Clickjacking the iPhone

Yesterday I posted an entry explaining that smartphone users should pay attention to their web browsing to prevent clickjack attacks. That was just a general warning. Today I’d like to delve a little more into the details of smartphone clickjack attacks.

This is a prime example of why those of us who use iPhones, Blackberries, and similar devices should worry about clickjacking when we use our phones.

http://amyjoaquin.blogspot.com/2008/11/clickjacking-iphone-attack-by-john.html

In this article, John Resig discusses his experience at a 2008 iPhone development camp where he met some people developing JavaScript for the device. While talking to these developers he learned that they kept running into a bug that was causing some web page elements to jump off the screen. They were still there, but the user could not see them.

This concerned Resig because of its potential clickjacking implications. He got a sample test from one of the guys so that he could experiment on his own to determine whether users could actually interact with any of the elements that jumped out of the iframe.

It didn’t take long before he had confirmed his suspicions.

Apple isn’t run by a bunch of dummies, though. They were quickly looking for a solution to this problem, which they released with the iPhone 2.2.

That solves that problem, but it’s always a matter of time before clickjackers and other cybercriminals find a way to use the iPhone’s security against itself. After all, clickjacking uses one of the fundamental elements of the internet to truck users into doing things that they don’t even know they are doing.

Apple’s speedy update that corrected this potential clickjacking problem is one of the reasons that it’s important for people to use the latest technology instead of relying on old devices and software. If you’re still using an iPhone that uses the old software, then you’re still susceptible to this clickjack attack.

This goes for other smart phones and browsers as well.

Granted, if you hold on to the device for about ten years without making any changes, then there’s a good chance that you’ll be in the clear. Once your tech gets old enough, very few hackers will even think to focus on you. Then again, you probably won’t be able to use it for much either, so it’s kind of a win-lose situation…

Another WebCam Jack

Here’s another lesson in webcam clickjacking.

I hope that showing these videos will make internet users more aware of what they are doing online. It’s easy to find web sites with silly games that involve repeatedly clicking on an image. A lot of them emulate the old Duck Hunt game, or some basic variation. I once saw one that encouraged me to point zits on a guy’s face.

These games seem harmless, but you never know what is lurking behind the veil. Guya11, who made the video above, claims that this particular clickjacking technique doesn’t work anymore because Adobe has updated its framebusting code. That’s certainly a good thing, but I have heard claims from people who have managed to get around Adobe’s updates.

Granted, these clickjack attackers could just be lying to me, but I prefer to accept their testimony and stay on the safe side.

Choosing software that has been designed to counter clickjack attacks is a good idea, but one of the best ways to prevent falling into one of these traps is to simply pay more attention to what you do online. Don’t click on any unnecessary icons and don’t play games unless you trust the site.

There are far too many internet users in the world who don’t have this basic understanding. Taking the proper precautions can protect your computer from viruses, worms, keyloggers, and other malware.

I like to think of every click as a turn down a street. I only turn down avenues when they take me to a place that I want to go. Every extraneous click could send you down a dark alley; eventually you’re going to get mugged.

You Got Jacked! Now What?

Clickjacking attacks can come from out of nowhere. You use good browsing habits and you only provide information to reliable sites, but some times the cybercriminals are a step ahead of you.

Expert clickjackers can install malware without your knowledge. You think that you’ve just clicked on a dead link, but nefarious software begins operating in the background.

No matter what you do, you’re not completely protected. This makes it important to run antivirus software that will identify the most current malware and delete it before it has a chance to cause any damage.

Free Antivirus Software

Personally, I like free antivirus software. There are plenty of reliable versions out there that update frequently. Still, you can’t expect a single program to catch every bit of malware, so I suggest using at least two antivirus programs to make sure that your system is clean.

Avira AntiVir Personal has proven itself to me time and time again. I run it daily to make sure that my computer hasn’t picked up any nasty viruses. I spend a lot of time online, so you might not need to run your antivirus software as often. I would still recommend a quick hard disk scan every time that you surf for more than an hour.

The editors at CNET have given Avira AntiVir Personal a five-star rating. Users think that it’s more of a 3.5 star program. A full five stars is hard to reach, but I have to agree with the CNET editors on this one. Avira gets the job done reliably.

The CNET editors also give Norton Antivirus 2010 17.0 a five-star rating. This version of Norton Antivirus performs well, but I don’t agree that it deserves a perfect score. The most common complaint about Norton Antivirus is that it uses up too much of a computer’s resources, thus resulting in a slow computer. Quite frankly, avoiding a slow computer is one of the reasons that I use antivirus software.

Plus Norton Antivirus is only free for 30 days. After that, you have to subscribe. I think that there are plenty of free versions out there that work better.

Striking Back at Clickjacking Attacks

There are plenty of free antivirus software options available for download. Read several reviews, though, before you choose one. Not all of them are as reliable as others, and some are almost as hard to get rid of as the viruses that you contract through clickjacking attacks.