Slashdot Mirror


DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities

punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."

37 of 57 comments

  1. Re:Web 3.0 by oodaloop · · Score: 1

    I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  2. Re: Web 3.0 by dnadoc · · Score: 1

    Enough of your disruptive crowdsourcing.

  3. Sounds like Acunetix by sgt+scrub · · Score: 1

    The front end is nifty but I'm not fond of buzzy names. I don't really need a pretty pretty GUI. I'm more interested in the back end. It'd be nice if there was a link or more info about it.

    --
    Having to work for a living is the root of all evil.
    1. Re:Sounds like Acunetix by punk2176 · · Score: 2

      Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

      (1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon
      (2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18
      (3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan

      And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

      Alex

    2. Re:Sounds like Acunetix by sgt+scrub · · Score: 1

      Very nice. It sounds like you could use it to create a dynamic high risk list that could be added to content filter or intrusion protection device. I'm going to have to take a closer look now. I'll try parsing the data into rules for the IPS. If the database is too large, which I suspect it is, I'll have to find a spamhaus style way of implementing it.

      --
      Having to work for a living is the root of all evil.
  4. "Unity web player"? by mysidia · · Score: 4, Informative

    When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.

    Seriously.... they make a malware visualization demo requiring me to install some browser malware in order to view it?

    1. Re:"Unity web player"? by jdharm · · Score: 1

      I stopped there. I just know when I install that software the first thing I will see is not some pretty graphic showing the complex relationship between websites but a simple statement in flashing letters:

      And that is why malware propagates. Idiot.

    2. Re:"Unity web player"? by punk2176 · · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/

    3. Re:"Unity web player"? by ThatAblaze · · Score: 3, Informative

      A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/

    4. Re:"Unity web player"? by mysidia · · Score: 1

      Erm. Unity is a well-known 3D gaming engine, dude....

      Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

      So apparently there is some niche product that is a 3D engine of some sort, and I get that. But the publisher should still not be doing something that requires me to install software, to view it.

      If they're posting it online, they should use a standard format such as HTML5.

    5. Re:"Unity web player"? by Anonymous Coward · · Score: 1

      Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/

      Sorry, but your statement here doesn't diminish the huge cloud of irony hanging over this. User must install plugin to see visualization about malware fed often via plugins. Uhhh, yeah...reminds me of that time I was taking a security course teaching about how to never click on pop-up windows...when the course was initiated via, you guessed it, a pop-up window.

    6. Re:"Unity web player"? by bobstreo · · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude....

      Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

      So apparently there is some niche product that is a 3D engine of some sort, and I get that.
      But the publisher should still not be doing something that requires me to install software, to view it.

      If they're posting it online, they should use a standard format such as HTML5.

      Nah Unity is the value subtracted interface to Gnome in the latest versions of Ubuntu

    7. Re:"Unity web player"? by gl4ss · · Score: 1

      well, what they did was make a desktop software with available tools that has a web loader...

      and publish it as a "web software" when it's just desktop sw with a launcher in all practicality. but since everything has to be web nowadays, then web it is.

      --
      world was created 5 seconds before this post as it is.
    8. Re:"Unity web player"? by jon3k · · Score: 1

      Don't worry there's Unity Connect now, runs on Linux.

    9. Re:"Unity web player"? by znrt · · Score: 1

      A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/

      pretty overwhelming records show that third party browser plugins are a major source of vulnerabilities, even more so if they are closed source and maintenance restricted to private profit organizations whose due diligence in the process simply cannot be assumed, or even have shown outright negligence. see sun, oracle, adobe, apple, microsoft ...

      this is not just ironic, it must be april fool's day in some random geeky tz somewhere.

    10. Re:"Unity web player"? by ThatAblaze · · Score: 1

      You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs! It's time to go back to the dark ages because no one's source can be assumed to be secure unless you have the option to read it! Not that you would actually bother to go read it, any more than you would bother to go vote.. but that option simply must be there!

    11. Re:"Unity web player"? by mysidia · · Score: 1

      You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs!

      I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat reader plugin, Java plugin, ...

      HTML5 with Javascript and WebGL is not the dark ages

    12. Re:"Unity web player"? by ThatAblaze · · Score: 1

      I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat reader plugin, Java plugin, ...

      HTML5 with Javascript and WebGL is not the dark ages

      So you're saying you should avoid plugins with a track record of being exploited and go ahead and use plugins from an established company that don't have such a track record? That's excellent advice.

      I hate to break it to you but Unity falls into the latter category, not the former.

