Don’t believe the hype

While browsing forums I often encounter statements from people spreading false information, often unintentionally, about clickjacking and other computer security issues. Here is a forum post that I ran into the other day:

I became aware of another internet security problem, today. It is called “clickjacking” and I don’t really understand what it is, but security experts are using the term “very scary” to describe it. Clickjacking is considered to be a “zero day” defect, which I think means it is already out in the wild doing damage at the time the security researchers discover it.

Fortunately, I also discovered a way to protect 100% against this threat. It is to use the Firefox browser with the Noscript extension installed and an option selected in the Noscript add-on called “Plugins|Forbid <IFRAME>”. The Noscript extension has been highly recommended for several years, but today was my initial installation of it.

Since I am upfront in saying I have little understanding of any of this mess, I don’t expect anyone to take my word on it. But I do strongly recommend doing your own research on it and I think you may take the same defensive actions as I have. Search on terms such as “clickjack” and “noscript”.

The person who wrote this is correct in some ways, but painfully wrong in others.

Yes, clickjacking attacks are currently out there in the wild. The proofs of concept that you find online are just a tiny tip of a big iceberg. An iceberg that’s heading right towards your fragile boat. The truth is that there are countless sites that intentionally try to trick users into clicking on false links. Even some popular sites have pages where clickjacking could cause serious problems.

The poster, however, is dead wrong when he states that he’s “discovered a way to protect 100% against this threat.” How do I know? Mostly because he admits that he doesn’t know much about the issue. And also because even security specialists haven’t been able to create a foolproof protection. Even the Firefox/NoScript combo, which I use, doesn’t offer complete protection. Security specialists continue to find new ways to get around Java blocking and frame-busting techniques.

I’m not pointing out the writer’s mistake to be mean. He’s not a security specialist, so he probably doesn’t even know how little he knows about the subject. It is important, though, to point out these fallacies. If you believe that you’re protected, then you’ll act like you’re protected. This delusion won’t do you any favors in the long run. The next clickjack attack could be on the next page. I think that you should be prepared for that possibility.
