DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities

punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."

#checks it out, to see a whole new understanding.

[MickLinux]

Aah. It requires unity plgin. Okay.

##imagination runs wild#
After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of homeland security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that iif it doesn't suit, I can return it and the next purchase will be forbitcoins that will be used for a purchase from the Rayo

Re:

[tqk]

...that if someone burned down the building with all these hackers inside ...

It'd be easier to determine your whereabouts.

Re:

[tqk]

that's all.

Well, I was going to pat Timothy on the back for a couple of great intros (this and the dark matter controversy), but now that you've gone and said it all ...

Uh, thanks Timothy.

Re: Web 3.0

[dnadoc]

Enough of your disruptive crowdsourcing.

Re:

[oodaloop]

I know. It's fucking ridiculous to call it Web 3.0. It's clearly 2.1.

Re: Web 3.0

[robmv]

Web 3.0 and uses a plugin? at least do something real web before starting new buzzwords

Sounds like Acunetix

[sgt scrub]

The front end is nifty but I'm not fond of buzzy names. I don't really need a pretty pretty GUI. I'm more interested in the back end. It'd be nice if there was a link or more info about it.

Re:

[punk2176]

Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to

Re:

[sgt scrub]

Very nice. It sounds like you could use it to create a dynamic high risk list that could be added to content filter or intrusion protection device. I'm going to have to take a closer look now. I'll try parsing the data into rules for the IPS. If the database is too large, which I suspect it is, I'll have to find a spamhaus style way of implementing it.

"Unity web player"?

[mysidia]

When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.

Seriously.... they make a malware visualization demo requiring me install some browser malware in order to view it?

Re:

[jdharm]

I stopped there. I just know when I install that software the first thing I will see is not some pretty graphic showing the complex relationship between websites but a simple statement in flashing letters:

And that is why malware propagates. Idiot.

Re:

[punk2176]

Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/ [unity3d.com]

Re:

[mysidia]

Erm. Unity is a well-known 3D gaming engine, dude....

Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

So apparently there is some niche product that is a 3D engine of some sort, and I get that. But the publisher should still not be doing something that requires me to install software, to view it.

If they're posting it online, they should use a standard format such as HTML5.

Re:

[tqk]

>could of

No attempt at sounding smart after writing that is going to work.

"Could've" ("could have") as "could of" just means they've picked it up from hearing it, not reading it. You should applaud their jumping back into the wrealm of the written word.

Re:

[bobstreo]

Erm. Unity is a well-known 3D gaming engine, dude....

Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

So apparently there is some niche product that is a 3D engine of some sort, and I get that.
But the publisher should still not be doing something that requires me to install software, to view it.

If they're posting it online, they should use a standard format such as HTML5.

Nah Unity is the value subtracted interface to Gnome in the latest versions of Ubuntu

Re:

[gl4ss]

well, what they did was make a desktop software with available tools that has a web loader...

and publish it as a "web software" when it's just desktop sw with a launcher in all practicality. but since everything has to be web nowadays, then web it is.

Re:

[jon3k]

Don't worry there's Unity Connect now, runs on Linux.

Re:

[Anonymous Coward]

Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/ [unity3d.com]

Sorry, but your statement here doesn't diminish the huge cloud of irony hanging over this. User must install plugin to see visualization about malware fed often via plugins. Uhhh, yeah...reminds me of that time I was taking a security course teaching about how to never click on pop-up windows...when the course was initiated via, you guessed it, a pop-up window.

Re:

[ThatAblaze]

A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/ [unity3d.com]

Re:

[znrt]

A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/ [unity3d.com]

pretty overwhelming records show that third party browser plugins are a major source of vulnerabilities, even more so if they are closed source and maintenance restricted to private profit organizations whose due dilligence in the process simply cannot be assumed, or even have shown outright negligence. see sun, oracle, adobe, apple, microsoft ...

this is not just ironic, it must be april fool's day in some random geeky tz somewhere.

Re:

[ThatAblaze]

You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs! It's time to go back to the dark ages because no one's source can be assumed to be secure unless you have the option to read it! Not that you would actually bother to go read it, any more than you would bother to go vote.. but that option simply must be there!

Re:

[mysidia]

You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs!

I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Abrocat reader plugin, Java plugin,.

HTML5 with Javascript and WebGL is not the dark ages

Re:

[ThatAblaze]

I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Abrocat reader plugin, Java plugin,.

HTML5 with Javascript and WebGL is not the dark ages

So you're saying you should avoid plugins with a track record of being exploited and go ahead and use plugins from an established company that don't have such a track record? That's excellent advice.

I hate to break it to you but Unity falls into the latter category, not the former.

Re:

[znrt]

i actually love this idea def-con puts out. as a former cyberpunk fan i started a proof of concept of "the matrix" myself, decades ago. didn't finish, of course. if i did it today i even might as well choose unity3d too (probably not, but it wouldn't be unreasonable). but what i certainly would not do is claim to be "educating people about dealing with vulnerabilities" while just shoving another major source of them in right their pants. epic fail.

we definitely need a fresh perspective on the way we interac

Re:

[Yvanhoe]

Actually, the unity plugin is now pre-installed in chrome under windows. I fear it will quickly become the new flash runtime.

I would not call it a malware, I do think that Google did a good job to clean it up, and that the Unity company really does need to stay clear of malware, given their business model, but I really despise the idea that we will have to indulge for yet another binary blob.

best used while listening to The Prodigy

[ClassicASP]

cool! just like in that 1995 movie "Hackers" ! http://www.youtube.com/watch?v=PZHG3pi9EDA [youtube.com]

Re:

[BonThomme]

Crash Override, is that you?

Easter Egg

[ThatAblaze]

Most sites I type in don't work, but I found something interesting by typing in bushofficial.com

Wow

[93 Escort Wagon]

For some reason, I didn't think defcon would be receptive to guys shilling their new commercial products.

Re:

[punk2176]

Free and open source, dude. Just not released yet because it's funded by DARPA CFT and still ongoing research: http://www.wired.com/dangerroom/2011/11/darpa-fast-track/ [wired.com]

Screenshot anywhere?

[manu0601]

Are there screenshots of the thing anywhere, for the one that cannot or do not want to install that Unity player?

Re:

[ThatAblaze]

Several screenshots are posted at the demo link of the trinarysoftware website.

Clever it might be, but the UI sucks big time

[davesag]

I mean seriously, you can't even edit the goddam URL field; hovering over nodes makes them glow (wooo) but clicking does nothing. Maybe it's an issue with the Unity plugin (yeah, Unity! seriously. FFS)

File this under "utter shite"

Re:

[ThatAblaze]

Double clicking and dragging work.

Re:

[davesag]

Be that as it may, it's profoundly useless if you can't edit the root URL however.

Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.

But, there's a good idea here.

[tqk]

Irrespective of all the "installing a plugin to determine secuity status" comments I've read so far , ...

I'd just like to say that a strip window in the bottom of my browser that spits a running commentary (a la XConsole)of what the browser's doing in the background and who it's talking to, would be cool. I want what it spits out to be user selectable and configurable. Get on it. You know you want to.

Re:

[ThatAblaze]

Get on it. You know you want to.

I do. [youtube.com]