    13. Re:"Unity web player"? by znrt · · Score: 1

      i actually love this idea def-con puts out. as a former cyberpunk fan i started a proof of concept of "the matrix" myself, decades ago. didn't finish, of course. if i did it today i even might as well choose unity3d too (probably not, but it wouldn't be unreasonable). but what i certainly would not do is claim to be "educating people about dealing with vulnerabilities" while just shoving another major source of them right in their pants. epic fail.

      we definitely need a fresh perspective on the way we interact in the network. we are already deep in the dark ages, or didn't you get the news about government agencies routinely spying on absolutely everyone? and as much as malware is actually a plague, general public blissful ignorance is the real problem. but opensource doesn't mean we all have to read the source before running it, or start growing beards. it simply means it is publicly auditable, which in itself has far reaching implications. assuming "company x will do good" is simply not acceptable. in part because they have proven otherwise more often than not. but nobody expects the spanish inquisition!

    14. Re:"Unity web player"? by tqk · · Score: 1

      >could of

      No attempt at sounding smart after writing that is going to work.

      "Could've" ("could have") as "could of" just means they've picked it up from hearing it, not reading it. You should applaud their jumping back into the realm of the written word.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    15. Re:"Unity web player"? by Yvanhoe · · Score: 1

      Actually, the unity plugin is now pre-installed in chrome under windows. I fear it will quickly become the new flash runtime.

      I would not call it a malware, I do think that Google did a good job to clean it up, and that the Unity company really does need to stay clear of malware, given their business model, but I really despise the idea that we will have to indulge for yet another binary blob.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
  5. Re: Web 3.0 by robmv · · Score: 2

    Web 3.0 and uses a plugin? At least do something real web before starting new buzzwords.

  6. best used while listening to The Prodigy by ClassicASP · · Score: 1

    cool! just like in that 1995 movie "Hackers" ! http://www.youtube.com/watch?v=PZHG3pi9EDA

    1. Re:best used while listening to The Prodigy by BonThomme · · Score: 1

      Crash Override, is that you?

  7. Easter Egg by ThatAblaze · · Score: 1

    Most sites I type in don't work, but I found something interesting by typing in bushofficial.com

  8. Wow by 93+Escort+Wagon · · Score: 1

    For some reason, I didn't think defcon would be receptive to guys shilling their new commercial products.

    --
    #DeleteChrome
    1. Re:Wow by punk2176 · · Score: 2

      Free and open source, dude. Just not released yet because it's funded by DARPA CFT and still ongoing research: http://www.wired.com/dangerroom/2011/11/darpa-fast-track/

  9. Screenshot anywhere? by manu0601 · · Score: 1

    Are there screenshots of the thing anywhere, for the one that cannot or do not want to install that Unity player?

    1. Re:Screenshot anywhere? by ThatAblaze · · Score: 1

      Several screenshots are posted at the demo link of the trinarysoftware website.

  10. Clever it might be, but the UI sucks big time by davesag · · Score: 1

    I mean seriously, you can't even edit the goddam URL field; hovering over nodes makes them glow (wooo) but clicking does nothing. Maybe it's an issue with the Unity plugin (yeah, Unity! seriously. FFS)

    File this under "utter shite"

    --
    I used to have a better sig than this, but I got tired of it
    1. Re:Clever it might be, but the UI sucks big time by ThatAblaze · · Score: 1

      Double clicking and dragging work.

    2. Re:Clever it might be, but the UI sucks big time by davesag · · Score: 2

      Be that as it may, it's profoundly useless if you can't edit the root URL however.

      Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.

      --
      I used to have a better sig than this, but I got tired of it
  11. #checks it out, to see a whole new understanding. by MickLinux · · Score: 2

    Aah. It requires unity plugin. Okay.

    ##imagination runs wild#
    After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of Homeland Security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that if it doesn't suit, I can return it and the next purchase will be for bitcoins that will be used for a purchase from the Rayon Way,

    Why yes, yes, I can see how this would work to help me visualize security in a whole new way.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  12. Re:finally, enough jargon to be /. worthy by tqk · · Score: 1

    that's all.

    Well, I was going to pat Timothy on the back for a couple of great intros (this and the dark matter controversy), but now that you've gone and said it all ...

    Uh, thanks Timothy.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  13. Re:It occurs to me... by tqk · · Score: 1

    ...that if someone burned down the building with all these hackers inside ...

    It'd be easier to determine your whereabouts.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  14. But, there's a good idea here. by tqk · · Score: 1

    Irrespective of all the "installing a plugin to determine security status" comments I've read so far, ...

    I'd just like to say that a strip window in the bottom of my browser that spits a running commentary (a la XConsole) of what the browser's doing in the background and who it's talking to, would be cool. I want what it spits out to be user selectable and configurable. Get on it. You know you want to.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    1. Re:But, there's a good idea here. by ThatAblaze · · Score: 1

      Get on it. You know you want to.

      I do.