Posts tagged ‘firefox’

A New Clickjack Protection

September 20, 2011

Clickjacking has been a huge problem because it takes advantage of security problems inherent in the Internet’s basic structure. It’s really difficult to tell whether a link or video is pulling a fast one on you. For a long time, Internet users could rely on NoScript, an app that worked with Firefox. It’s a pretty useful app, but it’s hard to rely on a single source of protection. Plus, the problem with having a single form of protection is that you never create competition that encourages NoScript to improve its service.

Now that competition has started.

Zscaler is a new widget that blocks clickjacked objects from unleashing their attacks on you. Unlike NoScript, which only works with Firefox, Zscaler works with Firefox, Chrome, and Safari.

It’s uncertain whether Zscaler actually works better than NoScript.

Actually, whether it’s better is only part of the point. What’s really important is that NoScript now has some competition. It also means that Internet users now have two options to protect them from clickjackers.

There’s just one potential problem with this. The more tools we have to protect ourselves, the more open we are to social manipulation. We begin to think that the apps and widgets will protect us no matter what. But they won’t. Clickjackers are always one step away from figuring out how to bypass even the latest security. That means each person has to pay attention to what actions they take online. Even with all the security tools, it’s still up to you to make smart, informed decisions when you’re online.

 

Internet Explorer 8 Tops Security List

December 28, 2010

NSS Labs has released a surprising report showing that Internet Explorer 8 blocks socially engineered malware (malware that tricks people into performing tasks or allowing functions unknowingly). According to their report, IE 8 offered more protection than Firefox 3.6, Safari 5, Chrome 6, or Opera 10.

Ask pretty much any computer nerd and he (or she) is going to tell you that there is something bogus about this survey. No one in the know would consider using Internet Explorer.

What the report could reveal, though, is that IE 8 works better than previously thought. The reason that computer nerds go for Firefox and less popular internet browsers could have something to do with their specific needs. In general, hackers are not using clickjacks, phishing, and other types of socially engineered malware to attack people who know a lot about computers. They want to target people who, quite frankly, don’t know what’s going on and are very naive. They are easy targets.

While it is commonly held that Firefox offers better protection than Internet Explorer, it could be that IE actually offers better protection for the average user. Firefox users typically install additional applications that customize their experiences. Installing additional security makes Firefox safer, but average people who don’t know much about internet security technology probably don’t know how to maximize that protection. For these people, IE works well right “out of the box.” They don’t have to worry about setting up anything extra. They just open the program and start surfing the web.

In bare bones versions, IE might beat its competitors. Thinking that you are really safe by using the basic IE 8, however, could lead you to fall for clickjacks and phishing schemes that you can only prevent by knowing how to spot them.

Let me clue you in

September 28, 2010

Let me clue you in on something.

There’s no guarantee that you’re going to avoid clickjacking attacks… unless you never ever click on a link. Just avoid the whole internet. That should keep you safe.

Even if you are using Firefox or some other security-enhanced Web browser in conjunction with NoScript, you could still fall victim to a clickjacking plot. You can only protect yourself to a certain extent. Even if you keep your wits about you, there’s a good chance that you’re going to get clickjacked at some point. All it takes is one mistake, and hackers are very good at encouraging you to make mistakes long before you realize what you have done.

So, you’re at least somewhat screwed here.

That’s why it’s important to use third-party software to make sure that your computer doesn’t have any malware installed on it. In fact, if you really want to play it safe, then you’ll install two pieces of antivirus software and you’ll run them both daily.

Does that sound like a lot? I spend a large chunk of my day online because of work. That means I probably have a larger chance of running into clickjacks and malware than you, unless, of course, you’re a bigger dork than I am. At the same time, knowing a lot about computer security means that I should be able to protect myself from exposure. Even with my level of expertise, though, I frequently find that some piece of malware has slipped through my defenses. I certainly don’t find security risks every time I run my antivirus protection. But I find something fishy at least once a week.

If I’m vulnerable to these attacks, then just imagine your own risk.

X-FRAME Denied

June 23, 2010

Facebook, Twitter, and many other popular websites claim that they protect users from clickjacking attacks by including the “X-FRAME-OPTIONS: DENY” tag, an HTTP response header that tells the browser not to display the page inside a frame, so its links cannot be hidden in invisible frames. This sounds like a great step forward, but does it really help that much?

Including the tag is pretty much the best thing that a website can do to protect internet users from clickjack attacks, but it certainly does not protect everyone. This tag only works in conjunction with the latest browsers. If you’re using IE 8, Chrome 2, or Safari 4, then you’re probably in good shape. If you’re using an older version of these web browsers, then you are susceptible to clickjack attacks. Currently, the latest edition of Firefox does not even acknowledge the tag. Firefox does plan to improve security by recognizing the tag in future versions. Plus, Firefox has the optional NoScript plug-in that can help prevent clickjacks.
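As an added illustration (not code from this blog or from any site named here), the Python sketch below audits a raw HTTP response for the X-FRAME-OPTIONS protection described above. The function names and the sample responses are constructed for the example.

```python
# Added example: classify the framing protection an HTTP response declares.
ACCEPTED = {"DENY", "SAMEORIGIN"}

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: DENY\r\n\r\n<html></html>",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    # The value appears only in a <meta> element in the body, not as a header.
    "meta_only": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 "<meta http-equiv=\"X-Frame-Options\" content=\"DENY\">",
    "typo": "HTTP/1.1 200 OK\r\nx-frame-options: ALLOWALL\r\n\r\n",
    "folded": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, DENY\r\n\r\n",
}

def parse_headers(raw):
    """Return (lowercased name, value) pairs from the header block only."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        if not line.strip():
            break  # blank line ends the headers; the body is never scanned
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_framing(raw):
    """Return (verdict, detail) for the X-Frame-Options headers in raw."""
    values = [v.upper() for n, v in parse_headers(raw) if n == "x-frame-options"]
    # Duplicate headers are sometimes merged into one comma-separated value.
    tokens = [t.strip() for v in values for t in v.split(",")]
    if not tokens:
        return ("unprotected", "no X-Frame-Options header")
    unknown = [t for t in tokens if t not in ACCEPTED]
    if unknown:
        return ("invalid", "unrecognised value: " + ", ".join(unknown))
    if len(set(tokens)) > 1:
        return ("conflict", "more than one policy: " + ", ".join(tokens))
    return ("protected", tokens[0])

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        print(label, audit_framing(response))
```

A "protected" verdict only says the site sent the header; whether a visitor is actually protected still depends on their browser honoring it.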

The point here isn’t that Facebook, Twitter, and other sites aren’t doing what is in their power to prevent clickjacks. The point is that it’s dangerous for them to make claims that aren’t true for many visitors. Including the “X-FRAME-OPTIONS:DENY” tag does qualify as improved security, but putting this at the center of your security-focused marketing encourages people to feel safer than they really are.

It’s not necessarily inaccurate. It’s not even necessarily disingenuous. But it is dangerous for the millions of people who use Firefox and older browsers. Many of them think that they are protected from clickjacking, but the truth is that they are victims in waiting.

Is IE8 protecting you from clickjackers?

May 19, 2010

When Internet Explorer 8 was released, it promised to contain security features that would protect users from clickjacking attacks. It is certainly helpful that Microsoft included some protection from clickjackers in IE8, but many security specialists have learned that the strategies are not completely effective.

In fact, IE8’s clickjack protection relies on the efforts of webmasters to secure their pages with special tags that create errors when clickjacking strategies are used. That means webmasters would not only have to go through the trouble of including tags in every page that they create, but also the millions of pages that already exist on the internet. There is basically no way that that’s going to happen.

Internet users, however, don’t have any foolproof ways to protect themselves. Many security specialists believe that a combination of Firefox and NoScript offers the best protection. Even that dynamic duo has its faults. In fact, every browser is susceptible to some version of clickjacking. If you want absolute safety, then you’d better not use the web at all.

If, however, you are willing to take a slight risk, then you can use an updated web browser, frequently scan your system for malware, and pay attention to every link that you click. The best defense so far is common sense and skepticism. Using those tools, you can limit the number of clickjacking strategies that you are exposed to.

Don’t knock on IE too hard

April 23, 2010

Those of us who use computers a lot and know a fair bit about how they work often find ourselves avoiding Microsoft products. There are several reasons for choosing operating systems, browsers, and software made by other companies, but my recent research has led me to believe that low security standards are not something that we can really blame on Internet Explorer’s developers.

Is IE more open to clickjacking attacks and malware than browsers like Chrome and Firefox? Well, that largely depends on what type of attacks we are talking about. In general, though, I have to say that I have had more problems using IE than other browsers. The problems, however, don’t stem from low security standards. Instead, they are a result of Microsoft’s market dominance.

Cybercriminals know that most people use IE, so they focus on attacks that can infiltrate that browser’s security standards. Of course there are plenty of people who use Firefox and Google Chrome, but the vast majority use IE. Recognizing this and focusing their efforts on IE security allows cybercriminals to dupe more people into installing malware and clicking on objects hidden in invisible frames.

The truth is that Microsoft has done a lot to prevent clickjacking attacks in IE8. You can learn more about the innovative steps that they have taken at the IEBlog. You might notice that the security protocols developed by Microsoft in 2008 are the same measures being used by other developers now.

What does this mean for Microsoft? It means that they have a difficult fight ahead of them. Staying at the top of the industry means that more hackers will concentrate on their products. Which in turn means that Microsoft looks like it has poor security options to many internet users.

I guess it’s hard to be on top. I feel some sympathy for Microsoft. At the same time, I also agree with critics who have cited the company’s non-competitive tactics as a reason that IE is a prime target.

I’ll continue using non-Microsoft browsers for the foreseeable future to give myself increased protection. After spending a few days reading about Microsoft’s security issues, though, I won’t be so quick to blame them for clickjacking attacks and malware susceptibility.