Archive for September 2011

IE Only Offers Some Clickjacking Protection

September 23, 2011

It’s a given that you want to keep yourself safe from clickjacking scams. They’ve been known to cause all kinds of trouble. Not only do they post potentially embarrassing information to your social networking profile, but they can install viruses on your computer that will steal personal information that lets hackers commit identity theft.

You’d expect all Internet browsers to take this threat pretty seriously. After all, who would want to use a browser that exposes you to such a threat?

Unfortunately, though, some browsers are better than others at protecting you from clickjacking threats.

IE 8, for instance, looks for a tag that website designers use to prevent content from loading in frames. By getting rid of the frames, you solve a large part of the clickjacking problem. IE 8, however, relies on the website, not the user. That’s not very helpful for most people. If individual users had the option to say “don’t use any frames,” then they could rely on near-universal protection. When you leave it up to website developers, though, you’ve only offered help for those that don’t need it. If a website chooses to use the no frames tag, then they’re obviously not trying to clickjack visitors. That leaves things wide open for clickjackers that create sites specifically to attract victims.

This is the kind of protection that could actually cause more harm than good.

If nothing else, Internet Explorer should alert users when they have reached a page that does not protect them. Then the user can decide whether he or she wants to proceed. It would also encourage more web designers to include the tags when they build new sites.


A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point. What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect them from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online. Even with all the security tools, it’s still up to you to make smart, informed decisions when you’re online.


Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that sites have the ability to impede these attacks. The fact of the matter is some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers that want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share information with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that prevents a site from loading frames from different sources. Unfortunately, it’s not always reliable. It’s especially easy for fairly advanced hacking techniques to trick Internet Explorer into loading the clickjacked link as asked.
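As an added example (not from the original post): a site can send the anti-framing response header that IE 8 checks, keep a framekiller as a fallback, and audit whether a given response blocks framing. The function names are illustrative, and the header is assumed to be X-Frame-Options, with CSP frame-ancestors as its later standardized form.

```javascript
// Added example; function names are illustrative, not a library API.

// Headers asking the browser not to render this page inside a frame.
// X-Frame-Options is the header IE 8 checks; frame-ancestors is the CSP form.
function antiFramingHeaders(policy = 'DENY') {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('policy must be DENY or SAMEORIGIN');
  }
  const ancestors = policy === 'DENY' ? "'none'" : "'self'";
  return {
    'X-Frame-Options': policy,
    'Content-Security-Policy': 'frame-ancestors ' + ancestors,
  };
}

// Framekiller fallback. The page ships hidden and is revealed only when it
// is the top-level window, so a framed page with scripts disabled stays blank.
function frameKiller(win) {
  if (win.top === win.self) {
    win.document.documentElement.style.display = 'block';
    return 'shown';
  }
  win.top.location = win.self.location.href; // try to leave the frame
  return 'framed';
}

// Constructed sample page embedding the framekiller.
const PAGE = '<style>html{display:none}</style><script>(' +
  frameKiller.toString() + ')(window)</script><h1>Account settings</h1>';

// Request handler usable with Node's http.createServer(handler).
function handler(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/html', ...antiFramingHeaders() });
  res.end(PAGE);
}

// Audit: do these response headers stop other sites from framing the page?
function blocksFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = (h['content-security-policy'] || '').toLowerCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    /(^|;)\s*frame-ancestors\s+('none'|'self')\s*(;|$)/.test(csp);
}
```

The header is enforced by the browser before any script runs, which is why it holds up where a JavaScript-only framekiller does not.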

Should websites have more responsibility when it comes to protecting visitors? That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on the problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.

How Many Facebook Videos Have Been Clickjacked?

September 10, 2011

If you’re on Facebook, then you have to know that some of the videos you see posted on the walls of friends are clickjacked. Clickjacked videos typically have invisible frames hovering over them, either over the whole video or just over the play button. When you push play on the video, you may or may not actually get to watch it. What you actually do is unleash a tactic called UI redressing. More than likely, clickjacked videos just repost themselves on your wall without your permission.

That’s kind of scary, especially considering that some of the clickjacked videos can steal personal information from your computer that allows hackers to steal your identity.

What’s even more scary is that research now shows that 15 percent of videos on Facebook are clickjackers. That’s right. 15 percent. That means that for every ten videos you see, more than one of them has been clickjacked. Click on ten random videos and you’re going to get clickjacked at least once.

Let’s face it, Facebook hasn’t done much to stop this kind of behavior. They pretty much let anyone post anything without discretion (unless it’s porn, I guess. They have a thing against porn).

Yet again, that means you need to protect yourself by avoiding shady videos. If you see a video that doesn’t look like your friend actually posted it, then don’t click it. If your uncle who’s totally into football posts a video about Lady Gaga, then you can feel pretty certain that it’s a clickjack. There’s just something not right with it, so stay away.

Man in Wheelchair Falls to Death LOL

September 8, 2011

Fans of the Darwin Awards might find it entertaining to read about the dumbest possible ways that people die, but there’s a big difference between shaking your head at a written account of someone’s death and watching a video of it.

Recently, the moral fiber of Facebook users was tested by a post that reads

Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
[LINK deleted]
This Video is really shocking. a man in a wheelchair is falling down the elevator shaft.

If you followed the link, then you found a fake Facebook page with what looked like an embedded video. Sorry, you’re not going to get to watch the gruesome video. In fact, such a video probably doesn’t even exist.

What you get, instead, is a clickjack. A lot of people have commented (and I kind of agree) that anyone who fell for this horrible scam got what they deserved.

If you use Firefox with the NoScript application, then you got a warning about the UI redressing attempt, as clickjacking is technically called. If you don’t use this security app, though, you were prompted to take an online survey. After taking the survey, you didn’t even get to watch the video. How lame is that?

Many clickjackers use online surveys to earn money. By tricking people into visiting survey websites, they know that a small number will actually answer the questions. For each person that fills out the survey, the clickjackers earn a small amount of money that quickly adds up.


Clickjacking Affects Businesses Too

September 4, 2011

If you use the Internet, then you should know something about clickjacking. Simply put, you should know that it makes your browser perform an action that you didn’t (intentionally) execute. That can cause various problems, such as posting information on your Facebook page, buying items on Amazon, or stealing your private information.

So, you know that there are some risks. If you’re smart, then you try to avoid suspicious videos and links. You might even use a widget or app that helps you detect potentially clickjacked sites.

But you’re just one person. Most of the time, you can protect yourself, but you know that things slip through every now and then. Chances are that you don’t even know when it happens. You just go about your day without knowing anything about it at all.

It’s a different story, though, when you are a business. Businesses have to worry about hundreds or thousands of employees clicking objects on the Internet. That means they are at a higher risk of contamination. It’s no wonder that so many businesses focus on security strategies that involve keeping a close eye on every employee.

You have to worry about things like identity theft. Businesses, however, have to worry about viruses stealing information from their clients. A business’s network often contains the credit card information and addresses of thousands of clients, not to mention the information that they use to confirm your identity when customers contact them.

This is a big concern for businesses, and that probably includes your employer. If your work doesn’t let you browse the Internet freely, there’s probably a good reason for that.