Slashdot Mirror


DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities

punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler, the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."

57 comments

  1. finally, enough jargon to be /. worthy by turkeydance · · Score: 0

    that's all.

    1. Re:finally, enough jargon to be /. worthy by Anonymous Coward · · Score: 0

      Fuck yes. 'bout time. It was getting dangerously close to finding a Kardashian story posted here, which of course is now the standard litmus test of stupidity.

    2. Re:finally, enough jargon to be /. worthy by Anonymous Coward · · Score: 0

      Yes, if it uses 3D data visualization, and Hadoop and Big Data it must be very advanced.

      Who else agrees that "I love data" is the 2013 equivalent of "highly motivated self-starter with a focus on customer-oriented results"? Should be good for an extra $50K!

    3. Re:finally, enough jargon to be /. worthy by tqk · · Score: 1

      that's all.

      Well, I was going to pat Timothy on the back for a couple of great intros (this and the dark matter controversy), but now that you've gone and said it all ...

      Uh, thanks Timothy.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  2. Yay slashvertisement by Anonymous Coward · · Score: 0

    from yet another hatted security guy. Why, how nice.

  3. Web 3.0 by Anonymous Coward · · Score: 0

    Do we really need another buzzword for an old idea just to trick more VCs out of cash?

    1. Re: Web 3.0 by Anonymous Coward · · Score: 0

      Big data, deep learning, social, cloud, and web 2.0 are wearing off.

    2. Re:Web 3.0 by oodaloop · · Score: 1

      I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re: Web 3.0 by dnadoc · · Score: 1

      Enough of your disruptive crowdsourcing.

    4. Re:Web 3.0 by Anonymous Coward · · Score: 0

      I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

      Call me when it hits Web 11

    5. Re:Web 3.0 by Anonymous Coward · · Score: 0

      If they start following the firefox release model we'll be at Web 16.0 by the end of next week!

    6. Re: Web 3.0 by robmv · · Score: 2

      Web 3.0 and uses a plugin? at least do something real web before starting new buzzwords

  4. Sounds like Acunetix by sgt+scrub · · Score: 1

    The front end is nifty but I'm not fond of buzzy names. I don't really need a pretty pretty GUI. I'm more interested in the back end. It'd be nice if there was a link or more info about it.

    --
    Having to work for a living is the root of all evil.
    1. Re:Sounds like Acunetix by punk2176 · · Score: 2

      Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

      (1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon
      (2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18
      (3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan

      And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

      Alex

    2. Re:Sounds like Acunetix by sgt+scrub · · Score: 1

      Very nice. It sounds like you could use it to create a dynamic high risk list that could be added to content filter or intrusion protection device. I'm going to have to take a closer look now. I'll try parsing the data into rules for the IPS. If the database is too large, which I suspect it is, I'll have to find a spamhaus style way of implementing it.

      --
      Having to work for a living is the root of all evil.
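The two things the comment above sketches, feeding a scanner's list of flagged hosts into an IPS and publishing it "spamhaus style" as a DNS blocklist, are shown below as an added example; this is not code from PunkSPIDER or the web 3.0 project, and the input records (host, finding type, severity), the Suricata rule layout and the return-code mapping are all assumptions for illustration.

```python
"""Turn a vulnerability scanner's list of flagged hosts into (a) Suricata
alert rules and (b) a DNSBL-style zone, as sketched in the comment above.
The FINDINGS records are constructed for this example; PunkSPIDER's real
output format is not assumed here."""

# Constructed sample findings. Field names are assumed, not PunkSPIDER's.
FINDINGS = [
    {"host": "shop.example.test", "vuln": "sqli", "severity": "high"},
    {"host": "blog.example.test", "vuln": "xss", "severity": "medium"},
    {"host": "shop.example.test", "vuln": "xss", "severity": "medium"},
    {"host": "static.example.test", "vuln": "info", "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Spamhaus-style convention: the A record returned encodes *why* a name is listed.
# The specific addresses here are an assumption for this example.
DNSBL_CODES = {"sqli": "127.0.0.2", "xss": "127.0.0.3", "info": "127.0.0.4"}


def high_risk_hosts(findings, min_severity="medium"):
    """Collapse findings to one entry per host, keeping the worst finding at or
    above the threshold. Hostnames are normalised (lower-case, no trailing dot)
    so the same host reported twice does not produce duplicate rules."""
    threshold = SEVERITY_RANK[min_severity]
    worst = {}
    for f in findings:
        host = f["host"].lower().rstrip(".")
        rank = SEVERITY_RANK[f["severity"]]
        if rank < threshold:
            continue
        if host not in worst or rank > SEVERITY_RANK[worst[host]["severity"]]:
            worst[host] = f
    return dict(sorted(worst.items()))


def suricata_rules(hosts, base_sid=9000000):
    """One alert per flagged host, matching the HTTP Host header via the
    http.host sticky buffer. SIDs are allocated sequentially from base_sid so
    regenerating the ruleset keeps them stable for the same sorted input."""
    rules = []
    for i, (host, f) in enumerate(hosts.items()):
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Outbound request to host flagged {f["vuln"]}/{f["severity"]}"; '
            f'flow:to_server,established; http.host; content:"{host}"; nocase; '
            f"classtype:policy-violation; sid:{base_sid + i}; rev:1;)"
        )
    return rules


def dnsbl_zone(hosts, zone="vuln.bl.example"):
    """Render the flagged hosts as a DNSBL zone file fragment: each listed host
    becomes an A record under the blocklist zone, with the address carrying
    the finding class. Unlisted names fall through to NXDOMAIN."""
    lines = [f"$ORIGIN {zone}."]
    for host, f in hosts.items():
        lines.append(f"{host}\tIN\tA\t{DNSBL_CODES[f['vuln']]}")
    return lines


def dnsbl_lookup(hosts, name):
    """In-memory stand-in for the DNS query a filter would make: returns the
    code address for a listed host, or None to model NXDOMAIN."""
    f = hosts.get(name.lower().rstrip("."))
    return DNSBL_CODES[f["vuln"]] if f else None


if __name__ == "__main__":
    hosts = high_risk_hosts(FINDINGS)
    print("\n".join(suricata_rules(hosts)))
    print("\n".join(dnsbl_zone(hosts)))
    print(dnsbl_lookup(hosts, "SHOP.example.test."), dnsbl_lookup(hosts, "static.example.test"))
```

The DNSBL route is what keeps this workable when the database is large: the filter only ever queries the one name it is about to allow, rather than loading the whole list into the IPS, and the returned address tells it which finding class triggered the hit.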
  5. "Unity web player"? by mysidia · · Score: 4, Informative

    When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.

    Seriously.... they make a malware visualization demo requiring me install some browser malware in order to view it?

    1. Re:"Unity web player"? by jdharm · · Score: 1

      I stopped there. I just know when I install that software the first thing I will see is not some pretty graphic showing the complex relationship between websites but a simple statement in flashing letters:

      And that is why malware propagates. Idiot.

    2. Re:"Unity web player"? by punk2176 · · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/

    3. Re:"Unity web player"? by ThatAblaze · · Score: 3, Informative

      A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/

    4. Re:"Unity web player"? by mysidia · · Score: 1

      Erm. Unity is a well-known 3D gaming engine, dude....

      Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

      So apparently there is some niche product that is a 3D engine of some sort, and I get that. But the publisher should still not be doing something that requires me to install software, to view it.

      If they're posting it online, they should use a standard format such as HTML5.

    5. Re:"Unity web player"? by Anonymous Coward · · Score: 1

      Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/

      Sorry, but your statement here doesn't diminish the huge cloud of irony hanging over this. User must install plugin to see visualization about malware fed often via plugins. Uhhh, yeah...reminds me of that time I was taking a security course teaching about how to never click on pop-up windows...when the course was initiated via, you guessed it, a pop-up window.

    6. Re:"Unity web player"? by Anonymous Coward · · Score: 0, Troll

      >could of

      No attempt at sounding smart after writing that is going to work.

    7. Re:"Unity web player"? by bobstreo · · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude....

      Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

      So apparently there is some niche product that is a 3D engine of some sort, and I get that.
      But the publisher should still not be doing something that requires me to install software, to view it.

      If they're posting it online, they should use a standard format such as HTML5.

      Nah Unity is the value subtracted interface to Gnome in the latest versions of Ubuntu

    8. Re:"Unity web player"? by gl4ss · · Score: 1

      well, what they did was make a desktop software with available tools that has a web loader...

      and publish it as a "web software" when it's just desktop sw with a launcher in all practicality. but since everything has to be web nowadays, then web it is.

      --
      world was created 5 seconds before this post as it is.
    9. Re:"Unity web player"? by Anonymous Coward · · Score: 0

      This doesn't visualize malware... visualizes websites and vulnerabilities

    10. Re:"Unity web player"? by jon3k · · Score: 1

      Don't worry there's Unity Connect now, runs on Linux.

    11. Re:"Unity web player"? by Anonymous Coward · · Score: 0

      Shhhhhhhhhhhh! Fucker!
      Stop giving it away!

    12. Re:"Unity web player"? by znrt · · Score: 1

      A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/

      pretty overwhelming records show that third party browser plugins are a major source of vulnerabilities, even more so if they are closed source and maintenance restricted to private profit organizations whose due diligence in the process simply cannot be assumed, or even have shown outright negligence. see sun, oracle, adobe, apple, microsoft ...

      this is not just ironic, it must be april fool's day in some random geeky tz somewhere.

    13. Re:"Unity web player"? by ThatAblaze · · Score: 1

      You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs! It's time to go back to the dark ages because no one's source can be assumed to be secure unless you have the option to read it! Not that you would actually bother to go read it, any more than you would bother to go vote.. but that option simply must be there!

    14. Re:"Unity web player"? by mysidia · · Score: 1

      You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs!

      I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat Reader plugin, Java plugin.

      HTML5 with Javascript and WebGL is not the dark ages

    15. Re:"Unity web player"? by Anonymous Coward · · Score: 0

      This is hilarious indeed! So much for that project...

    16. Re:"Unity web player"? by ThatAblaze · · Score: 1

      I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat Reader plugin, Java plugin.

      HTML5 with Javascript and WebGL is not the dark ages

      So you're saying you should avoid plugins with a track record of being exploited and go ahead and use plugins from an established company that don't have such a track record? That's excellent advice.

      I hate to break it to you but Unity falls into the latter category, not the former.

    17. Re:"Unity web player"? by znrt · · Score: 1

      i actually love this idea def-con puts out. as a former cyberpunk fan i started a proof of concept of "the matrix" myself, decades ago. didn't finish, of course. if i did it today i even might as well choose unity3d too (probably not, but it wouldn't be unreasonable). but what i certainly would not do is claim to be "educating people about dealing with vulnerabilities" while just shoving another major source of them right in their pants. epic fail.

      we definitely need a fresh perspective on the way we interact in the network. we are already deep in the dark ages, or didn't you get the news about government agencies routinely spying on absolutely everyone? and as much as malware is actually a plague, general public blissful ignorance is the real problem. but opensource doesn't mean we all have to read the source before running it, or start growing beards. it simply means it is publicly auditable, which in itself has far reaching implications. assuming "company x will do good" is simply not acceptable. in part because they have proven otherwise more often than not. but nobody expects the spanish inquisition!

    18. Re:"Unity web player"? by tqk · · Score: 1

      >could of

      No attempt at sounding smart after writing that is going to work.

      "Could've" ("could have") as "could of" just means they've picked it up from hearing it, not reading it. You should applaud their jumping back into the realm of the written word.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    19. Re:"Unity web player"? by Yvanhoe · · Score: 1

      Actually, the unity plugin is now pre-installed in chrome under windows. I fear it will quickly become the new flash runtime.

      I would not call it a malware, I do think that Google did a good job to clean it up, and that the Unity company really does need to stay clear of malware, given their business model, but I really despise the idea that we will have to indulge for yet another binary blob.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  6. It occurs to me... by Anonymous Coward · · Score: 0

    ...that if someone burned down the building with all these hackers inside, Avast and all the other anti-virus, anti-phishing, anti-malware, etc. makers would be out of business.

    1. Re:It occurs to me... by tqk · · Score: 1

      ...that if someone burned down the building with all these hackers inside ...

      It'd be easier to determine your whereabouts.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  7. Neuromancer? by Anonymous Coward · · Score: 0

    Sounds a lot like what the hackers used in "Neuromancer." The Web 3.0 demo reminded me of the awesomeness in the book... would be so cool if they can really pull something like it off. Great nerdy game concept anyway.

  8. best used while listening to The Prodigy by ClassicASP · · Score: 1

    cool! just like in that 1995 movie "Hackers" ! http://www.youtube.com/watch?v=PZHG3pi9EDA

    1. Re:best used while listening to The Prodigy by BonThomme · · Score: 1

      Crash Override, is that you?

  9. Easter Egg by ThatAblaze · · Score: 1

    Most sites I type in don't work, but I found something interesting by typing in bushofficial.com

  10. Wow by 93+Escort+Wagon · · Score: 1

    For some reason, I didn't think defcon would be receptive to guys shilling their new commercial products.

    --
    #DeleteChrome
    1. Re:Wow by punk2176 · · Score: 2

      Free and open source, dude. Just not released yet because it's funded by DARPA CFT and still ongoing research: http://www.wired.com/dangerroom/2011/11/darpa-fast-track/

  11. Screenshot anywhere? by manu0601 · · Score: 1

    Are there screenshots of the thing anywhere, for those who cannot or do not want to install that Unity player?

    1. Re:Screenshot anywhere? by ThatAblaze · · Score: 1

      Several screenshots are posted at the demo link of the trinarysoftware website.

  12. Clever it might be, but the UI sucks big time by davesag · · Score: 1

    I mean seriously, you can't even edit the goddam URL field; hovering over nodes makes them glow (wooo) but clicking does nothing. Maybe it's an issue with the Unity plugin (yeah, Unity! seriously. FFS)

    File this under "utter shite"

    --
    I used to have a better sig than this, but I got tired of it
    1. Re:Clever it might be, but the UI sucks big time by ThatAblaze · · Score: 1

      Double clicking and dragging work.

    2. Re:Clever it might be, but the UI sucks big time by davesag · · Score: 2

      Be that as it may, it's profoundly useless if you can't edit the root URL however.

      Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.

      --
      I used to have a better sig than this, but I got tired of it
    3. Re:Clever it might be, but the UI sucks big time by Anonymous Coward · · Score: 0

      Nobody is stopping you from making a GUI in Visual Basic!!!

    4. Re:Clever it might be, but the UI sucks big time by Anonymous Coward · · Score: 0

      Double clicking and dragging work.

      Double clicking, how exactly? The damned links won't stop moving around. The interaction model is worse than amateur.

  13. Research deeper... by Anonymous Coward · · Score: 0

    Take a look at Trinary Software's "About Us" page. Would you trust a software company that doesn't spell check their website? The name of the company in Mr. Rogers' image is spelled differently than most other references on the website. I also wouldn't call the image setting appropriate. Mr. Rogers looks as if he is in an apartment, sitting on a sofa, dressed in a t-shirt and leather jacket. While Mr. Rogers may be a fine person, very capable of producing exceptional software, the first impression from that page does not lead me to that conclusion.

  14. black hat and def con are NOT hackers by Anonymous Coward · · Score: 0

    these sellouts are security coppers at heart....i dont care what any of you say its a lie to say otherwise....
    and when you have to use 3d tech to spruce up your bullshit you might as well bend over to obuma and friends...

  15. #checks it out, to see a whole new understanding. by MickLinux · · Score: 2

    Aah. It requires unity plugin. Okay.

    ##imagination runs wild#
    After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of Homeland Security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that if it doesn't suit, I can return it and the next purchase will be for bitcoins that will be used for a purchase from the Rayon Way,

    Why yes, yes, I can see how this would work to help me visualize security in a whole new way.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  16. But, there's a good idea here. by tqk · · Score: 1

    Irrespective of all the "installing a plugin to determine security status" comments I've read so far, ...

    I'd just like to say that a strip window in the bottom of my browser that spits a running commentary (a la XConsole) of what the browser's doing in the background and who it's talking to, would be cool. I want what it spits out to be user selectable and configurable. Get on it. You know you want to.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    1. Re:But, there's a good idea here. by ThatAblaze · · Score: 1

      Get on it. You know you want to.

      I do.

  17. DEFCON Presentations by Anonymous Coward · · Score: 0

    DEFCON must have been pretty weak this year.