Archive for White Hat Hacking

Clickjacking is a major threat to the Internet

Security experts are warning all Internet users about a new zero-day hacking technique called clickjacking that poses a major threat to the Internet.

“In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.”

Experts warn that the solution is to switch to the lynx browser, and to cease all other forms of web surfing until further notice.

“Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable … Therefore, if a user clicks on a web page, they may actually be clicking on content from another page.”

Two researchers, Robert Hansen and Jeremiah Grossman, planned at AppSec to discuss the threat of using Web graphics to persuade a victim to click where an attacker wants on a page. The technique, which is also known as user-interface (UI) redressing and IFRAME overlay, can be used by an attacker to hide a button or link on a legitimate page, such as a bank’s account page or Web mail application, using other Web content to mask the page’s context.

A Web user might think, for example, that they are clicking on a button to close a dialog box, when the button press in reality deletes all their e-mail messages in Gmail. Or, a user might believe they are clicking on a button to decline to take a survey, when they are actually transferring money from their bank. The technique could be used to raise an article’s Digg score or get paid for a pay-for-click advertisement, said Grossman, the chief technology officer for Web security firm White Hat Security.
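The IFRAME overlay described above depends on the legitimate page allowing itself to be loaded inside another site's frame, which a site controls with the `X-Frame-Options` and CSP `frame-ancestors` response headers (standard headers that this post does not mention). As an added example, not part of the original article, this check classifies a response's framing policy; `framingPolicy`, its verdict strings and the sample headers are constructed for illustration.

```javascript
// Added example: classify how a response restricts being framed by other sites.
// Header names and values are standard; framingPolicy, its verdict strings and
// SAMPLES are names and data constructed for this illustration.
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  // Browsers that enforce CSP frame-ancestors use it instead of X-Frame-Options.
  // A single policy (not several comma-joined ones) is assumed.
  for (const directive of (h["content-security-policy"] || "").split(";")) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== "frame-ancestors") continue;
    // An empty list or 'none' matches no ancestor: the page cannot be framed.
    if (sources.length === 0 || sources.join(" ") === "'none'") return "deny";
    // A bare wildcard or scheme lets any site (or any site on that scheme) frame it.
    if (sources.some((s) => /^(\*|https?:)$/.test(s))) return "unprotected";
    if (sources.every((s) => s === "'self'")) return "same-origin";
    return "allow-list";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // Missing header, obsolete ALLOW-FROM (ignored by current browsers) or a
  // malformed value: nothing reliably stops another site from framing the page.
  return "unprotected";
}

// Constructed sample responses for a stand-alone run.
const SAMPLES = [
  { "X-Frame-Options": "DENY" },
  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  { "Content-Security-Policy": "default-src 'self'" },
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "=>", framingPolicy(s));
```

A verdict of `unprotected` on a page that performs state-changing actions (delete, transfer, vote) is the case the examples in this post describe.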

Hansen and Grossman canceled their presentation after demonstrating to software maker Adobe that one of its products could be affected by the attack.

Clickjacking isn’t a new attack vector, but according to Grossman and Hansen, it’s one that is “severely underappreciated and largely undefended.”

Grossman states that this particular attack is capable of some “pretty spooky” things, but that’s all the detail he is going to give.

Until further notice, XSS WORM advises that users switch to the LYNX browser and delete all other browsers from their desktops and personal internet devices.


Independent expert hackers claim Web app bugs are less severe than other vulnerabilities

Expert hackers from the elite security and hacking specialist TELUS claim that their research demonstrates that Buffer Overflows are still the top threat to the safety of the Internet in these days of distributed social data networks and rich Web 2.0 application platforms.

Web application vulnerabilities such as cross-site scripting (XSS) and SQL injection may be widespread, but old-fashioned buffer overflow bugs are the most common flaws reported, according to new vulnerability research from Telus. The hacking experts also report that the level of severity of bugs in Microsoft products is declining significantly.

Telus, which provides vulnerability research analysis to most of the 20 top security vendors — including IBM ISS and McAfee — bases its data on vulnerabilities reported in enterprise-class products.

Microsoft went from around 175 high-severity vulnerabilities reported last year to 129 this year, and from 20 critical bugs to eight this year so far, according to Telus’s data. And overall, the top 50 software and network equipment vendors have had fewer severe bugs this year than last, says Richard Reiner, chief security and technology officer for Telus, which based its data only on vulnerabilities reported in enterprise-class products.

“The severity of Microsoft’s product [vulnerabilities] are dropping dramatically,” Reiner says.

Web app bugs are less severe than other types of vulnerabilities, the research firm said. Buffer overflows, which accounted for 1,470 of the reported bugs (in enterprise-class software, according to Telus data) from January ’04 until now, are also typically the most severe. “This was surprising, because buffer overflows are among the easiest vulnerabilities to avoid or correct,” Reiner says. “When they exist, they tend to be the most critical… I’m not surprised by that part, but by how prevalent they are.”

Telus has been widely respected for their long-time hacking expertise ever since acquiring Canadian security specialists Assurent and Richard Reiner for an undisclosed sum in April 2006.

“Customers will be the beneficiaries of our combined suite of internationally recognized security solutions that have a long and successful track record of enabling business resiliency” claimed Richard Reiner at the time of the acquisition.

Common Web vulnerabilities such as cross-site scripting (XSS) and SQL injection aren’t typically critical threats, Reiner says. Only one bug in the off-the-shelf Web products studied by Telus had a critical SQL bug, and none of them had a critical XSS flaw, he says.

The good news, then, is that off-the-shelf Web platforms are relatively secure. The bad news is that the customized or home-grown Web apps Telus studied were riddled with critical bugs.

“The number of vulnerabilities in widely used Web application platforms has been relatively small,” he says. “But the situation is quite different in custom and one-off applications businesses build.”

Telus’s data differs from that of Mitre Corp.’s latest Common Vulnerabilities and Exposures Report, which was released in May. The broader CVE report named XSS as the most prevalent vulnerability reported in 2006. It is currently unknown how Telus and the Mitre Corp., while working with the same public vulnerability information, arrived at such opposite conclusions. Some readers have suggested that Telus’ only motivation for releasing this questionable “research” is to generate PR and increase sales - possibly through fear and misinformation - while others claim that respected security vendors such as Telus would rarely (if ever) resort to such unethical tactics in pursuit of profits.

The number of critical and high-risk vulnerabilities is increasing, but that may be because these bugs are now being discovered on smaller vendors’ products, Telus says. Server vulnerabilities still outnumber client flaws, but client bugs have increased from 31 percent of the vulnerabilities last year to 39 percent this year.

Read the original article over at DarkReading.com - a security portal for “IT professionals with security specialties and CISSP or CISA certifications; CIOs; CTOs; CSOs, CISOs, and CCOs.”


NEW: How Hackers REALLY Work

Hacker Hierarchy

Psychologist and Expert Hacker Marc Rogers says there are several subgroups of hackers: newbies, cyberpunks, coders and cyber terrorists.

Newbies are hackers who have access to hacking tools but aren’t really aware of how computers and programs work. Cyberpunks are savvier and are less likely to get caught than a newbie while hacking a system, but they have a tendency to boast about their accomplishments. Coders write the programs other hackers use to infiltrate and navigate computer systems. A cyber terrorist is a professional hacker who infiltrates systems for profit — he might sabotage a company or raid a corporation’s databases for proprietary information.

Hackers and Crackers

Many computer programmers insist that the word “hacker” applies only to law-abiding enthusiasts who help create programs and applications or improve computer security. Anyone using his or her skills maliciously isn’t a hacker at all, but a cracker.

Even if the so-called hackers using malicious hacking skills have always, and continue to label themselves and their peers as hackers first and foremost, the nomenclature does not legally apply according to the Arbitration of What Stuff is Called Act of 2002. In addition, loosely organized social groups and clubs have not traditionally been permitted to determine their own names or identities. All definitions related to hacking must be approved by at least one academic over the age of 55 years old in an authoritative tone whilst speaking to a relatively-ignorant IT journalist about the latest sensationalized hacker story. - Ed.

Group of Hackers from KDE.ORG

 

Crackers infiltrate systems and cause mischief, or worse. Unfortunately, most people outside the hacker community use the word as a negative term because they don’t understand the distinction between hackers and crackers.

Spying on e-mail: Hackers have created code that lets them intercept and read e-mail messages — the Internet’s equivalent to wiretapping. Today, most e-mail programs use encryption formulas so complex that even if a hacker intercepts the message, he won’t be able to read it.

Hacker Culture

Individually, many hackers are antisocial. Their intense interest in computers and programming can become a communication barrier. Left to his or her own devices, a hacker can spend hours working on a computer program while neglecting everything else.

There are many websites dedicated to hacking. The hacker journal “2600: The Hacker Quarterly” has its own site, complete with a live broadcast section dedicated to hacker topics. The print version is still available on newsstands. Web sites like Hacker.org promote learning and include puzzles and competitions for hackers to test their skills.

Not all hackers try to explore forbidden computer systems. Some use their talents and knowledge to create better software and security measures. In fact, many hackers who once used their skills to break into systems now put that knowledge and ingenuity to use by creating more comprehensive security measures. In a way, the Internet is a battleground between different kinds of hackers — the bad guys, or black hats, who try to infiltrate systems or spread viruses, and the good guys, or white hats, who bolster security systems and develop powerful virus protection software.


Glenn Chapman/AFP/Getty Images
Hackers work together to create “mashups” of Yahoo applications at Google Hack Day 2006.

Hacking For a Living

Hackers who obey the law can make a good living. Several companies hire hackers to test their security systems for flaws. Hackers can also make their fortunes by creating useful programs and applications, like Stanford University students Larry Page and Sergey Brin. Page and Brin worked together to create a search engine they would eventually name Yahoo. Today, they are tied for 26th place on Forbes’ list of the world’s most wealthy billionaires [source: Forbes].

 

Famous Hackers: Lamo

Adrian Lamo hacked into computer systems using computers at libraries and Internet cafes. He would explore high-profile systems for security flaws (such as open proxies), exploit the flaws (or make use of the proxy) to “hack” into the system, and then send a message to the corresponding company, letting them know about the security flaw. Unfortunately for Lamo, he was doing this on his own time rather than as a paid consultant — his activities were illegal. He also snooped around a lot, reading sensitive information and giving himself access to confidential material. He was caught after breaking into the computer system belonging to the New York Times.

It’s likely that there are thousands of hackers active online today, but an accurate count is impossible. Many (>99%) hackers don’t really know what they are doing — they’re just using dangerous tools they don’t completely understand.

 

Source: How Computer Hackers Really Work, by a Non Hacker


What are White Hat Hackers and Whitehat hacking?

White-Hat Hacker

A white hat hacker, also rendered as whitehat or white-hat, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. Realizing that the Internet now represents human voices from all around the world makes the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them, but this is a simplification. A black hat will wish to secure his own machine, and a white hat might need to break into a black hat’s machine in the course of an investigation. What exactly differentiates white hats and black hats is open to interpretation, but white hats tend to cite altruistic motivations.

 

From: http://www.elitehackers.info/ethic.php

The term white hat hacker is also often used to describe those who attempt to break into systems or networks in order to help the owners of the system by making them aware of security flaws, or to perform some other altruistic activity. Many such people are employed by computer security companies; these professionals are sometimes called sneakers.

 


Notes: In recent years the terms white hat and black hat have been applied to the Search Engine Optimization (SEO) industry. Black hat SEO tactics, also called spamdexing, attempt unfairly to redirect search results to particular target pages, whereas white hat methods are generally approved by the search engines.

 
