[IS&T Security-FYI] SFYI Newsletter, March 9, 2009

Monique Yeaton myeaton at MIT.EDU
Mon Mar 9 13:44:42 EDT 2009


In this issue:

1. Worm Invades Facebook and MySpace
2. Clickjacking


-----------------------------------------------------
1. Worm Invades Facebook and MySpace
-----------------------------------------------------

Facebook, MySpace and other social networking communities are under  
attack by a new strain of the Koobface worm, which spreads by tricking  
users into responding to a message, apparently sent by one of their  
friends.

The message invites the recipient to click on a link and view a video  
at a counterfeit YouTube site. Visitors are told they need to install  
a bogus Adobe Flash plug-in to view the video. The bogus plug-in  
installs a Trojan horse program that gives Koobface author(s) control  
over the infected user's computer, hijacks the victim's social  
networking account and uses it to send out additional invites to  
spread the worm to the victim's friends and contacts.

The worm currently is spreading across other social networks as well,  
including hi5.com, friendster.com, myyearbook.com, bebo.com, and  
livejournal.com.

More information:
<http://voices.washingtonpost.com/securityfix/2009/03/koobface_worm_resurfaces_on_fa.html>

[Article source: SANS]


------------------
2. Clickjacking
------------------

Clickjacking.  One of the newest and most talked about, yet at the  
same time one of the most secretive new buzz words in Internet  
Security.  Clickjacking is actually a rebrand of what was originally  
called "UI (user-interface) Redress" and is an exploit in which  
malicious coding is hidden beneath apparently legitimate buttons or  
other clickable content on a Web site.

Clickjacking occurs when a malicious program is embedded into a Web  
site. This program hovers invisibly under the user's mouse. Once the  
user clicks (usually on a link, though it can be anywhere on the page),  
a new Web site may appear or software may be downloaded, and at that  
point clickjacking has occurred. In some cases the user may recognize  
this immediately; in other cases the user may be totally unaware of  
what took place.

There are a number of things that have major Web sites and companies  
especially alarmed:

1) The program can run on virtually any Web site without the Web site  
owner's knowledge or ability to stop it.

2) Clickjacking can take the user to a mirror site while still making  
them believe they are on the company's Web site, and mine personal  
information there, which is often freely given.

3) No browser, except the very few that are not graphical (such as  
the text-based browser Lynx™), is spared from these attacks or comes  
with a way to protect the user from possible jeopardy.

In addition to stealing personal data, such as bank account  
information, credit card information and Social Security numbers,  
clickjacking can also install a number of software applications  
(including harmful viruses, spyware or adware) on a computer without  
the user's knowledge.

Details on how clickjacking works, other than the basic information  
already listed, are being closely guarded. Browsers and Internet  
security software companies are working on a security patch that would  
help correct the situation. However, that may take some time. At the  
moment, the onus seems to be on the web developers, to avoid writing  
the type of scripts that can be exploited.
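Since the advice above puts the onus on web developers, here is an added example (not from the newsletter, nor from any of the sites it cites) of the two defensive layers a developer can add to a page that carries a sensitive button: response headers that tell the browser the page must not be rendered inside another site's frame (the real `X-Frame-Options` header and the `frame-ancestors` directive of Content-Security-Policy), plus a small "frame-busting" check the page can run itself. The function names, the header audit logic and the sample header sets are this example's own constructions.

```javascript
// Added example: anti-clickjacking (UI redress) defences for a web page.
// Layer 1: headers the server should attach to any page with a sensitive
// click target, so browsers refuse to draw it inside a foreign frame.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Audit a set of response headers (plain object, header names in any case)
// and report whether the page is protected from being framed by another
// origin. A missing header means the page can be overlaid and clickjacked.
function isFramingProtected(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }

  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return true;

  // frame-ancestors 'none' or 'self' blocks cross-site embedding; an explicit
  // origin list restricts it as well, so anything other than '*' counts.
  const csp = lower['content-security-policy'] || '';
  const match = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    if (!sources.includes('*')) return true;
  }
  return false;
}

// Layer 2: legacy frame-busting check for browsers that ignore the headers.
// Returns true when the document is the top-level window and false when
// something has framed it. The window object is passed in so the check can
// be exercised outside a browser; in a page you would call it with `window`.
function isTopLevelWindow(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    // Touching win.top throws when the framing page is cross-origin, which
    // is exactly the clickjacking situation, so treat a throw as "framed".
    return false;
  }
}

// Constructed sample: a response that forgot the headers versus one that
// used antiFramingHeaders().
const unprotectedResponse = { 'Content-Type': 'text/html' };
const protectedResponse = { 'Content-Type': 'text/html', ...antiFramingHeaders() };
console.log('unprotected page framable:', !isFramingProtected(unprotectedResponse));
console.log('protected page framable:', !isFramingProtected(protectedResponse));
```

In a real deployment the headers come from the server configuration or framework middleware, and the frame-busting check runs at the top of the page's script; when it returns false the page can refuse to render its sensitive controls.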

Users who adopt one of the available workarounds will find that  
browsing the Internet becomes different from what they are used to.  
There are applications, such as NoScript™, that can block Java and  
script applications from running in a browser, but this would render  
some Web sites virtually useless, and you'd have to live with the  
consequences of enabling Java or Flash when visiting Web sites that  
can't be viewed without it.

Clickjacking was used to attack Twitter a few weeks ago:
<http://www.theregister.co.uk/2009/02/26/twitter_clickjack_attack/>

For tips on securing your web browser see the information provided by  
CERT:
<http://www.cert.org/tech_tips/securing_browser/>

More information about clickjacking:
<http://www.brighthub.com/internet/security-privacy/articles/9740.aspx>


=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security

---------------------------------------
Important: DO NOT GIVE OUT YOUR PASSWORDS!
Ignore emails asking you to provide yours. IS&T will *NEVER* ask you  
for your password.
