Posts tagged ‘internet’

Clickjacking Affects Businesses Too

September 4, 2011

If you use the Internet, then you should know something about clickjacking. Simply put, you should know that it makes your browser perform an action that you didn’t (intentionally) execute. That can cause various problems, such as posting information on your Facebook page, buying items on Amazon, or stealing your private information.

So, you know that there are some risks. If you’re smart, then you try to avoid suspicious videos and links. You might even use a widget or app that helps you detect potentially clickjacked sites.

But you’re just one person. Most of the time, you can protect yourself, but you know that things slip through every now and then. Chances are that you don’t even know when it happens. You just go about your day without knowing anything about it at all.

It’s a different story, though, when you are a business. Businesses have to worry about hundreds or thousands of employees clicking objects on the Internet. That means they are at a higher risk of contamination. It’s no wonder that so many businesses focus on security strategies that involve keeping a close eye on every employee.

You have to worry about things like identity theft. Businesses, however, have to worry about viruses stealing information from their clients. A business’s network often contains the credit card information and addresses of thousands of clients, not to mention the information that they use to confirm a customer’s identity when that customer contacts them.

This is a big concern for businesses, and that probably includes your employer. If your work doesn’t let you browse the Internet freely, there’s probably a good reason for that.

 

Windows Continues to Improve Security Features And Miss Several Customer Service Needs

July 13, 2011

Windows updates… I’ll admit that I hate them. They always seem to come at the least convenient times and they seem to take forever. As someone unlucky enough to have Windows 7 on my personal laptop, I also understand the great frustration of regular updates that don’t ever seem to click with the operating system. You spend five minutes waiting to download the update and then you wait so long for the update to configure itself that you say “screw it” and take your chances with a manual boot.

Yes, I understand the frustration.

On the other hand, I must admit that Windows has done a really good job of creating updates that address issues that affect today’s users most. Just this week, they published an update that corrected a Bluetooth radio vulnerability. Previous updates have done wonders for security issues such as worms, clickjacking, phishing, malvertisements, and many of the other problems that plague today’s most active Internet users.

In other words, Microsoft knows what problems exist out there in cyberspace, and they want to find solutions to those problems.

That’s terrific. I applaud them. I wish that more software developers would do the same.

No matter how much I respect their commitment to improved security performance, though, I can’t get over how slow and annoying the updates are. And the configurations!!! Just forget it. An update that doesn’t configure properly on the first try isn’t going to work because half of your customers are going to bypass the update and feel a sense of dread every time they see another update icon at the bottom of their screens.

Clickjacking Threat Expected to Continue

December 29, 2010

Threatpost, a blog that helps internet security professionals spot problematic trends early in their development, has released its top 5 security concerns for 2011. As someone who works in the area of socially engineered malware, I found that the “mobile anarchy” section of Threatpost’s blog was most interesting.

Threatpost expects that online threats such as clickjacking, phishing, and drive-by downloads will continue to plague mobile device users. In fact, the number of users affected by these hacker strategies is likely to increase as more people begin using smartphones that give them easy internet access.

I think that this is right on the money. Currently, there are some decent clickjacking protections available to smartphone users, but none of them are strong enough to compete with the deluge of misinformation and compromised links that people encounter on web sites like Facebook and Twitter. As more people start using mobile devices with internet access, it’s hard to imagine that the problem won’t continue to grow. Will clickjacking and drive-by downloads eventually become so problematic that they have a negative effect on the smartphone service industry? That’s hard to determine. I think that it would have to get pretty bad before people will become willing to lose their precious gadgets.

On the other hand, this might be the best way to encourage companies to develop anti-clickjacking technology. If consumers made a bold statement by saying that they will not use operating systems and browsers that compromise their security, then I bet we would find some of the brightest minds getting to work on the problem.

Clickjacking becomes more widely known

November 30, 2010

Not only have dictionaries recently started vetting the word “clickjacking” to determine whether it is worthy of long term use, but the Oxford University Press recently included it in their 2010 Word of the Year shortlist. You can read the entire list at the OUP UK website.

This annual list of words always gets a lot of media attention. That means more people are likely to become familiar with the word “clickjacking” over the next few weeks. Hopefully they will also learn what the word means and how to avoid becoming a victim.

Luckily, the OUP editors got the word’s definition spot on.

Knowing what a clickjack is, though, is not the same thing as knowing how to protect yourself from one. In fact, there isn’t always a great way to protect yourself from clickjacking, especially considering that Facebook and other social networking sites make it easy for hackers to spread these attacks throughout communities quickly. Sometimes you get hit by an attack before you even know it exists.

