Comments on: Introducing Jikto

Introducing Jikto

scalefree — Wed, 28 Mar 2007 13:40:05 -0800

Klaatu barada...Jikto? First there was Nikto. Then along came Wikto. Last Saturday at Shmoocon Billy Hoffman introduced the world to Jitko, a client-side vulnerability scanner that exploits your browser & turns your PC into a platform for finding holes in computers across the Internet (or behind your firewall). Reactions were mixed. Does Jikto go too far?

By: chrominance

chrominance — Wed, 28 Mar 2007 13:54:34 -0800

The last link argues that Hoffman would have gone too far had he actually released the code for Nikto, as the author originally believed. But Hoffman does not intend to release Nikto into the wild, thus there's no real danger beyond showing people a potential vector for exploitation (but not exactly how to do it). In other words, we're back to the basic issue of publishing security vulnerabilities publicly versus privately.

By: scalefree

scalefree — Wed, 28 Mar 2007 14:05:55 -0800

Yeah I meant to mention that he didn't actually release the code, just demoed it. But still, it'll be interesting to see how long it takes for either the program itself to find its way into the wild or for someone to write an equivalent tool & release it now that the idea has been planted in people's heads.

By: peewinkle

peewinkle — Wed, 28 Mar 2007 14:46:20 -0800

YIKES!

By: Jairus

Jairus — Wed, 28 Mar 2007 15:16:37 -0800

aaaahahahaaahahaa

By: amberglow

amberglow — Wed, 28 Mar 2007 15:46:16 -0800

This actually is good, if it forces businesses and other site owners to actually get serious about security. I'm all for it--almost all fixes and patches and security problems are exposed by people like the ones behind this stuff. It's astonishing how unsecure so many sites and servers and machines are.

By: amberglow

amberglow — Wed, 28 Mar 2007 15:47:20 -0800

(and all our personal computers too)

By: phaedon

phaedon — Wed, 28 Mar 2007 15:48:57 -0800

I'll wait for the movie to come out. In the meantime: Gimme some sugar, baby.

By: inflatablekiwi

inflatablekiwi — Wed, 28 Mar 2007 17:32:44 -0800

Although the code for this tool has not been released, there are plenty of code snippets out there for doing similar things (Javascript browser keystroke loggers, port scanners etc). It was only a matter of time until these individual tools and techniques were refined and made into a general purpose assessment tool like Jikto. Jeremiah Grossman (see the last link in scalefree's post) gave a good presentation on using browser code to hack internal networks using similar techniques (video/slides and proof of concept code) at BlackHat 2006. If nothing else, another good example to show people how cross site scripting/inadequate data validation can come back to haunt you in weird and wonderful ways.

By: b1tr0t

b1tr0t — Wed, 28 Mar 2007 18:42:19 -0800

port scanning by img url (first port scanner link) is simultaneously amusing and scary.

By: Twang

Twang — Fri, 30 Mar 2007 02:28:45 -0800

Security ... it's such a tarbaby. Why doesn't someone think of a way to divide a computer into two parts: stuff that's visible/accessible/modifiable online, and stuff that's not, PERIOD. Can it *really* be so hard? You can't 'net into a computer that's not connected to the net. SO ... you make part of the computer that way. The net part, and the non-net part. Maybe that's a use for the new 8-core chips ... let them figure out how to pull it off. One chip is the COP.

By: b1tr0t

b1tr0t — Fri, 30 Mar 2007 06:09:03 -0800

In theory, that is how most modern systems are designed. In practices, it is easier to bribe the cop on some systems than others.