Wednesday, November 19, 2008

Security: What is Clickjacking?

If malware, spam, phishing, and other threats were not bad enough, the latest Internet security threat is called Clickjacking. Basically its a way of tricking you to click on disguised Web links, so that an action is performed on your local computer without your knowledge.

For example, using this exploit you can be tricked into turning on your web cam, or installing malware. All browsers are vulnerable to this type of threat, so this is not just isolated to I.E., Firefox, etc.

The way the attack works is you go to a site that has been modified by a malicious attacker, then the content (i.e.: web pages, flash animation, etc.) of the site tries to trick you into clicking links and buttons that you might not realize you're clicking. They do this by disguising the content to look like something else.

If you're really worried about this type of attack, then you need to disable scripting technologies like Javascript, and Flash for all sites in your browser. Then you need to enable it for approved sites only. The drawback is that many sites rely on this technology to make them more interactive. Thus disabling this technology can cripple a web site's experience.

To help protect you, here are some resources:
  • For Firefox there is a free open-source plug-in called NoScript that can block the execution of JavaScript except for sites that you approve.
  • For Internet Explorer, under Internet Options... in the Security tab you can set the Internet security slider to high. This should block all scripting technologies from running on any web pages you visit. If you want grant permissions to specific web site, you need to add them to your Trusted Site list.

No comments: