DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities
punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."
#checks it out, to see a whole new understanding. (Score:3)
Aah. It requires the Unity plugin. Okay.
##imagination runs wild#
After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of homeland security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that iif it doesn't suit, I can return it and the next purchase will be forbitcoins that will be used for a purchase from the Rayo
Re: (Score:2)
...that if someone burned down the building with all these hackers inside ...
It'd be easier to determine your whereabouts.
Re: (Score:2)
that's all.
Well, I was going to pat Timothy on the back for a couple of great intros (this and the dark matter controversy), but now that you've gone and said it all ...
Uh, thanks Timothy.
Re: Web 3.0 (Score:1)
Re: (Score:2)
Re: Web 3.0 (Score:3)
Web 3.0 and uses a plugin? at least do something real web before starting new buzzwords
Sounds like Acunetix (Score:2)
The front end is nifty but I'm not fond of buzzy names. I don't really need a pretty pretty GUI. I'm more interested in the back end. It'd be nice if there was a link or more info about it.
Re: (Score:2)
Re: (Score:2)
Very nice. It sounds like you could use it to create a dynamic high risk list that could be added to content filter or intrusion protection device. I'm going to have to take a closer look now. I'll try parsing the data into rules for the IPS. If the database is too large, which I suspect it is, I'll have to find a spamhaus style way of implementing it.
"Unity web player"? (Score:5, Informative)
When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.
Seriously.... they make a malware visualization demo requiring me install some browser malware in order to view it?
Re: (Score:1)
And that is why malware propagates. Idiot.
Re: (Score:2)
Re: (Score:2)
Erm. Unity is a well-known 3D gaming engine, dude....
Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.
So apparently there is some niche product that is a 3D engine of some sort, and I get that. But the publisher should still not be doing something that requires me to install software, to view it.
If they're posting it online, they should use a standard format such as HTML5.
Re: (Score:2)
>could of
No attempt at sounding smart after writing that is going to work.
"Could've" ("could have") as "could of" just means they've picked it up from hearing it, not reading it. You should applaud their jumping back into the realm of the written word.
Re: (Score:3)
Erm. Unity is a well-known 3D gaming engine, dude....
Could of fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.
So apparently there is some niche product that is a 3D engine of some sort, and I get that.
But the publisher should still not be doing something that requires me to install software, to view it.
If they're posting it online, they should use a standard format such as HTML5.
Nah, Unity is the value-subtracted interface to Gnome in the latest versions of Ubuntu.
Re: (Score:2)
well, what they did was make a desktop software with available tools that has a web loader...
and publish it as a "web software" when it's just desktop sw with a launcher in all practicality. but since everything has to be web nowadays, then web it is.
Re: (Score:2)
Re: (Score:1)
Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/ [unity3d.com]
Sorry, but your statement here doesn't diminish the huge cloud of irony hanging over this. User must install plugin to see visualization about malware fed often via plugins. Uhhh, yeah...reminds me of that time I was taking a security course teaching about how to never click on pop-up windows...when the course was initiated via, you guessed it, a pop-up window.
Re: (Score:3, Informative)
Re: (Score:1)
A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/ [unity3d.com]
pretty overwhelming records show that third party browser plugins are a major source of vulnerabilities, even more so if they are closed source and maintenance restricted to private profit organizations whose due diligence in the process simply cannot be assumed, or even have shown outright negligence. see sun, oracle, adobe, apple, microsoft ...
this is not just ironic, it must be april fool's day in some random geeky tz somewhere.
Re: (Score:1)
Re: (Score:2)
You make a good point, no one should ever use any non-open source browser plugins for anything. Down with shockwave! Down with flash! Down with iTunes! Down with Google Docs!
I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat reader plugin, Java plugin.
HTML5 with Javascript and WebGL is not the dark ages
Re: (Score:1)
I don't know about the last 2, but if you avoid the first two, then you have provided yourself some significant protection from malware which often exploits vulnerabilities in Flash, Shockwave, Adobe Acrobat reader plugin, Java plugin.
HTML5 with Javascript and WebGL is not the dark ages
So you're saying you should avoid plugins with a track record of being exploited and go ahead and use plugins from an established company that don't have such a track record? That's excellent advice.
I hate to break it to you but Unity falls into the latter category, not the former.
Re: (Score:1)
i actually love this idea def-con puts out. as a former cyberpunk fan i started a proof of concept of "the matrix" myself, decades ago. didn't finish, of course. if i did it today i even might as well choose unity3d too (probably not, but it wouldn't be unreasonable). but what i certainly would not do is claim to be "educating people about dealing with vulnerabilities" while just shoving another major source of them in right their pants. epic fail.
we definitely need a fresh perspective on the way we interac
Re: (Score:2)
I would not call it a malware, I do think that Google did a good job to clean it up, and that the Unity company really does need to stay clear of malware, given their business model, but I really despise the idea that we will have to indulge for yet another binary blob.
best used while listening to The Prodigy (Score:1)
Re: (Score:2)
Crash Override, is that you?
Easter Egg (Score:1)
Wow (Score:2)
For some reason, I didn't think defcon would be receptive to guys shilling their new commercial products.
Re: (Score:2)
Screenshot anywhere? (Score:2)
Re: (Score:1)
Clever it might be, but the UI sucks big time (Score:2)
I mean seriously, you can't even edit the goddam URL field; hovering over nodes makes them glow (wooo) but clicking does nothing. Maybe it's an issue with the Unity plugin (yeah, Unity! seriously. FFS)
File this under "utter shite"
Re: (Score:1)
Re: (Score:3)
Be that as it may, it's profoundly useless if you can't edit the root URL however.
Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.
But, there's a good idea here. (Score:2)
Irrespective of all the "installing a plugin to determine security status" comments I've read so far, ...
I'd just like to say that a strip window in the bottom of my browser that spits a running commentary (a la XConsole) of what the browser's doing in the background and who it's talking to, would be cool. I want what it spits out to be user selectable and configurable. Get on it. You know you want to.
Re: (Score:1)
Get on it. You know you want to.
I do. [youtube.com]