Archive for January 2011

Opera Improves Security

January 28, 2011

Even the best web browsers have their vulnerabilities.

Opera, for instance, has garnered a lot of attention over the past few years as a reliable browser that allows users to surf the Internet safely and quickly. Just because Opera is one of the best options doesn’t mean that it offers every possible protection.

That’s what VUPEN (a security analysis company in France) discovered. When studying Opera, they found several security flaws, including one that made it easy for clickjackers to target the browser. VUPEN released a warning that included several risks. In addition to the clickjacking problem, they also found that Opera had vulnerabilities that could allow hackers to access private files on user computers and that the browser retained passwords longer than users wanted.

Opera has fixed these problems in its latest edition: 11.01.

The changes should help Opera users keep their computers safe from outside attacks. Clickjacking has become a major concern for security specialists because online social networks make it easy for cybercriminals to spread links to clickjacked pages. Although most clickjacking performs minor security infractions, there is serious potential for infecting computers with spyware that can steal private information such as bank account numbers and passwords.

One of the biggest concerns is that few Internet users recognize that they have become victims of clickjacking attacks. These attacks often take place silently without alerting the user. This makes it possible for the clickjacked pages to do damage without calling attention to themselves.

Opera has made a significant upgrade with its latest edition. Although it’s not 100 percent safe from clickjacking attacks, neither are other browsers. It does, however, offer a higher level of security than previous versions that will help protect users.

Clickjacking Problems Worsen

January 26, 2011

You can always count on Sophos to give you the bad news. They’ve come through with solid research before, and it looks like they’ve just released another report showing that the Internet is in a bad way, at least when it comes to security.

According to surveys conducted by Sophos, 40 percent of people using social networking sites like Facebook and Twitter have been exposed to some sort of malware. 40 percent probably sounds pretty high to you. It’ll sound even more outrageous when you realize that the number of people is actually 90 percent higher than the number of people affected by malware in 2009.

Why the huge jump?

A lot of it has to do with the increased popularity of social networking sites. A couple years ago, Twitter was just starting to become popular. You’d hear some real geeky friends talking about it, but your parents sure weren’t getting tweets at all hours.

Hackers have also upped their game to take advantage of flaws in the Internet and, dare I say it, human nature. Clickjacking, for instance, barely even existed a few years ago. Those who knew about it were mostly the same people trying to protect Internet users from it. Today, hackers have figured out how to create some rather ingenious clickjack attacks that can turn on your camera, purchase items without your explicit permission, and even install malware to your computer.

And human nature… that’s a problem not easily solved. Hackers have used everything from celebrity gossip to sex tapes to convince people to visit their websites. Once you click on that site, you’ve been jacked.

My Total Facebook Profile Views

January 25, 2011

Social networks are about popularity and connections, so it’s no wonder that people on Facebook are curious to know how many people have viewed their profiles. Facebook, however, has consistently prevented users from seeing how many people (and, more specifically, which people) have looked at their profiles.

While preventing users from accessing this information keeps online activity a bit more private, it also creates a vacuum that cybercriminals are eager to fill.

One of the latest clickjacking attacks that cybercriminals use focuses on giving Facebook members access to information that they have never been able to see before. Unfortunately, the hackers don’t really have applications that can provide accurate information.

The My Total Facebook Views scam promises to tell Fb members how many people have looked at their profile pages. By doing so, it preys upon human curiosity and the desire to see where one fits into the social hierarchy.

When you follow a link to the app (typically named either Pro Check or ProfileSpy), you’re prompted to take an online survey. After taking the survey, you’re given a number that supposedly represents how many people have accessed your profile. In reality, it’s just a random number without any basis in reality.

In addition to tricking you into taking online surveys for nothing in return, the app uses a clickjacking attack to spread itself to your friends. The clickjack posts information on your wall that encourages friends to take the survey and find out how many people have looked at their profiles.

That’s how it perpetuates itself and makes plenty of money for cybercriminals. As long as you stay informed, though, you don’t have to fall victim to this clickjacking scam.

BBB Expects More Online Scams

January 18, 2011

According to a report in The Vancouver Sun, the Better Business Bureau plans to keep a close eye on Internet scams throughout the upcoming year. The organization has become increasingly worried about scams that target online users. Now that social media has become even more pervasive, the BBB expects that more cybercriminals will try to use their scams to take advantage of those who are new to social networking sites and the Internet in general.

Social networking sites include Facebook and Twitter. Any network that allows members to connect and share information with each other, however, has the potential for abuse.

Some of the most problematic scams found online these days include:

  • Not-so-free trial offers
  • Clickjack attacks
  • Work-from-home scams
  • Overpayment scams
  • Phishing hoaxes
  • Investment scams

All of these techniques have been used on the Internet before. There’s nothing new about phishing and investment scams. In fact, frauds have used similar strategies long before the Internet even existed.

Despite the pervasiveness of clickjacking, Trojan viruses, and other scams, many Internet users do not know how to protect themselves. Many believe that they are safe from online attacks as long as they avoid downloading files. The truth, however, is that some of today’s most problematic attacks come through the Internet without requiring the user’s permission. Clickjacking attacks, for instance, trick the user with invisible frames. Worms don’t even require that much participation. Simply accessing a website makes you vulnerable.

Using reliable antivirus software can help protect you from these online attacks, but you also need to pay attention to your activities. Avoid questionable sites and scrutinize every file that you download.

Clickjacking Demo for Digg

January 12, 2011

If you don’t fully understand how clickjacking works, then you certainly are not alone. Clickjacking actually isn’t that hard for people with Web development experience to implement. Laymen, however, have no need to know what terms such as “UI redressing” and “iframe” mean.

There are plenty of clickjacking demonstrations online that will show you the fundamentals of how clickjacking works. The demo below focuses on a clickjacked page that diggs an article. You’ll notice that the invisible frame follows the mouse cursor on the screen. That’s a dynamic way for cybercriminals to trick Internet users. No matter what you do on that page, you will initiate a cross-site clickjack.

Obviously, no one would fall for this example. It’s intended as a demonstration, not a real example of clickjacking attacks. It is easy to see, however, how easily someone could turn this example into a real clickjacking attack that would draw in thousands and thousands of hits.

It’s also easy to see that clickjacking has applications outside of Digg. You could create clickjacked pages that do just about anything. Some of them purchase items on Amazon.com. Others release scripts that spy on your activities. This is particularly dangerous because hackers can use the information that you send over the Internet to steal your identity or commit credit card fraud. Something as simple as falling for a little trick like this on a website could have long lasting implications that ruin your credit and siphon money away from your bank accounts.

Here’s the demo video that will help you understand how this basic attack works:

 

MediaWiki Gets a Security Boost

January 7, 2011

MediaWiki has received an upgrade that tackles some serious security flaws in earlier releases. One of the most problematic aspects of the original MediaWiki was that it offered no protection against clickjacking. This made it possible for hackers to use JavaScript and CSS to gain access to user accounts. Technically, it was an XSS (cross-site scripting) problem. Anyone with MediaWiki open would compromise their accounts when they visited sites that had been designed to gain access. Just because the person wasn’t currently using MediaWiki didn’t mean that they were safe. Having it open at all was problematic.

The newly updated version should solve this problem, making it safer for users to browse the Internet while keeping MediaWiki open.

The update also fixes a host of other problems associated with earlier releases. It addresses some programming issues and errors in addition to security concerns. This should make it much easier for people to use.

For those not familiar, MediaWiki is software that was originally designed for Wikipedia. Today it is used by a wide range of Wiki sites. The software makes it easy for users to update content and share information with each other. Essentially, it could turn any web page into something as functional as Wikipedia by allowing users to revise content and discuss issues surrounding posts on wiki pages.

Internet users should recognize that, although the update fixes many problems, it does not offer a foolproof protection from clickjacking. Clickjacking takes advantage of security flaws that are inherent to the very structure of the Internet. The update, however, does offer protection from some of the most commonly found attacks.
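
The posts above describe clickjacking as an invisible frame laid over a page; a site's standard countermeasure is a response header that tells the browser who may frame it (`Content-Security-Policy: frame-ancestors`, or the older `X-Frame-Options`). The following is an added example, not code from this blog or from MediaWiki, that classifies that policy from a response's headers; the function name `framingPolicy` and the sample header sets are constructed for illustration, and a single CSP policy per response is assumed.

```javascript
// Added example: classify who may frame a page, based on its response headers.
// Assumption: header names are passed in lower case, one CSP policy per response.
function framingPolicy(headers) {
  // An enforced CSP frame-ancestors directive takes precedence over X-Frame-Options.
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map(s => s.toLowerCase());
    if (sources.every(s => s === "'none'")) return { framable: 'nobody', via: 'csp' };
    if (sources.some(s => ['*', 'http:', 'https:'].includes(s)))
      return { framable: 'anyone', via: 'csp' };
    if (sources.every(s => s === "'self'")) return { framable: 'same-origin', via: 'csp' };
    return { framable: 'allow-list', via: 'csp' };
  }
  // Legacy header: only DENY and SAMEORIGIN are honoured by current browsers.
  const xfo = (headers['x-frame-options'] || '')
    .split(',').map(v => v.trim().toLowerCase()).filter(Boolean);
  const distinct = [...new Set(xfo)];
  // Several different values is a misconfiguration worth flagging on its own.
  if (distinct.length > 1) return { framable: 'ambiguous', via: 'x-frame-options' };
  if (distinct[0] === 'deny') return { framable: 'nobody', via: 'x-frame-options' };
  if (distinct[0] === 'sameorigin') return { framable: 'same-origin', via: 'x-frame-options' };
  // Missing header, obsolete ALLOW-FROM, a typo, or a report-only CSP:
  // nothing stops another site from loading this page in an invisible frame.
  return { framable: 'anyone', via: 'none' };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  modern: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-frame-options': 'SAMEORIGIN',
  },
  reportOnly: { 'content-security-policy-report-only': "frame-ancestors 'none'" },
  obsolete: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  conflicting: { 'x-frame-options': 'DENY, SAMEORIGIN' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingPolicy(headers));
}
```

Any result of `anyone` or `ambiguous` marks a page that still needs a framing policy before it can be considered protected against the attacks described in these posts.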