Archive for September 2010

The ultimate clickjack protection on Facebook

September 30, 2010

If you want to be safe from clickjacking on Facebook, then it’s going to take more than good antivirus protection that can recognize iframes. It’s also going to take more than smarts. The safest way to avoid clickjacking attacks is to stick to one simple rule: don’t click on links that aren’t personally related to you.

This advice comes from a blogger at PCMAG.com who really hits the proverbial nail on the head. The truth of the matter is that a lot of people use Facebook as a form of entertainment. But it’s a communication tool that allows information to flow both ways, not a television that only sends messages to the audience. When you follow a link to check out the latest LOL cat, you set yourself up as a victim of clickjacking. That doesn’t mean that every LOL cat is a clickjack. It means that you can keep yourself significantly safer by avoiding links and pictures that aren’t personal to you.

So, what qualifies as personal?

First, let’s cover what DOESN’T count:

  • The video titled “hottest celebrities ever” doesn’t count, even though it was shared by your best friend
  • Links to non-Facebook web pages don’t count, even if your minister posted them on his wall
  • A picture of an LOL cat fighting a vacuum doesn’t count, even though your mother sent you the link.

Ok, so what DOES count as personal?

  • Pictures posted by your friends on Facebook that contain images of people you know
  • Links to your friend’s blog that is hosted on his or her own site
  • Video of last Christmas posted by your uncle on his own Facebook page or blog.

These things are relatively safe because they don’t try to lure in large groups of curious people. They are meant for you, so use them. Things that aren’t meant for you, though, should be avoided. Those things aren’t the reason that we want to use Facebook in the first place.

Let me clue you in

September 28, 2010

Let me clue you in on something.

There’s no guarantee that you’re going to avoid clickjacking attacks… unless you never ever click on a link. Just avoid the whole internet. That should keep you safe.

Even if you are using Firefox or some other security-enhanced Web browser in conjunction with NoScript, you could still fall victim to a clickjacking plot. You can only protect yourself to a certain extent. Even if you keep your wits about you, there’s a good chance that you’re going to get clickjacked at some point. All it takes is one mistake, and hackers are very good at encouraging you to make mistakes long before you realize what you have done.

So, you’re at least somewhat screwed here.

That’s why it’s important to use third-party software to make sure that your computer doesn’t have any malware installed on it. In fact, if you really want to play it safe, then you’ll install two pieces of antivirus software and you’ll run them both daily.

Does that sound like a lot? I spend a large chunk of my day online because of work. That means I probably have a larger chance of running into clickjacks and malware than you, unless, of course, you’re a bigger dork than I am. At the same time, knowing a lot about computer security means that I should be able to protect myself from exposure. Even with my level of expertise, though, I frequently find that some piece of malware has slipped through my defenses. I certainly don’t find security risks every time I run my antivirus protection. But I find something fishy at least once a week.

If I’m vulnerable to these attacks, then just imagine your own risk.

Girl kills herself over Facebook comment

September 27, 2010

A couple of years ago, a Facebook scam was going around the internet claiming that a young woman had committed suicide shortly after her father posted a comment to her Facebook wall. The implication was that she killed herself because of the comment. Thankfully, this never actually happened. It was just a hoax that wanted to turn into an urban legend.

Now it seems that this hoax has returned with an added twist: it’s been clickjacked.

The apocryphal story will tempt just about anyone to follow its link. Everyone wants to know what kind of comment could have such a powerful effect on a young woman. We want to know about her pain and her father’s pain. The story could unfold in so many ways. But you never actually get to the story, at least not a true story. Instead, you find yourself confronted with a test that asks you to click the numbers one, two, and three in order. This is supposed to prove that you’re a human instead of a bot that’s trying to spread spam.

Of course, the numbers are clickjacked. When you click on them, you spread the story through your Facebook page. This technique has become recognized as a specific type of clickjacking called a likejack. It gets its name from Facebook’s “like” button, which hackers frequently use to spread spam.

When you click the numbers, you post the story to your own wall, where your friends will see it, become curious, and follow the link themselves. This perpetuates the hoax. Luckily, there doesn’t seem to be any malware attached to this attack. It does, however, open the door to lots of spam.
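To show what the likejack layout described above actually looks like to software, here is an added example (not code from the original post) of a simplified detection heuristic: it flags an iframe you cannot see that is stacked on top of a button you can see. This is the kind of pattern that “antivirus protection that can recognize iframes” and NoScript-style protections look for. The element descriptors, the sample page and the `example.invalid` URLs are constructed for the example so it runs without a browser; in a real page you would build the same descriptors from `getComputedStyle` and `getBoundingClientRect`.

```javascript
// Axis-aligned rectangle overlap test on {x, y, w, h} boxes.
function rectsOverlap(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// An element the user effectively cannot see but which still receives clicks.
function isEffectivelyInvisible(el) {
  return el.opacity < 0.1;
}

// Returns one finding per (invisible iframe, visible clickable decoy) pair
// where the iframe is drawn above the decoy and overlaps it.
function findClickjackOverlays(elements) {
  const findings = [];
  for (const frame of elements) {
    if (frame.tag !== 'iframe' || !isEffectivelyInvisible(frame)) continue;
    for (const decoy of elements) {
      if (decoy === frame || decoy.tag === 'iframe') continue;
      if (!decoy.clickable || isEffectivelyInvisible(decoy)) continue;
      if (frame.zIndex > decoy.zIndex && rectsOverlap(frame.rect, decoy.rect)) {
        findings.push({ frameSrc: frame.src, decoy: decoy.id });
      }
    }
  }
  return findings;
}

// Constructed sample page: a "click 1, 2, 3" decoy with a transparent iframe
// laid over all three buttons, plus harmless elements that must not be flagged.
const SAMPLE_PAGE = [
  { tag: 'button', id: 'btn1', clickable: true, opacity: 1, zIndex: 0, rect: { x: 100, y: 200, w: 40, h: 30 } },
  { tag: 'button', id: 'btn2', clickable: true, opacity: 1, zIndex: 0, rect: { x: 150, y: 200, w: 40, h: 30 } },
  { tag: 'button', id: 'btn3', clickable: true, opacity: 1, zIndex: 0, rect: { x: 200, y: 200, w: 40, h: 30 } },
  // Decorative image under the buttons: not clickable, so not a decoy.
  { tag: 'img', id: 'bg', clickable: false, opacity: 1, zIndex: -1, rect: { x: 0, y: 0, w: 800, h: 600 } },
  // The hidden frame (hypothetical URL) positioned over the three buttons.
  { tag: 'iframe', id: 'f1', src: 'https://example.invalid/like', opacity: 0, zIndex: 10, rect: { x: 90, y: 190, w: 170, h: 50 } },
  // A normal, visible embedded video frame elsewhere on the page.
  { tag: 'iframe', id: 'f2', src: 'https://example.invalid/video', opacity: 1, zIndex: 0, rect: { x: 400, y: 400, w: 300, h: 200 } },
  // A transparent 1x1 tracking frame that sits on top of nothing clickable.
  { tag: 'iframe', id: 'f3', src: 'https://example.invalid/pixel', opacity: 0, zIndex: 10, rect: { x: 0, y: 0, w: 1, h: 1 } },
];

console.log(findClickjackOverlays(SAMPLE_PAGE));
```

Only the transparent frame over the three buttons is reported; the visible video frame and the tracking pixel are left alone, which is the distinction that keeps a check like this from screaming at every embedded widget.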

Can I get clickjacked on Facebook?

September 20, 2010

Facebook gets a lot of scrutiny for spreading clickjacking attacks. To be fair, though, any other social networking site with FB’s level of success would receive similar criticism.

Internet security experts get asked a lot of questions that aren’t easy to answer. Perhaps the most common is “can I get clickjacked on Facebook?” I’ll try to answer this question as plainly as possible without delving into a lot of industry jargon and what-ifs.

In a word: Maybe.

I know, that’s not very helpful.

Here’s the thing: Facebook has actually been pretty good about stopping clickjacking attacks before they spread too far. The reality is that you’re 95 percent safe as long as you never stray from Facebook. The other side of that reality is that you’re going to click on links that take you away from FB’s domain.

Myspace tried to solve this problem by forcing members to acknowledge that they were leaving the site whenever they tried to follow an external link. Facebook hasn’t really gone in this direction, which is good and bad. It’s easy to understand why Facebook doesn’t want to use this strategy. The warning is annoying. After a while, it becomes completely ineffective because users stop paying attention to it. The warning simply becomes a button that you have to click to move forward.

This leaves all FB members open to attack, but only when they follow clickjacked links. I’m not aware of any clickjack attacks that were implemented from Facebook itself. Whenever you follow a link, though, you never know where you’re headed.

Facebook has a good security team, but they could do a little more to educate their users about the nature of clickjacks. Even though the Myspace warning page was annoying, it offered information that users need to stay safe. Unfortunately, doing so could encourage members to use other social networking sites that won’t nag them.

All networking sites, therefore, have a tough choice to make between improved security and a growing base of frequent users. From a business perspective, you have to choose more members. That’s unlikely to change unless people start leaving FB for social networking sites that they perceive as safer alternatives.

Automated stupidity

September 13, 2010

Since creating this blog, I’ve come to understand the need for tests that ensure internet users are humans rather than bots.

I pay close attention to internet security, but I’ve never really considered the importance of these tests when it comes to simple pages such as this blog. When you’re buying items from a website, it makes sense to test the person. Whenever I encounter them elsewhere, though, I tend to think “well, isn’t that a bit paranoid.”

Well, I’m not right all the time.

Some hackers are simply ingenious. They really know how to make programs work for them. The problem for hackers, though, is that the programs often reveal their stupidity. Never mind that the programs post ridiculous comments on blogs. The important part is including a link that leads to a clickjacked site.

For several months now, I’ve been replying to comments that didn’t make much sense. “My god,” I would think, “some of these people sure are stupid.”

There was definitely one stupid human in the interaction. But that dummy was me.

Those comments were coming from bots programmed, essentially, to spread spam through blogs. What will they think of next? I’d be impressed if it weren’t so annoying. Even then, I’m still slightly impressed. Only slightly, though, because the automated stupidity becomes obvious almost immediately.

So I just removed a bunch of comments saying ridiculously off-topic things like the overly enthusiastic (and totally contrary to the substance of the post) “where can I get that FREE IPHONE!” or the overly ambiguous “I’m with you check out my site…”

I might be the dummy, but at least I don’t sound as stupid as the robots.

Spreading distrust throughout the virtual land

September 7, 2010

How pervasive are clickjacks on Facebook?

You probably hear about people who have fallen for stupid clickjacking attacks. Certainly you would never fall for them though. Don’t be so certain.

Clickjacking that occurs on social networking sites intentionally takes advantage of the trust we give our friends. You assume that your best friends are intelligent people who would never fall for a ridiculous scheme. The problem is that everyone thinks this. Yet there are still lots of successful clickjacking attacks.

Obviously, we need to rethink our idea of trust when it comes to socializing on the internet.

We extend trust to online friends just as we do in real life. Say, for instance, you’re out at a club and you ask a friend to watch your drink while you go to the restroom. Hopefully you can trust that person to make sure that no one takes your drink, or slips something into it.

Imagine, however, if your friend put that same trust in another person, who put that trust in someone else, and so on and so on.

Eventually, one of those people is going to fail big time. They might mean to, or they might not. It’s hard to say. The end result, however, is that you come back from the restroom only to find that everyone in the club has been drugged with roofies. They can’t make wise decisions, and they can’t seem to keep their mouths shut about how awesome the drinks are.

This is essentially the scenario that we see at social networking sites. It’s a bunch of people who may or may not have control over themselves telling you that you absolutely have to follow their advice. Whether you decide to drink the punch isn’t just your decision, though. Once you’ve imbibed, you’re going to turn around and do the exact same thing to your friends.

A complete lack of control: that’s the reality of clickjacking and that’s why you have to remain distrustful of everything you encounter on Myspace, Facebook, and other networking sites.