  • Jan 29
    2009
    From IE 8 to Google Chrome, Keep an Eye on Clickjacking
      in security
    First Microsoft touts clickjacking protections in Internet Explorer 8, then a security researcher releases a proof of concept for a clickjacking attack targeting the Google Chrome Web browser. Clickjacking, some say, remains an issue that will require cooperation in the security community.

    Clickjacking is not going away.

    The same week Microsoft announced on Jan. 26 it had put protections against clickjacking in Internet Explorer 8, security researcher Aditya Sood posted on BugTraq on Jan. 29 a new clickjacking advisory for the Google Chrome browser, with a link to a proof of concept.

    Officials at Google said they are aware of the issue, which affects Chrome versions 1.0.154.43 and earlier. So far, Google says it has not seen any attempts to exploit this vulnerability in the wild. Though the posted advisory only mentions Google Chrome, there are reports that the same vulnerability affects Mozilla's Firefox 3.0.5 as well—though this can be mitigated by using the ClearClick anti-clickjacking feature contained in the NoScript plug-in for Firefox.  

    Internet Explorer 7 does not seem to be affected by Sood's method.

    Still, clickjacking has affected all the major browsers. The technique was publicized in 2008 by security researchers Jeremiah Grossman, CTO of WhiteHat Security, and Robert Hansen. If done successfully, clickjacking can trick users into clicking on links without their knowledge and effectively circumvent cross-site request forgery protections that attempt to confirm transactions with the user.

    In Sood's proof of concept, available here, users click on what appears to be a link to Yahoo.com but are actually directed to a site about cross-site scripting. Sood wrote:

    A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page.

    The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

    While Sood's post focused on Google Chrome, a Google spokesperson was quick to point out that clickjacking is a larger issue that affects all Web browsers.

    "The issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser," the spokesperson said. "We are working with other stakeholders to come up with a standardized long-term mitigation approach."

    Although Microsoft put protection against clickjacking in the release candidate for Internet Explorer 8, critics contend that Microsoft's IE 8 RC 1 clickjacking solution is only a band-aid.

    "While it's positive that Microsoft has chosen to do something to safeguard against clickjacking, the new security feature offers very limited protections," Grossman said. "Web site owners can do more to protect their visitors, but unfortunately the average Web citizen still has no way to defend themselves on their own. So most experts will agree the anti-clickjacking feature will do little to stem the near-term risk."

    Grossman suggested browser vendors consider bundling in the NoScript Firefox plug-in by default.

    "NoScript has powerful security features that can prevent clickjacking as well as many other Web-based attacks, which also allows users to tune their own level of desired security," he added. "For Internet Explorer, Opera, Google Chrome, etc., they should embed similar features and functionality in their products."

    Johnathan Nightingale, a security researcher for Mozilla, said Mozilla's efforts around preventing clickjacking have been more focused on comprehensive solutions like its Content Security Policy proposal and implementing the Origin header to thwart cross-site request forgery attacks.

    "We've discussed these publicly with other browser makers and the broader Web security community to ensure that we are helping them prevent the attacks they're concerned about, and to benefit from their experience," Nightingale said. "Changing the way we do security on the Internet needs to be a group effort, and we'd welcome the participation of the IE team in that work." 


    Source: eweek.com 

    by Brian Prince 
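
As an added example (not from the eWEEK article or any vendor's code), the check below classifies a response's anti-framing headers the way a site owner would audit them. X-Frame-Options is the response header the IE 8 clickjacking protection introduced, and the Content Security Policy `frame-ancestors` directive is its later standardized successor; the function names and sample header values are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// Function names and sample values are illustrative, not from the article.

// Return the source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// headers: object mapping lower-case header names to their string values.
function framingPolicy(headers) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    // When frame-ancestors is enforced, browsers ignore X-Frame-Options.
    if (ancestors.every((s) => s === "'none'")) return { framable: "never", via: "csp" };
    if (ancestors.every((s) => s === "'self'")) return { framable: "same-origin", via: "csp" };
    if (ancestors.includes("*")) return { framable: "any", via: "csp" };
    return { framable: "allow-list", via: "csp" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { framable: "never", via: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { framable: "same-origin", via: "x-frame-options" };
  // Anything else (including the obsolete ALLOW-FROM) gives no protection
  // in current browsers, so report the page as framable by any origin.
  return { framable: "any", via: xfo ? "unrecognized x-frame-options" : "none" };
}

// Return the paths whose responses any third-party page could frame.
function framablePaths(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers).framable === "any")
    .map((r) => r.path);
}

// Constructed sample responses for a hypothetical site.
const SAMPLE_RESPONSES = [
  { path: "/login", headers: { "x-frame-options": "DENY" } },
  { path: "/transfer", headers: {} },
  { path: "/widget", headers: { "x-frame-options": "ALLOW-FROM https://partner.example" } },
  { path: "/account", headers: { "content-security-policy": "default-src 'self'; frame-ancestors 'self'" } },
];

console.log(framablePaths(SAMPLE_RESPONSES));
```

Pages that perform state-changing actions for an authenticated user are the ones to check first, since those are the actions a hidden frame would be used to trigger.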
  • Jan 20
    2009
    Massive Theft of Credit Card Numbers Reported
      in security

    Jan 20, 2009 2:02 pm

    A payment processor responsible for handling about 100 million credit card transactions every month disclosed today that thieves had used malicious software in its network in 2008 to steal an unknown number of credit card numbers.

    The company's information site on the incident, http://2008breach.com/, attempts to downplay the loss of data by asserting that no Social Security numbers, unencrypted PINs or other types of data were stolen. But according to some good reporting from Brian Krebs at the Washington Post, Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network, including the data from the magnetic stripe that can be used to create counterfeit cards.

    Heartland says it didn't discover the breach until Visa and Mastercard came knocking about suspicious activity involving card numbers processed by Heartland. Disheartening, to say the least.

    It's all the more sad that we as consumers really can't do a darn thing to protect ourselves against this kind of theft. We can be incredibly careful with our own PC and data, but we have no control over how it's handled by the plethora of companies that store and process our information. All you can do is to keep an extra close eye on your credit card statements and credit reports for anything suspicious.

    You can pick up free credit reports from https://www.annualcreditreport.com (avoid those slimy sites that try to get you to pay for them). Also, as you scan your credit card statements, be on the lookout even for small charges, possibly even less than a dollar. Such charges can be a sign that thieves are testing the account to see if they can pass a fraudulent charge, and may signal a much larger charge to come.

    For more info on the Heartland theft, see Krebs' Security Fix posting and the Heartland disclosure site. And yes, you have to wonder about disclosing this on a day when most everyone's attention is focused elsewhere.


    by Erik Larkin 
  • Jan 14
    2009
    Search Engine Marketing and Optimization: What Is It, and How Can It Help You?
      in Search Engine Optimization, Web Marketing

    The bottom line is the most important line these days. Everyone is trying to stay out of the red and maintain the black. If you think you are the only one, you are mistaken; even your customers and potential customers want to do the same. They have checkbooks too, and for their needs and services, they want you to serve them at the best cost they can find.


    How can you do this? We have the solutions that will best serve you in these times. With the right tactics for online marketing, you can thrive during this downturn and reach potential customers, who are using the Internet more feverishly now than they were 12 months ago. With a strong marketing strategy, whether it is Pay Per Click, Search Engine Optimization or Social Media Marketing, we can launch your business back into the black with proven techniques in search engine marketing.


    Now is the time to cut costs, but increase leads, conversions and sales. Internet users are becoming savvier. They also tend to trust the search engines and place a high degree of confidence in their findings. These users find most of their information on the Internet instead of from print or television. 80% of Internet users age 17 and older consider the Internet to be an important source of information, up from 60% in 2006. Is your website giving these users the information that they need?


    Search Engine Optimization is the practice that improves volume and traffic to a website through natural rankings in the search engines. Our highly trained and professional staff will work with your website to make all the necessary changes that follow a strict code of ethics, and will consistently manage your site to maintain and increase your rankings within the search engines. Cost per acquisition is lowest with this type of marketing. It's not just the amount of words you have on your website, it's about the quality of the content, your call to action, and why what you offer is better than your competitors. Overall, it is more work than a Pay Per Click campaign, but the click through rates are higher, and visitors generally stay longer, creating returning customers.


    A Pay Per Click (PPC) campaign is strongly suggested with new sites, or with sites that are changing domain names. As with moving to a new city, people won't know who you are unless you take the time to introduce yourself. PPC is a great way to introduce yourself to your community, as well as to your competitors. With times as they are, cutting out the fat is what we all need to do. We have ways to market your site while cutting out the fat and increasing the quality of your traffic and the quality of your leads. We help you focus on what your potential clients need. We search for your niche, research what potential customers are searching for, and create an optimized campaign that will yield the quality leads you need.


    Online consumer spending will continue to grow. Retail spending is expected to increase by 1.5% by the end of this year, but online spending is expected to increase by 12%. We want you to have your cake and eat it, too. And we will be able to assist you with the best marketing strategy that best fits your business. Like a custom suit, we tailor our custom web marketing solutions to fit you perfectly.

    by Rebecca Morrow 
  • Jan 2
    2009
    Zombies and botnets: Help keep your computer under your control
      in security, technology

    Published: January 3, 2007 | Updated: January 2, 2009 

    Online criminals can use a virus to take control of large numbers of computers at a time, and turn them into "zombies" that can work together as a powerful "botnet" to perform malicious tasks.

    Botnets, which can include as many as 100,000 individual "zombie" computers, can distribute spam e-mail, spread viruses, attack other computers and servers, and commit other kinds of crime and fraud.

    Botnets are highly valued by online criminals, and have become a serious problem on the Internet.

    How to tell if your computer has been infected

    A virus that makes your computer into a zombie might cause your computer to slow down, display mysterious messages, or work in an unexpected manner.

    These viruses usually do not disable your computer, because zombie computers must be plugged in and connected to the Internet in order for the botnet to work.

    You can get a free virus scan with the Windows Live OneCare safety scanner. If you want continuous protection, you should use antivirus software such as Windows Live OneCare, which is free for 90 days.

    Read other ways to tell if a virus has infected your computer.

    What to do if your computer is infected

    If your computer shows symptoms of virus infection, first make sure that the software on your computer is up to date. Then run the Microsoft Malicious Software Removal Tool. The Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software and helps remove any infection found.

    Read detailed information about how to help remove a virus.

    5 ways to help keep your computer from becoming a zombie

    1. Never open an attachment in an e-mail, instant, or mobile message unless you know exactly what the attachment is, even if it's from someone that you know. Attachments can contain e-mail viruses.

    2. Use an Internet firewall.

        Note: Windows Vista and Windows XP have a firewall already built-in and active.

    3. Stay up to date. Visit Microsoft Update and turn on Automatic Updates.

        Note: If you've installed the 2007 Microsoft Office System, Microsoft Office 2003 or Microsoft Office XP, Automatic Updates will also update your Office programs. If you have an earlier version of Microsoft Office, use Microsoft Office Update.

    4. Subscribe to industry standard antivirus software and antispyware software, and keep them current. Microsoft offers Windows Live OneCare, which is free for 90 days, and Windows Defender. Windows Defender comes with Windows Vista. If you use Windows XP SP2, you can download Windows Defender for no charge.

    5. Use licensed software products. Botnets are often comprised mostly of computers that run illegally copied versions of operating system and productivity software. Unlicensed software can be more susceptible to viruses, and can even come with viruses already installed without your knowledge.


    by Microsoft 