Introducing Jikto
March 28, 2007 1:40 PM

Klaatu barada...Jikto? First there was Nikto. Then along came Wikto. Last Saturday at Shmoocon Billy Hoffman introduced the world to Jikto, a client-side vulnerability scanner that exploits your browser & turns your PC into a platform for finding holes in computers across the Internet (or behind your firewall). Reactions were mixed. Does Jikto go too far?
posted by scalefree (11 comments total) 3 users marked this as a favorite
The last link argues that Hoffman would have gone too far had he actually released the code for Nikto, as the author originally believed. But Hoffman does not intend to release Nikto into the wild, thus there's no real danger beyond showing people a potential vector for exploitation (but not exactly how to do it). In other words, we're back to the basic issue of publishing security vulnerabilities publicly versus privately.
posted by chrominance at 1:54 PM on March 28, 2007

Yeah I meant to mention that he didn't actually release the code, just demoed it. But still, it'll be interesting to see how long it takes for either the program itself to find its way into the wild or for someone to write an equivalent tool & release it now that the idea has been planted in people's heads.
posted by scalefree at 2:05 PM on March 28, 2007

posted by peewinkle at 2:46 PM on March 28, 2007

posted by Jairus at 3:16 PM on March 28, 2007

This actually is good, if it forces businesses and other site owners to actually get serious about security.

I'm all for it--almost all fixes and patches and security problems are exposed by people like the ones behind this stuff. It's astonishing how unsecure so many sites and servers and machines are.
posted by amberglow at 3:46 PM on March 28, 2007

(and all our personal computers too)
posted by amberglow at 3:47 PM on March 28, 2007

I'll wait for the movie to come out. In the meantime:

Gimme some sugar, baby.
posted by phaedon at 3:48 PM on March 28, 2007

Although the code for this tool has not been released, there are plenty of code snippets out there for doing similar things (Javascript browser keystroke loggers, port scanners etc). It was only a matter of time until these individual tools and techniques were refined and made into a general purpose assessment tool like Jikto.

Jeremiah Grossman (see the last link in scalefree's post) gave a good presentation on using browser code to hack internal networks using similar techniques (video/slides and proof of concept code) at BlackHat 2006.

If nothing else, another good example to show people how cross site scripting/inadequate data validation can come back to haunt you in weird and wonderful ways.
posted by inflatablekiwi at 5:32 PM on March 28, 2007

port scanning by img url (first port scanner link) is simultaneously amusing and scary.
posted by b1tr0t at 6:42 PM on March 28, 2007

Security ... it's such a tarbaby.

Why doesn't someone think of a way to divide a computer into two parts: stuff that's visible/accessible/modifiable online, and stuff that's not, PERIOD. Can it *really* be so hard?

You can't 'net into a computer that's not connected to the net. SO ... you make part of the computer that way. The net part, and the non-net part.

Maybe that's a use for the new 8-core chips ... let them figure out how to pull it off. One chip is the COP.
posted by Twang at 2:28 AM on March 30, 2007

In theory, that is how most modern systems are designed. In practice, it is easier to bribe the cop on some systems than others.
posted by b1tr0t at 6:09 AM on March 30, 2007

This thread has been archived and is closed to new comments