<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Privacy Council &#187; hackers</title>
	<atom:link href="http://privacycouncil.org/tag/hackers/feed/" rel="self" type="application/rss+xml" />
	<link>http://privacycouncil.org</link>
	<description>Together we can end SPAM, Junk Mail and Unsolicited Phone Calls</description>
	<lastBuildDate>Thu, 06 Aug 2009 15:24:09 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Clickjacking: Big Problem, Not Much Solution (Yet)</title>
		<link>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/</link>
		<comments>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/#comments</comments>
		<pubDate>Fri, 10 Oct 2008 20:37:26 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[adobe]]></category>
		<category><![CDATA[clickjacking]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[threat]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[web browsers]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=78</guid>
		<description><![CDATA[This week&#8217;s security threat: clickjacking.
Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. This is a crime in which hackers hide behind harmless-looking websites so that people who visit them might be [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px;" src="http://privacycouncil.org/wp-content/uploads/2008/10/optical_mouse_shining.jpg" alt="Do you know where your clicks really go?" width="277" height="144" />This week&#8217;s security threat: clickjacking.</p>
<p>Clickjacking is the latest in a series of security threats to web surfers. The United States Computer Emergency Readiness Team (US-CERT) issued a warning about clickjacking on September 26, and the news has spread quickly. This is a crime in which hackers hide behind harmless-looking websites so that people who visit them might be accidentally revealing sensitive information to the hackers by clicking around the site. Matt Hines of <a href="http://securitywatch.eweek.com/vulnerability_research/clickjacking_browser_attack_details_emerge.html">Security Watch</a> describes it like this: &#8220;Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and begin secretly forcing the client to click on any links they desired. Scary stuff indeed!&#8221;</p>
<p>Clickjacking is a vulnerability that&#8217;s widespread across every major web browser and Adobe Flash player. One recently-revealed problem that can arise from clickjacking, for example, is that a hacker can remotely activate someone&#8217;s web camera and microphone without their knowledge via the Adobe Flash vulnerability. The ramifications of this sort of spying are powerful, and the industry is on high alert.</p>
<p>Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, discovered the vulnerability and were scheduled to speak about it at the Open Web Application Security Project NYC AppSec conference in New York last month. The talk was put off, however, until the various browser companies could take a stab at fixing the problem. There was no sense, after all, in tipping off hackers about the problem before there were solutions to be found.</p>
<p>So far, there is some success, albeit not as much as one might hope. The free Firefox add-on known as NoScript has been updated to combat clickjacking attempts. Italian developer Giorgio Maone calls the update &#8220;ClearClick,&#8221; meaning that it reveals anything that&#8217;s hidden or obstructed when a user tries to interact with a website. The ClearClick update stops the interaction from completing and points out the disguised content present, giving the user a chance to back away from the potentially-dangerous content. But NoScript only works with Firefox and other Mozilla-based browsers, so what about Adobe Flash player, Internet Explorer and others?  </p>
<p>Just the other day, Adobe released a <a href="http://www.adobe.com/support/security/advisories/apsa08-08.html">workaround</a> for the flaw in its Flash player in order to deny hackers access to web cams and microphones. They promise to release a true fix by the end of the month. US-CERT and others suggest disabling browser scripting and plug-ins on our individual browsers, but that can limit the functionality of many websites, and it&#8217;s still not a comprehensive fix. Joe Wilcox of <a href="http://www.microsoft-watch.com/content/security/microsoft_weighs_in_on_clickjacking.html?kc=MWRSS02129TX1K0000535">Microsoft Watch</a> notes that Microsoft&#8217;s reaction to the clickjacking threat has been somewhat tepid, but perhaps with reason. One difficulty with software companies and how they address the threat lies in the fact that so little information has been released; while that&#8217;s good for avoiding exploitation of the flaw, it&#8217;s not great for assessing the true risk (although US-CERT&#8217;s warning is dire enough to take clickjacking seriously). One thing everyone can agree on: The problem is real, but there&#8217;s no easy fix, at least for now.</p>
