Fast-typing attendee has a naive moment, and then Digg kicked in
IDG News Service - Software that could be used to turn a Web browser into an unwitting hacker's tool has been posted to the Internet, after it was downloaded by a quick-thinking attendee at last month's Shmoocon hacker conference.
However, in order for his demonstration to work, he had to post the Jikto code somewhere on the Internet. "Very briefly you could see the original URL of where the Jikto code got fetched," Hoffman said.
That was enough for show attendee Mike Schroll to snag a copy.
"I was sitting pretty close to the front and had my laptop out already," said Schroll, an information security consultant at Security Management Partners Inc. "The second I saw it i just started typing away."
Schroll posted the code on his Web site March 25, and submitted a link to the code on Digg.com. He removed the software several hours later at Hoffman's request.
Schroll said he posted the code because he thought it would be useful to other security professionals looking for ways to illustrate just how dangerous a scripting attack can be. "I was pretty interested in it because we do some engagements with clients where we do fake phishing sites," he said. "I wasn't trying to be nefarious or malicious."
The software was downloaded from his Web site about 100 times, Schroll said.
Over the past weekend, the code surfaced again, this time on the Sla.ckers.org online discussion forum.
With Jikto now public, security researchers worry it could be misused by criminals to scan internal networks for sensitive information, or to build a malicious botnet code. "This particular tool is designed to take control of the Web browser," said Jeremiah Grossman, chief technology officer at WhiteHat Security Inc. "It will crawl other Web sites and scan them, looking for vulnerabilities."
Hoffman was sanguine about the release of his tool, saying that criminals would probably have been able to develop something similar to his short, 800-line application.
"It's kind of a tragedy that this ended up getting released," Hoffman said. "But in reality the bad guys probably knew this and even if they didn't have it they were probably a couple of months away."
He said he's not angry at Schroll for snagging and releasing the Jikto code. "He probably did what any curious individual would have done," Hoffman said. "I really can't fault someone for being curious because that's what my job is."
[Editor's note: This story was originally posted with an incorrect spelling of the word Jikto. It was updated on April 2 to correct the spelling.]
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts