Posts tagged ‘mobile’

Clickjackers Target Smart Phones

April 20, 2011

In Japan, most people access the Internet through their smart phones instead of sitting down at a desk to use a computer. Over the past several years, other countries have seen similar trends that point toward the future: computers are getting smaller and more portable. Soon, smart phones (or similar devices) will be the easiest way to access the Internet.

Clickjackers know that this will change the way that they find their victims, and they’ve already made numerous attempts to alter their strategies to focus on mobile device users.

Over the past year, the number of clickjacking attacks has tripled. Now, many of those attacks focus on techniques that target mobile device users. Unfortunately, not many people understand how serious this threat is, so they fail to take the necessary precautions that will protect them from malware.

The big problem with clickjacking attacks that target smart phones is that they can access information stored on the devices. We have become so reliant on our mobile phones that few of us remember many phone numbers. You might even store much more than just contact information on your phone. You could have credit card information, passwords, and other private info as well.

Clickjacking attacks could target that information, giving hackers access to the data that they need to steal your identity or make fraudulent purchases in your name. They could also steal your contacts to spread clickjacking attacks to everyone on your phone.

The possibilities are frighteningly endless. Unfortunately, it’s unclear how people can best protect themselves when using smart phones. For now, stay vigilant and critical of everything that you see online. And make sure that you check all of your devices for hidden viruses that might steal your information.


MediaWiki Gets a Security Boost

January 7, 2011

MediaWiki has received an upgrade that tackles some serious security flaws in earlier releases. One of the most problematic aspects of the original MediaWiki was that it offered no protection against clickjacking. This made it possible for hackers to use JavaScript and CSS to gain access to user accounts. Technically, it was an XSS (cross-site scripting) problem. Anyone with MediaWiki open would compromise their accounts when they visited sites that had been designed to gain access. Just because the person wasn’t currently using MediaWiki didn’t mean that they were safe. Having it open at all was problematic.

The newly updated version should solve this problem, making it safer for users to browse the Internet while keeping MediaWiki open.

The update also fixes a host of other problems associated with earlier releases. It addresses some programming issues and errors in addition to security concerns. This should make it much easier for people to use.

For those not familiar, MediaWiki is software that was originally designed for Wikipedia. Today it is used by a wide range of Wiki sites. The software makes it easy for users to update content and share information with each other. Essentially, it could turn any web page into something as functional as Wikipedia by allowing users to revise content and discuss issues surrounding posts on wiki pages.

Internet users should recognize that, although the update fixes many problems, it does not offer a foolproof protection from clickjacking. Clickjacking takes advantage of security flaws that are inherent to the very structure of the Internet. The update, however, does offer protection from some of the most commonly found attacks.

Don’t get clickjacked on your mobile phone

December 14, 2010

With the holiday season upon us, many people anticipate that they will get slick, new smartphones that let them access the internet on the go. Mobile phones have really come a long way in the past few years. Just think, little more than 15 years ago people walked around with huge cell phones that could barely make phone calls. Today, we download movies and watch them from our mobile devices.

The advances in technology are pretty awesome, but they come with a few security threats. New smartphone owners are at the greatest risk of falling for clickjacking schemes. The combination of excitement and ignorance sets them up as victims.

Android phones have taken a step forward with touch filtering technology that will help prevent clickjack attacks. In the long run, though, we all know that hackers are just going to figure out a way to circumvent Android’s security. Within a few months, we’ll be right back where we are now. The most naive of us will continue clicking on every link that promises risque videos or unbelievable (i.e., untrue) facts.

There are a few things that you can do to protect yourself.

  • Always check the URL of a link before you click on it. If the link does not display its destination, then avoid it. Likewise if it seems suspicious.
  • Keep your operating system updated to take advantage of the latest security apps.
  • Avoid links that offer free gift cards, even if an annoying voice tells you that you’re today’s big winner. No, especially if it tells you that you’re the big winner.

Clickjacking without the click

May 25, 2010

Demonstrations that debuted at this year’s Black Hat Europe conference in Barcelona, Spain, have revealed that clickjacking techniques don’t necessarily have to rely on mouse clicks to trick victims into participating in unknown activities. Instead, new clickjacking attacks focus on Java’s drag and drop capabilities. This allows clickjack attackers to steal information from text forms.

Even though these new clickjacking techniques don’t rely on mouse clicks, they still use invisible iFrames to trick internet users. In these instances, however, the invisible frames are placed on top of blank text forms. When a user fills out the form, they are contributing information unknowingly in another frame that they cannot see.

Drag and drop functions even make it possible for clickjacking attacks to steal information from entire sessions, not just individual forms. This presents a serious information security threat to both individuals and organizations who have private passwords, account numbers, and other bits of information that could help criminals commit theft or fraud.

Most recently updated web browsers can prevent invisible frames, but they rely on the website sending the X-Frame-Options: DENY response header. Websites that don’t send this header, therefore, don’t offer protection from next generation clickjacking attacks.

Large sites like Facebook and Myspace have committed themselves to including frame busting tags and other security techniques to protect users. The mobile versions of these sites, however, do not usually offer as much protection as the Web versions, so users should be careful when using mobile devices to access their accounts.
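The header check described in this post, as an added example that is not part of the original article: it classifies a response's anti-framing policy and lists the hosts that send none, such as the mobile variant of an otherwise protected site. The hostnames and header sets are constructed sample data, and the handling of the newer CSP `frame-ancestors` directive goes beyond what the post covers.

```javascript
// Added example: classify a response's anti-framing policy from its headers.
// Hostnames and header sets below are constructed sample data.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  // CSP frame-ancestors is the successor to X-Frame-Options; check it first.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    const only = sources.length === 1 ? sources[0] : null;
    if (sources.length === 0 || only === "'none'") return 'deny';
    if (only === "'self'") return 'sameorigin';
    return 'allowlist';
  }
  // Only DENY and SAMEORIGIN count as protective in this audit; any other
  // value (typos, the obsolete ALLOW-FROM, empty) is reported as unprotected.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  return 'unprotected';
}

// Return the hosts whose responses place no restriction on framing.
function unprotectedHosts(responses) {
  return Object.keys(responses).filter(
    (host) => framingPolicy(responses[host]) === 'unprotected'
  );
}

// Constructed sample: a desktop site that sends the header, a mobile variant
// of the same site that does not, and two other protected hosts.
const sampleResponses = {
  'www.example.test': { 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html' },
  'm.example.test': { 'Content-Type': 'text/html' },
  'wiki.example.test': { 'x-frame-options': 'sameorigin' },
  'app.example.test': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};

console.log(unprotectedHosts(sampleResponses));
```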

You can read a summary of Paul Stone’s Next Generation Clickjacking demo at blackhat.com.