Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ClickJacking 1

Status
Not open for further replies.

2ffat

Programmer
Oct 23, 1998
4,811
US
Here's another security problem to worry about. This blog is courtesy of ZDNet.



James P. Cottingham
-----------------------------------------
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
I find it interesting that the article states that it "has nothing to do with JavaScript", but goes on to say, "the only fix is to disable browser scripting and plugins". This makes me wonder if the "NoScript" add-on for Firefox would help mitigate this threat.
 
Another interesting read on this topic...

RedmonMag - Browser-Makers Seek Clickjacking Fix

Experts say that NoScript, a security add-on to Firefox that blocks JavaScript execution, is designed to defend against most attack scenarios.

...But they still don't really come out and say that NoScript will protect against clickjacking.
 
Well, now we've got to find another piece to computer protection.

So maybe our list now will look something like:
[ol][li]System Update[/li]
[li]Antivirus[/li]
[li]Firewall - Software[/li]
[li]Firewall - Hardware(Router)[/li]
[li]AniSpyware[/li]
[li]Anti-Phishing[/li]
[li]Anti-Rootkit[/li]
[li]Browser Hijack Protection[/li]
[li]Click-Jack protection[/li]
[li]Monitor-Jack protection[/li]
[li]Power-Supply-Jack protection[/li]
[li]Surge Protection[/li]
[li]Microsoft protection from Microsoft (Such as, "This program... by Microsoft... wants to run, are you sure you want to let it?" - Microsoft Windows - paraphrase[/li]
[li]Microsoft protection against maliciously clicking "allow" to the first prompt....[/li]
[li]BIOS Protection[/li]
[li]Back protection - special chairs and such[/li]
[li]Headache protection - Advil, Tylenol, Asprin, etc[/li][/ol]

Although, I probably missed something somewhere. [wink]

--

"If to err is human, then I must be some kind of human!" -Me
 
Isn't ClickJacking some kind of dance?

--
Tek-Tips Forums is Member Supported. Click Here to donate

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.


 
"In summary, the best recommendations for avoiding clickjacking attacks are not technical. If users are allowed to access the Internet as part of having a fun workplace, penalties should be established if a user's system gets compromised by visiting a non-work related site. An organization can decide what penalties will be enforced, but there must be some sort of consequence for a user's action if it leads to a compromise. If there are no penalties, employees and users may see no risk in going to sites that are not mission critical in order to perform their day-to-day job functions."

Strand, John. "How to prevent clickjacking attacks with security policy, not technology." SearchSecurity.com 18 Dec 2008. 26 Dec 2008. <

I can't say that I agree with Mr. Strand on his perspective of clickjacking protection. In my opinion, his comments appear to be contradictory. If employees of a given organization are allowed to access the Internet for personal use (by company policy), then you can't really punish them for a malware infection which results from visiting a non-work related website, can you? Before an organization can take disciplinary action against an employee for their web browsing habits, I'd think they'd first need to have an established policy against using company computers for personal use. Furthermore, what about users who pick up an infection while visiting a business related website? Policy wouldn't prevent that. A policy against personal use of a company internet connection may help to reduce your risk, but I don't think it's going to "prevent" it. Anyone else agree or disagree? Do you think I'm missing Mr. Strand's point?
 
I have to disagree there. Malware affects everybody on the company network, not just that person. Visiting questionable sites is one of the best ways to get infected, though with the proliferation of compromised adservers and websites, not the only way. Visiting even company-sanctioned websites can get you infected too. It is very much the responsibility of the person as well as the company to keep from getting infected.

How many times have we had to tell people to not open attachments they aren't expecting? How many times have we had to explain to people what phishing is and how to avoid it? And yet they still happily go on blindly clicking, then call us when they get infected ... Fortunately at my old job I had setup the network in such a way that I usually saw the malware on the network before the people called to say they were seeing funny things, but not all networks are created equal. ;)

As for NoScript, NoScript does indeed protect against ClickJacking now, but I'm guessing everybody knew that now.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
It is very much the responsibility of the person as well as the company to keep from getting infected.

I totally agree! I also agree that one infected computer on the network threatens the rest of the network. I'll further agree that user education is very important. However, the point I was trying to make (and where I disagree with Mr. Strand) is that you can't solely blame the end user--especially if employees are *allowed* to surf for "fun", as he describes. If there is no policy in place stating that non-work related internet use is prohibited, then you can't easily discipline an end user for infecting their workstation. At that point, your defenses against malware must be completely technical because user responsibility has pretty much been negated by not having clear policies. In the same respect, if there is a policy in place which makes the user solely responsible for all workstation infections, then what of the user who is doing legitimate work-related internet activities and happens to stumble into a clickjacking scenario and pick up malware? I think there needs to be a balance of technical and policy--with clearly defined policies (so users know what is acceptable internet use and what isn't)--and an upper management that's willing to support enforcing the policies established. Am I making sense or just blowing smoke? :)
 
It's not just questionable sites anymore. One of our local banks found out its own site was "cracked" and someone put in a clickjacked link on their page.



James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
It's not just questionable sites anymore. One of our local banks found out its own site was "cracked" and someone put in a clickjacked link on their page.
News to me. When did this happen?

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
I forgot to mention that NoScript by default covers clickjacking for both disallowed and allowed sites.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
In November.

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
TechieMicheal, does NoScript start giving you lots of pop-ups to allow/disallow new sites with Flash content, etc, or does it mainly just work in the background? Basically I'm just wondering if it'll offer more annoyance than help - kinda like MS Vista's UAC.

--

"If to err is human, then I must be some kind of human!" -Me
 
It'll give you a yellow bar to click at the bottom of your browser to allow sites. Since it is a whitelist, setting it up at first can be a little annoy, but once you do, you'll be glad you did.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Doesn't sound too bad, I guess. I might give it a try sometime soon, myself, just to see. Sorry it took me so long to get back, but I didn't see the thread under "My Replies", and apparently I didn't look at this particular forum much since the 9th. [blush]

--

"If to err is human, then I must be some kind of human!" -Me
 
No problem. :)

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top