Introducing Jikto
March 28, 2007 1:40 PM Subscribe
Klaatu barada...Jikto? First there was Nikto. Then along came Wikto. Last Saturday at Shmoocon Billy Hoffman introduced the world to Jikto, a client-side vulnerability scanner that exploits your browser & turns your PC into a platform for finding holes in computers across the Internet (or behind your firewall). Reactions were mixed. Does Jikto go too far?
Yeah I meant to mention that he didn't actually release the code, just demoed it. But still, it'll be interesting to see how long it takes for either the program itself to find its way into the wild or for someone to write an equivalent tool & release it now that the idea has been planted in people's heads.
posted by scalefree at 2:05 PM on March 28, 2007
This actually is good, if it forces businesses and other site owners to actually get serious about security.
I'm all for it--almost all fixes and patches and security problems are exposed by people like the ones behind this stuff. It's astonishing how insecure so many sites and servers and machines are.
posted by amberglow at 3:46 PM on March 28, 2007
I'll wait for the movie to come out. In the meantime:
Gimme some sugar, baby.
posted by phaedon at 3:48 PM on March 28, 2007
Although the code for this tool has not been released, there are plenty of code snippets out there for doing similar things (Javascript browser keystroke loggers, port scanners etc). It was only a matter of time until these individual tools and techniques were refined and made into a general purpose assessment tool like Jikto.
Jeremiah Grossman (see the last link in scalefree's post) gave a good presentation on using browser code to hack internal networks using similar techniques (video/slides and proof of concept code) at BlackHat 2006.
If nothing else, another good example to show people how cross site scripting/inadequate data validation can come back to haunt you in weird and wonderful ways.
posted by inflatablekiwi at 5:32 PM on March 28, 2007
Security ... it's such a tarbaby.
Why doesn't someone think of a way to divide a computer into two parts: stuff that's visible/accessible/modifiable online, and stuff that's not, PERIOD. Can it *really* be so hard?
You can't 'net into a computer that's not connected to the net. SO ... you make part of the computer that way. The net part, and the non-net part.
Maybe that's a use for the new 8-core chips ... let them figure out how to pull it off. One chip is the COP.
posted by Twang at 2:28 AM on March 30, 2007
posted by chrominance at 1:54 PM on March 28, 2007