Click-jacking and you

I've been watching a breaking story about a "new" (actually known about in deep security circles for some time, but not by the bad-uglies until recently) way that your security and privacy can be attacked.
This is truly a nasty one because it affects every platform, Mac and Linux included, and is not limited to any particular browser.
As an example of how nasty: one of the methods shown in a "proof of concept" attack can switch on your web-cam and microphone and send what they see and hear to a streaming server. You DON'T want that to happen!
It applies particularly to Adobe's Flash player, which is used on all platforms; the details differ slightly from platform to platform, but Adobe is working to fix them all. Watch for a new Adobe Flash update due out soon and make sure you apply it.
One of the truly nasty aspects of this attack is that it has been shown possible to turn on and use a connected web-cam and microphone without the system owner's knowledge. This is NOT a hoax; it is a real threat, there are only a couple of things you can do about it, and in some cases (laptops particularly) only minimal things.
Let's first deal with the click-jacking itself. What is it? How do I know if/when it happens to me?
The general attack is one where the bad-ugly gets you to click on something on a page they control (an ad, a game, a "close" button) while an invisible copy of some other page or control sits exactly under your mouse pointer. The attacker loads that other control, for instance Adobe's Flash Settings Manager with its "Allow" button for the camera and microphone, in a frame made fully transparent and laid over their page. Your click goes to the hidden control, not to what you think you are clicking; hence the name, your click has been hijacked. The attacker's page often uses JavaScript (the almost universal language of special effects on the web) to keep the hidden control positioned under the pointer as you move it, but the basic trick needs nothing more than a transparent frame and some page layout, which is why blocking scripts alone does not stop it. They also dress it up with dialog boxes that look like something you might get from Adobe's Flash Settings Manager.
There is a demonstration of this at http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/ if you really want to explore the problem. The description is a bit more technical than most people can handle, but the links to the game he's written are on the page.
The write-up at http://ha.ckers.org/blog/20081007/clickjacking-details/ details many of the different ways this attack is done, what is being done about them, and who is working on the fixes. It is NOT complete, but it gives a good indication of what is involved.
In the worst case, your system may be compromised and someone other than your friends may end up looking out of your web-cam when you are not expecting them, and listening to whatever your computer microphone picks up.
The only sure way to guard against this is to cover or disconnect your web-cam when it is not in use, and do the same for your microphone. The problem is that some cameras and microphones are built in and have no "mute" button or cover. You'll have to either ensure your system is OFF, or do something external (cover the lens of the camera, and stuff a sock over the microphone hole if you can find it).
The bottom line is that you, with some help from your browser's add-ons (you ARE using Firefox with NoScript, aren't you?), are the only one who can protect your system and your privacy. Note that blocking scripts on its own does not stop a clickjacking overlay; the NoScript feature that does is ClearClick, added in October 2008, which warns when you click on something that is hidden under another element, so make sure your NoScript is current. Don't go to any site you even suspect is not run well, and watch for unexpected messages and pop-ups.
Above all, use your "video-mute" - the lens cap that should have come with your camera - or make one, or hang a cloth over it when not in use.
As an aside, maybe this will get the computer and video-camera vendors to put real switches on these functions instead of "soft" switches that can be subverted by script hijacking.
Some computers do have physical switches for the camera (and the wireless link), but few have one for the microphone. On many laptops you can turn off the built-in microphone by plugging something into the external microphone jack, so if you want the microphone off entirely, buy a plug that fits the jack (3.5 mm is the typical size) but has no microphone attached to it.
For those of you who are parents with kids - I KNOW you don't allow them to have a computer in their bedroom - but if for some reason they've got one, you had best tell them about this current problem and make sure that any web-cam and microphone is OFF/muted.
richard