Internet security companies are working on solutions that will prevent clickjacking attacks, but it seems unlikely that Internet users will be completely safe any time in the near future. That’s because UI redressing, as clickjacking is known more formally, takes advantage of a flaw that is inherent in the way that the Internet works. Someone would have to radically redesign the Internet’s basic structure before they could prevent all clickjacking attacks. That seems a little unlikely.

In the meantime, you can use your head to keep an eye out for suspicious links. Also, install antivirus software to help ensure that clickjacks don’t install any malware on your computer.

HTML5 could pose bigger security threat

November 23, 2010

HTML5 promises to give Internet users a better experience that includes highly interactive sites. According to Lavakumar Kuppan, though, very few people are talking about the negative aspects of HTML5 that could pose bigger Internet security threats than the current system.

This has special importance to Internet security specialists working to prevent clickjack attacks. With the current edition of HTML, a script will only run in the background for 20 seconds. With HTML5, though, the script can run indefinitely. As long as a browser is pointed at the hacker’s URL, they can control the user’s computer. This gives clickjackers the opportunity to create web pages designed to open blank screens that contain hidden elements. This is a rather savvy approach to clickjacking. It not only uses the Internet’s faults against users, but also targets human behaviors.

Most people don’t pay a lot of attention to blank tabs or windows when they open on their screens. They focus on the screen that they are using, not those that just sit in the background, seemingly doing nothing. That’s fine with the current HTML edition. With HTML5, though, that browser tab could be doing all kinds of things without your knowledge.

At the moment, it is impossible to know which other features will give hackers the chance to make the Internet a more dangerous place, but some of the key threats include:

  • using your computer to send spam or attack a server. This takes up a lot of your Internet connection, resulting in slower speeds.
  • viruses that steal personal information and allow hackers to commit identity theft.

Top Five Internet Security Misconceptions

November 19, 2010

Just a couple days ago, Kindsight, a company that focuses on issues such as identity theft, published a blog post explaining the top five internet security misconceptions that they have found amongst casual internet users. One of those misconceptions is that “Facebook is safe enough; no need to worry.”

Apparently, those people don’t read this blog, or the countless others discussing security issues spread through social networking sites.

To a large extent, Facebook itself is fairly safe. But it is used to push people towards compromised content. This is most often accomplished with clickjacking attacks. When hackers make clickjacking attacks, they often publicize the sites by posting the URLs on Facebook, Myspace, and other popular social networking sites. They usually include a statement that will entice the average user into following the link. Popular topics focus on busty girls and Justin Bieber, although I’m pretty sure that there is connection there.

When users follow the tempting link, they are taken to a page that has invisible elements. Click on the page, and you’ve just launched a potentially malicious piece of software that can infect your computer.

Facebook’s safety was listed as the number five misconception. The others include:

  1. Internet users are safe from identity theft as long as they don’t shop online
  2. Anti-virus protection means internet users are safe
  3. Using secure websites means that you will never encounter security problems
  4. Hacked websites are easy to identify and avoid

Unfortunately, none of these statements are true. You can read the entire article, and view video clips, at the Kindsight Blog.

Can I get clickjacked on Facebook?

September 20, 2010

Facebook gets a lot of scrutiny for spreading clickjacking attacks. To be fair, though, any other social networking site with FB’s level of success would receive similar criticisms.

Internet security experts get asked a lot of questions that aren’t easy to answer. Perhaps the most common is “can I get clickjacked on Facebook?” I’ll try to answer this question as plainly as possible without delving into a lot of industry jargon and what-ifs.

In a word: Maybe.

I know, that’s not very helpful.

Here’s the thing: Facebook has actually been pretty good about stopping clickjacking attacks before they spread too far. The reality is that you’re 95 percent safe as long as you never stray from Facebook. The other side of that reality is that you’re going to click on links that take you away from FB’s domain.

Myspace tried to solve this problem by forcing members to acknowledge that they were leaving the site whenever they tried to follow an external link. Facebook hasn’t really gone in this direction, which is good and bad. It’s easy to understand why Facebook doesn’t want to use this strategy. The warning is annoying. After a while, it becomes completely ineffective because users stop paying attention to it. The warning simply becomes a button that you have to click to move forward.

This leaves all FB members open to attack, but only when they follow clickjacked links. I’m not aware of any clickjack attacks that were implemented from Facebook itself. Whenever you follow a link, though, you never know where you’re headed.

Facebook has a good security team, but they could do a little more to educate their users about the nature of clickjacks. Even though the Myspace warning page was annoying, it offered information that users need to stay safe. Unfortunately, doing so could encourage members to use other social networking sites that won’t nag them.

All networking sites, therefore, have a tough choice to make between improved security and a growing base of frequent users. From a business perspective, you have to choose more members. That’s unlikely to change unless people start leaving FB for social networking sites that they perceive as safer alternatives.