Friday, January 5, 2007

Why LinkedIn users can get EASILY hacked, and the pros and cons of MegaUpload.com

Hey Security peoples!

I'm going to talk about the pros and cons of two of the most visited sites on the internet: LinkedIn and MegaUpload.com. LinkedIn is a great site to quickly expand your "business affiliates"; many people simply post their email address for anyone to contact them to "join their network". You could definitely establish some good contacts at specific companies or even find out about open jobs; many people even refer others or vouch for their experience, which pretty much means that they owe you a favor later on - like in the Godfather ; )

But the problem with leaving your email address out like that is that anyone can make a fake LinkedIn "Join my Network" request (one that looks like the same request the victim has seen 300 other times) and pretty much trick the user into clicking on a link that can do really any number of things, by sending out an email that looks like it actually came from a valid LinkedIn user. To give you a scenario: if I was to do this, that link would automatically look for exploits or vulnerabilities in your browser (basic users are probably using Internet Explorer, right?) and then exploit them with some new 0-day (a new exploit with no patches yet) or some other exploit that's been floating around for a while. This exploit would then allow me further control over your computer; I could even download more code from a remote internet server to use your computer for sending spam or DDoS attacks. I could search your machine for confidential info like login info, credit card numbers, contacts and other personal info; I'm sure everyone gets the idea.

So what can be done to protect yourselves? Well, if it's not against your company's security policy to surf random sites, and you have your own personal computer, I wouldn't be going to this site, amongst other sites like MySpace or MegaUpload.
At a minimum, log into LinkedIn and accept your invitations to join people's networks from there; DO NOT accept a request from an email sent to the personal email address that you gave on LinkedIn to add them to your network.
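To make the "don't trust the link in the email" advice concrete, here is a small checker I've added (it is not code from the original post, and LinkedIn has no such tool that I'm describing). It pulls every link out of an HTML invitation and flags the ones that should not be clicked: links whose real destination is not linkedin.com (look-alike hosts such as `linkedin.com.something.example` are rejected because only exact matches or true subdomains count), and links whose visible text shows one URL while the `href` points somewhere else. The trusted domain list and both sample emails are constructed for the example.

```python
"""Flag links in a 'Join my network' e-mail whose real destination is not
the site the invitation claims to come from (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domain a genuine LinkedIn invitation should link to.
TRUSTED_HOSTS = ("linkedin.com",)


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self._href = href
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only if host is a trusted domain or a real subdomain of one.
    'www.linkedin.com.invite.example' ends with neither, so it is rejected."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit_invitation(html_body):
    """Return [(href, [reasons])] for every link that should not be clicked."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        reasons = []
        actual = host_of(href)
        if not host_is_trusted(actual):
            reasons.append(f"destination host {actual!r} is not a trusted domain")
        # Visible text that is a full URL whose host differs from the real target.
        shown = re.search(r"https?://([^\s/]+)", text, re.I)
        if shown and shown.group(1).lower() != actual:
            reasons.append(f"displayed host {shown.group(1).lower()!r} hides real host {actual!r}")
        if reasons:
            flagged.append((href, reasons))
    return flagged


# Constructed sample: a genuine-looking invitation whose links stay on linkedin.com.
GENUINE_INVITE = """<p>John Smith wants to join your network.</p>
<a href="https://www.linkedin.com/e/accept?id=123">Accept invitation</a>
<a href="https://www.linkedin.com/help">Help</a>"""

# Constructed sample: same wording, but the accept links lead elsewhere.
PHISHING_INVITE = """<p>John Smith wants to join your network.</p>
<a href="http://www.linkedin.com.invite-confirm.example/accept">Accept invitation</a>
<a href="http://198.51.100.7/login">https://www.linkedin.com/e/accept</a>
<a href="https://www.linkedin.com/help">Help</a>"""

if __name__ == "__main__":
    for name, body in (("genuine", GENUINE_INVITE), ("phishing", PHISHING_INVITE)):
        print(name, audit_invitation(body))
```

Run as-is, the genuine sample produces no findings and the phishing sample flags both accept links, the second one for two reasons (untrusted host and mismatched display text). The same logic is what a mail gateway rule does when it rewrites or warns on links, but the post's advice still stands: opening LinkedIn yourself and accepting the invitation there sidesteps the question entirely.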
Ever heard of MegaUpload.com? It's in the top 100 most visited sites on the internet. You can upload as much stuff to their servers as you want (like files too big to be sent via email), other people can download it when they want (just send them a link), and the service is free. It could also be used as a public FTP server (unlimited bandwidth courtesy of MegaUpload). It also lets users get around sending attachments via email (corporate users can easily violate their email security policy by simply sending someone a link to download their multimedia). Security managers must be shi)(n their pants; but at least there's a signature for this activity if you're using a good Intrusion Detection System like Snort.

The moral of this story is that there are plenty of valuable sites out there; just be careful how you use them ; )

Until we meet again...