Archive for April 2011

Have No Fear: Adobe is Here!

April 27, 2011

Just last weekend, I’m sitting at my parents’ house enjoying Easter lunch when my dad asks me if I knew that viruses could turn on my webcam.

I resisted the temptation to roll my eyes. Hey, dad, I’ve been working in Internet security for about a decade now, so you’re probably not going to stump me just because you got your AOL account up and running last year.

The truth is that there isn’t much to fear when it comes to clickjacking (or “viruses,” if you want to use my dad’s terminology) and webcams. We’ve known about Adobe’s vulnerability for some time now, and the company has made it pretty easy for you to avoid clickjacking attacks that could turn on your webcam or microphone.

The latest version of Adobe isn’t susceptible to these attacks. If you haven’t updated your Adobe software recently, then go do it right now before you give some dirtbag the opportunity to eavesdrop on you. If, for some reason, you’re extremely reluctant to download the latest Adobe software, then you can tighten your program’s security parameters. Assuming that you’re not using software from the 90s, you’ll probably solve the problem this way.

This prevents the immediate problem, but doesn’t mean that you’re safe from clickjacking. Clickjacking attacks, after all, come in a wide range of flavors. None of them taste good.

Keep your system safe by avoiding suspicious links. Plus, you should really have some reliable antivirus protection for your computer. In fact, use two antivirus programs. That should stop pretty much anything from getting through. Even though it won’t completely stop clickjacks, it will almost certainly protect your computer from the harmful side effects that could result from clickjacked websites.


Sophos Makes Some Suggestions

April 27, 2011

Sophos, one of the top Internet security firms in the world, has worked with Facebook in the past to make their site safer for users. Facebook, of course, doesn’t always use their suggestions, which might be why Sophos has published an open letter to Facebook on the Naked Security blog.

In the letter, Sophos outlines three suggestions that would make Facebook safer for everyone.

1. Make Privacy the Automatic Default

Facebook users have the option to set their profiles to private, but it’s not the default setting. This offers some benefits to Facebook as a business. Making the profiles more available allows advertisers to target their markets more effectively. The current default, however, also has a negative effect that puts users at risk. Making privacy the default would help eliminate that risk.

2. Vet All App Developers

If you know how to make a simple computer program, then you could make an App for Facebook. Facebook doesn’t really control the content of apps. If there are complaints about one, then they’ll look into the matter, but they don’t make developers submit to any vetting process. That’s dangerous for users, especially those that assume Facebook is taking care of them by scrutinizing the apps.

3. HTTPS Only

Currently, some Facebook pages use HTTP and others use HTTPS. The added -s can mean a lot, especially for those accessing Facebook through unsecured wireless routers. HTTPS sites encrypt information sent by the user. That makes it harder for someone else to steal information. It doesn’t make it impossible, but it does provide an extra layer of protection that would deter most small-time hackers from taking information.

Does Facebook have a responsibility to enact these and other security measures to protect its users? Or should users take more responsibility by learning how to keep themselves safe while logged in to Facebook and similar sites?

Clickjackers Target Smart Phones

April 20, 2011

In Japan, most people access the Internet through their smart phones instead of sitting down at a desk to use a computer. Over the past several years, other countries have seen similar trends that point toward the future: computers are getting smaller and more portable. Soon, smart phones (or similar devices) will be the easiest way to access the Internet.

Clickjackers know that this will change the way that they find their victims, and they’ve already made numerous attempts to alter their strategies to focus on mobile device users.

Over the past year, the number of clickjacking attacks has tripled. Now, many of those attacks focus on techniques that target mobile device users. Unfortunately, not many people understand how serious this threat is, so they fail to take the necessary precautions that will protect them from malware.

The big problem with clickjacking attacks that target smart phones is that they can access information stored on the devices. We have become so reliant on our mobile phones that few of us remember many phone numbers. You might even store much more than just contact information on your phone. You could have credit card information, passwords, and other private info as well.

Clickjacking attacks could target that information, giving hackers access to the data that they need to steal your identity or make fraudulent purchases in your name. They could also steal your contacts to spread clickjacking attacks to everyone on your phone.

The possibilities are frighteningly endless. Unfortunately, it’s unclear how people can best protect themselves when using smart phones. For now, stay vigilant and critical of everything that you see online. And make sure that you check all of your devices for hidden viruses that might steal your information.

Facebook clickjacking moves to comments

April 14, 2011

If you’re a security-conscious person who pays attention to the latest online threats, then you almost certainly know about the dangers of clickjacking. You probably also know some of the most common ways to avoid clickjacking attacks. For instance, when you log on to Facebook, you don’t follow inflammatory links that promise pop culture oddities such as Jessica Alba naked or Justin Bieber yelling at a young fan. Instead, you bypass those links because you know they are exactly the types of headlines that clickjackers use to attract victims.

Unfortunately, your careful activities might not make you as safe as you think.

That’s because clickjackers have evolved. Once they recognized that many Internet users had gotten wise to their plots, they switched up the game to find new victims. One of the latest strategies involves placing clickjacks in photo comments.

Here’s an example scenario:

You just uploaded pictures from your vacation when you see that a friend has commented on one of your photos. You look at it only to find a message reading something like “great pic, check out mine!” You feel safe because the comment has come from a trusted friend. When you follow the link, though, you unleash a clickjacking attack that could infect your computer.

How do you protect yourself from these new attacks? It’s not entirely clear yet. There are, however, a couple of things that you can do to reduce the likelihood that you’ll become a victim. If you see a comment that seems out of character for your friend, then don’t follow any of his or her links. Contact that friend to find out whether she actually posted the link. Instead of using Facebook, you should use that person’s actual email address. That way, you can avoid the possibility that someone else has gained access to your friend’s Facebook account and will simply reply to your query.

Mundolike Clickjack – Me No Like

April 8, 2011

Beware of a new clickjacking attack spreading through Facebook. This one spreads like so many other clickjacks: through user wall posts. This particular attack is recognizable by the post “Usted debe ver esta película!” along with a lewd picture meant to convince you to follow the link. When you follow the link, it directs you to a page that contains a video. There’s nothing sexy about it, though. When you click play, you get a video of a prank that involves throwing mannequin heads at unsuspecting people. It’s not even funny.

What else do you get?

Our old friend the clickjack. The video’s play button covers a Facebook “like” button. When you press play, you spread the clickjack through your Facebook wall by unintentionally posting the link.

This clickjack could trick you even if you sign out of Facebook before visiting the mundolike page. If you have signed out, then the page will redirect you to the standard Facebook login page. When you sign in, it automatically posts the clickjack to your wall.

So much for trying to outsmart this clickjack.

It doesn’t seem that anything truly malicious happens when you fall for this scam. It just makes a fool out of you by using your wall to spread to other people. Some clickjack attacks, however, steal passwords and other private information. You can’t be too careful. If you have fallen victim to this clickjack attack, then remove it from your wall and change your password to make sure your account is safe.



Clickjacking on the rise

April 1, 2011

G Data Security Labs recently released a report showing that the number of clickjacking attacks used online has increased over the past year.

This shouldn’t come as any surprise. As more and more people join social networking sites and purchase smart phones, hackers will continue to focus on clickjacking as a way to spread viruses and cause general disarray for no reason other than having some geeky fun.

According to G Data Security Labs, Trojan.JS.Clickjack.A will be one of the most troublesome forms of clickjacking in 2011. This specific type of clickjacking does not rely on a single object. Instead, it combines an invisible iframe with a JavaScript app that allows the clickjacked object to follow the cursor. This makes it more difficult for Internet users to determine which pages have been clickjacked. Currently, many people have become savvy enough to avoid Facebook like buttons and the play buttons on embedded video players. These are two of the most common objects used in clickjacking attacks. With Trojan.JS.Clickjack.A, though, there is no indication that the page might contain malware. No matter where you click on the page, you will activate the clickjack.
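Every variant described above, from the covered like button to the cursor-following iframe, depends on the browser agreeing to render the target site inside someone else’s page. The defence belongs to the framed site, which can tell browsers to refuse that. As an added example (not code from the original post or from G Data’s report), this Node.js function audits a response’s headers for that protection; the header names are the real X-Frame-Options and Content-Security-Policy headers, and the sample header sets are constructed for the demonstration.

```javascript
// Classify how well a set of HTTP response headers protects a page against
// being loaded in a hidden iframe. Returns 'deny' (no framing at all),
// 'restricted' (only same-origin or listed origins) or 'none'.

function parseFrameAncestors(csp) {
  // CSP is a ';'-separated list of directives; find frame-ancestors if set.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingProtection(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Browsers that understand frame-ancestors let it override X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources && sources.length > 0) {
      if (sources.length === 1 && sources[0] === 'none') return 'deny';
      if (sources.includes('*')) return 'none'; // any site may frame the page
      return 'restricted'; // 'self' and/or an explicit list of origins
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return 'deny';
    if (value === 'SAMEORIGIN') return 'restricted';
    if (value.startsWith('ALLOW-FROM')) return 'restricted'; // obsolete; not honoured everywhere
    return 'none'; // an unrecognised value is ignored by browsers
  }
  return 'none'; // no header at all: the page can be framed by anyone
}

// Constructed sample responses for a quick run: `node audit.js`
const samples = {
  'legacy site with no headers': {},
  'site using X-Frame-Options': { 'X-Frame-Options': 'SAMEORIGIN' },
  'site using CSP': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(`${label}: ${framingProtection(headers)}`);
}
```

A 'none' result is the condition every attack on this page relies on; 'deny' is what a site with no legitimate embedding use case should return.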

So far, clickjacking has been relatively benign. It’s most commonly used to artificially boost website rankings.

There is, however, the potential to use these attacks to spread viruses. That’s one of the biggest concerns facing Internet security professionals because it would make it much more difficult to educate users about potential dangers. You can’t just tell people not to click on their screen at all. That would defeat the whole purpose of using the Internet.