Enterprise Newsletter
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 CIO ERP
 CIO Enterprise Applications
 CIO Strategy & Innovation
 CIO Project Management
More Newsletters | Edit Profile
 
RSS Feeds »
 
 
LEADERSHIP
 
CIO Executive Programs
The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 
CIO Executive Council
A Peer-Advisory Service and Professional Association for CIOs

Turn Geeks into Leaders

June 17, 11:30 AM - 12:30 PM U.S./ET (GMT-4)

Larry Bonfante, CIO of the U.S. Tennis Association, will discuss the skills and approaches that your rising IT leaders must learn to be effective in an executive capacity.

How to Handle Your New CEO: Managing Turnover at the Top

June 18, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)

Turbulent times have increased turnover at the top. Find out what Council CIOs have done to "break in" new CEOs—build relationships, set expectations, educate on the role of IT.

Mid-Market CIO Panel: Tips and Techniques for Improving Vendor Relationships

July 15, 4:00 PM - 5:00 PM U.S./Eastern (GMT-4)

We'll highlight relationship priorities and best practices identified in a Council study, and we'll interact with a CIO panel on the approaches they've used to improve strategic vendor partnerships.

Executive Competencies Assessment Tool

Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 
Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

Subscription Services »
Reprints »

 
 
News
 

At Adobe's Request, Hackers Nix 'clickjacking' Talk

After Adobe Systems asked them to keep quiet about their findings, two security researchers have pulled out of a technical talk where they were going to demonstrate how they could seize control of a victim's browser using an online attack called 'clickjacking.'

 

By Robert McMillan

September 16, 2008 — IDG News Service —

After Adobe Systems asked them to keep quiet about their findings, two security researchers have pulled out of a technical talk where they were going to demonstrate how they could seize control of a victim's browser using an online attack called 'clickjacking.'

Robert Hansen and Jeremiah Grossman had been set to deliver their talk next week at the OWASP (Open Web Application Security Project) conference in New York. But the proof of concept code they'd developed to show how their clickjacking attack worked divulged a bug in one of Adobe's products. After a week of discussions with Adobe, the researchers decided last Friday to pull the talk.

Although Hansen and Grossman believe that the clickjacking flaw ultimately lies in the way that Internet browsers are designed, Adobe convinced them to hold off on their discussion until they could release a patch. "Adobe thinks they can do something to make the hack harder," said Grossman, CTO with White Hat Security, in an interview.

In a clickjacking attack, the attacker tricks the victim into clicking on malicious Web links without realizing it. This type of attack has been known for years, but had not been considered to be particularly dangerous. Security experts had thought it could be used to commit advertising click fraud or to inflate Digg ratings for a Web page, for example.

However, in writing their proof-of-concept code, Hansen and Grossman realized that clickjacking was actually more serious than they'd first thought.

"When we finally built it and got the proof of concept it was quite nasty," said Grossman. "If I control what you click on, how much bad can I do? It turns out you can do a number of really, really bad things."

Neither Grossman nor Hansen, CEO of consultancy SecTheory, wanted to get into specifics of their attack. However, Tom Brennan, the OWASP conference organizer said that he has seen the attack code demonstrated and that it allows the attacker to take complete control of the victim's desktop.

The researchers say that they were not pressured by Adobe to drop their talk. "This is not an evil 'the man is trying to keep us hackers down' situation," Hansen wrote Monday on his blog.

Late Monday, Adobe posted a note, thanking the researchers for keeping the bug private and indicating that the company is working on patching the problem.

Even if disclosing the bug may help attackers, OWASP's Brennan said that the researchers should still go ahead and give their talk in order to give IT professionals an opportunity to understand the real nature of the threat. "There is a zero-day problem in browsers that is affecting millions of people today," he said. "When a person discusses it, it puts everyone on the same playing field."

 
 
Loading...
 
WHITE PAPERS

Investing in Business Analytics Technology

Find the answers to your questions about business anyalytics initiatives.
 

Document-Sharing Solutions

Examine the benefits and challenges that IT executives are facing and how they plan to control the changes.
 

How Can Your Organization Weather This Economic Storm?

IT executives are under intense pressure to cut costs, and that pressure is significantly increased by the current grim economic outlook.
 

Deliver Higher-Performing Technology Services with ITIL

Enable the business and your IT organization to cope with the effects of economic stress.
 

Making Data Center Infrastructures More Adaptive

Learn how administrators can tackle problems in ways that were previously impossible.
 

Server Management Tools Automate Capabilities and Improve Efficiency

In this white paper, Info-Tech covers the key considerations of server management tools to take the pain out of day-to-day provisioning, patching and operational support.
 

WEBCASTS

Webcast with Dan Vesset: Investing in Business Analytics Technology

What exactly is business analytics and why should you care? Dan Vesset of IDC and Gaurav Verma of SAS answer this a...
 

Enterprise Cloud Computing: Ready for Primetime?

The progression toward enterprise cloud computing is happening today, as industry leaders deploy technologies that ...
 

Preparing Your Business Services for the Future

Would you trust your network monitoring tools enough to know when something is truly halting a business service? Wh...
 

Enterprise System Management Challenges in Big Organizations with Eli Almog

In this Podcast with Eli Almog, Corporate Architect in BMC's CTO Office, discusses how IT managers can know when it...
 

A Down-to-Earth look at Cloud Computing

Is cloud computing going to take over the data center as we know it? Join us as we talk about cloud computing with...
 

BSM in the Field, Practical Insights from Peter Armaly

Have you thought about BSM, but haven't quite gotten the buy-in you need? Get down and dirty with BSM installations...
 

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Using Open Source to Deploy Web Applications

How Interactive Viewer Reduces the Effort to Meet Visualization Requirements

White Paper: 8 Key Ingredients to Building an Internal Cloud

Software Executives: Take Control of Your Organization's Code Quality

BPM ROI calculator

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Craft a Strategy to Lower Your Total Cost of Ownership

A Natural User Interface for Enterprise Applications

On-Demand HR for a Global Organization

Four steps to populate your CMDB.

Delivering Secure and Reliable Data through Spreadsheet Automation

Open Source BI: Inexpensive Solutions for Developers

Gartner Shares Predictions for 2009

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Better spam protection with Postini for just $1/user/mo

Introducing the new HP ProLiant G6 server family

infoBOOM! - The Mid-Sized Company CIO's Exclusive Community

Accenture IT Consulting: Logical meets technological. More . . .

The Fraudster Economy Model: Operating a Business in the Underground

Revolutionizing Enterprise Application Deployment

Learn how to managing client systems in the enterprise.

Cloud Computing: Read about VMware's compelling vision & set of products

Top-line Performance that's Bottom-line Efficient

How Open Source is Changing the Face of Enterprise Software

BPM Survey Results: The Real-World Analysis

Ready to Act: 3 Recommendations for Agile Processes

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Next Generation Enterprise Applications

A Truly Global HCM System

Learn how to provide complete Business Service Management.

Increase ROI of Your Application Portfolio

Financial Institutions Need Rich Internet Applicatons

Forrester: Implementing Rich Internet Applications

"Enterprise-Proven" is the Prerequisite for Enterprise SaaS Portal Solutions

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

Insight makes it easy to spend your Microsoft subsidy check.

Five minute business analytics assessment. Immediate results.

Dangerous Collaboration Practices: 5 Ways IT Can Minimize Risk

Accenture: Outsourcing for uncertain times. Click to learn more.

The Case for Investing in Business Analytics Technology. Read white paper.