Archive for December 2010

Clickjacking Threat Expected to Continue

December 29, 2010

Threatpost, a blog that helps internet security professionals spot problematic trends early in their development, has released its top 5 security concerns for 2011. As someone that works in the areas of social engineered malware, I found that the “mobile anarchy” section of the Treatpost’s blog was most interesting.

Threatpost expects that online threats such as clickjacking, phishing, and drive by downloads will continue to plague mobile device users. In fact, the number of users affected by these hacker strategies is likely to increase as more people begin using smartphones that give them easy internet access.

I think that this is right on the money. Currently, there are some decent clickjacking protections available to smartphone users, but none of them are strong enough to compete with the deluge of misinformation and compromised links that people encounter on web sites like Facebook and Twitter. As more people start using mobile devices with internet access, it’s hard to imagine that the problem won’t continue to grow. Will clickjacking and drive by downloads eventually become so problematic that they have a negative effect on the smartphone service industry? That’s hard to determine. I think that it would have to get pretty bad before people will become willing to lose their precious gadgets.

On the other hand, this might be the best way to encourage companies to develop anti-clickjacking technology. If consumers made a bold statement by saying that they will not use operating systems and browsers that compromise their security, then I bet we would find some of the brightest minds getting to work on the problem.

Internet Explorer 8 Tops Security List

December 28, 2010

NSS Labs has released a surprising report showing that Internet Explorer 8 blocks social engineered malware (malware that tricks people into performing tasks or allowing functions unknowingly). According to their report, IE 8 offered more protection than Firefox 3.6. Safari 5, Chrome 6, or Opera 10.

Ask pretty much any computer nerd and he (or she) is going to tell you that there is something bogus about this survey. No one in the know would consider using Internet Explorer.

What the report could reveal, though, is that IE 8 works better than previously thought. The reason that computer nerds go for Firefox and less popular internet browsers could have something to do with their specific needs. In general, hackers are not using clickjacks, phishing, and other types of social engineered malware to attack people who know  a lot about computers. They want to target people who, quite frankly, don’t know what’s going on and are very naive. They are easy targets.

While it is commonly held that Firefox offers better protection than Internet Explorer, it could be that IE actually offers better protection for the average user. Firefox users typically install additional applications that customize their experiences. Installing additional security makes Firefox safer, but average people who don’t know much about internet security technology probably don’t know how to maximize that protection. For these people, IE works well right “out of the box.” They don’t have to worry about setting up anything extra. They just open the program and start surfing the web.

In bare bones versions, IE might beat its competitors. Thinking that you are really safe by using the basic IE 8, however, could lead you to fall for clickjacks and phishing schemes that you can only prevent by knowing how to spot them.

Gingerbread Sentry

December 22, 2010

For many of us, the holidays have already started. Others just have a few days left before they get into full celebration mode.

This winter holiday season, don’t forget that it’s also a popular time of the year for cybercriminals to intensify their efforts. Clickjacking has become one of the most problematic techniques. Some mobile device users, however, now have a chance to block the latest clickjack attacks.

Bring in the Gingerbread Sentry.

Well, actually it’s just called Gingerbread. Its an updated version of Google’s Android operating system that promises to protect users from clickjacking attacks. But I like to think of a couple gingerbread men standing guard, possibly with candy cane spears in hand.

The updated version offers enhanced protection by preventing invisible frames from displaying on top of a web site’s visible elements. That means you should be able to tell exactly what you are clicking on when you use your recently updated Android phone. Older operating systems can’t tell the difference between visible and invisible elements. They will display visible objects underneath invisible frames, which makes it easy for cybercriminals to trick you into making purchases and downloading files without your knowledge.

At this point, it seems that Gingerbread works pretty well. Of course, it’s hard to tell how effective it really is since it’s only been out for a short period. It will take a few months for Internet security specialists to determine whether Gingerbread can actually stop all clickjacking attacks or just certain kinds.

By then, it’s possible that cybercriminals will have moved on to something else.

