.255 (another batch of MySpace Servers)
82.165.169.214 (MySpacePhotos)
209.59.200.170 (MySpacePimper)

Worth confirming the IPs, but should help as a start should you need to block IP ranges rather than by url string.
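Firewalls usually want CIDR blocks rather than "a through b" ranges, so the following added example (not part of the original thread) converts the entries exactly as posted above into the smallest set of CIDR networks and merges the overlap between the two lists. The addresses are the ones quoted in the post and still need confirming before use; the function names are illustrative.

```python
import ipaddress
import re

# Entries as written in the post above (host-name annotations dropped).
POSTED = [
    "63.208.226.219",
    "63.208.226.24-63.208.226.28",
    "63.208.226.40-63.208.226.43",
    "63.208.226.24 through 63.208.226.255",
    "63.209.191.74",
    "69.89.74.30 through 69.89.74.255",
    "82.165.169.214",
    "209.59.200.170",
]

def to_cidrs(entry):
    """Turn 'a', 'a-b' or 'a through b' into the minimal list of CIDR networks."""
    parts = re.split(r"\s*(?:-|through)\s*", entry.strip())
    ends = [ipaddress.IPv4Address(p) for p in parts]  # raises ValueError on bad input
    if len(ends) == 1:
        ends = ends * 2                               # single host: first == last
    if len(ends) != 2 or ends[0] > ends[1]:
        raise ValueError(f"not a valid range: {entry!r}")
    return list(ipaddress.summarize_address_range(ends[0], ends[1]))

def blocklist(entries):
    """Expand every entry, then drop duplicates and ranges covered by a wider one."""
    nets = [net for entry in entries for net in to_cidrs(entry)]
    return [str(net) for net in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for cidr in blocklist(POSTED):
        print(cidr)
```

The three entries from the first list disappear from the output because the broader 63.208.226.24 through 63.208.226.255 range already covers them.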
 
bnedelcov Commented:
The answer for that question is: it is as safe as any other site like it. I do not get why you need to block users from accessing it when they can access websites that are much more harmful. Why disconnect one when you are going to leave the other one available to everyone? As for your P2P question it cannot have those vulnerabilities as it works on another type of protocol. But having said that I don't see why employees have to go to My Space from their office PC. You should monitor the connection for this kind of behavior.
 
JayMulkey (Author) Commented:
I work in a networked environment where we have 300+ PCs and own only about 100 of them.  The majority are independent contractors who pay us for Internet access.  Lots of them have laptops that go home with them and - as you know - stuff happens at home.

As the Administrator for the network I have only so much authority in dictating what the users can do while they are here in the building.  Most are very respectful of the fact that their behavior (good or bad) affects all of us.

My desire is to prevent users from accessing ANY site that would be dangerous to our network.  I've spoken to them about P2P sites and let them know that I monitor what shows up at the firewall and can talk with them directly if they choose to do this stuff.

Today a user asked if it was okay to visit MY SPACE while on her breaks.  I said I did not know (thus, my question to all of you).

Thank you ... those who have said I can block this site at the firewall.  I think I will.
 
dmcoop Commented:
You are better off to block by URL than IP if your firewall allows it.  That is why I ask what kind of firewall you have.

If you block by IP range or specific IPs that can create some problems.

 
JayMulkey (Author) Commented:
We use a FortiGate 200 (by Fortinet).  It has tons of controls on what is allowed and what is not.  It also alerts me (by email) when suspicious activity takes place.  Recently it noticed one user using Skype and let me know it is potentially dangerous since the packets are encrypted and might allow a virus to get past the firewall.
 
rfportilla Commented:
One interesting way to do it is this.  (This is how I would do it)  Block port 53 (DNS) from any computer except the internal DNS.  Force users to use your internal DNS.  Then create a myspace.com DNS record that points to the internal Company Internet use policy.
 
rfportilla Commented:
If you are paranoid about sites people are looking at, you may want to consider Websense or a similar product.  They monitor thousands of websites and maintain a database that an ISA firewall server can update.  It's kind of pricey and I wouldn't consider it unless you have at least 50 nodes (minimum).

Cheaper solution would be to limit web sites people can view to only a few safe sites.  But, that takes all of the fun out of the office's Internet connection ;)
 
Rich Rumble (Security Samurai) Commented:
Agreed, WebSense is probably the best overall solution to block "rated" and other unwanted WEBSITES. http://www.websense.com/global/en/ As far as blocking/preventing P2P, the solution is typically 3-fold:
First, keep users from installing apps on their PCs; this typically requires you to remove admin and power user rights.
Second, implement a proxy like the Websense product. Block destination ports 21, 25, 80, 443, 8080, 8090 at the very least. You should only allow the proxy to access those destination ports, that way users can't bypass the proxy.
Third, some sort of IDS like Snort. If the first and second criteria are met, the third might not help much for p2p detection as you will have eliminated almost every chance of having p2p's on the network.

Lots of data is encrypted, like Skype, Jabber etc... if you want to mitigate the possible damage a possible virus could cause, then best practices are, lo and behold, best practice! http://xinn.org/win_bestpractices.html
DNS and hosts files will not stop determined users, and so you should use a proxy like Websense, force users to use the proxy by blocking dst ports common to http/ftp. This way users that find a "dig" nslookup or other resolution site and start accessing pages via IP http://72.14.207.99/search?hl=en&q=site%3Axinn.org+best+practices&btnG=Google+Search
http://64.233.187.99/search?hl=en&lr=&q=site%3Amicrosoft.com+XP+security+best+practices&btnG=Search
-rich

 
rfportilla Commented:
I don't think encrypted packets justify a security concern necessarily.  A virus scanner on all of your computers will handle the "might allow a virus to get past the firewall."  The firewall's job is to control traffic, not to monitor viruses.  Get a virus scanner for that.

Generally speaking, my policy on security is to deny access to everything except for what I think people should have access to.  I think Richrumble is working with the same basis that I was above with the proxy.  You need to channel all traffic through your servers, if you don't already.  Don't allow anyone to access the Internet without going through you first as mentioned above on my post, block port 53 and configure an internal dns server.  As mentioned by Richrumble, block the other ports he mentioned.  Configure the firewall so that your proxy is the only computer that can make these outgoing connections and configure all other computers to use your server as the proxy.  

One side note, the ports that have been mentioned by Richrumble were mentioned because those are the types of traffic that most proxies are developed to handle: http, shttp, smtp, ftp.  Other types of traffic may not be handled by your proxy properly.  That will just require a little bit of research into your proxy.

Websense is a great product, but you don't have to have it.  If it is a relatively small company and you can have a reasonable level of trust with your users, don't spend the money.  If you have a medium to large company and you can't trust the users, definitely get something like Websense.

Has any of this helped?
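The two posts above describe the same egress design: only the proxy may reach the listed ports, only the internal DNS server may send port 53 outbound, and everything else is denied. The following added example (not part of the original thread) audits firewall flow records against that design; the log format, the 10.0.0.0/8 layout and the proxy and DNS addresses are assumptions made for illustration, and the log lines are constructed.

```python
import ipaddress

# Assumed layout for illustration; none of these addresses come from the thread.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = "10.0.0.10"
INTERNAL_DNS = "10.0.0.53"
PROXY_ONLY_PORTS = {21, 25, 80, 443, 8080, 8090}  # the ports listed in the thread

# Constructed firewall log sample, one flow per line: src dst proto dport action
SAMPLE_LOG = """\
10.0.0.10 203.0.113.5 tcp 80 allow
10.0.1.23 203.0.113.5 tcp 80 allow
10.0.0.53 198.51.100.1 udp 53 allow
10.0.1.40 198.51.100.2 udp 53 allow
10.0.1.23 203.0.113.9 tcp 443 deny
10.0.1.77 203.0.113.20 tcp 6881 allow
10.0.1.23 10.0.0.10 tcp 8080 allow
"""

def classify(src, dst, dport, action):
    """Return a finding label for one flow, or None if it matches the policy."""
    if action != "allow":
        return None                      # the firewall already dropped it
    if ipaddress.ip_address(dst) in INTERNAL_NET:
        return None                      # internal hop, e.g. client -> proxy
    if dport == 53:
        return None if src == INTERNAL_DNS else "dns-bypass"
    if dport in PROXY_ONLY_PORTS:
        return None if src == PROXY else "proxy-bypass"
    return "not-allowlisted"             # default deny: nothing else should leave

def audit(log_text):
    """Return (line_no, src, finding) for every allowed flow that breaks the policy."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue                     # skip blank or malformed lines
        src, dst, _proto, dport, action = fields
        label = classify(src, dst, int(dport), action)
        if label:
            findings.append((line_no, src, label))
    return findings

if __name__ == "__main__":
    for line_no, src, label in audit(SAMPLE_LOG):
        print(f"line {line_no}: {src} {label}")
```

Any finding means a firewall rule is looser than the design: a client that can reach port 80 or 53 directly is not bound by the proxy's URL filter or by the internal DNS override.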
 
hstiles Commented:
I don't see myspace as a security risk, just somewhere that staff can easily waste an entire day.  Also, some of the photos that people upload to their myspace pages can be a little risque.
 
rfportilla Commented:
There are risks.  It's personal postings with various types of mixed content (some of which may be dangerous to a computer if downloaded).  
 
xy8088 Commented:
Myspace is a risk from an HR and legal perspective. There are often some very sexually provocative images posted on Myspace. If a user was viewing this content and another user saw it and was offended by it then it could turn into a legal nightmare. For that reason alone you should block it.

Last year we had a female employee file sexual harassment charges against a fellow employee plus filed charges against the company. What happened was a guy a few cubes down from her was looking at Yahoo personals and there were some risque pictures there that offended her and she decided to take legal action because of it.
 
kevinf40 Commented:
Hi

Following on from other users' posts, if you don't already have one in place, a proxy server of some sort behind a firewall that only allows the proxy server web access, thus forcing your users to connect via the proxy server, sounds like the way you need to go.

There are many proxy products on the market - some appliances you buy (e.g. Bluecoat, Websense etc) some free software - e.g. Squid.

This would allow you to have some measure of control over the browsing habits of users on your network.  Another advantage of the proxy is that it will provide you with a nice audit trail - e.g. if there is a complaint about a user accessing inappropriate sites you have a nice centralized record of this access.

In addition there are bolt-on products such as 'smartfilter' that provide a database of sites split into categories making it easy to block all known p2p sites or all dating sites etc.  These lists while obviously not infallible are not bad, cover most sites in any category and are usually updated daily with new sites.

The other thing not to overlook is policy - it sounds like a web use policy may be required. This should cover obvious stuff like no porn etc, but can also specify no VOIP, no p2p, no remote storage etc.  Get the buy in from a CIO or similar and distribute the policy to all users.  Then even if they are able to circumvent any technical solutions you put in place to manage access you have the policy to fall back on if users are caught accessing sites they shouldn't.

A specific site such as MySpace shouldn't really be your primary focus, more categories of sites you think pose an unacceptable risk.

cheers

K
 
prueconsulting Commented:
Plain and simply as stated.. Myspace is just another "web community" no different than say any geocities website.  Controlling access to the site comes down to an Acceptable usage policy of the company and if browsing those sites would violate said policies.

It uses regular HTTP, RSS type feeds for connectivity.

 
Tolomir (Administrator) Commented:
Lately also the "no-such-agencies" think myspace is a great place to stay, well they rather collect all data, relationships and connections these users are absolutely freely offering to them...

Tolomir
 
rfportilla Commented:
Thanks.