<p>Sources for this article: <a href="http://news.yahoo.com/s/nf/20081008/bs_nf/62355">Yahoo! News</a>, <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9116800">Computer World</a>, <a href="http://www.pcmag.com/article2/0,2817,2332231,00.asp">PC Magazine</a>, <a href="http://www.adobe.com/support/security/advisories/apsa08-08.html">Adobe</a>, <a href="http://www.us-cert.gov/current/index.html#multiple_web_browsers_affected_by">US-CERT</a>, <a href="http://securitywatch.eweek.com/vulnerability_research/clickjacking_browser_attack_details_emerge.html">Security Watch</a>, <a href="http://www.microsoft-watch.com/content/security/microsoft_weighs_in_on_clickjacking.html?kc=MWRSS02129TX1K0000535">Microsoft Watch</a>  </p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/clickjacking-big-problem-not-much-solution-yet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Another spam attack, another lesson in not clicking every link in your email</title>
		<link>http://privacycouncil.org/another-spam-attack-another-lesson-in-not-clicking-every-link-in-your-email/</link>
		<comments>http://privacycouncil.org/another-spam-attack-another-lesson-in-not-clicking-every-link-in-your-email/#comments</comments>
		<pubDate>Mon, 11 Aug 2008 15:38:31 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[cnn]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[SPAM]]></category>
		<category><![CDATA[trojan horse]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=47</guid>
		<description><![CDATA[Last Tuesday, a new spam attack was launched via email. This harmless-looking message claims to contain top 10 lists from CNN.com, but when a user clicks on the link in the email, a pop-up tells the user that they need to install the newest version of Flash to view the list. The pop-up doesn&#8217;t allow the option of canceling the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px; border: black 1px solid;" src="http://privacycouncil.org/wp-content/uploads/2008/08/spaminacan.jpg" alt="Mmmm, spam" width="244" height="185" />Last Tuesday, a new spam attack was launched via email. This harmless-looking message claims to contain top 10 lists from <a href="http://www.cnn.com">CNN.com</a>, but when a user clicks on the link in the email, a pop-up tells the user that they need to install the newest version of Flash to view the list. The pop-up doesn&#8217;t allow the option of canceling the installation and instead traps the user into a neverending loop until the frustrated user either closes the browser window or clicks &#8221;install.&#8221; Those who click install get to deal with a Trojan horse that contacts another server to get still more malware and install it. The Trojan horse goes by many names, including Cbeplay.a, and security professionals are still having trouble figuring out what malware is indeed installed when the process completes on a user&#8217;s system. </p>
<p>According to security company <a href="http://www.mxlogic.com/itsecurityblog/1/2008/08/CNN-Fake-News-Update-Spam-Morphs-and-Massiveness.cfm">MX Logic Inc.</a>, the spam attack traffic peaked on Thursday, with 11 million messages per hour. Even as the numbers have gone down slightly since then, it&#8217;s still in the millions of messages per hour. Security pros say that more than 1,000 hacked sites are hosting the fake Flash update, and they also say that hackers have gotten so cocky that they don&#8217;t bother trying to hide the sites they&#8217;ve hacked. The latest news is still worse: the spam has mutated since the news of the message first broke, claiming to be a CNN &#8220;MY Personal Alert&#8221; instead of a top 10 list and linking to several malware sites and filenames instead of just one. Some users even say that they&#8217;ve received the spam with subject lines that actually reference real articles on CNN, adding to the legitimacy of the message. The links in the email always lead somewhere that insists on a Flash upgrade, though.</p>
<p>Meanwhile, Adobe Systems Inc., source of the real Flash Player, warned people not to click on anything that didn&#8217;t come from Adobe directly. They pointed out that ALL software updates should originate with the company and not with a third-party site, so any questionable links should be avoided. If you want to be sure you&#8217;re downloading a real, non-malware update, go to the company&#8217;s website directly and look for upgrades to download from there. This may seem like too little, too late in terms of security warnings, but it&#8217;s one of those things that seems like a no-brainer to IT people but needs to be said (and said more than once) to the average email user.  </p>
<p>The lesson is the same as we&#8217;ve talked about here before, regarding email, phishing and other spam attacks: Don&#8217;t click on a suspicious link or URL that you get in your email. Put your mouse over a link to see where it really goes before you click it. Have a healthy dose of skepticism when something you didn&#8217;t expect arrives in your inbox. And if all else fails, contact the company that the message claims to come from, just to be sure. Don&#8217;t just blindly click whatever you&#8217;re sent, or you&#8217;ll learn some hard lessons (and get some pretty major headaches in the process).</p>
