Monday mornings I'm on the air sharing more stories about how people are living better through computers. I'll tuck field notes from those shows right here. You'll also be able to dig into the archives to explore previous shows as I work out how best to share some of the highlights of the past 9 years' worth of adventures.
Monday, September 29, 2008
Clickjacking: Serious New Net Threat and Three Free and Easy Ways to Protect Yourself
This week top Internet security experts issued a dire warning about a new cross-browser threat called "clickjacking", suggesting it is not only one of the most virulent Internet threats to emerge but also very hard to solve. What makes this particularly troublesome is the "gag order" that top Internet organizations placed on the researchers in order to buy time to come up with patches and solutions. While some people suggest that warnings about the clickjacking threat are merely speculation and fear-mongering, key security analysts at WhiteHat Security, SecTheory and Kaspersky Lab stepped forward and offered just enough information about the nature of the threat, the potential damage it may cause and why it should be taken seriously.
Referred to as a "zero-day" problem in browsers (a threat that exploits an unknown, undisclosed or unpatched vulnerability in an application), the proof-of-concept demonstration showed the attack code in action, including its ability to let the attacker take complete control of the victim's computer desktop.
The threat was revealed last Wednesday at a web application security talk at the OWASP AppSec NYC 2008 conference. While the intended presentation was cancelled at the request of the vulnerable vendor, Adobe (which asked for time to patch its code), Jeremiah Grossman (founder and Chief Technology Officer of WhiteHat Security) and Robert Hansen (CEO of the consultancy SecTheory) proceeded with parts of the talk anyway.
For People Who Want to Know the Nitty-Gritty
Jeremiah offers additional insight on this in his blog:
http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with his own speculation about the clickjacking problem.
Want to protect your own web site from being hijacked?
Here's a code snippet you can embed in the head of your web documents so that, if another site loads your page inside a frame, the page breaks out to the top level (a simple "frame-buster"):
<script type="text/javascript">
  // If this document is not the top-level window, it has been framed:
  // navigate the top window to this page instead.
  if (top != self) {
    top.location = self.location;
  }
</script>
Protecting Yourself
So, how exactly do you arm yourself against a virtually unknown invader that can arrive through almost any web site and cause you to click on a link without ever seeing or knowing you're doing it, possibly bidding on eBay or draining your bank account? Webmasters can add JavaScript "frame-buster" code to their sites to stop them being embedded in another web site (the way many malicious sites channel and hide threats), but not all web sites will be protected in this manner. The onus is on individuals now more than ever to equip themselves with the knowledge and tools to avoid falling victim to an ever-growing host of net nasties.
So, how can you best protect yourself against clickjacking while waiting for the industry gurus to offer specific remedies? I've got three free powerhouse tools to help you lock down the fort without hobbling your Internet adventures:
1. Firefox 3 + NoScript Add-On
What is it?
Firefox 3 is one of the safest browsers on the net, having significantly reduced exposure to the typical IE browser exploits that plague us. NoScript is a Firefox add-on that assesses the web sites you visit and uses a whitelist-based, pre-emptive script blocking approach to prevent the exploitation of browser security vulnerabilities (known and unknown).
How does it work?
Using the latest version of Firefox along with the free "NoScript" add-on will prevent scripts from running on web sites until you give permission. NoScript is simple to install, and adds an easy toolbar to the bottom of new web pages, alerting you to known problems, and giving you options.
Where can I get it?
Firefox: http://getfirefox.com/
NoScript Add-on: http://noscript.net/
2. McAfee Site Advisor
What is it?
Site Advisor is a free browser add-on that you can download from security guru McAfee, offering visual cues about the safety of web sites.
How does it work?
Site Advisor is a system of automated testers which continually patrol the Web to browse sites, download files, and enter information on sign-up forms. The testers document these results and supplement them with feedback from users, comments from Web site owners, and analysis from McAfee employees.
Site Advisor shows up as a small icon on a toolbar at the bottom of your browser. As you visit web sites the icon changes colour to indicate the safety of the site (green for safe, yellow for a potential threat, red for known high risk, and gray for unknown/no feedback available yet). Site Advisor also works in partnership with search engines. As you search for sites in Google, Site Advisor will put a coloured checkmark beside links that are returned, again giving immediate visual cues to help you discern the safety of a web site and to avoid clicking on malicious web sites. While Site Advisor cannot protect you from every threat, it does offer reliable feedback on a very high percentage of web sites and eliminates the guess work on some of the true nasties.
Where can I get it?
3. KeyScrambler
What is it?
KeyScrambler is an anti-keylogging browser add-on that protects the IE, Firefox and Flock browsers against keyloggers.
How does it work?
It encrypts everything you type into a web page, including logins, account numbers, addresses, email messages, and more. People may remember the security breach that emptied bank accounts earlier in the year because of malicious web site code that captured keystrokes, including bank account access codes and passwords. This type of tool blunts that particularly frightening and difficult-to-detect threat. Note that it protects what you type, not what you click, so it complements the other two tools rather than stopping a clickjacking page on its own.
Where can I get it?
http://www.qfxsoftware.com/Download.htm