ClickJacking


2ffat

Programmer
Oct 23, 1998
US
Here's another security problem to worry about. This blog is courtesy of ZDNet.



James P. Cottingham
-----------------------------------------
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
I find it interesting that the article states that it "has nothing to do with JavaScript", but goes on to say, "the only fix is to disable browser scripting and plugins". This makes me wonder if the "NoScript" add-on for Firefox would help mitigate this threat.
 
Another interesting read on this topic...

RedmonMag - Browser-Makers Seek Clickjacking Fix

Experts say that NoScript, a security add-on to Firefox that blocks JavaScript execution, is designed to defend against most attack scenarios.

...But they still don't really come out and say that NoScript will protect against clickjacking.
 
Well, now we've got to find another piece to computer protection.

So maybe our list now will look something like:
1. System Update
2. Antivirus
3. Firewall - Software
4. Firewall - Hardware (Router)
5. Anti-Spyware
6. Anti-Phishing
7. Anti-Rootkit
8. Browser Hijack Protection
9. Click-Jack protection
10. Monitor-Jack protection
11. Power-Supply-Jack protection
12. Surge Protection
13. Microsoft protection from Microsoft (such as, "This program... by Microsoft... wants to run, are you sure you want to let it?" - Microsoft Windows - paraphrase)
14. Microsoft protection against maliciously clicking "allow" to the first prompt....
15. BIOS Protection
16. Back protection - special chairs and such
17. Headache protection - Advil, Tylenol, Aspirin, etc.

Although, I probably missed something somewhere. [wink]

--

"If to err is human, then I must be some kind of human!" -Me
 
Isn't ClickJacking some kind of dance?

--

<honk>*:O)</honk>

Tyres: Mine's a pint of the black stuff.
Mike: You can't drink a pint of Bovril.


 
"In summary, the best recommendations for avoiding clickjacking attacks are not technical. If users are allowed to access the Internet as part of having a fun workplace, penalties should be established if a user's system gets compromised by visiting a non-work related site. An organization can decide what penalties will be enforced, but there must be some sort of consequence for a user's action if it leads to a compromise. If there are no penalties, employees and users may see no risk in going to sites that are not mission critical in order to perform their day-to-day job functions."

Strand, John. "How to prevent clickjacking attacks with security policy, not technology." SearchSecurity.com 18 Dec 2008. 26 Dec 2008.

I can't say that I agree with Mr. Strand on his perspective of clickjacking protection. In my opinion, his comments appear to be contradictory. If employees of a given organization are allowed to access the Internet for personal use (by company policy), then you can't really punish them for a malware infection which results from visiting a non-work related website, can you? Before an organization can take disciplinary action against an employee for their web browsing habits, I'd think they'd first need to have an established policy against using company computers for personal use. Furthermore, what about users who pick up an infection while visiting a business related website? Policy wouldn't prevent that. A policy against personal use of a company internet connection may help to reduce your risk, but I don't think it's going to "prevent" it. Anyone else agree or disagree? Do you think I'm missing Mr. Strand's point?
 
I have to disagree there. Malware affects everybody on the company network, not just that person. Visiting questionable sites is one of the best ways to get infected, though with the proliferation of compromised adservers and websites, not the only way. Visiting even company-sanctioned websites can get you infected too. It is very much the responsibility of the person as well as the company to keep from getting infected.

How many times have we had to tell people to not open attachments they aren't expecting? How many times have we had to explain to people what phishing is and how to avoid it? And yet they still happily go on blindly clicking, then call us when they get infected ... Fortunately at my old job I had set up the network in such a way that I usually saw the malware on the network before the people called to say they were seeing funny things, but not all networks are created equal. ;)

As for NoScript, NoScript does indeed protect against ClickJacking now, but I'm guessing everybody knew that now.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
It is very much the responsibility of the person as well as the company to keep from getting infected.

I totally agree! I also agree that one infected computer on the network threatens the rest of the network. I'll further agree that user education is very important. However, the point I was trying to make (and where I disagree with Mr. Strand) is that you can't solely blame the end user--especially if employees are *allowed* to surf for "fun", as he describes. If there is no policy in place stating that non-work related internet use is prohibited, then you can't easily discipline an end user for infecting their workstation. At that point, your defenses against malware must be completely technical because user responsibility has pretty much been negated by not having clear policies. In the same respect, if there is a policy in place which makes the user solely responsible for all workstation infections, then what of the user who is doing legitimate work-related internet activities and happens to stumble into a clickjacking scenario and pick up malware? I think there needs to be a balance of technical and policy--with clearly defined policies (so users know what is acceptable internet use and what isn't)--and an upper management that's willing to support enforcing the policies established. Am I making sense or just blowing smoke? :)
 
It's not just questionable sites anymore. One of our local banks found out its own site was "cracked" and someone put in a clickjacked link on their page.



James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
It's not just questionable sites anymore. One of our local banks found out its own site was "cracked" and someone put in a clickjacked link on their page.
News to me. When did this happen?

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
I forgot to mention that NoScript by default covers clickjacking for both disallowed and allowed sites.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
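The posts above cover the client-side answer: NoScript in the user's browser. As an added example that is not from this thread, from ZDNet or from the NoScript project, the following Python checks the server-side counterpart that a site owner controls: whether a response carries an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive telling the browser not to render the page inside another site's frame, which is what a clickjacking page relies on. Neither header is mentioned in the thread (both postdate it), and the sample responses below are constructed, not captured from any real site.

```python
"""
Added example: classify an HTTP response's anti-framing posture.
X-Frame-Options and CSP frame-ancestors are the headers a site owner
sets so that browsers refuse to render the page inside a third-party
frame. The sample responses at the bottom are constructed.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lower-cased, quotes stripped), or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """
    Returns {"protected": bool, "mechanism": str | None, "notes": [str]}.
    'protected' is True when a browser honouring either header would refuse
    to show the page inside a frame served by an arbitrary third-party site.
    """
    notes: List[str] = []
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    xfo = _header(headers, "X-Frame-Options")

    # When a frame-ancestors directive is present it overrides X-Frame-Options,
    # so it is evaluated first.
    if ancestors is not None:
        if "*" in ancestors:
            notes.append("frame-ancestors allows any origin; the page can be framed anywhere")
            return {"protected": False, "mechanism": "csp-frame-ancestors", "notes": notes}
        if ancestors not in (["none"], ["self"]):
            notes.append("framing allowed only for: " + ", ".join(ancestors))
        return {"protected": True, "mechanism": "csp-frame-ancestors", "notes": notes}

    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "mechanism": "x-frame-options", "notes": notes}
        if value.startswith("ALLOW-FROM"):
            notes.append("ALLOW-FROM is obsolete and ignored by current browsers; treat as unprotected")
        else:
            notes.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it")
        return {"protected": False, "mechanism": "x-frame-options", "notes": notes}

    notes.append("no anti-framing header; any site can frame this page")
    return {"protected": False, "mechanism": None, "notes": notes}


# Constructed sample responses (hypothetical names, not real sites).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "login-page": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "legacy-portal": {"Content-Type": "text/html"},
    "embeddable-widget": {
        "Content-Type": "text/html",
        "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://partner.example",
    },
    "misconfigured-page": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each response name to whether it is protected against framing."""
    return {name: bool(assess_framing_protection(h)["protected"]) for name, h in responses.items()}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        result = assess_framing_protection(headers)
        status = "protected" if result["protected"] else "UNPROTECTED"
        print(f"{name:20} {status:12} {result['mechanism'] or '-':20} {'; '.join(result['notes'])}")
```

Run it on headers captured from your own site's login and transaction pages; a page that lands in the UNPROTECTED column is one that would still depend entirely on the visitor's browser add-ons for clickjacking protection.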
 
In November.

James P. Cottingham
[sup]I'm number 1,229!
I'm number 1,229![/sup]
 
TechieMicheal, does NoScript start giving you lots of pop-ups to allow/disallow new sites with Flash content, etc, or does it mainly just work in the background? Basically I'm just wondering if it'll offer more annoyance than help - kinda like MS Vista's UAC.

--

"If to err is human, then I must be some kind of human!" -Me
 
It'll give you a yellow bar to click at the bottom of your browser to allow sites. Since it is a whitelist, setting it up at first can be a little annoying, but once you do, you'll be glad you did.

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 
Doesn't sound too bad, I guess. I might give it a try sometime soon, myself, just to see. Sorry it took me so long to get back, but I didn't see the thread under "My Replies", and apparently I didn't look at this particular forum much since the 9th. [blush]

--

"If to err is human, then I must be some kind of human!" -Me
 
No problem. :)

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 