IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Fri, 1st Oct 2010

The web is not safe. We have known this for some time. It is a constant arms race between hackers and security experts to find and patch vulnerabilities. The web is expanding quickly and new issues are surfacing regularly, with the latest online security concerns being clickjacking and identity theft through location-based services.

“Cheerleaders gone wild” is the tempting title of a video doing the rounds on Facebook at the moment. Users who receive the video and click on the link are then asked to click on a box saying they are over 18. Next comes a purported anti-spam mechanism that asks users to click buttons in a specific order. When they do, they get to watch a video of cheerleaders that’s not actually as wild as many people might be hoping.

What victims don’t realise is that, in the background, the page posts this link to their news feed and also “likes” two other links. The buttons they think they are clicking on actually have invisible buttons sitting on top of them. These are created with iframes, which allow a browser window to be divided into segments.

Different things can be shown in different segments. Unfortunately, you can’t see the different segments. It’s kind of like opening what you think is the door to your house, but instead it swings open to a park.

This particular attack in Facebook was not especially damaging, except maybe to your pride when people see what you choose to view. Unfortunately, however, this same form of attack can be used to collect user names and passwords. So how do you protect yourself from something you can’t even see?

The browser companies are coming to the rescue. Mozilla has just released new versions of Firefox which patch against this vulnerability. You can also go to your settings and click the ‘no script’ button in Firefox, or disable JavaScript in Internet Explorer.

The other important thing to do is to always log out of services when you have finished with them; don’t just shut the window down.

Unfortunately, Facebook is now also partly responsible for another current security concern. The next thing to worry about when you’re online is how much personal information you are giving away about yourself when it comes to your location. We all know the rules about signing up for things, but it seems that people choose to ignore them when it comes to location-based gaming.

Becoming the Mayor of your local coffee shop seems to outweigh the downside that the not-so-well-intentioned in society can use all of this publicly published information to build up your identity and then steal it. Criminals seek personal data for identity theft. Giving them location-based information allows them to build more of a persona. They used to have to trick people into giving away this kind of information; now we do it for fun!

The security concern of identity theft goes beyond the rumours of people’s houses being burgled because they inform the world that they are away from home. Games like Foursquare and Gowalla have had quite a bit of success, but now Facebook has stepped into the arena with Facebook Places. The reach to a much larger audience will no doubt create the opportunity for more identity theft.

How do you protect yourself? My advice is to be careful about how much you share. Check your security sessions and if in doubt, don’t post it. The web is becoming more social and we do need to be careful how much information is out there and also how we behave online. The age-old adage still rings true: if it seems too good to be true, it probably is.