Clickjacking: Everyone’s Vulnerable

Photo credit: Nikolaus Wogen

Yesterday, I emailed those on my newsletter and told them about Sandboxie and why it's so important to use it in today's environment. Just before sending, I received an email about the very same topic, and it highlighted something so important that I felt I must bring it to your attention. It is serious.

First, what is clickjacking? An attacker loads a site you trust (your social network, your webmail, a settings panel) inside an invisible frame on a page they control, and lines up one of that site's real buttons exactly behind a harmless-looking button of their own. We're not going to get too technical, but the point is that the button you think you are clicking is a decoy: the click actually lands on the transparent frame laid over it, and on whatever real button sits there.

When you click what looks like a harmless button, you may really be pressing Submit, Log In, Like or Allow on another site where you are already logged in, or telling a plugin's settings dialog (the original demonstration used Flash Player's) to give the page access to your camera or microphone, so it can eavesdrop or record. The bad news is that you get no sign it happened: the decoy page behaves normally, and the hidden site does exactly what a legitimate click would have done, so nothing looks broken. It's all very stealthy.

Here's the kicker: it's not just Windows folks. All you Mac and Linux users need to take a minute to read this as well. Clickjacking abuses the way every browser lays out frames on a page, not a bug in one operating system, so all browsers are open to it regardless of the OS. Even Flash is susceptible, but I hear they are working on this.

How to protect yourself as a user?

This is the confusing part. Some say disabling JavaScript will do the trick; others say it won't. The invisible frame is plain HTML and CSS, so the attacker's page needs no script at all to lay it over the decoy; some variants do use script to keep the frame under your mouse, so turning JavaScript off narrows the attack but does not close it. I would rather err on the side of being cautious. It sucks. It really does, because in the Internet Marketing world a lot of cool and good things are done via JavaScript, right down to tracking stats.

Rather than turn it off completely, I installed NoScript on Firefox. NoScript lets you whitelist or blacklist sites for JavaScript and tells you where the scripts are loading from, which helps your decision making. More to the point for clickjacking, its ClearClick feature detects clicks on embedded content that is hidden or obscured and asks you to confirm them; that, rather than the script blocking, is what counters the transparent-frame trick.

Second, don't surf without a sandbox. Granted, sandboxing won't help you if the trick is to make your own logged-in session do something on another site, but if the page tries to secretly load a site carrying malicious software, then sandboxing definitely helps.

Stick to clean Internet neighborhoods. Chances are higher that questionable web sites like porn, game or software-cracking sites carry these (not saying you do visit them 😉 ). The downside is that this doesn't mean all other web sites are automatically clean: a clickjacking page needs no malware, only a hidden frame, so an ordinary-looking page can host one.

Check out this paper from US-CERT (part of Homeland Security) on how to secure your browser.

Finally, wait for the manufacturers to fix the browsers. A browser fix can only go so far, though: a browser can refuse to display a site inside another site's frame, but only when that site tells it to, so part of the fix is in the hands of site owners.

As a webmaster

Watch your web sites! First, tell browsers not to render your pages inside other sites' frames: send the X-Frame-Options header (DENY, or SAMEORIGIN if you frame your own pages) and, for current browsers, a Content-Security-Policy header with a frame-ancestors directive. Those headers, not a JavaScript frame-busting script (which an attacker's page can defeat), are what stop your site from being the hidden layer in someone else's clickjacking page. Please, please, please be careful with your passwords. Check your sites regularly to make sure everything in them is there by your design. Don't slack on your upgrades. I don't like to do updates either, but if it means a clean web site for my visitors, I'll bite the bullet. It's no longer about us, but about our visitors, our potential customers.

Check your computers. Insist that contractors who log in to your site check theirs regularly too. The last thing you want is a key logger installed on a computer and used that way to get into your site. Use RoboForm all the time if you can. It saves you from typing passwords, which a key logger would otherwise capture if you are unaware you have one on your system (a compromised machine can still steal them in other ways, so cleaning the computer comes first).
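Both halves of the problem, as added example code that is not from the original post or from any product it mentions: the first function shows the mechanism described at the top of this post (a transparent frame laid over a decoy button so the click lands on the framed site's real button), and the second is the check a webmaster would run against their own site's response headers to see whether browsers will refuse to frame it. It runs under Node.js with no network access; victim.example, the button coordinates and the sample header sets are all constructed for illustration.

```javascript
// Added example, not code from the original post. Runs under Node.js with
// no network access; every input below is constructed for illustration.

// --- The attacker's page -------------------------------------------------
// The site being attacked is loaded in an <iframe> that CSS makes fully
// transparent (opacity:0) and stacks above a harmless-looking decoy button
// (z-index:10). The frame is shifted so that the real button inside it, at
// (targetLeft, targetTop) within the framed page, is drawn exactly where
// the decoy is. The user aims at the decoy; the click lands in the frame.
// targetUrl and the coordinates are placeholders.
function buildDecoyPage(targetUrl, targetLeft, targetTop) {
  const decoyLeft = 100;
  const decoyTop = 100;
  return [
    "<!doctype html>",
    "<html><body>",
    `<button style="position:absolute;left:${decoyLeft}px;top:${decoyTop}px">Claim your prize</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;left:${decoyLeft - targetLeft}px;top:${decoyTop - targetTop}px;width:1200px;height:900px;opacity:0;z-index:10;border:0"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// --- The webmaster's check -----------------------------------------------
// Decide from a response's headers whether a browser will refuse to render
// the page inside another origin's frame. Header names are matched
// case-insensitively, as HTTP requires. A Content-Security-Policy
// frame-ancestors directive takes precedence over X-Frame-Options in
// browsers that support both, so it is evaluated first.
function framingProtection(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find(
      (k) => k.toLowerCase() === name.toLowerCase()
    );
    return key === undefined ? null : headers[key];
  };

  const csp = get("content-security-policy");
  if (csp !== null) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive !== undefined) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.toLowerCase().replace(/^'|'$/g, ""));
      // An empty source list matches no origin, which is the same as 'none'.
      if (sources.length === 0 || sources.includes("none")) {
        return { protected: true, reason: "CSP frame-ancestors 'none'" };
      }
      if (sources.includes("*")) {
        return { protected: false, reason: "CSP frame-ancestors * lets any site frame the page" };
      }
      return { protected: true, reason: `CSP frame-ancestors limited to ${sources.join(" ")}` };
    }
  }

  const xfo = get("x-frame-options");
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") {
      return { protected: true, reason: `X-Frame-Options ${value}` };
    }
    // ALLOW-FROM was honoured by only a few browsers; the rest ignore the
    // header when they see it, so it cannot be relied on.
    return { protected: false, reason: `X-Frame-Options "${xfo.trim()}" is not honoured by all browsers` };
  }

  return { protected: false, reason: "no framing restriction; any site can frame the page" };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "content-type": "text/html", "X-Frame-Options": "DENY" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  // CSP wins over X-Frame-Options, so this permissive policy undoes the DENY.
  cspWildcard: { "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const verdict = framingProtection(headers);
  console.log(`${name}: ${verdict.protected ? "protected" : "UNPROTECTED"} (${verdict.reason})`);
}
```

Run it with node and the loop prints one verdict per sample. The cspWildcard case is the one to remember: because frame-ancestors overrides X-Frame-Options wherever both are understood, a permissive Content-Security-Policy silently undoes a DENY, so check both headers together rather than stopping at the first one you find. The 2008-era alternative, a frame-busting script such as `if (top !== self) top.location = self.location;`, is not a substitute: the framing page can neutralise it (for instance with the iframe `sandbox` attribute, which stops the frame from navigating the top window), so the headers are the control to rely on.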
