Archive for the Security Category

Last week a couple of interesting and novel Clickjacking techniques were published:

  1. Cross-domain content extraction via framed view-source
  2. Double-clickjacking (or, as I prefer to call it, Rapid fire cross-site interaction)

Both involve a tiny amount of social engineering (#2 requires JavaScript, too), but as you can see they are totally feasible.

Needless to say, recent NoScript versions neutralize them no matter if JavaScript is enabled or not, thanks to specific enhancements in NoScript’s unique anti-Clickjacking protection module, ClearClick.

ClearClick anti-Clickjacking on Android

NoScript 3.0a3 for Firefox Mobile is out, bringing three of the major “classic” NoScript features to your Android smartphones:

  1. Easy per-site active content permissions management.
  2. The first and most powerful anti-XSS (cross-site scripting) filter available in a web browser.
  3. ClearClick, the one and only effective client-side protection against Clickjacking.

Still some road ahead for convergence between the desktop and the mobile versions, but we’re already past the biggest challenges…

A huge thanks to the NLNet foundation, and to many individuals, institutions and companies using NoScript, for their generous support to this project.

Am I alone in fearing that the lust for shrinking down the browser will get us into more trouble like this (or just make plain old-school phishing more effective)?

NSA endorses NoScript
Some weeks ago I read on Forbes’ technology blog that

Access Now, a non-profit that’s focused on digital civil liberties in the Middle East, has published a concise guide to staying safe online, aimed at “citizens in the Middle East, North Africa, and beyond.”
[…]
Aside from the usual advice about running antivirus, using strong passwords, and staying wary of USB drives, it delves into a few less obvious practices:

  • Run the NoScript plug-in for Firefox, which can block scripts on Web pages that you don’t authorize.

I don’t know if this puts me in any middle-eastern dictator’s blacklist, but it seems “internet security guides” with various political spins are flourishing, and they obviously share most of their endorsements, no matter the ideology.

USA’s National Security Agency (NSA) is doing its part as well, as I found out yesterday: look at page 7 (“Enhanced Protection Recommendations”) of this Best Practices for Keeping Your Home Network Secure PDF…

Amazing coincidence: just a few hours earlier my own NSA project had exited “stealth mode” to officially become NoScript 3.0a1 for Firefox Mobile.
Adventurous Android Alpha (AAA) testers are welcome :)

It’s getting boring.

Current Flash Player version (10.2.153.1 for the general public, 10.2.154.25 for Chrome users) is affected by a remote code execution vulnerability which is reported as being exploited in the wild.

Since Adobe Reader X (the newest version with “protected” mode) is vulnerable but not exploitable, Adobe doesn’t plan an out-of-band patch: looks like browser users are second-class citizens.

As usual, you can outright disable the Flash plugin or use NoScript’s active content blocking (not FlashBlock, please).

Yawn…
