Common social-networking hack

We get a lot of questions in the ConnectSafely forum about people finding their profiles compromised in various ways. One way this can be done concerns social networkers' passwords - if they've either given their passwords to friends or their passwords have been stolen. A researcher colleague of mine in Portugal, Daniel Cardoso, sent me a heads-up about the latter. Here, a post in EthicalHacker.com explains that there is free downloadable software on the Net that allows malicious hackers to steal users' passwords. Cain & Abel is "a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols." In Slashdot, which Daniel linked me to, a young security expert posted: "If I were to run this attack on the computers at my high school, I could cripple a lot of kids' social lives (and get expelled when the admins see :) I see SO many of my classmates using proxies to get on MySpace at school (even though it's against school rules, which I don't blame after seeing some of my classmates' MySpace pages). They just don't understand how easily I could get their password (or whoever's, running the proxy, or even the admins). And it's worse when you wonder how many kids use the same user name and password for everything. Kids these days [note that he's talking about his peers] are just not educated enough on good security practices, or show a lack of common sense with this stuff." Parents, make sure your kids practice good computer security - choose hard-to-guess passwords, don't share them with friends, change them fairly often, and choose different ones for different sites and services. IT News in Australia reports that "criminal hackers now view social networking sites as their best target for attacks." It goes on to describe another vulnerability besides passwords, and IT Pro in the UK reports on a Facebook vulnerability involving users' private photos.