Archive for June 2010

No Commitment

June 29, 2010

Earlier this month, Informational Sites Collective started a blog named ClickJacking.org. At first, I thought that this was going to develop into a good site where people could go to learn more about the latest clickjacking attempts. Turns out, though, that they were just trying to grab a bit of attention from the likejack craze that swept through Facebook.

They haven’t posted a single blog entry since their very first on June 1.

As I search the internet for more information about internet security, I find the lack of information somewhat surprising. There are all kinds of sites like ClickJacking.org. They start off with promise, but they fizzle out quickly. This one is particularly sad. I hope they didn’t spend much on the domain name.

I want my website to become a place where people can learn everything that they need to know about clickjacking. That includes how hackers use the technique, what you can do to prevent it, and how much damage it can really do.

I suspect that one of the reasons there are so few hits on Google that provide good information about clickjacking is that internet pages get ranked and noticed by aiming at a popular audience. The site that throws out a few keywords and keeps the technical jargon to a minimum will, therefore, often beat the serious site that provides reliable info.

I’d like this site to become a combination of those things: a place where laymen can find good information about clickjacking that is easy for them to understand.

Please always feel free to post your questions in the comments section of this blog. Or send me an email if you’d rather not go public.

As always, thanks for reading!


Video Explanation of Facebook Likejacks

June 28, 2010

If you still don’t have a clear understanding of Facebook likejacks, then check out this YouTube video. The video is very obviously a Guarded ID advertisement. I’ve stated before that Guarded ID is one of the best ways to prevent clickjacking, so it’s no surprise that I find this video useful. On the other hand, I’ve also stated that there are ways around Guarded ID and pretty much every other clickjack protection that developers have come up with so far. It’s the constant push-pull of security and clickjacking.

What’s useful about this particular video is that it gives visual reference to how Fb likejacking works. People ask me all the time about these attacks, and I explain it as well as possible. When it comes to talking about things like “invisible iFrames,” though, visual tutorials tend to work best for laymen.

I hope that this helps you understand how the latest clickjacking attacks operate. Knowing about them is the first step towards protecting yourself and your computer. If you want, then check out Guarded ID to learn more about what the plug in can do for you. It can’t stop every single clickjack attack on the internet, but it is one of the best tools currently available.

How You Got Clickjacked

June 24, 2010

Clickjacks can do all kinds of things to your computer. One of the most recent attacks, likejacking, uses your Facebook account to spread through social networks.

Likejacking uses an invisible frame that puts a Fb “like” button underneath a link, graphic, video, or other object on a website. When you click that object, you actually click the “like” button sitting on top of it. More often than not, you don’t even know that this has happened because it works quietly in the background. You only recognize the likejack when you visit your Facebook wall or a friend asks why you’re spreading stupid links.

Since Facebook allows members to share information with large numbers of people, likejacks tend to spread quickly. You might, for instance, click on a link that promises “the ten sexiest women in the world.” Clicking that link, however, does not show you pictures of beautiful women. Instead, it instructs your Facebook profile to “like” the link. All of your friends see it. Some of them will fall for the trick and follow your like. Hey, who can blame them? They just wanted to see some pretty ladies.

That’s how you got clickjacked. The specific type of object that unleashes the attack can vary significantly. It doesn’t always have to do with sex or naked celebrities. These are just common themes. These likejack attacks focus on carnal human interests, so they usually offer sex, money, humor. Basically the types of things that the internet is so good at providing.

Avoiding Future Likejacks

Here’s the problem: you never really know what is a legitimate link and what is a likejack. The latest browsers, such as Chrome 2 and IE 8, make it harder for hackers to use this technique, but the protection only works if the webmaster sends a header that tells the browser not to load the page inside a frame. The problem is that someone can clickjack a link on a page they control themselves, which they will never protect. That way they sidestep the security measure. If you are logged into Facebook when you click the jacked link, then you just got likejacked.

So, how do you avoid likejacking? You are your own best weapon.

Keep your wits about you as you surf the web. Think of the internet as a neighborhood. There are certain streets and alleys that you don’t want to walk down. Be mindful of where you go, and recognize that there are people out there who want to use you for their own nefarious purposes.

Pay attention and use a recent browser. That’s the best advice I can give anyone who wants to avoid clickjacks.

Free 4G iPhone! Suuuuuure.

June 23, 2010

Facebook hoaxes often promise big rewards for doing next to nothing. Here’s a particularly obvious scam that I recently found:

OH MY GOSH! I know I shouldn’t talk about this here in facebook, but I thought I
would message you from my new APPLE IPHONE 4G that I just got for free.
Don’t tell anyone but there is a website sending out free iPhone 4G to
anyone that signs up, http://www.giveaway-madness.com That is where I got mine btw
follow these steps exactly to get one for yourself, go http://www.giveaway-madness.com enter you email,
enter your shipping address and wait 3-5 business days to receive your it in the mail!
it works!!

Here’s how you know that this is crap.

First off, no one is going to give you a free iPhone just for doing this. What’s the incentive? How would anyone make money off this? What would they promote? They don’t seem to get a lot in return.

Second, the message itself sounds moronic. The writer claims that he or she shouldn’t be posting this on Facebook. Why? If a website really were giving away free iPhones as some sort of promotion, then they would want people to post their link on Fb.

Third, I have a hard time believing that this was written by someone who has a firm grasp of English. Perhaps I expect too much from fellow native speakers, but this is rubbish. The last sentence alone screams “I learned just enough English to scam you.”

My recommendation: avoid, reject, criticize.

X-FRAME Denied

June 23, 2010

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by sending the “X-FRAME-OPTIONS: DENY” response header, which tells the browser not to load the page inside a frame, so it cannot be hidden in an invisible frame. This sounds like a great step forward, but does it really help that much?

Sending the header is pretty much the best thing that a website can do to protect internet users from clickjack attacks, but it certainly does not protect everyone. The header only works with browsers that recognize it, which means the latest versions. If you’re using IE 8, Chrome 2, or Safari 4, then you’re probably in good shape. If you’re using an older version of these web browsers, then you are still susceptible to clickjack attacks. Currently, the latest edition of Firefox does not even acknowledge the header. Firefox does plan to improve security by recognizing it in future versions. Plus, Firefox has the optional NoScript plug-in that can help prevent clickjacks.

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacks. The point is that it’s dangerous for them to make claims that aren’t true for many visitors. Sending the “X-FRAME-OPTIONS: DENY” header does qualify as improved security, but putting it at the center of your security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox and older browsers. Many of them think that they are protected from clickjacking, but the truth is that they are victims in waiting.
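To make the header’s behaviour concrete, here is a small added example (my own code, not anything from Facebook, Twitter, or the browsers mentioned) that classifies a response’s X-Frame-Options header the way a browser that honours it would, including the cases where the header is missing, misspelled, or sent twice with different values. The sample responses are constructed for illustration, and the check_host function is only a convenience for looking at a real site.

```python
"""Check how an HTTP response's X-Frame-Options header governs framing.

Added example for this post, not code from the original site.  The sample
responses below are constructed, not captured from Facebook or Twitter.
The header only protects the page that sends it, and only in browsers that
honour it (IE 8, Chrome 2 and Safari 4 at the time of the post).
"""
import http.client

# Constructed sample responses: (description, list of (header, value) pairs).
SAMPLE_RESPONSES = [
    ("set to DENY", [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]),
    ("lower-case sameorigin", [("x-frame-options", " sameorigin ")]),
    ("no header at all", [("Content-Type", "text/html")]),
    ("unrecognised value", [("X-Frame-Options", "ALLOWALL")]),
    ("conflicting headers", [("X-Frame-Options", "DENY"),
                             ("X-Frame-Options", "SAMEORIGIN")]),
]


def frame_policy(headers):
    """Return 'deny', 'sameorigin', 'none' or 'invalid' for a header list.

    Header names match case-insensitively and values are normalised, as a
    browser does.  A missing header, an unrecognised value, or several
    headers with different values give the browser nothing usable, so they
    are reported as 'none' or 'invalid' rather than counted as protection.
    """
    values = {v.strip().lower() for name, v in headers
              if name.lower() == "x-frame-options"}
    if not values:
        return "none"
    if len(values) > 1:
        return "invalid"
    value = values.pop()
    return value if value in ("deny", "sameorigin") else "invalid"


def framing_blocked(headers):
    """True when a browser that supports the header will refuse to show the
    page inside a frame on another site (the invisible-frame overlay case)."""
    return frame_policy(headers) in ("deny", "sameorigin")


def check_host(host, path="/"):
    """Fetch the response headers for one host over HTTPS and classify them."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"User-Agent": "xfo-check/1.0"})
    return frame_policy(conn.getresponse().getheaders())


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES:
        print(f"{label:22} -> {frame_policy(hdrs)} (blocked={framing_blocked(hdrs)})")
```

A result of "deny" or "sameorigin" still says nothing about visitors on Firefox or older browsers, which is exactly the gap the post describes.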

Is Facebook to Blame for Like-Jacks?

June 22, 2010

The recent influx of like-jacking attacks has led many people to blame Facebook for poor security. The criticisms, in fact, started before like-jacking even became a problem. That’s because computer geeks knew that Facebook’s like button could be put to nefarious purposes. Still, Facebook went ahead and released the application.

For the most part, Facebook’s like button serves a good purpose. It lets friends communicate with a single click. Instead of actually commenting on a photo, post, or link, Fb members can simply like it. Realistically, that’s all that many people want to do. They don’t have anything to say about their friends’ posts. They just want to point out that they think it’s cool.

It took a while for likejacking to become a problem. Quite frankly, it’s surprising that it took months rather than days. The programming behind a like-jack attack isn’t difficult. Hackers have been clickjacking web pages for years now, and there isn’t much of a difference between the two techniques.

Even more surprising is that so far the like-jacks haven’t caused any significant problems. More often than not, they just propagate themselves. As far as anyone can tell, they haven’t been used to install any viruses or worms that can cause serious damage.

While critics point out that this is all a matter of luck and that sooner or later someone will use like-jacks on Facebook to release a serious attack, I think that it’s somewhat inevitable that hackers will focus their attentions on Facebook. After all, Fb is currently the most popular social networking site. This popularity means more members, which means more hackers. No matter what Facebook does, someone will find a way to use it against people.

Still, Facebook’s customer service is notoriously terrible. They don’t respond to queries and don’t seem to take customer complaints very seriously. Plus, they’re much too secretive for their own good, causing many members to lose faith in the overall benevolence of the company. A more open line of communication between Facebook and its members would help us understand what the company is doing to prevent like-jack attacks and other security issues. As long as Facebook remains popular, it will attract hackers who are smart enough to get around the latest security measures. If Facebook is to be blamed for anything, it’s keeping us in the dark, not allowing click-jacks.

Stop Liking, Stop Likejacking

June 21, 2010

If you want a surefire way to prevent likejacking from ruining your Facebook experience, then you should consider turning off Fb’s platform applications.

This will prevent annoying clickjack links from showing up on your wall, but it will also prevent liking of all kind. If you don’t feel that the like button is an important part of Facebook, then go ahead and disable it.

You can disable Facebook Platform by going to privacy settings > applications and web sites > edit your settings.

Disabling the Facebook Platform has other advantages as well. For instance, it can prevent Facebook’s annoying data harvesting and instant personalization apps. You don’t really need those features to use Facebook, so turning them off isn’t really a big deal.

Some people, however, will not want to disable the like button. I can understand that. The like button is a useful tool because it allows you to communicate with friends quickly and shows other people where the most popular comments and links are. Using the button wisely, however, isn’t always easy, especially since we’re talking about a social networking site with millions of users who don’t know anything about internet or network security.

Pay attention to the links that you follow on Facebook. Avoid those that seem suspicious.

If you have kids in the house who use your computer, then you might want to consider disabling the like button. Few children have the ability to differentiate between suspicious and legit links.