<p>Sources for this article: <a href="http://www.itworld.com/news/54157/fake-cnn-spam-mutates-attacks-continue">IT World</a>, <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9111858">ComputerWorld</a>, <a href="http://www.techspot.com/news/31117-mxlogic-spots-huge-increase-in-fake-cnn-spam.html">Techspot</a>, <a href="http://www.mxlogic.com/itsecurityblog/1/2008/08/CNN-Fake-News-Update-Spam-Morphs-and-Massiveness.cfm">MX Logic</a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/another-spam-attack-another-lesson-in-not-clicking-every-link-in-your-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Color is Your Hat?</title>
		<link>http://privacycouncil.org/what-color-is-your-hat/</link>
		<comments>http://privacycouncil.org/what-color-is-your-hat/#comments</comments>
		<pubDate>Thu, 07 Aug 2008 21:58:27 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[dns flaw]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web 2.0]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=45</guid>
		<description><![CDATA[This week in Las Vegas, Internet security professionals from across the country converged for Black Hat USA 2008. The many briefings and trainings that were offered covered a variety of safety issues, such as phishing, malware, data theft, threats to the 2008 Presidential Election, and the DNS flaw we wrote about last week (Dan Kaminsky was in attendance to detail [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" style="float: left; margin: 7px; border: black 2px solid;" src="http://privacycouncil.org/wp-content/uploads/2008/08/creditcards.jpg" alt="Don't give these to hackers." width="268" height="182" />This week in Las Vegas, Internet security professionals from across the country converged for Black Hat USA 2008. The many briefings and trainings that were offered covered a variety of safety issues, such as phishing, malware, data theft, threats to the 2008 Presidential Election, and the DNS flaw we wrote about last week (Dan Kaminsky was in attendance to detail that particular threat). Even current and former government cyber-security officials were in attendance to make presentations and learn the latest and greatest threats to online public safety.  </p>
<p>Part of the appeal of this conference (and its follow-up, the hacker conference DEFCON) is that the people who make a living protecting computers from malicious assault can indulge their less-than-heroic urges. In an effort to point out potential weaknesses in the current software and systems in use, the pros unveil their own codes and tricks that circumvent security and leave sensitive data vulnerable to attack.  Of course, the focus is on improved security to foil these attacks, but the real fun is in playing the bad guy (the &#8220;black hat&#8221;). This is why Black Hat declares itself positioned at the &#8220;intersection of network security and hacker ingenuity.&#8221;</p>
<p>Despite the creative efforts of security experts, one truth that routinely emerges from these conferences is that, no matter how good the mousetrap, someone will build a better mouse. This year&#8217;s Black Hat briefings indicate that the flaws and problems with our current systems are growing almost faster than security professionals can adapt to fix them. For example, web-based software (software that runs in a browser) has inherent weaknesses that are difficult to anticipate and correct, especially at the speed at which applications are being developed. </p>
<p>Meanwhile, identity theft cases worth billions of dollars continue to come to light, usually with little response from those in the business. When the news broke during the conference that 11 people had been indicted for stealing 41 million credit and debit card numbers from a variety of retail systems (making it the largest hacking and identity theft case in history), the general consensus was not one of shock. Gathered professionals agreed that such crime will continue to persist, largely because it has been so successful and profitable for hackers. As one cyber crime expert for the Department of Defense told an AP reporter, &#8220;These guys were just persistent and lucky. And they got caught.&#8221; </p>
<p>The reality is enough to make the average web merchant a little bit paranoid. Are our Internet security measures nothing more than Swiss cheese bricks just waiting for a clever hacker to slip through? Not necessarily. And the other important factor to keep in mind is that, as the need for security increases, the need to preserve privacy must also be considered. The Electronic Frontier Foundation (EFF) chose the Black Hat conference as the place to announce their new Coders&#8217; Rights Project, which is an initiative designed to protect programmers and developers from legal threats that could interfere with their research. Above-board programmers shouldn&#8217;t have to worry that their latest, greatest development will lead to a lawsuit down the road; such a worry would have a serious chilling effect on technological advancement.</p>
<p>In the end, a persistent plea at Black Hat was one of collaboration. Working together, some claim, is the best way to thwart the hackers and protect our information. Rod Beckstrom, Director of the National Cyber Security Center in the U.S. Department of Homeland Security, gave a keynote address at Black Hat that walked participants back through history and drew parallels between historic events and the current situation with Internet security. While some of his analogies were elaborate, his message was simple: together, the developers and security professionals are more powerful than on their own. Whether that message will resonate remains to be seen. In the meantime, the best thing the average user or web merchant can do is be cognizant of what COULD happen, and vigilant in watching out for it.</p>
<p>Above all, resist the urge to turn to the &#8220;other side&#8221;&#8230; There may be lots of money to be had in stealing identities, but as Black Hat attendees prove, the efforts to reinforce the mousetrap are tireless and, in many cases, effective. There may never be complete and total security, but hackers don&#8217;t stand much of a chance when the guys working against them wear the black hat themselves on occasion.  </p>
<p>Sources for this article: <a href="http://www.networkworld.com/news/2008/073108-black-hat.html?hpg1=bn">NetworkWorld</a>, <a href="https://www.blackhat.com/html/bh-usa-08/bh-usa-08-schedule.html">Black Hat</a>, <a href="http://www.pcworld.com/businesscenter/article/149532/dns_holes_web_20_flaws_draw_interest_at_black_hat.html">PC World</a>, <a href="http://fe10.news.re3.yahoo.com/s/ap/20080806/ap_on_hi_te/tec_retailer_fraud_hackers">Yahoo! News</a>, <a href="http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=209904433">InformationWeek</a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/what-color-is-your-hat/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The DNS Flaw that Nobody Saw (Until Now)</title>
		<link>http://privacycouncil.org/the-dns-flaw-that-nobody-saw-until-now/</link>
		<comments>http://privacycouncil.org/the-dns-flaw-that-nobody-saw-until-now/#comments</comments>
		<pubDate>Thu, 31 Jul 2008 22:00:04 +0000</pubDate>
		<dc:creator>Erica</dc:creator>
				<category><![CDATA[Privacy News]]></category>
		<category><![CDATA[The Privacy Council]]></category>
		<category><![CDATA[dns]]></category>
		<category><![CDATA[domain name system]]></category>
		<category><![CDATA[flaw]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[IP]]></category>
		<category><![CDATA[Kaminsky]]></category>
		<category><![CDATA[patch]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web address]]></category>

		<guid isPermaLink="false">http://privacycouncil.org/?p=43</guid>
		<description><![CDATA[The news in online privacy this week has to do with a recently-publicized flaw in Domain Name System (DNS) caches. 
DNS is what takes the website names we type into a browser and translates them into the IP (numerical) addresses that actually take us to the websites we want. Since a web address (say, privacycouncil.org) is easier to remember than [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="float: right; margin: 7px; border: black 1px solid;" src="http://privacycouncil.org/wp-content/uploads/2008/07/keyboard.jpg" alt="keyboard" width="268" height="182" />The news in online privacy this week has to do with a recently-publicized flaw in Domain Name System (DNS) caches. </p>
<p>DNS is what takes the website names we type into a browser and translates them into the IP (numerical) addresses that actually take us to the websites we want. Since a web address (say, privacycouncil.org) is easier to remember than an IP address (such as 69.89.31.103), most people ignore the IP addresses and take for granted that the DNS will translate for them, if they give it any thought at all. Clearly, this is a major and vital part of the Internet.</p>
<p>But earlier this year, Dan Kaminsky, director of penetration testing for IOActive, found a pretty major flaw in the system: It&#8217;s vulnerable to hackers who could, in theory, change the IP address that correlates to a website name for their own benefit. A possible result of this tampering could be that the average user who types in his bank&#8217;s website address correctly could end up being redirected to a fake website that looks exactly like his bank&#8217;s page. The user could then type in his username and password as he always does, totally unaware that he just gave his personal login information to a hacker.</p>
