[Hidden-tech] Beware the Facebook thingy-dingy redux

Michael Billingsley michaelb at sover.net
Wed Dec 30 21:40:19 EST 2009


The original posting (which, under my signature, tells of Facebook's  
experience with "clickjacking") gives some of the details.  It depends  
upon the browser, and according to security experts, all browser apps  
including Firefox are vulnerable if you land on the wrong page or  
click on the wrong (deceptive) button.  Security people fault web  
browser developers for being entirely in a defensive/responsive mode  
instead of evolving a completely reworked approach to browser page  
viewing.

Here's an excerpt from an October 2008 article about "clickjacking"...

The clickjacking concept is nothing new, but the threat that Grossman  
and Hansen discovered is. It spans multiple browser families and  
doesn’t even require that a user click on anything. Just loading a  
compromised page sets off the attack, and clicking on that page will  
likely make things worse for the victim, they say. “And whether  
JavaScript is on or off, it will affect you,” he says.

The attacker can slide any malware underneath the mouse such that the  
user has no idea he or she is in the danger zone. So on the Website,  
a user could click on a bad link chosen by the attacker and the user  
would have no clue because the URL is invisible to them. A commonly  
used button on a Website could be loaded with this attack, for  
example, so that the user would be most likely to click on it and  
then get further compromised, the researchers say.

This is the "new" Internet.

Browser designers can design against it, but the outcome isn't going  
to make anyone happy... as another article says, our very commonplace  
expectation of Flash movies, pop-up tables and viewers, on-page  
interactivity, etc. gives all manner of openings for this new style  
of attack.  Firefox did develop a plug-in to help shield users to  
some extent, but it also involves "shutting off" interactivity to  
every new site you visit until you're sure that it, and its content,  
are safe.   (And that wouldn't have helped with respect to the  
following Facebook clickjack.)   Note that this is 14 months after  
the Grossman and Hansen article spelling out the problem.

And as an added irony, the clickjacking attack that occurred directly  
on the Facebook site over last weekend affected only Chrome and  
Firefox browsers. (It gave a short movie download after "testing" if  
you are human... by asking you to click on one colour button out of a  
field of multiple others.  After which your successful "click" led to  
the page that invisibly loaded the scary micro-app while  
simultaneously "rewarding" each user by providing a YouTube video).   
This ain't nice ol' Kansas anymore.

More here - http://www.darkreading.com/security/management/showArticle.jhtml?articleID=211201251

Michael Cerulli Billingsley
Straight Arrow Recordings
802-254-3975/380-6408
The Cotton Mill, Brattleboro, Vermont
Location Recording - CD Mastering - Audio Solutions/FX

On  30 December 09, at 4:07 PM, R. David Murray wrote:

> On Wed, 30 Dec 2009 14:01:52 -0500, Michael Billingsley  
> <michaelb at sover.net> wrote:
>> Just a note that - I was my own guinea pig.  I presumed that the
>> Chilean source-server was identical to the Romanian one, so rather
>> than dangerously clicking on the URL in the email (which would have
>> obviously handed my computer to the "loader") I went instead to the
>> domain server directly, to see if it also self-identified as being
>> slaved to TeamViewer software.
>>
>> Rather than just say so (which the Romanian server did) it
>> proceeded... while showing a blank screen... "load"   I immediately
>> yanked my Ethernet cable and killed the page, with hopes that it
>> didn't get its packet into my machine and was only able to use those
>> few seconds to scan for my Operating System (OS).   However, for a
>> modern computer a few seconds are aeons and enable multiple back-and-forth
>> conversations and exchanges of data.  Certainly it got my
>> machine ID and domain address for future reference... not a good  
>> thing.
>>
>> My laptop (from which I'd done this... with all firewalls up and all
>> external drives disconnected) immediately began to act a little
>> dodgy.  The rest of the afternoon was marked by a duplicate
>> RealPlayer Downloader jumping in and acting in tandem (in other words
>> - duplicating and parallel downloading) every clip I encountered on
>> the Internet for the rest of the afternoon, i.e. newsfeeds.   So I
>
> How can just going to a web page install software on your machine?
> Is OS X really that broken?  (I know Windows is, but I thought
> OS X was smarter than that).
>
> Makes me glad I'm running Linux :)  I've installed the Firefox NoScript
> extension just in case, though.
>
> --
> R. David Murray                                      www.bitdance.com
> Business Process Automation - Network/Server Management - Routers/Firewalls
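The standard defence against the clickjacking described above is for the site itself to refuse being loaded inside another page's frame, which browsers enforce from two response headers. The following evaluator is an added example, not code from this thread, from Facebook or from the Dark Reading article; it assumes headers as a plain object of lowercase names with array values, and its frame-ancestors matcher ignores ports and paths.

```javascript
// Added example (not from the thread, Facebook or the Dark Reading article):
// decides whether a browser would let a page be framed, from the headers the
// page was served with. X-Frame-Options follows the HTML spec's rules (a CSP
// frame-ancestors directive wins when present, an unrecognised value is
// ignored, conflicting values block); the frame-ancestors matcher is
// simplified (assumption: ports and paths ignored, header names lowercase).

function originOf(url) {
  const u = new URL(url);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname };
}
const sameOrigin = (a, b) => a.scheme === b.scheme && a.host === b.host;

// Match one CSP frame-ancestors source expression against the embedding origin.
function ancestorMatches(expr, embedder, self) {
  expr = expr.toLowerCase();
  if (expr === "'none'") return false;
  if (expr === "'self'") return sameOrigin(embedder, self);
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return embedder.scheme === expr.slice(0, -1);
  const [scheme, host] = expr.includes("://") ? expr.split("://") : [null, expr];
  if (scheme && scheme !== embedder.scheme) return false;
  // "*.x.test" matches "a.x.test" but not "x.test" itself.
  if (host.startsWith("*.")) return embedder.host.endsWith(host.slice(1));
  return host === embedder.host;
}

// May pageUrl, served with `headers`, be shown inside a frame whose top-level
// document lives at embedderUrl?
function framingAllowed(headers, pageUrl, embedderUrl) {
  const self = originOf(pageUrl), embedder = originOf(embedderUrl);
  const directives = (headers["content-security-policy"] || []).join(";").split(";");
  const fa = directives.map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    // A frame-ancestors directive takes precedence over X-Frame-Options.
    return fa.split(/\s+/).slice(1).some(src => ancestorMatches(src, embedder, self));
  }
  const raw = (headers["x-frame-options"] || []).flatMap(v => v.split(",")).map(v => v.trim().toLowerCase());
  const xfo = new Set(raw.map(v => (["deny", "sameorigin", "allowall"].includes(v) ? v : "invalid")));
  if (xfo.size === 0) return true;   // no policy at all: the 2008/2009 default
  if (xfo.size > 1) return false;    // conflicting values are treated as a block
  const [only] = xfo;
  if (only === "deny") return false;
  if (only === "sameorigin") return sameOrigin(embedder, self);
  return true;                       // allowall or an unrecognised value: ignored
}
```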

