Tag Archives: Firefox

Preventing browser hijacking

Browser hijacking occurs when an intruder is able to successfully exploit a vulnerability in a user’s browser program.  When a browser is hijacked, the intruder is able to control how the browser operates. Examples include changing the default home page, as well as other settings.

Why is this a problem?

Some browser settings can cause all of the traffic between your browser and Internet web sites to be routed through the intruder’s system. This allows the intruder to follow your every move, and it may also allow the intruder to capture passwords you enter at sites such as online banking and e-mail.

Are you concerned yet?  You should be! If your browser has been hijacked, you could become a victim of fraud or identity theft.

Quick Fixes
(assumes you have a Windows computer)

  1. Turn on Automatic Updates. This will cause your system to automatically download and install all the latest security patches for Windows and Internet Explorer
  2. Install Microsoft Security Essentials or other anti-virus program.  AVG has a very good free anti-virus program.
  3. Scan your computer for malware using your on-board anti-virus program.
  4. Scan your computer for malware using one of several good web-based anti-virus programs, such as: Panda, Symantec, Trend Micro.
  5. Turn on Windows Firewall.
  6. Update to the latest version of Internet Explorer, which has a better design and better security controls.
  7. If you don’t want to update Internet Explorer (or if you already have the latest), reset your IE settings.
  8. Manage and disable add-ons. A lot of browser hijacking is the result of add-ons.

Even after you do these things, you’ll still be running a combination of software that is vulnerable by design and requires constant vigilance. Read on.

Long-Term Fixes

If you are running Windows, I highly recommend you stop running Internet Explorer altogether. Use it ONLY for running Microsoft Update, online virus scans (from step 4 above – most require IE), and those occasional website that do not render well in other browsers.

For greatest security when browsing on Windows, use Firefox with the NoScript and FlashBlock add-ons. This combination is the safest possible browsing when using Windows. You’ll still have to run anti-virus and automatic updates, though.

Paradigm Shift

Most people use Windows, but few people HAVE to. There are two excellent alternatives:

  • Linux. The “ubuntu” release of Linux is highly reliable, easy to use, and secure. If you have a good PC, you can download ubuntu, burn it onto a CD, and try it out on your own computer. If you really, really like it, you can install ubuntu Linux onto your computer and say goodbye to Windows forever. We have done this on two systems here. Linux runs so much faster on a PC than Windows that you will think you got a hardware upgrade!
  • Linux in a virtual machine. If you *have* to run Windows (because of that expensive software that runs only on Windows), then I recommend you download VirtualBox and install Linux as a guest. Then, do all of your Internet browsing from the Linux machine (running Firefox, Noscript, and Flashblock as described earlier). You can run it in full screen mode, which is the next best thing to running Linux on your hardware. Another nice thing about this method is that if you do get malware on your Linux system, you can reset your Linux system back to an earlier state (I have never had this happen, but if I did mess something up in the Linux system, reverting to a recent snapshot is still a nice feature).
  • Mac OS. If your PC is not that great and you want to upgrade to new hardware, this is a great time to buy a Mac. While they may initially seem more expensive, you get excellent value and performance. On Mac OS, you can download Open Office, which is free and compatible with Microsoft Office. We have three Macs at home (a Mac Mini, a MacBook, and a MacBook Pro) and are totally satisfied with them. They are great computers.

Note regarding purchasing a Mac computer: do not get caught up in feature comparisons (e.g. a Windows system with a larger screen for less money than a Mac).  A Windows system is still just a Windows system, vulnerable by design and more expensive in the long when when you consider all the time you have to spend to keep it secure / make it secure. These videos say it better than I can:

Stop “clickjacking” with Firefox and NoScript

Bookmark This (opens in new window)

Clickjacking is one of the newest and most dangerous web browser vulnerabilities discovered to date. Every browser is vulnerable, even those that can defend against the similar Cross Site Request Forgery (CSRF) vulnerability.

Clickjacking can be used to completely control your home PC or your home router, which can lead to a complete compromise of your private information and turn your PC into the latest conscript in a bot army.

How clickjacking works: when you visit a compromised web site, your browser loads an invisible button that hovers below the mouse pointer. When you visit a legitimate site like online banking or e-mail, when you click on a link, you’re actually clicking the invisible button placed there by the malicious code. As explained by Jeremiah Grossman, CEO of Whitehat Security:

“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

Here is another example that is described by Robert Hansen, founder of SecTheory LLC:

“Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. “[The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

In other words, an attacker can do pretty much anything that he or she wants to. He would have the same level of control as if he physically stole your computer.

So, short of turning off your PC, how can you defend against clickjacking?

Firefox and NoScript.  Unless you have been living under a rock, you know about Firefox, the popular browser from Mozilla. NoScript is a popular Firefox add-on that was originally designed to help the user block javascript and Flash animation from selected web site (such as advertising). NoScript, starting in version 1.8.2.1, blocks all clickjacking attacks as well.

Where to get Firefox: go here, to www.getfirefox.com

IE users – take heart: during installation, Firefox can import all of your hard-won and well organized favorites, automatically.

After you have installed Firefox, install NoScript by going here: www.noscript.net

Articles on clickjacking and the Firefox / NoScript defense:

http://www.networkworld.com/news/2008/092608-security-researchers-warn-of-new.html

http://www.networkworld.com/news/2008/100808-firefox-extension-blocks-dangerous-web.html

http://en.wikipedia.org/wiki/Clickjacking

NoScript was one of PC World’s best products of the year, ranked at #52. I have used NoScript for a few years now and really appreciate its ability to block all foreign scripting, allowing only what I want to see.

Clickjacking is not a vulnerability that can be fixed on web sites. This is strictly a browser vulnerability that can only be fixed by fixing the browser itself. Reportedly the major browser makers (Microsoft, Mozilla, and Apple) are working on it. But don’t hold your breath – fixes are not likely to be released soon. Until then, Firefox with NoScript is the only available defense.