How to prevent clickjacking attacks with security policy, not technology

Don't miss need-to-know info! Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!

We also tend to look at the Internet in terms of how we view real life. There are certain neighborhoods and places in our town that we just don't go to, for example, because there is a perceived risk of crime in the area. Many people believe that if they stay away from the shady areas of the Internet, they should be ok.

Unfortunately, attacks like clickjacking are changing this perception.

What is clickjacking?
First let's differentiate clickjacking from other Web-based attacks. Clickjacking is not cross-site scripting (XSS). In an XSS attack, malicious content is reflected back to a browser where it is then executed. It is not cross-site request forgery, either. With XSRF, a user views a page that contains a reference to a Web resource, like a picture hosted on another site. Instead of loading the picture, however, the browser is manipulated to execute a command, like a balance transfer.

Clickjacking is different; the attack is conducted by transparently overlaying the malicious function over something apparently benign. This type of misdirection is dangerous because the user interacts with a website that appears to be totally legitimate. Users who are clicking on a link or a button in a Flash game, for example, are, in fact, executing malicious code on the site. From the browser's perspective, the code execution is an authorized request from the user, so the browser carries out the order unimpeded.

The clickjacking approach can perform a lot of interesting, if not malicious, actions on a victim's browser. For example, it had been demonstrated that, via clickjacking, an attacker could trick a user to click on seemingly innocent buttons that, in actuality, could grant site access to the computer's webcam and microphone.

Because the action appears to be a request from the user, the browser will do pretty much whatever it is requested. An attacker could dump cached credentials to steal usernames and passwords, Web history, searches and potentially engage in malicious transactions.

But clickjacking is not limited simply to Web content. Web researchers Jeremiah Grossman and Robert "RSnake" Hansen -- who, at Adobe Systems Inc.'s request, actually delayed their clickjacking presentation at the recent OWASP USA security conference in New York -- discovered this attack vector and also found a way to execute the same kind of attack in Flash files.

For more information on clickjacking The browser attack technique has more far-reaching implications than previously thought.   Learn how Adobe addressed clickjacking in the latest Flash player.

Clickjacking and the enterprise
How can enterprise environments protect against this attack? First, to defend against the Flash-based vector, set the "Always Deny" option in the Global Privacy Settings of your Flash player. Doing so will prevent Flash from accessing resources like your video camera and your microphone. Adobe has released a patch so make sure to verify your patch level on non-Microsoft Applications.

It is a bit more difficult to protect the browser. Because of the many attack vectors, simply disabling JavaScript will not completely defend against clickjacking. I would strongly recommend that organizations tell their users to use the Firefox browser along with the NoScript plug-in, which provides preemptive script blocking and enables users to "see" transparent or hidden windows. This new feature in NoScript, called ClearClick, reveals disguised, embedded elements and prevents their execution.

But even if users were able to see the potentially malicious content, would they know what is malicious and what is benign? User education is key here and, due to the nature of today's attacks, must be considered in different terms. Rather then simply trying to tell users not to click on links from strangers, or avoid non-approved binaries, security staffs need to look for ways to hold users accountable for what happens on their systems.

From a technical perspective, clickjacking is different from XSS or XSRF, but the attacks are all roughly similar when looked at from an enterprise risk-assessment perspective. When it comes to cross-site scripting, cross-site request forgery and clickjacking, the first action that leads to system compromise is likely the same: the user went to a site that was not work related.

Conclusion
In summary, the best recommendations for avoiding clickjacking attacks are not technical. If users are allowed to access the Internet as part of having a fun workplace, penalties should be established if a user's system gets compromised by visiting a non-work related site. An organization can decide what penalties will be enforced, but there must be some sort of consequence for a user's action if it leads to a compromise. If there are no penalties, employees and users may see no risk in going to sites that are not mission critical in order to perform their day-to-day job functions. Even if the risk is immense to the organization, the user will continue to partake in risky Web surfing if they are not directly impacted. There will never be an end of new attack vectors like clickjacking, cross-site scripting and cross-site request forgery so we need to keep our users educated and ready.

About the author:
John Strand currently is a Senior Security Researcher with his company Black Hills Information Security, and a consultant with Argotek, Inc for TS/SCI programs. He teaches the SANS 504 "Hacker Techniques, Exploits and Incident Handling," 517, "Cutting Edge Hacking Techniques," and 560 "Network Penetration Testing" classes as a Certified SANS Instructor. Strand also answers your questions on information security threats.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Emerging Information Security Threats,   Application and Platform Security,   Application Attacks (Buffer Overflows, Cross-Site Scripting),   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware Emerging Information Security Threats Hackers to sharpen malware, malicious software in 2010 Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Application Attacks (Buffer Overflows, Cross-Site Scripting) Quiz: How to build secure applications Black box and white box testing: Which is best? Adobe warns of critical update for Reader, Acrobat 9.1.3 9 Ways to Improve Application Security After an Incident Developers Need Help with Security Errors Buffer overflow tutorial: How to find vulnerabilities, prevent attacks SQL injection protection: A guide on how to prevent and stop attacks Experts rebuke programmers who use SQL injection as feature SANS: Application threats, website flaws pose biggest security threats Mozilla helps Adobe push out faster patches Application Attacks (Buffer Overflows, Cross-Site Scripting) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary DNS rebinding attack  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) JavaScript hijacking  (SearchSecurity.com) man in the browser  (SearchSecurity.com) phlashing  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) pulsing zombie  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.