Clickjacking: Everyone’s Vulnerable
Yesterday, I emailed those on my newsletter and told them about Sandboxie and why it's so important to use it in today's environment. Just before sending, I received an email about the very same topic. But that email highlighted something so important that I felt I must bring it to your attention. It is serious.
First, what is clickjacking? It is a trick where a hidden link or button is cloaked behind a real, clickable button on a web site. We're not going to get too technical, but the idea is that the attacker's invisible element sits on top of the button you think you are clicking.
When you click the button to submit a form or to log in, you could be sending information somewhere else, or giving the web site permission to access your computer's resources such as the camera or microphone (and eavesdrop, or worse, record). The bad news is that you'll never know this is happening, because the original form still gets submitted and the original links still work. It's all very stealthy.
Here's the kicker: it's not just Windows folks. All you Mac and Linux users need to take a minute to read this as well. All browsers are open to this exploit regardless of operating system. Even Flash is susceptible, but I hear they are working on this.
How to protect yourself as a user?
This is the confusing part. Some say disabling JavaScript will do the trick; others say it won't. I would rather err on the side of caution. It sucks, it really does, because in the Internet marketing world a lot of cool and good things are done via JavaScript, right down to tracking stats.
Rather than turn it off completely, I installed NoScript on Firefox. NoScript lets you whitelist or blacklist certain sites from loading JavaScript, so you have a choice, and it tells you where the JavaScript is loading from. That helps your decision making.
Second thing: don't surf without a sandbox. Granted, sandboxing won't help you if the exploit tricks you into sending information elsewhere, but if it tries to secretly load a web site containing malicious software, then sandboxing definitely helps.
Stick to clean Internet neighborhoods. Chances are higher that questionable web sites like porn, game or software-cracking sites carry these (not saying you visit them 😉 ). The downside is that this doesn't mean all other web sites are automatically clean.
Check out this paper from US-CERT (part of Homeland Security) on how to secure your browsers.
Finally, wait for the manufacturers to fix the browsers.
As a web master
Watch your web sites! Please, please, please be careful with your passwords. Check your sites regularly to make sure everything in them is there by your design. Don't slack on your upgrades. I don't like to do updates either, but if it means a clean web site for my visitors, I'll bite the bullet. It's no longer about us, but about our visitors, our potential customers.
Check your computers. Insist that contractors who log in to your site check theirs regularly too. The last thing you want is a key logger installed on a computer and used that way to access your site. Use RoboForm all the time if you can. It'll save you from manually entering passwords, which is a problem if you are unaware you have a key logger on your system.
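One concrete thing a web master can do is tell browsers not to let the site's pages be framed by another origin, which is what a clickjacking overlay relies on. The check below is an added example, not code from the original post; it uses the real X-Frame-Options and Content-Security-Policy frame-ancestors headers, and the sample responses are constructed.

```javascript
// Added example (not from the original post): classify a page's HTTP response
// headers by whether they stop other origins from framing it. The header names
// and values are real standards; the helper and sample headers are our own.

// Parse a Content-Security-Policy header into a map of directive -> sources.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return directives;
}

// Given a headers object with lower-case keys, return 'blocked' (nobody may
// frame the page), 'restricted' (only listed origins may), or 'none'.
function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) {
      // When frame-ancestors is present, browsers ignore X-Frame-Options.
      if (ancestors.length === 1 && ancestors[0] === "'none'") return 'blocked';
      if (ancestors.includes('*')) return 'none';
      return 'restricted';
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'restricted';
  return 'none';
}

// Headers a site owner would add so login/submit buttons cannot be overlaid
// from another origin; 'self' keeps the site's own embedded pages working.
function protectiveHeaders() {
  return {
    'x-frame-options': 'SAMEORIGIN',
    'content-security-policy': "frame-ancestors 'self'",
  };
}

// Constructed sample responses: a site with no protection, then the same site
// after the headers above are added.
const unprotected = { 'content-type': 'text/html' };
const hardened = { 'content-type': 'text/html', ...protectiveHeaders() };
console.log(framingProtection(unprotected), framingProtection(hardened));
```

Run it against the headers your own server returns (for example, copied from the browser's network panel) and anything that comes back as 'none' is a page an attacker could load inside an invisible frame.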
Thanks Lynette, great advice for us. Now to just get this done. 🙂
@Vera: Haha I understand. You’re a member of MM – there’s a SMMO for WordPress security. We check your site every single day.
For those who are not MM members, stay tuned. I’m rolling something out soon. Yeah. I’ve got quite a few things in the works.
thanks for the heads up, lynette. however, i don’t understand some of the things you mentioned, such as “sandbox” and “key logger”. sorry!
@Lexi: I explained about Sandboxing yesterday here. https://techbasedmarketing.com/blog/protecting-yourself-from-hijacked-sites/1118
As for key loggers: those are software that log or track your key strokes. They save everything you type and send it to the hacker, so now they know everything from private emails down to private log-ins, even to banking sites, etc.
How do you know if you have a key logger on your system? Would that show up with an antispyware and virus checker?
Ok I have Zone Alarm Pro. Does this help any?
@Genesis: Sometimes an antivirus could pick it up. It depends on the keylogger software. Some antivirus programs are better at detecting things, and some pick up viruses that others don't. One of my friends discovered she had a keylogger on her system by using this: http://www.ewido.net/en/onlinescan/ The antivirus on her computer did not detect the logger, but Ewido did.
@LaTara: For keyloggers or for Clickjacking? For keyloggers probably but for clickjacking nope. No firewall/antivirus can help with clickjacking.