Powerless over Clickjacking


Jim Rapoza

I tend to have very little patience with people who don't take their computer security seriously. In my opinion, a large share of the security problems on the Internet today would go away if most people simply avoided obviously dangerous attachments and Web sites, and followed basic security practices (such as keeping up with patching, anti-virus and application updating).

I've even gone so far as to call people who don't follow good security practices "security idiots."

So given that, one would think that the last thing I would tell someone to do when faced with a serious security problem is nothing. But sometimes a problem is so bad, so serious and so lacking in solutions that the only thing that people can do is hunker down and do their job.

For example, back when Microsoft's Internet Information Services Web server was plagued with constant and very serious security issues, including worms directed at its many holes, we (and by "we" I mean eWEEK Labs) recommended that companies ditch the server altogether. But for many heavy Microsoft shops, this wasn't an option. So they left IIS in place, essentially doing nothing as far as the Web server itself was concerned but trying to shore up security in other areas.

We may see this same kind of thing occur again, only this time on a much larger scale. My colleague Matt Hines, as well as many other security reporters and analysts, have been writing about a new threat called clickjacking.

Clickjacking essentially makes it possible for an attacker to embed code in a Web site, forum or blog that loads another site in a frame, makes that frame invisible and lays it over something the visitor is meant to click. The visitor thinks he is clicking a harmless button on the attacker's page; the click actually lands on a link or button of the hidden site, in whatever session the visitor already has there, and without the browser user's knowledge. All of the major browsers are susceptible to clickjacking, as is Adobe's Flash.

Worse, it's doubtful that a fix will be available anytime soon. So we are faced with one of the biggest browser threats we've ever seen, and users currently have no patch or update that they can load to fix the problem.
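Users can load nothing to stop this, but the site being framed can refuse to be framed, and that is where a practitioner should look. The following JavaScript is an added example for this edit, not code from the column or from eWEEK Labs: `decoyPage` builds the overlay an attacker's page uses, and `framingAllowed` reads a response's `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers (the defenses browsers later standardised) and reports whether a given origin may embed the page. Every origin, URL and header value below is constructed for illustration.

```javascript
// Added example, not code from the original column. Two halves of the
// clickjacking problem: what the attacker's page looks like, and how a site
// operator (or a tester) can tell whether a page can be framed at all.
// All origins, URLs and header values below are constructed.

// Classic clickjacking layout. The target page is loaded in an iframe that is
// made fully transparent and stacked above a bait button. The visitor sees
// and clicks the bait; the click actually lands on the framed page's control.
// Note that nothing here is script: an iframe and a stylesheet are enough.
function decoyPage(targetUrl) {
  return `<!doctype html>
<style>
  #bait   { position:absolute; top:100px; left:100px; z-index:1; }
  #victim { position:absolute; top:0; left:0; width:800px; height:600px;
            opacity:0; z-index:2; border:0; }  /* invisible, but on top */
</style>
<button id="bait">Claim your prize</button>
<iframe id="victim" src="${targetUrl}"></iframe>`;
}

function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.slice(0, -1), host: u.host, origin: u.origin };
}

// Match one CSP frame-ancestors source expression against the framing origin.
// Covers the forms a scanner meets most: 'none', 'self', *, scheme-only
// ("https:"), full origin ("https://a.example") and leading-wildcard host
// ("https://*.example.com"). Paths and port wildcards are not handled.
function sourceMatches(src, pageOrigin, framerOrigin) {
  const f = parseOrigin(framerOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return parseOrigin(pageOrigin).origin === f.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.slice(0, -1).toLowerCase() === f.scheme;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/]+)$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme) {
    if (scheme.toLowerCase() !== f.scheme) return false;
  } else if (f.scheme !== parseOrigin(pageOrigin).scheme && f.scheme !== 'https') {
    return false;   // no scheme given: the page's scheme, or https, is required
  }
  const fh = f.host.toLowerCase(), h = host.toLowerCase();
  return wildcard ? fh.endsWith('.' + h) : fh === h;
}

// Decide whether a page served from `pageOrigin` with these response headers
// may be embedded by a document at `framerOrigin`. `headers` maps lowercase
// header names to arrays of values (a header can appear more than once).
// Returns { framable, reason }; framable === true means clickjackable.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const fa = (headers['content-security-policy'] || [])
    .flatMap(v => v.split(';'))
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const sources = fa.slice(1);
    const ok = sources.some(s => sourceMatches(s, pageOrigin, framerOrigin));
    return { framable: ok, reason: `frame-ancestors ${sources.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || [])
    .flatMap(v => v.split(','))
    .map(v => v.trim().toUpperCase())
    .filter(Boolean);
  if (xfo.length === 0) return { framable: true, reason: 'no framing restriction' };
  if (new Set(xfo).size > 1) {
    // Conflicting values: browsers fall back to denying the frame.
    return { framable: false, reason: `conflicting X-Frame-Options: ${xfo.join(', ')}` };
  }
  const [value] = xfo;
  if (value === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (value === 'SAMEORIGIN') {
    const same = parseOrigin(pageOrigin).origin === parseOrigin(framerOrigin).origin;
    return { framable: same, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // ALLOW-FROM and anything else unrecognised: current browsers ignore the
  // header entirely, so the page is left unprotected.
  return { framable: true, reason: `unsupported X-Frame-Options value: ${value}` };
}

// Constructed responses: an unprotected page and a hardened one.
const UNPROTECTED = {};
const HARDENED = {
  'content-security-policy': ["default-src 'self'; frame-ancestors 'self' https://*.partner.example"],
  'x-frame-options': ['DENY'],   // kept for browsers without CSP support
};

// framingAllowed(UNPROTECTED, 'https://bank.example', 'https://evil.example').framable === true
// framingAllowed(HARDENED,    'https://bank.example', 'https://evil.example').framable === false
```

Run it with Node. The `HARDENED` case shows the precedence rule worth remembering when auditing: a `frame-ancestors` directive overrides `X-Frame-Options`, so a permissive CSP silently undoes a `DENY`, and a page that sends neither header is exactly the target the column describes.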

Some people have advised turning off scripting altogether in your browser. This is a good idea, unless you need to use any Web site or Web application written in the last 10 years. It is also not a complete answer: the basic attack needs no script on the attacker's page, only a frame and a stylesheet to hide it, so disabling JavaScript does not by itself stop it. On Firefox, the NoScript extension is designed to provide a good amount of protection against clickjacking, but, while I personally like NoScript, I've seen many non-advanced users frustrated by it.

Of course, you can also choose not to surf the Web at all to avoid clickjacking, but, like avoiding driving to avoid carjacking, that's probably not an option these days.

That's why, when it comes to the browser itself, the only solution may be to do nothing: Just keep using your browser and going to the sites that you need to go to.

But when I say do nothing, I am referring only to the browser, because this problem underscores the original point about not being a security idiot: If you have good anti-virus set up, have been diligent about patching applications and have a generally secure system, then you will be at much less risk from clickjacking than others.

And if you decide to stay a security idiot and leave your system unsecured, then get ready for a wild security ride as your browser and system get taken over by the wave of clickjacking sites that are sure to arise.