Archive for November 2010

Clickjacking becomes more widely known

November 30, 2010

Not only have dictionaries recently started vetting the word “clickjacking” to determine whether it is worthy of long term use, but the Oxford University Press has included it in their 2010 Word of the Year shortlist. You can read the entire list at the OUP UK website.

This annual list of words always gets a lot of media attention. That means more people are likely to become familiar with the word “clickjacking” over the next few weeks. Hopefully they will also learn what the word means and how to avoid becoming a victim.

Luckily, the OUP editors got the word’s definition spot on.

Knowing what a clickjack is, though, is not the same thing as knowing how to protect yourself from one. In fact, there isn’t always a great way to protect yourself from clickjacking, especially considering that Facebook and other social networking sites make it easy for hackers to spread these attacks through whole communities quickly. Sometimes you get hit by an attack before you even know it exists.

Internet security companies are working on solutions that will prevent clickjacking attacks, but it seems unlikely that Internet users will be completely safe any time in the near future. That’s because UI redressing, as clickjacking is known more formally, takes advantage of something built into the way the web works: any page can load another site’s page inside a frame, and it can make that frame transparent. Browsers have only just started letting sites opt out (the X-Frame-Options response header, which tells a browser not to display a page inside a frame, is now honored by current versions of the major browsers), and a site that does not send it is still fair game. Preventing every clickjacking attack would mean changing how every browser and every site handles frames. That seems a little unlikely.

In the meantime, use your head and keep an eye out for suspicious links. Antivirus software is still worth installing, but understand its limits here: it can catch malware that a clickjacked page tries to download onto your computer, but it cannot tell that the click you just made on a “play” button actually landed on a hidden Like or share button.

“Clickjacking” enters popular lexicon

November 29, 2010

Traditionally, dictionaries have been slow to pick up on the newest words in a language. Given the costs associated with research, printing, and marketing, it’s no wonder that dictionary publishers want to make sure a word has real merit. Otherwise, they would end up printing a lot of words that belong in the Urban Dictionary, not the OED. Slang would cost the industry lots of money, so editors pay close attention to which words have real impact on the language.

That’s why it’s a relatively big deal that the word “clickjacking” is getting included in recent dictionaries. This means that the word has entered the popular lexicon. A significant number of English speakers now know and use the word regularly. The word was coined only in 2008 (by Jeremiah Grossman and Robert Hansen), and until recently it was used predominantly by internet security nerds. Now it belongs to us all.

That’s both good and bad news. It’s good because it means that more people are learning about the dangers of clickjacking. Ignorance is a serious danger to people surfing the web. If you don’t know what to look out for, you are far more likely to fall right into a clickjacking trap.

The bad news is that common use probably means that clickjacking is affecting more people. That doesn’t necessarily mean that the threat of clickjacking is higher than it was a few years ago, though. It could simply mean that there are more people using social networking sites like Facebook and Myspace. The actual percentage of people affected could still be the same even though the number of victims is much higher.

HTML5 could pose bigger security threat

November 23, 2010

HTML5 promises to give Internet users a better experience that includes highly interactive sites. According to Lavakumar Kuppan, though, very few people are talking about the negative aspects of HTML5 that could pose bigger Internet security threats than HTML4 does today.

This has special importance to Internet security specialists working to prevent clickjack attacks. With the current edition of HTML, a script that keeps running in a page blocks that page, and within seconds the browser puts up its unresponsive-script warning, so the user notices. With HTML5, a script can be handed to a Web Worker and run in the background indefinitely without ever triggering that warning. As long as a browser tab stays pointed at the hacker’s URL, that script keeps running in the user’s browser (with the privileges of a web page, which is less than control of the whole computer but enough to send requests and keep a clickjacking overlay alive). This gives clickjackers a reason to open blank-looking windows or tabs that contain hidden elements. It is a rather savvy approach to clickjacking: it uses the web’s faults against users and also targets human behavior.

Most people don’t pay a lot of attention to blank tabs or windows when they open on their screens. They focus on the window they are using, not the ones that sit in the background, seemingly doing nothing. With the current HTML edition, a background tab that ran script for long would give itself away. With HTML5, though, that browser tab could be doing all kinds of things without your knowledge.

At the moment, it is impossible to know which other features will give hackers the chance to make the Internet a more dangerous place, but some of the key threats include

  • using your browser, for as long as the tab stays open, to send spam or flood a server with requests. This takes up a lot of your Internet connection, resulting in slower speeds.
  • viruses that steal personal information and allow hackers to commit identity theft.

Top Five Internet Security Misconceptions

November 19, 2010

Just a couple of days ago, Kindsight, a company that focuses on issues such as identity theft, published a blog post explaining the top five internet security misconceptions that they have found amongst casual internet users. One of those misconceptions is that “Facebook is safe enough; no need to worry.”

Apparently, those people don’t read this blog, or the countless others discussing security issues spread through social networking sites.

To a large extent, Facebook itself is fairly safe. But it is used to push people towards compromised content. This is most often accomplished with clickjacking attacks. When hackers make clickjacking attacks, they often publicize the sites by posting the URLs on Facebook, Myspace, and other popular social networking sites. They usually include a statement that will entice the average user into following the link. Popular topics focus on busty girls and Justin Bieber, although I’m pretty sure that there is a connection there.

When users follow the tempting link, they are taken to a page that has invisible elements laid over what they can see. Click on the page and the click lands on the hidden element instead: a Like or share button that spreads the link to your friends, a form’s submit button, or a link that starts a download of something malicious that can infect your computer.

Facebook’s safety was listed as the number five misconception. The others are:

  1. Internet users are safe from identity theft as long as they don’t shop online
  2. Anti-virus protection means internet users are safe
  3. Using secure websites means that you will never encounter security problems
  4. Hacked websites are easy to identify and avoid

Unfortunately, none of these statements are true. You can read the entire article, and view video clips, at the Kindsight Blog.

The not-so Happy Meal

November 12, 2010

One of the most recent and popular clickjacking attacks going around Facebook preys on the concerns of parents. The clickjack is spread through a message reading “OMG… Look What This 6 YEAR OLD found in Her HAPPY MEAL from McDonalds! on CLICK HERE TO SEE.”

Following the link takes you to a video, or what appears to be a video. When you click on the play button, though, you never learn what the 6-year-old found in her Happy Meal. Instead, you get clickjacked.

As with most likejacks (clickjack attacks spread through invisible Facebook Like buttons), this one immediately posts itself to your wall, which tells all of your friends that they should follow the link to see what the young girl found in her Happy Meal.

These clickjacks spread like viruses. One person gets it, then passes the link on to his or her community, who pass it on and on and on.

The most problematic clickjacks tend to be those that bait our human curiosity, fear, or lust. In this case, the link goes straight for fear, although some people are certain to follow it out of pure curiosity.

So far, clickjacks haven’t caused any serious problems. They’re annoying and they represent a serious security threat, but they have not been used to steal personal information yet. At least, not as far as anyone knows. It’s quite possible that a clickjack attack could work so well that you would never even know it happened, which makes it difficult to determine how threatening these attacks really are.

Detailed information about clickjacking for laymen

November 4, 2010

I don’t usually share detailed and technical information about clickjacking because I want to provide helpful advice to internet users rather than experts. The experts, after all, should know about the latest clickjacking techniques. If they don’t, then they’re not very good at their jobs.

There is, however, one resource that I feel is worth sharing. It’s called the Open Web Application Security Project, or OWASP.

OWASP’s clickjacking page provides enough information that even laymen can understand it. Plus, it’s written in plain, no-nonsense language that explains concepts succinctly without disappearing into computer jargon. Some jargon is, of course, impossible to avoid; otherwise you run into the complicated problem of what to call things that already have jargony names.

Some of the topics covered on the page include

  • Techniques used to defend web sites and their users from clickjacking attacks
  • Types of clickjacking attacks and how they work
  • The limitations of clickjacking attacks
  • The limitations of the browser features and antivirus programs that are supposed to prevent clickjacking attacks
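As an added example (this is not code from the blog, from OWASP, or from Facebook), here is the attack described in the Happy Meal post above and two of the defenses the OWASP page covers, in one self-contained JavaScript file that runs under Node without a browser. The first function builds the kind of decoy page a likejack uses: the real button is loaded in an iframe that is transparent and stacked above a visible “play” button. The second takes a site’s own response headers and reports whether a browser would let a page from another origin frame it, using X-Frame-Options and the later Content-Security-Policy frame-ancestors directive (which takes precedence when both are sent). The third returns the hide-by-default frame-busting snippet for pages that cannot rely on headers. Every URL, origin and header value is a constructed placeholder, and the CSP matching is exact-origin only; wildcard sources are not handled.

```javascript
// Added example, not code from the blog, OWASP or Facebook. Runs under Node;
// nothing here touches a real browser. Every URL, origin and header value is a
// constructed placeholder.

// 1. Attacker side: the decoy page of a likejack. The target (the real button,
//    loaded from targetUrl) sits in an iframe that is fully transparent
//    (opacity:0) and stacked above the visible decoy button (z-index:2), so a
//    click aimed at the decoy is delivered to the hidden button instead.
function buildLikejackPage(targetUrl, decoyLabel) {
  return [
    '<!doctype html>',
    '<html><head><style>',
    '  #decoy  { position:absolute; top:120px; left:200px; width:90px;  height:30px; }',
    '  #target { position:absolute; top:112px; left:190px; width:110px; height:45px;',
    '            opacity:0; z-index:2; border:0; }',
    '</style></head><body>',
    '<button id="decoy">' + decoyLabel + '</button>',
    '<iframe id="target" src="' + targetUrl + '" scrolling="no"></iframe>',
    '</body></html>',
  ].join('\n');
}

// 2. Defender side: given a page's response headers, would a browser let a
//    document from framerOrigin frame it? Content-Security-Policy
//    frame-ancestors is checked first because the CSP spec says it obsoletes
//    X-Frame-Options when both are sent. Source matching is exact-origin only
//    (wildcards and bare hosts are not handled in this example).
function allowsFraming(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = headers[name];

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('self') && framerOrigin === pageOrigin) return true;
      return sources.includes(framerOrigin.toLowerCase());
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  if (xfo.startsWith('ALLOW-FROM ')) {
    return xfo.slice('ALLOW-FROM '.length).trim() === framerOrigin.toUpperCase();
  }
  // No header, or a value the browser does not recognise: the page can be
  // framed by anyone, and only frame-busting script in the page can object.
  return true;
}

// 3. In-page fallback for pages that cannot rely on headers: hide the body by
//    default and reveal it only when the page is the top-level window. The
//    older one-liner "if (top != self) top.location = self.location" can be
//    defeated by a framing page that blocks the navigation; with this form a
//    blocked navigation still leaves the page blank, so there is nothing to
//    click.
function frameBustingScript() {
  return [
    '<style id="antiCJ">body { display:none !important; }</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiCJ");',
    '    s.parentNode.removeChild(s);',
    '  } else {',
    '    top.location = self.location;',
    '  }',
    '</script>',
  ].join('\n');
}

// Constructed sample: the target sends only X-Frame-Options: SAMEORIGIN.
const sampleHeaders = { 'X-Frame-Options': 'SAMEORIGIN' };
console.log('evil.example can frame target.example:',
  allowsFraming(sampleHeaders, 'https://target.example', 'https://evil.example'));  // false
```

The check is deliberately generous in the no-header case: a page that sends neither header can be framed by anyone, and a frame-busting script is then its only defense, which is exactly the limitation the OWASP page spends time on.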

If you are even slightly interested in how clickjacking has become such a problem for internet users, then I suggest looking over this page. It’s fairly short, so you won’t have to spend a lot of time there. After you have read the information, I think that you’ll have a better understanding of the challenges that internet security specialists face when they deal with clickjacking. It might also help you choose preventative measures in the future that can really protect you from the most recent clickjacking strategies.

Consider it a primer for clickjacking.