Don’t get clickjacked on your mobile phone

December 14, 2010

With the holiday season upon us, many people anticipate that they will get slick, new smartphones that let them access the internet on the go. Mobile phones have really come a long way in the past few years. Just think, little more than 15 years ago people walked around with huge cell phones that could barely make phone calls. Today, we download movies and watch them from our mobile devices.

The advances in technology are pretty awesome, but they come with a few security threats. New smartphone owners are at the greatest risk of falling for clickjacking schemes. The combination of excitement and ignorance sets them up as victims.

Android phones have taken a step forward with touch filtering technology that will help prevent clickjack attacks. In the long run, though, we all know that hackers are just going to figure out a way to circumvent Android’s security. Within a few months, we’ll be right back where we are now. The most naive of us will continue clicking on every links that promises risque videos or unbelievable (i.e., untrue) facts.

There are a few things that you can do to protect yourself.

  • Always check the URL of a link before you click on it. If the link does not display its destination, then avoid it. Likewise if it seems suspicious.
  • Keep your operating system updated to take advantage of the latest security apps.
  • Avoid links that offer free gift cards, even if an annoying voice tells you that you’re today’s big winner. No, especially if it tells you that you’re the big winner.

Cheryl Crow gets clickjacked

December 13, 2010

Fans of Cherly Crow, the British pop star and judge of The X-Factor, should watch out for a Facebook post that promises to, um, expose the young singe: the post contains a clickjacked link that will “like” the post and share it with friends.

As far as convincing clickjacks go, this one’s pretty bad. The hackers have taken a picture of Crow getting out of a  car and superimposed a big censored sign, suggesting that she was pulling a “Britney,” as it were, and posted it on a fake BBC web page. Yes, BBC, as in British Broadcasting Corporation, which doesn’t tend to focus a whole lot of celebrity genitalia.

The fake page isn’t very convincing, but it doesn’t need  to be. The damage is done as soon as  you follow the link. Anyone who has clicked on this post can look at their recent activities, where they will find that they liked the post without ever having clicked a like button. This has happened because the hackers used a clickjacking technique to hide an invisible frame that contains a Facebook like button. Even though you never knew that you clicked it, Facebook doesn’t  see the difference.

Hackers have found that this is a convenient way to spread links quickly. The very nature of social networking sites like Facebook means that clickjacked links can spread to thousands of people within a few short hours.

You can protect yourself by only following links that you trust. If you are uncertain of a source’s legitimacy, then do a little research before following the link.

New Android OS May Help Prevent Clickjacks

December 9, 2010

Clickjacking poses a problem for smartphones as well as laptop and desktop computers. In fact, some people worry more about clickjacking attempts directed at phones than computers. That’s because people store so much information about themselves, their friends, relatives, and colleagues on their phones. Even those who just use the phone’s most basic functions will have hundreds of numbers programmed into their devices. This gives clickjackers access to information that they could use to steal identities and perform other illegal tasks.

The latest update for Android users, however, promises to prevent clickjacking attacks.

Google is calling the Android version 2.3 “Gingerbread,” perhaps because it’s being released during the holiday season. The update offers lots of advantages over the previous version, FroYo. Internet security specialists, however, will pay the most attention to operating system’s clickjack blocking capabilities.

Gingerbread essentially blocks clickjacking attempts with touch filtering technology. Smart phones use touchscreens that give clickjackers lots of opportunities to truck people into activating scripts without ever knowing it. Gingerbread, however, prevents users from activating windows that are obscured by or are obscuring other winders. This should significantly reduce the risk of encountering a clickjacked link.

The improvements, of course, completely depend on whether they actually work. This sounds like a good idea that could help Android users avoid clickjacks. It is not, however, the first time that such tools have been used before. NoScript, for instance, identifies clickjacked links and highlights them in red, altering the user that something funny is going on. Unfortunately, hackers are much smarter than that. It didn’t take long before they found ways around NoScript.

Since Gingerbread is new, we will just have to wait before knowing how effective it is.