My concern over clickjacking (that I posted late last month on the Tekblog) appears to be resolved for safe surfing in Firefox with the upgrade of a security tool called NoScript with clearclick. BTW, I strongly believe that Firefox is one of the most secure web browsers on the internet today.

Google, IBM Internet Security Services, and the Swiss Federal Institute of Technology conducted a study “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the “insecurity iceberg.” The study concluded that of the hundreds of millions of users accessing Web browsers worldwide, more than 600 million were at risk of attack for not running the latest, most secure Web browser version as of June 2008.

You should check out US-Cert to read about how you can secure your web browser for safer internet surfing.  Ultimately, we must all remember that we are all responsible for contributing toward a safe internet community.  Just as you would not attempt to drive a car across country with bald tires, you should not attempt to navigate the internet with a bald browser.

I will admit that the NoScript addon can be a real PITA at times because you have to allow or forbid and decide what options will work best with that particular website.

As an example:  Clearclick blocked the home page of Teksquisite.com

scripts-forbidden

Giorgio Maone from hackademix.net states that  “whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised,  NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction.”

In order to allow all JavaScript menus to operate freely with clearclick I had to allow teksquisite.com

You can get the latest stable version of NoScript 1.8.2.1 here.   Supported browsers: Firefox 1.5.0.6 and above, SeaMonkey 1.0.5 and above, Flock, IceWeasel, and Minefield.  Don’t go on the internet without it!

Happy surfing

Details of Clickjacking Attack Revealed With Online Spying Demo!

“A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works.”

Update on Clickjacking from Network World on 10-9-2008

“For the moment, there’s little that end users can do to protect themselves and maintain the Internet’s usability, said Hansen. One tactic, only available for Firefox users, is to install the NoScript add-on, he said. “NoScript does a great job of supplementing [Mozilla's] slowness in patching, but it’s not really the best way to protect users,” Hansen said, referring to NoScript’s content blocking, which can render some sites unusable.”

“Finding a solution for clickjacking will be very complicated, which is why we don’t see a quick solution,” Hansen said. “But if we don’t give it the attention it deserves now, it could be used in the future for much more effective targeted attacks.” Robert Hansen, founder and CEO of SecTheory LLC

Last Friday US-CERT warned network administrators to beware of clickjacking.  This is a fairly new threat that affects Microsoft Internet Explorer, Firefox, Safari, Opera, Chrome, and Adobe Flash.  I can honestly say that if it is anything like the iFrame exploits from last winter that haunted all of my wordpress domains,  I’ll be ripped and then ripped some more…

Update October 07, 2008

Interview: Jeremiah Grossman provides more details on clickjacking attack