What is clickjacking and why should I worry? (10 February, 2009)
Clickjacking is a recently discovered method of compromising your information that is now being exploited by criminals. In a clickjacking attack, you click on and enter information into what seems like a normal web page. You will not see anything different because the attack is camouflaged. The figure below illustrates how the attack works.
Unlike a virus, trojan, or other malware that compromises your computer by exploiting a flaw in an application or the operating system, a clickjacking attacker simply takes advantage of a standard web page design practice known as UI redressing. To make interactive and engaging web pages, a site is allowed to hide certain content and display it only when needed, and to place one element, such as a fill-in box, on top of another. If the page tells the browser to make that top box transparent, all you see is the content beneath it. When you enter text, it actually goes into the hidden box and is then sent to the attacker. There are many clever variations on how this can be done. A good explanation with more detail is available in this article on the SecTheory web site, and a Google search will turn up much more information.
What's important is how to protect yourself. All browsers are vulnerable to this, and it does not matter what operating system you run. While version 8 of Internet Explorer tries to protect against this partially, it has been shown that its protection is easily circumvented. The only known protection for now is to use the NoScript extension with Mozilla Firefox. It is a free extension that allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites that you choose. This does mean, of course, that you now have to explicitly tell the extension to allow each new web site you want to visit. This is inconvenient, but less so than having your identity stolen, and that is the reality of this attack.
The good news is that the NoScript extension is very easy to install and use (Watch video). You can enable a site temporarily, permanently, or forbid it to run potentially dangerous content.
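The partial protection mentioned above for Internet Explorer 8 is a response header (X-Frame-Options) that asks the browser not to display the page inside another site's frame; later browsers added the Content-Security-Policy frame-ancestors directive for the same purpose. The following Python script is an added example, not part of the LLE page or any product it mentions: it classifies a set of HTTP response headers by how strongly they refuse framing, so a site owner can audit their own server's responses. The sample header sets at the bottom are constructed for the example.

```python
"""Classify HTTP response headers by the framing restriction they impose.

Added example (not from the original page). Policy summary used here:
  - Content-Security-Policy "frame-ancestors" is the current standard; when a
    browser understands it, it takes precedence over X-Frame-Options.
  - X-Frame-Options DENY / SAMEORIGIN is the older header (introduced with IE8).
  - X-Frame-Options ALLOW-FROM was never widely supported and is obsolete.
"""
from typing import Dict, List, Optional, Tuple


def get_header(headers: Dict[str, str], name: str) -> str:
    """Return a header value by case-insensitive name, or '' if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if
    the directive is not present. Keywords keep their quotes ('self', 'none')."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify headers as one of:
       'deny'        - no site may frame the page
       'sameorigin'  - only the page's own origin may frame it
       'allowlist'   - specific third-party origins may frame it
       'unprotected' - nothing stops a hostile page from framing it
    and return (classification, reason)."""
    sources = frame_ancestors(get_header(headers, "Content-Security-Policy"))
    if sources is not None:
        if sources == ["'none'"]:
            return "deny", "CSP frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "sameorigin", "CSP frame-ancestors 'self'"
        return "allowlist", "CSP frame-ancestors " + " ".join(sources)

    xfo = get_header(headers, "X-Frame-Options").upper()
    if xfo == "DENY":
        return "deny", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "sameorigin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete: most browsers ignore it, so the page is effectively open.
        return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    if xfo:
        return "unprotected", "unrecognised X-Frame-Options value: " + xfo
    return "unprotected", "no framing restriction header present"


# Constructed sample responses (not captured from any real server).
SAMPLES: Dict[str, Dict[str, str]] = {
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "legacy": {"x-frame-options": "sameorigin"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "open": {"Content-Type": "text/html"},
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing classification."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, why = framing_policy(hdrs)
        print(f"{name:9s} {verdict:12s} ({why})")
```

The "unprotected" verdict is the one to act on: a page that collects input and carries neither header can be rendered invisibly inside an attacker's page, which is exactly the overlay described above. Note that these headers protect a site's own visitors only in browsers that honour them, which is why the page still recommends NoScript on the client side.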
What do I need to do?
Firefox is LLE's default browser and is installed automatically. Do not install Firefox yourself on your work PC! If you can't find it or are having trouble, please contact computer support.
SPECIAL NOTE! VPN users are required to use Firefox with NoScript. All LLE staff are responsible for protecting LLE's intellectual property. If you don't have them, install them now. If you have trouble, contact computer support for help.
Firefox and NoScript can be downloaded from the following links:
Mozilla Firefox - http://www.mozilla.com/en-US/
NoScript - http://noscript.net/