Posts tagged ‘chrome’

A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point. What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect them from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online. Even with all the security tools, it’s still up to you to make smart, informed decisions when you’re online.



Internet Explorer 8 Tops Security List

December 28, 2010

NSS Labs has released a surprising report showing that Internet Explorer 8 blocks socially engineered malware (malware that tricks people into performing tasks or allowing functions unknowingly). According to their report, IE 8 offered more protection than Firefox 3.6, Safari 5, Chrome 6, or Opera 10.

Ask pretty much any computer nerd and he (or she) is going to tell you that there is something bogus about this survey. No one in the know would consider using Internet Explorer.

What the report could reveal, though, is that IE 8 works better than previously thought. The reason that computer nerds go for Firefox and less popular internet browsers could have something to do with their specific needs. In general, hackers are not using clickjacks, phishing, and other types of socially engineered malware to attack people who know a lot about computers. They want to target people who, quite frankly, don’t know what’s going on and are very naive. They are easy targets.

While it is commonly held that Firefox offers better protection than Internet Explorer, it could be that IE actually offers better protection for the average user. Firefox users typically install additional applications that customize their experiences. Installing additional security makes Firefox safer, but average people who don’t know much about internet security technology probably don’t know how to maximize that protection. For these people, IE works well right “out of the box.” They don’t have to worry about setting up anything extra. They just open the program and start surfing the web.

In bare bones versions, IE might beat its competitors. Thinking that you are really safe by using the basic IE 8, however, could lead you to fall for clickjacks and phishing schemes that you can only prevent by knowing how to spot them.

X-FRAME Denied

June 23, 2010

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by including the “X-FRAME-OPTIONS:DENY” response header, which tells browsers not to render the page inside a frame, so its links cannot be hidden in invisible frames. This sounds like a great step forward, but does it really help that much?

Including the header is pretty much the best thing that a website can do to protect internet users from clickjack attacks, but it certainly does not protect everyone. This header only works in conjunction with the latest browsers. If you’re using IE 8, Chrome 2, or Safari 4, then you’re probably in good shape. If you’re using an older version of these web browsers, then you are susceptible to clickjack attacks. Currently, the latest edition of Firefox does not even acknowledge the header. Firefox does plan to improve security by recognizing the header in future versions. Plus, Firefox has the optional NoScript plug-in that can help prevent clickjacks.

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacks. The point is that it’s dangerous for them to make claims that aren’t true for many visitors. Including the “X-FRAME-OPTIONS:DENY” header does qualify as improved security, but putting this at the center of your security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox and older browsers. Many of them think that they are protected from clickjacking, but the truth is that they are victims in waiting.
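A server-side check for the header discussed above, as an added example that is not part of the original post: it parses a raw HTTP response and reports whether X-Frame-Options was actually sent as a header and with a usable value. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit a raw HTTP response for the anti-framing header.
# Only DENY and SAMEORIGIN are accepted by this checker.
VALID = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Return (lowercased-name, value) pairs from the header block only."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_policy(raw):
    """Classify as 'deny', 'sameorigin', 'invalid', 'conflict' or 'missing'."""
    values = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":          # header names are case-insensitive
            # A header set twice may also arrive as one comma-joined value.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return "missing"
    if any(v not in VALID for v in values):
        return "invalid"                       # e.g. a misspelled directive
    if len(set(values)) > 1:
        return "conflict"                      # ambiguous; fix the server config
    return values[0].lower()

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "protected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "X-Frame-Options: DENY\r\n\r\n<html></html>",
    "lowercase": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    "typo":      "HTTP/1.1 200 OK\r\nX-Frame-Options: DENNY\r\n\r\n",
    "duplicate": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    # The string appears only in the body, so no header was sent at all.
    "body_only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "X-Frame-Options: DENY",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {framing_policy(raw)}")
```

A "deny" result only shows what the server sent; as the post notes, protection still depends on the visitor's browser honoring the header.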

Are Google Chrome Users Safe from Clickjacking?

March 12, 2010

Google claims that its web browser, Chrome, offers improved security for those surfing the internet. Google Chrome users, however, might not be as protected as they think.

Late last year, CNET reported that version and earlier editions are vulnerable to clickjacking. You can read the original CNET news report here.

Google has acknowledged that there are some clickjacking security issues. Some individuals in the company have pointed out that clickjacking remains a significant issue for all browsers. The particular clickjacking technique that revealed Chrome’s vulnerability, however, was not effective against Internet Explorer 8 and Opera 9.63.

Firefox 3.0.5, however, was just as vulnerable to this clickjacking technique as Chrome.

Just because IE and Opera were not vulnerable to this specific type of clickjacking, however, does not necessarily mean that they aren’t susceptible to other techniques.

As is common in the world of security technology, companies keep making tougher products and criminals keep figuring out ways to break them. It’s an ongoing process. Even though there are security vulnerabilities with pretty much all web browsers, using the most updated version of your preferred browser will generally provide the tightest security.

Clickjacking presents a particularly difficult security issue for programmers because it takes advantage of the ways that web sites and the internet were designed to work. Perhaps it was an oversight made by early internet innovators, but it seems that we’re currently stuck with the problem.