Curiosity can kill the company

By Siyabonga Africa, ITWeb junior journalist
Security Summit 2009, 28 May 2009

Companies should raise awareness within their organisations of new forms of cyber attacks. Telspace Systems says new cyber attacks, such as “clickjacking”, could leave companies vulnerable to hackers who are after sensitive information.

Telspace CEO Dino Covotsos and Telspace senior security analyst Charlton Smith delivered their presentation, entitled “Clickjacking the client side”, at the ITWeb Security Summit, in Midrand, this week.

The pair highlighted the new form of cyber attack, which was discovered earlier this year by White Hat founder Jeremiah Grossman. Covotsos and Smith define clickjacking as a malicious technique of tricking Web users into revealing confidential information, or taking control of their computer while clicking on seemingly innocuous Web pages.

Covotsos added that clickjacking takes the form of embedded code or script that can execute an action without the user's knowledge, such as clicking on a button that appears to perform another function.

“Companies are definitely vulnerable to it and the easiest way it infiltrates the organisation is through people's own curiosity. Using clickjacking, you could access a company's mail server or sensitive content management system.”

Smith said clickjacking is a good point of attack for hackers, because it bypasses the main security measures, such as those against cross-site request forgery. He noted that the biggest danger clickjacking presents is the scope of creativity it provides to hackers.

“You can change people's account details on social networking sites. And imagine if someone could control your mouse, using embedded code, they could do anything that they want.”

Covotsos and Smith said browsers are now trying to eliminate the vulnerabilities opened up by clickjacking by installing simple JavaScripts such as “framekillers”, which can be used to prevent any other sites from including their pages in frames.
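
The framekiller idea described above, sketched as an added JavaScript example (not code from the Telspace presentation or from ITWeb). It assumes the page hides its own body with a style element until the check has run; the names `isFramed`, `applyFrameKiller` and `antiClickjack` are hypothetical.

```javascript
// Added example: fail-closed framekiller. Names (isFramed, applyFrameKiller,
// antiClickjack) are hypothetical, chosen for this illustration.
//
// Assumption: the page ships with this in <head>, so content stays hidden
// until the check below has run:
//   <style id="antiClickjack">body { display: none !important; }</style>

// True when `win` is not the top-level browsing context.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Property access can throw in restricted contexts; treat as framed.
    return true;
  }
}

// Reveal the page only when it is the top-level window; otherwise keep it
// hidden and try to replace the framing page with this one.
function applyFrameKiller(win, doc) {
  if (!isFramed(win)) {
    const guard = doc.getElementById('antiClickjack');
    if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
    return 'revealed';
  }
  try {
    win.top.location = win.self.location.href;
    return 'busting';
  } catch (e) {
    // Navigation was blocked; content remains hidden by the style rule.
    return 'hidden';
  }
}

// Run automatically in a browser; skipped when loaded outside one.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameKiller(window, document);
}
```

Because the body starts hidden, a frame that prevents this script from running shows the user nothing to click on, rather than the live page.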