New York Web Design News March 20, 2007, the latest breaking New York Web design news brought to you by,
Web Designs Now,Website Designs Now,New York Web Design Homepage,Web Design Services for New York, Connecticut, Long Island,New York Web Design Client Testimonials,Website Portfolio of New York Web Design, About this New York Web Design Firm,Contact this New York Web Design Firm

Web Users Help Hackers?
Web Design & Technology News, March 20, 2007

Web Browser Firefox Updates
Web Users Help Hackers?
Web Impact: RH Releases EL 5
Citrix Web Client Flaw
RH Expands Web Dev Tools
Web Impact: Month of PHP Bugs
'Nondiscriminatory' Web
1/3 of US Web User Are Wireless
Web Impact: Mozilla Security Updates

More Web Design News:
2007 Current News
2007 May
2007 March
2006 November
2006 September
2006 August
2006 July
2006 June
2006 May
2006 April
2006 March
2006 February
2006 January
2005 December
2005 November
2005 October
2005 September
2005 August
2005 July
2005 June
2005 May
2005 April
2005 March
2005 February
2004 March
2004 February
2004 January
2003 December
2003 November
2003 October
2003 September
2003 August
2003 July
2003 June
2003 March - May


March 20, 2007

A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
By Joris Evers

That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics. Hoffman, who developed the tool as a way to advance Web security, plans to release Jikto publicly later this week at the ShmooCon hacker event in Washington, D.C.

"This is going to drastically change the scope of evil things you can do with JavaScript," Hoffman said. "Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results."

With the advent of online applications, hackers have shown increased interest in breaching Web security. Though vulnerabilities such as cross-site scripting bugs and SQL injection flaws have been around for years, such security problems are increasingly being reported and exploited.

Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party, Hoffman said. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

Vulnerability scanners by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.

Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for, Hoffman said. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.

"Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people," Hoffman said. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.

Jikto is an interesting example of how JavaScript can be used maliciously, but traditional vulnerability-scanning tools probably are a more efficient, said Fyodor Vaskovich, creator of Nmap Security Scanner, a tool widely used in the security community to find vulnerabilities.

"These JavaScript attacks are usually very slow to perform compared to the attacker scanning from an already compromised machine," Vaskovich said. "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."

Because it is created in JavaScript, a scripting language commonly used on the Web, Jikto will run in most Web browsers without any warning. Internet users who hit a Web site with Jikto embedded likely won't even know what's happening. The tool will run as long as the browser is open and disappear without any obvious trace, or residual damage.

Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.

"As a user you really can't do much against Jikto or other JavaScript-based threats," Hoffman said. "I am not giving you a Trojan or a traditional backdoor. I am not really compromising your computer. That is what makes this so scary. Antivirus is not going to help you."

JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with the increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts have said.

Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.

Web Designs Now
Back to the Top
 © Copyright 2007, All rights reserved  |  Privacy Web Design Forums  |  Web Design News  |  Advertise  |  About Us  |  Contact Us  |  W3C HTML 
 Related Websites: New-York-WebDesign.com