<p>This method of address redirection is not the same as <a href="http://privacycouncil.org/dont-take-the-bait-of-phishing/">phishing</a>, which tricks people into visiting fraudulent websites through faulty links and bogus emails. No, this flaw, known as &#8220;cache poisoning,&#8221; is more sinister: it could victimize people who do everything right, simply by changing the IP address that is related to a typed-in website address. According to Kaminsky, this flaw has been around for almost two decades. It had simply gone unnoticed, by users and hackers alike, until he stumbled on it in February.</p>
<p>Kaminsky didn&#8217;t give many details of the flaw when he first publicly mentioned its existence on July 8; he didn&#8217;t want to give damning information to the hackers. In his announcement, he encouraged those who operate DNS machines to get a patch that would fix the flaw before it became a full-blown problem (a multivendor patch was released that same day). But last week, computer security firm Matasano published (apparently in error) some of the details of the flaw online, prompting fears that the affected computers, perhaps as many as 9 million, wouldn&#8217;t be fixed before the hackers used this new information and struck. This week, Kaminsky spoke out again, pushing companies to look to their own weaknesses. He plans to share more details of the flaw at a security conference in Las Vegas next week, hoping to motivate any remaining affected companies to take action.</p>
<p>Kaminsky said that, while 86 percent of people testing their systems on his website were vulnerable to the flaw just a few weeks ago, that number is down to 52 percent now. Another estimate puts the percentage of the Internet that&#8217;s unprotected at 41 percent. But just as this news has led companies to swiftly address their DNS weaknesses, it has also motivated hackers to start looking for ways to exploit those weaknesses. And this week, thanks to the leaked details of the flaw, they made progress.</p>
<p>The developers of the Metasploit hacking toolkit released attack code this week that takes advantage of the DNS flaw. Systems that have not yet patched up the problem could face trouble from hackers wielding this new code, and again, the user at home on his computer would probably not notice anything wrong until it was too late. Computer security experts are already expressing concern that this code will be used in attacks, some of which might go unnoticed for a while if the hackers are careful enough. Thanks to the new attack code, it&#8217;s now a race against time for companies to update their systems and repair the flaw before they fall victim to hackers.</p>
<p>Kaminsky&#8217;s message is simple: Companies must patch their systems NOW. The patch can take time to work through the testing process, be fully implemented on a system and eliminate weaknesses caused by the flaw, and the longer a company delays, the more likely they are to suffer an attack from hackers. Word is spreading about the need for the patch, but it&#8217;s difficult to know how many companies have still not addressed the problem on their own computers. Most major Internet providers in the U.S. have already put the patch in place or are in the process of implementing it. But many other companies and smaller ISPs might still be at risk.</p>
<p>By now, it should go without saying that, if you own a company with a web presence, you need to make sure your system is flaw-free, as fast as possible. But should the home user panic? Not necessarily. For one thing, 15 percent of American computer systems and 40 percent of European computer systems are immune because they run software from a Dutch company called PowerDNS, which doesn&#8217;t contain the flaw. Also, there are ways for you at home to find out whether your system is vulnerable. A DNS checker, such as <a href="http://www.doxpara.com">doxpara.com</a>, <a href="https://www.dns-oarc.net/oarc/services/dnsentropy">DNS-OARC</a> and <a href="http://www.dnsstuff.com/">DNSStuff</a>, can help you determine whether your system is okay. If it is, you should be in the clear. If it&#8217;s not, contact your ISP or system administrator and let them know.</p>
<p>If your system is vulnerable (or if you&#8217;re just paranoid), you can get around your system&#8217;s DNS with sites like <a href="http://www.opendns.com">opendns.com</a>, where you use their DNS server instead of your own. Don&#8217;t waste the time unless you have a legitimate fear of a security breach, though. And remember the good news: As you read this, more and more systems are being patched to fix the flaw. With any luck, the &#8220;good guys&#8221; will win this race.   </p>
<p>Sources for this article: <a href="http://news.cnet.com/8301-1009_3-9998906-83.html">CNET</a>, <a href="http://www.cbsnews.com/stories/2008/07/31/scitech/pcanswer/main4311532.shtml">CBS News</a>, <a href="http://www.nytimes.com/idg/IDG_852573C4006938800025748F007863C4.html?partner=rssuserland&amp;emc=rss">The New York Times</a>      </p>
]]></content:encoded>
			<wfw:commentRss>http://privacycouncil.org/the-dns-flaw-that-nobody-saw-until-now/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
