News
Information Technology
:: Jikto - eine neue Qualität der Bedrohung für die Unternehmens-Sicherheit ::
(969 _READS)
_POSTEDBY hjensen on Friday, July 04, 2008 - 10:21 PM
Jikto - eine neue Qualität der Bedrohung für die Unternehmens-Sicherheit
A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
Jikto JavaScript-Scanner !
A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics
Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.
Vulnerability scanners by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.
Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.
Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.
Jikto is an interesting example of how JavaScript can be used maliciously, but traditional vulnerability-scanning tools probably are a more efficient, said Fyodor Vaskovich, creator of Nmap Security Scanner, a tool widely used in the security community to find vulnerabilities.
"These JavaScript attacks are usually very slow to perform compared to the attacker scanning from an already compromised machine," Vaskovich said. "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."
Because it is created in JavaScript, a scripting language commonly used on the Web, Jikto will run in most Web browsers without any warning. Internet users who hit a Web site with Jikto embedded likely won't even know what's happening. The tool will run as long as the browser is open and disappear without any obvious trace, or residual damage.
Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.
"As a user you really can't do much against Jikto or other JavaScript-based threats," Hoffman said. "I am not giving you a Trojan or a traditional backdoor. I am not really compromising your computer. That is what makes this so scary. Antivirus is not going to help you."
JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with the increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts have said.
Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.
_POSTEDBY hjensen on Friday, July 04, 2008 - 10:21 PM
Jikto - eine neue Qualität der Bedrohung für die Unternehmens-Sicherheit
A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
Jikto JavaScript-Scanner !
A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics
Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.
Vulnerability scanners by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.
Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.
Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.
Jikto is an interesting example of how JavaScript can be used maliciously, but traditional vulnerability-scanning tools probably are a more efficient, said Fyodor Vaskovich, creator of Nmap Security Scanner, a tool widely used in the security community to find vulnerabilities.
"These JavaScript attacks are usually very slow to perform compared to the attacker scanning from an already compromised machine," Vaskovich said. "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."
Because it is created in JavaScript, a scripting language commonly used on the Web, Jikto will run in most Web browsers without any warning. Internet users who hit a Web site with Jikto embedded likely won't even know what's happening. The tool will run as long as the browser is open and disappear without any obvious trace, or residual damage.
Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.
"As a user you really can't do much against Jikto or other JavaScript-based threats," Hoffman said. "I am not giving you a Trojan or a traditional backdoor. I am not really compromising your computer. That is what makes this so scary. Antivirus is not going to help you."
JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with the increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts have said.
Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.
[
]
]