Archive for April 2010

Too dumb to make your own clickjack attack? No problemo

April 29, 2010

The internet has always made it possible for enthusiasts to find each other, form alliances, and learn tricks from each other. Back in the day, hackers traded information through various usenet groups that made it possible for computer enthusiasts to gather virtually. Not all of their activities had to do with illegal activities. In fact, both Bill Gates and Steve Jobs were members of hacking communities in the 1970s. Without this community, we wouldn’t have personal computers that perform as well as they do today.

The current term “hacker” most often refers to cybercriminals who break into computer systems, steal information, and design malware.

But you don’t have to be a computer expert to take advantage of everything that hackers and clickjackers can do. Today, you can just hire one to do your dirty work for you.

See, for instance, http://www.blackhatmoneymaker.com/. I wouldn’t explore the site too much if I were you. It’s just impossible to trust these people with even the most cursory browsing.

This site makes it easy for domain owners to purchase clickjacking programs, viruses, and other malware that they can use to take advantage of people who visit their pages.

That’s just great. At one time you at least had to have some smarts to be a cybercriminal. Now you can just be an idiot with a few bucks in his pocket.

If you’re feeling brave, then you can browse the site for forums where people advertise their clickjacking programs and other dubious wares. What really blows my mind, though, is that some people obviously take these hackers up on their offers.

Who in their right mind would pay someone for software that is completely unethical? Don’t the buyers realize that they can’t trust the very people selling the malware?

I guess greed can make morons do stupid things.

And, yes, I’m not pulling my punches at all. They are morons. The people creating the malware, they are probably intelligent people who don’t have any sense of ethics. Those who buy the malware, though, are too stupid or lazy to learn how to do it themselves.

They’re just script kiddies looking to make a few extra bucks. Half of them probably run porn sites that break copyright laws every day and don’t even reimburse their “models” and “actors.”

Going manual

April 28, 2010

I recently posted a blog entry about a friend of mine who was caught in a compromising position when a clickjack attack turned on her web cam. As I had hoped, this nightmare of a story caught readers’ attentions. The one question on everyone’s mind: how can I stop such a thing from happening to me?

First, you should recognize that Adobe has made some security upgrades that make it much more difficult for clickjack attacks to take control of your computer’s web cam. Harder, yes. But not impossible.

If you want to make it impossible for clickjackers to catch you doing something private, then you have two options:

1- act like you’re sitting in front of an audience every time you use your computer, and

2- go manual

Frankly, the first suggestion is not going to help many people. It’s simply too difficult to pretend that you’re sitting in front of a worldwide audience when you’re actually in your own home, the place where you feel most comfortable to let it all hang out. Plus, consider all of the things that some people might consider personal. My friend’s case was exceptional, an example of the worst case scenario. For many, though, it wouldn’t take much to cause extreme embarrassment. Caught with your finger in your nose? Staring slack jawed at some stupid YouTube video? Falling asleep at the screen and drooling all over yourself? All of these things could be considered embarrassing to some people. What are the chances that none of them are ever going to happen?

That’s why I suggest the second option: go manual. Perhaps that’s a poor choice of phrasing considering what my friend got caught doing, but the point still stands: you can override any software by altering the real world.

How?

Tape.

Opaque tape.

If you have a web cam that’s built into your laptop or computer, then simply put a piece of tape over the lens. If a clickjacker can figure out a way to get around that, then I say he deserves whatever footage he gets. He’s obviously either a genius or a magician.

If you have an external web cam for your computer, then unplug it when it’s not in use.

Until we develop a foolproof way to prevent clickjacking attacks from taking control of web cams, it is prudent to take matters into your own hands by going manual.

Who is responsible for clickjack attacks?

April 27, 2010

Clickjacking attacks are perpetrated by black hat security experts, hackers, cybercriminals, and kids who have more computer smarts than real world sense. Recently, though, I have been wondering how much responsibility should fall on web site owners when it comes to the negative effects of clickjacking.

If someone, for instance, used a clickjack attack on a WordPress blog, would you hold WordPress responsible?

I think that to some extent we have to say ‘yes.’ I’m not saying that the web site is fully responsible. After all, clients will always demand some level of access to their content that supersedes the server’s ability to monitor it for illicit content, malware, and clickjacking attacks.

Some sites, however, are extremely lax in their security protection measures. They basically don’t care what their clients post as long as they get paid on time for their server space. This is where I start to hold web site owners responsible for the content on their pages.

If a site tries to regulate its content, not in terms of censorship but in terms of security, then it’s understandable that a few things might slip through the cracks. Especially if they have a client who is particularly savvy and on the cutting edge of hacker tech. If a site doesn’t regulate at all, though, then it becomes a hot bed for hackers and clickjackers looking to find new victims.

Trust me, the hacker community is fairly tight. They share information with each other all the time. When one of them finds a host that doesn’t regulate for security at all, a huge number of them will know about it.

What’s the answer to this problem?

I don’t think that we can effectively regulate the internet. What kind of governing body, after all, would tell a host in Africa that it has to follow certain regulations? Even if such a body existed, how would it enforce those regulations?

The ultimate responsibility, therefore, falls to us. Instead of worrying about clickjacking sites, we should be compiling lists of hosts that allow such activity to take place. In other words, we behave like the cybercriminals by sharing our information with each other. A site that lists and advertises other web sites that commonly host malware, clickjack attacks, and other scams could educate internet users, basically telling them where the bad parts of town are. That way we can avoid them and anyone who uses them.

A personal clickjacking story

April 26, 2010

I’ve frequently wondered why some clickjackers bother making pages that will turn on a computer’s camera or microphone. I guess that it’s probably somewhat funny or exciting to spy on unsuspecting people. But I imagine that the experience would quickly become even less entertaining than Chatroulette. After all, most people are probably just sitting there staring at the screen as they read what they type.

A few days ago, though, I learned about something that hadn’t occurred to me before. This story came from a friend of mine who dropped by this Clickjacking page to see what I had been blogging about lately. What she said surprised me, but I guess it shouldn’t have. In my experience, if you can think of something horribly stupid and irresponsible, then someone on the internet is willing to do it.

A couple years ago, a friend of mine, we’ll call her Shelly, was sent a video attachment from an old boyfriend. Being wary of the ex, she read the email and deleted it. Apparently it went on about how she was a hot internet sensation and he wished that he had gotten some of the action back in the day.

More so than anything, it confused her. She quickly put it out of her mind.

Soon, though, she started getting emails from other people. Many of them people that she hung out with regularly and trusted. Something was obviously up. She opened the attachment and watched the video.

She was shocked to see a picture of herself in a, shall we say, rather compromising situation. To put it mildly, she was looking at internet porn and doing the thing that many people do while watching porn. At some point while masturbating, she had apparently used a site that had been clickjacked. It turned on her web cam and recorded everything.

Needless to say, this young woman was mortified. She wondered how many people had seen the video. What if there were people out there “using” her video? Even more disturbing was the disgusting thought of her parents seeing it.

Shelly had no way to track down the person who made the video. Many people didn’t even believe her when she told them that she hadn’t made it herself. What could she do? She suffered months of embarrassment. Every time she went to class or work, she knew that she was surrounded by people who had watched her in the middle of a very private moment.

There wasn’t much that Shelly could do. She stopped responding to emails about the video. Eventually they stopped coming in and the whole thing died down. Still, she knows that it is more than possible that she has been displayed on numerous pornographic web sites without her knowledge and that thousands of people have probably seen it.

With this thought in mind, web cam clickjacking attacks seem much scarier than before. After all, how many people out there can honestly say that it’s absolutely impossible for something similar to happen to them?

The ultimate clickjacking protection

April 26, 2010

Firefox and NoScript offer some protection from clickjacking attacks. You cannot, however, rely solely on these programs to protect you. Instead, you might have to make some behavioral changes on your own behalf. Some of these suggestions might seem a little paranoid, but they will add some extra protection for your computer and personal information.

1. Designate a web browser for sensitive surfing. You might, for instance, use IE8 for online banking. Close all other browsers and windows when you access your bank, or any other password-protected site that contains sensitive information.

2. Log out of sites when you are done using them. If you’re done paying your credit card bill, then log out before doing anything else online. If you’re done accessing your tax documents online, then log out. This will make it more difficult for clickjackers to gain access to sensitive information.

3. Make sure your Firefox and NoScript security settings offer the highest level of protection. This means restricting any sites that use iframes.

Doing these three things will give you a little more control over your personal information. It’s important for us to stop clickjackers at every step. The more successes they have, the more they will try to develop new techniques to take advantage of internet users.

It’s unlikely that clickjackers are going to go away completely. Not any time soon at least. But we can make it much harder for them and dissuade hobby criminals from devoting their time to clickjacking.

Don’t knock on IE too hard

April 23, 2010

Those of us who use computers a lot and know a fair bit about how they work often find ourselves avoiding Microsoft products. There are several reasons for choosing operating systems, browsers, and software made by other companies, but my recent research has led me to believe that low security standards are not something that we can really blame on Internet Explorer’s developers.

Is IE open to clickjacking attacks and malware more than browsers like Chrome and Firefox? Well, that largely depends on what type of attacks we are talking about. In general, though, I have to say that I have had more problems using IE than other browsers. The problems, however, don’t stem from low security standards. Instead, they are a result of Microsoft’s market dominance.

Cybercriminals know that most people use IE, so they focus on attacks that can infiltrate that browser’s security standards. Of course there are plenty of people who use Firefox and Google Chrome, but the vast majority use IE. Recognizing this and focusing their efforts on IE security allows cybercriminals to dupe more people into installing malware and clicking on objects hidden in invisible frames.

The truth is that Microsoft has done a lot to prevent clickjacking attacks in IE8. You can learn more about the innovative steps that they have taken at the IEBlog. You might notice that the security protocols developed by Microsoft in 2008 are the same measures being used by other developers now.
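The IE8 defense referred to above is the `X-Frame-Options` response header, which lets a site tell the browser not to render its pages inside another site's frame. As an added example (not code from the IEBlog or from this blog), the JavaScript below audits a response's headers for that protection and also covers the later `Content-Security-Policy` `frame-ancestors` directive; `auditFraming`, the sample header sets and the assumption of one policy per CSP header are constructed for illustration.

```javascript
// Added example: audit response headers for anti-framing protection.
// auditFraming() and the sample header sets are constructed for illustration.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify who may frame a response: 'none', 'same-origin', 'allow-list',
// 'unrestricted' (anyone may frame it) or 'invalid' (header present but unusable).
function auditFraming(rawHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }

  // Browsers that support frame-ancestors use it and ignore X-Frame-Options.
  const fa = frameAncestors(h['content-security-policy'] || '');
  if (fa !== null) {
    // An empty source list and 'none' both match no ancestor at all.
    if (fa.length === 0 || (fa.length === 1 && fa[0] === "'none'")) {
      return { policy: 'none', ok: true, via: 'frame-ancestors' };
    }
    if (fa.includes('*')) {
      return { policy: 'unrestricted', ok: false, via: 'frame-ancestors' };
    }
    if (fa.length === 1 && fa[0] === "'self'") {
      return { policy: 'same-origin', ok: true, via: 'frame-ancestors' };
    }
    return { policy: 'allow-list', ok: true, via: 'frame-ancestors' };
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    return { policy: 'unrestricted', ok: false, via: 'no header' };
  }
  switch (xfo.toUpperCase()) {
    case 'DENY':
      return { policy: 'none', ok: true, via: 'x-frame-options' };
    case 'SAMEORIGIN':
      return { policy: 'same-origin', ok: true, via: 'x-frame-options' };
    default:
      // ALLOW-FROM is obsolete and other values are not defined, so neither
      // is counted as protection.
      return { policy: 'invalid', ok: false, via: 'x-frame-options' };
  }
}

// Constructed sample responses.
const samples = {
  bank: { 'X-Frame-Options': 'DENY' },
  blog: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  legacy: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  open: { 'Content-Type': 'text/html' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, auditFraming(headers));
}
```

A response classified as `unrestricted` or `invalid` can be loaded in an invisible frame by any other site, which is the precondition for the hidden-button trick this blog describes.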

What does this mean for Microsoft? It means that they have a difficult fight ahead of them. Staying at the top of the industry means that more hackers will concentrate on their products. Which in turn means that Microsoft looks like it has poor security options to many internet users.

I guess it’s hard to be on top. I feel some sympathy for Microsoft. At the same time, I also agree with critics who have cited the company’s non-competitive tactics as a reason that IE is a prime target.

I’ll continue using non-Microsoft browsers for the foreseeable future to give myself increased protection. After spending a few days reading about Microsoft’s security issues, though, I won’t be so quick to blame them for clickjacking attacks and malware susceptibility.

NoScript or GuardedID?

April 21, 2010

Those of you who are looking for a good way to avoid clickjacking attacks may have run across GuardedID and NoScript. Both of these programs offer some protection against clickjack attacks, but you need to know which one to choose if you want to really protect yourself. Both pieces of software offer some advantages, so you can choose one that suits your concerns.

NoScript Protects Against Clickjacking

When it comes to clickjack protection, you have to go with NoScript because it is specifically designed to prevent JavaScript applications from running without your knowledge. This makes it difficult for most clickjackers to hijack your browser. My recommendation is to use NoScript with the most recent version of Firefox. This combination will offer the best protection against clickjacking attacks.

Does that mean you are completely protected?

Unfortunately, no, it does not. NoScript will make it nearly impossible for amateur hackers to hijack your browser, but those who are on the cutting edge of computer security can still find ways around NoScript’s defenses. As with most security concerns, the criminals keep moving forward, finding new ways to counter the protective measures that we take. NoScript’s programmers and other software developers around the world, however, continue to update their browser plug-ins so that they identify the latest clickjacking attempts. This is why it’s so important to use the latest version of your internet security programs and browsers.

GuardedID Offers Additional Protection

As far as protecting you from clickjacking attacks, I wouldn’t recommend using GuardedID as your only line of defense. Despite GuardedID’s much better looking website and an intimidating picture of Armand Assante, NoScript offers more clickjacking protection. GuardedID does offer some protection, but the software’s designers really created the program to stop keylogging. Anti-keylogger software is important because it can prevent criminals from stealing sensitive information such as your bank account number and email password. GuardedID is great at doing this. The clickjacking protection, however, is small in comparison to NoScript. Think of it as an added bonus. You wouldn’t rely on it, but it’s nice to have.

New Clickjacking Strategies

April 20, 2010

Those of you with a technical background might want to learn about four new clickjacking methods recently unveiled by Paul Stone of Context Information Security.

One of the newest methods discovered by Stone involves the typical drag-and-drop API, which can get people to enter text into unidentified spaces without even knowing that they have done so. This opens up a whole new door for clickjacking criminals who want to steal personal information and trick internet users into performing acts without their knowledge.

If you are technical minded, then you will benefit from checking out this download from Context Information Security. The software will let you play around with Stone’s latest discovery.

Of course, the intent of Stone’s release is not to encourage more people to use clickjacking techniques maliciously. As a computer security professional, it is up to him to discover vulnerabilities before black hat security experts even know that they could use certain aspects of the internet against users.

It is now up to web site and browser designers to find a way to prevent these clickjacking techniques from becoming the next new wave in attacking unsuspecting internet users.

The Confused Deputy

April 16, 2010

If you want to blame anyone for clickjacking attacks, then blame the confused deputy. This guy’s been sitting around letting cybercriminals hijack browsers all over the world simply because they say that they have the authority.

Who is this confused deputy? Well, like most things on the internet, he doesn’t really exist in a physical sense. The confused deputy problem is one way of describing why web browsers are susceptible to clickjacking attacks.

The problem is that web browsers are designed to give users the authority to implement certain commands. As an internet user you have the authority, for instance, to delete your emails or open a web page. You do these things by clicking on buttons. This simple method makes it really easy for pretty much anyone in the world, other than your grandparents for some insufferable reason, to access web pages, emails, and various servers. It’s this level of user authority that has made the internet so popular.

Now, let’s say that each time you request a command, that request is intercepted by a deputy. It could also be a cop or a department manager or whatever position of authority you are used to dealing with. Every time you tell the deputy, “hey, I’m going to open this page, ok?” the deputy basically says, “well, that seems like a perfectly reasonable command. Go right ahead!”

The confused deputy hears your instructions, but he doesn’t fully understand what you are telling him. Let’s say that you are playing a duck hunt game on a clickjacked page. Clickjacked pages are designed to hide buttons in certain places on the web page. You can’t see them, but they are there.

When you use your mouse to shoot a duck, you say to the deputy, “hey, I’m gonna shoot this thing with my mouse cursor!” And the deputy yells back, “Way to go! Nice shooting!”

Things change when you use your cursor to “shoot” a duck that is over an invisible link. Suddenly, you’re yelling “I’m gonna shoot this thing, ok?” but he hears “hey, I’m clicking on this link, ok?” This misunderstanding can cause all sorts of problems. When the deputy looks at the link that you’ve clicked, he assumes that you know what you’re doing, so he says “you want to click on this link that starts your web cam? You got it, good buddy!” Or he might yell back “install this software? Sure thing, pal!”

The problem, of course, is that the deputy never hears you and you never hear the deputy. The confused deputy problem is, therefore, really a miscommunication between the user and the computer. We could just as easily call it the Confused User Problem. Until we find a way of making the communication loud and clear, there is always the possibility that you will fall victim to a clickjack attack.

Can we get an answer about clickjack protection?

April 12, 2010

There are several things that you can do to avoid clickjacking attacks. As this blog has previously reported, you should use a web browser that will protect you from clickjacking and you should install NoScript to prevent unauthorized JavaScript from hijacking your browser.

Is there, however, a real consensus on how to eradicate the clickjacking problem?

Unfortunately, there are lots of answers, but computer security specialists haven’t completely found the foolproof option that will make clickjacking a thing of the past.

I’d been going back and forth with myself about how well security specialists are handling clickjack attacks. I’ve decided that by and large they are doing a really good job, but they have a lot of work ahead of them. This is because clickjacking, also known as UI redressing, uses an inherent characteristic of the internet to hijack browsers and cause various problems for web users.

I came to this conclusion about the amount of work ahead of us when I read this thread on whatwg.org’s 2008 September Archive. It’s full of complicated information and ideas about computer security that laymen don’t really need to understand. Here’s the gist of it: we have lots of ideas about addressing clickjacking security issues, ranging from software add-ons to web site responsibility, but we’re still searching for the right answer that solves every clickjacking problem.

True, this is a fairly old archive. A couple years means a lot in the world of online security. It is important, though, to recognize that while we have come a long way since 2008, we still have not eradicated clickjacking issues.

Eventually, I think that we will reach a solid confusion. In the meantime, watch where you click!