Archive for July 2011

Clickjack Takes Advantage of Tragedy in Oslo

July 23, 2011

If you are the lowest of the low, then you spend your time thinking of ways to make money off of the suffering of other people. The way that you manage to earn your disgusting living depends on what type of skills you have. If you are a great motivator or actor, then you might make money by setting up a fake charity that supposedly benefits the families of victims in the recent Oslo tragedy (in case you don’t know, some wingnut shot a whole bunch of people. It was an instance of terrorism that many people didn’t see coming because of the ridiculous blinders that they wear. The shooter wasn’t Muslim. He was a white Christian. It took journalists more than a day to recognize that they were wrong about the man’s religion and ethnicity, but I digress in a serious way…)

If you have a bit of tech experience, then you create clickjacked links to exploit the memories of those killed in Oslo. Perhaps you start a Facebook post that asks for donations to your fake charity, or maybe you hijack a link so that it directs caring people to some stupid survey site that has agreed to pay you money whenever you send someone their way. Or, better yet, maybe you promise video of the shooting, and when people follow the link, they buy items from an online retailer without ever agreeing to such a purchase.

All of these things have happened. If you were behind them, then I hope you never enjoy a single cent that you made from the pain of these people. You’re a cheat. You don’t even have the intelligence to con someone. You just have the rote ability to make an annoying link that benefits you and only you.

So Much for Self-Enforcement

July 17, 2011

We live in a world of ideals. Unfortunately, you won’t find many of those ideals in the real world.

Case in point: the ideal that businesses have the ability to recognize their own problems and enforce proper security measures on their own to make sure that their customers are protected.

It seems like we’ve heard this argument before. Politicians saying that businesses don’t need the EPA overseeing changes; companies telling their stockholders that they can enforce policies better than any government organization.

And then what do we get when we believe them? We get stuff like Enron and BP spills.

In a much smaller way, this trust in business to do the right thing can also lead to vulnerabilities in computer software. Every software developer will say that it has created programs that will allow you to work more efficiently without compromising your security. But are these promises true? Or are the developers making promises about subjects they know very little about?

Recently, Microsoft decided to do a little of its own investigating into the security features of software and apps created by other companies. What they found should not surprise you.

  • Facebook has a vulnerability to clickjacked links
  • Picasa has a vulnerability that can allow hackers to take control of certain features in the program, allowing them to publish and change pictures

Hey, not exactly millions of gallons of oil covering the sea, but still something that Internet users must pay attention to on a daily basis.

That we have to rely on Microsoft to unveil these problems is particularly concerning. Google (which owns Picasa) and Facebook should be more forthcoming. We all know that nothing is perfect. We just want to know what risk we face.

Windows Continues to Improve Security Features And Miss Several Customer Service Needs

July 13, 2011

Windows updates… I’ll admit that I hate them. They always seem to come at the least convenient times and they seem to take forever. As someone unlucky enough to have Windows 7 on my personal laptop, I also understand the great frustration of regular updates that don’t ever seem to click with the operating system. You spend five minutes waiting to download the update and then you wait so long for the update to configure itself that you say “screw it” and take your chances with a manual boot.

Yes, I understand the frustration.

On the other hand, I must admit that Windows has done a really good job of creating updates that address issues that affect today’s users most. Just this week, they published an update that corrected a Bluetooth radio vulnerability. Previous updates have done wonders for security issues such as worms, clickjacking, phishing, malvertisements, and many of the other problems that plague today’s most active Internet users.

In other words, Microsoft knows what problems exist out there in cyberspace, and they want to find solutions to those problems.

That’s terrific. I applaud them. I wish that more software developers would do the same.

No matter how much I respect their commitment to improved security performance, though, I can’t get over how slow and annoying the updates are. And the configurations!!! Just forget it. An update that doesn’t configure properly on the first try isn’t going to work because half of your customers are going to bypass the update and feel a sense of dread every time they see another update icon at the bottom of their screens.

Worms Take Clickjacking to a New Level on Twitter

July 1, 2011

I’ve never been a big fan of Twitter. I could never get beyond that tiny character limit. I just ramble too much, so it doesn’t work for me.

That aside, I think it’s a cool service and I understand why so many people use it.

What disappoints me, though, is how many people seem to think that it is a completely safe community that allows them to follow links with impunity. As if the people on Twitter (which, if recent polls are correct, is everyone in the world but me and a handful of people in China) were all good-natured and never thought about how they might use this increasingly popular service to screw a bunch of people over.

Yeah, I hate to bust your bubble, but popular places in the virtual world are just like popular places in the real world: they attract criminals.

A group of researchers say that they have created a worm virus for Twitter that kind of acts like a clickjacking attack on steroids… AND crack. If that sounds like an overstatement, then check this quote from Lance James, one of the researchers at Secure Science, who said:

“You can couple an attack with our code and it would just tear the crap out of Twitter”

Just lovely. Kind of makes you wonder why these researchers spend their time making computer viruses that could tear the crap out of anything. It’s like those biologists who intentionally make viruses that don’t exist yet.

What’s the point?

The point is defense. If security experts can stay ahead of clickjackers, then they have a much better chance of stopping nefarious technologies as soon as they are released. Still, it’s kind of a frightening thought.