Another reason to be paranoid online
KUALA LUMPUR: You have installed a new self-updating antivirus program, have the latest firewall, and you do not open any dodgy looking e-mail messages. You think you are reasonably safe from a lot of the harmful content on the Internet. Unfortunately, you are not.
On top of the newer and deadlier versions of the same kind of threats that are out there, there is now a new type of danger altogether — “click-jacking.”
At the Hack-in-the-Box security conference (HITBSecConf) 2008 here last week, click-jacking was the focus of a keynote speech by the founder and chief technology officer of WhiteHat Security, Jeremiah Grossman.
“Think of any button on any website that you can click on,” said Grossman. “Now consider that an attack can invisibly hover over these buttons and below a user’s mouse, so that when the user clicks on something he sees, he is actually clicking on something the attacker wants him or her to.”
An attacker, for example, can make you click on an “activate webcam” button when you intended to click the “news” button, he explained.
This means that a home user’s web browser can be covertly infiltrated with shadow buttons that lie invisibly over legitimate buttons.
According to Grossman, the “bad guy” hacker can access a web browser this way through the existing JavaScript or Flash Player, and doing so is relatively easy. Exact details on how this is done are confidential for security reasons.
“We have only known about this for a very short period of time; it is still unclear if there are any effective defences against this newfound threat,” he said.
Grossman recommends making sure the web browser security features are installed and up to date, especially with the more popular web browsers.
“If you want to use a popular web browser, you have to install every security add-on you can find. The less popular web browsers are less likely to be targeted by attackers. In any case, I would recommend you unplug or tape-up your webcam lens and disable or mute your microphone,” he said.
Grossman said that it is unclear what the web browser companies themselves can do about click-jacking right now. “Given that it is a very new type of threat, not much is known right now. We are looking into it,” he added.
HITBSecConf is Asia’s largest network security conference and is organised by Hack In The Box (M) Sdn Bhd; the event is in its sixth year.
That HITBSecConf is expanding year after year underscores how critical network security as a subject matter has become in Malaysia, said Dhillon Andrew Kannabhiran, founder and CEO of Hack In The Box, when announcing this year’s conference last month.
He had also said that it shows IT decision makers in local organisations and network security professionals worldwide acknowledge the value that HITBSecConf offers in terms of hands-on training, deep technical information, and insights into security trends.
The event is endorsed by the Malaysian Communications and Multimedia Commission; Malaysian Administrative Modernisation and Management Planning Unit; Malaysian National Computer Confederation; and Multimedia Development Corporation.
http://star-techcentral.com/tech/story.asp?file=/2008/10/31/technology/20081031115419&sec=technology
http://www.bdafrica.com/index.php?option=com_content&task=view&id=10619&Itemid=5843
Tuesday, November 4, 2008