- 10 open source companies to watch
- Mythbuster busts his own tale
- $208 million petascale computer gets green light
- Sony recalls 73,000 Vaio laptops
- Chrome and Firefox and add-ons
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Software that could be used to turn a Web browser into an unwitting hacker's tool has been posted to the Internet, after it was downloaded by a quick-thinking attendee at last month's Shmoocon hacker conference.
The software, called Jitko was written by Billy Hoffman, lead researcher at Spy Dynamics Inc. Hoffman demonstrated the code on March 24 as part of a presentation on the dangers of JavaScript malware.
Hoffman had discovered a way to write a Web vulnerability scanner in JavaScript, a Web language that can run in any browser. This technique circumvents JavaScript's security restrictions and, concerned that his Jitko code could be misused, Hoffman says he took extra steps to prevent the code from getting out.
However, in order for his demonstration to work, he had to post the Jitko code somewhere on the Internet. "Very briefly you could see the original URL of where the Jitko code got fetched," Hoffman said.
That was enough for show attendee Mike Schroll to snag a copy.
"I was sitting pretty close to the front and had my laptop out already," said Schroll, an information security consultant with Security Management Partners, Inc. "The second I saw it i just started typing away."
Schroll posted the code to his Web site March 25, and submitted a link to the code on Digg.com. He removed the software several hours later at Hoffman's request.
Schroll said he posted the code because he thought it would be useful to other security professionals looking for ways to illustrate just how dangerous a scripting attack can be. "I was pretty interested in it because we do some engagements with clients where we do fake phishing sites," he said. "I wasn't trying to be nefarious or malicious."
The software was downloaded from his Web site about 100 times, Schroll said.
Over the past weekend, the code surfaced again, this time on the Sla.ckers.org online discussion forum.
With Jitko now public, security researchers worry it could be misused by criminals to scan internal networks for sensitive information, or to build a malicious botnet code. "This particular tool is designed to take control of the Web browser," said Jeremiah Grossman, chief technology officer with WhiteHat Security Inc. "It will crawl other Web sites and scan them, looking for vulnerabilities."

Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses...
Vulnerability Management For DummiesDownload this concise book "Vulnerability Management for Dummies," to learn about the simple steps...
The ROI and TCO Benefits of Data Deduplication for Data Protection in the EnterpriseThis paper examines and quantifies the costs and benefits of backup with deduplication storage as...

Life on the edge of your WAN has changed dramatically. With the need to deliver advanced services,...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...

We have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment