Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

+ - Stupid Simple Security - a Chrome plugin for safer browsing

Submitted by shmaybebaby
shmaybebaby (3525763) writes "There's this free and open source searchable repository of web vulnerabilities across the entire Internet. It's called PunkSPIDER (http://punkspider.hyperiongray.com) and it's handy for looking up the websites you frequent to see if they have any egregious vulnerabilities that could compromise your privacy and identity. Here's a Slashdot article on PunkSPIDER from last year http://it.slashdot.org/story/1... — you can see from the comments that it was, uh, kind of controversial.

But turns out, it's not even close to being the WMD that people were afraid of (that's a "weapon of mass destruction," in case you were born after the year 2000) and is actually kind of useful, particularly for the security / hacker community. People have used it for penetration testing recon, for security research, for a quick check of their own website, or just for personal use. The thing is, unless you're a security researcher who keeps PunkSPIDER open in a tab in your browser, you probably won't remember to go there and check out a website to make sure it's safe before you give them your credit card info.

To make it more accessible to the average user, the team behind PunkSPIDER released a Chrome extension that sits in your nav bar and tells you if PunkSPIDER has found any vulnerabilities on the site you're on. If it does, you get a red x, if it doesn't, you get a green check. It's stupid simple and it's free.

Here's a link to dl the extension https://chrome.google.com/webs... and here's a demo video on how it works http://www.youtube.com/watch?v.... There are some other videos under the same account that you can watch if you want to know more about the PunkSPIDER project.

There are plans to release a Firefox plugin soon, too, which will be nice because it's arguably a more ubiquitous browser than Chrome. Still, I'm switching to Chrome now just for this extension."

Comment: Re:Sounds like Acunetix (Score 2) 57

by punk2176 (#44533003) Attached to: DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities
Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

(1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon
(2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18
(3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan

And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

Alex

+ - Hackers Unveil A New Way of Visualizing Web Vulnerabilities at DEF CON 21

Submitted by punk2176
punk2176 (2840475) writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and "big data" to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0.

A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."

+ - Scientists Uncover First Hundred Thousand Years of Our Universe

Submitted by Anonymous Coward
An anonymous reader writes "In order to solve a mystery, you need to revisit the scene of the crime. In the case of the Big Bang, though, that's a little difficult. That's why scientists are using cosmic microwave background (SMB) radiation data to look back at the origins of our universe. Now, they've managed to get their furthest look back through time yet, catching a glimpse of the universe a mere 100 to 300,000 years after its birth."

+ - Researcher (ab)uses Big Data tech for large-scale attacks 1

Submitted by punk2176
punk2176 (2840475) writes "Security researcher Alejandro Caceres demonstrated techniques and released open source tools to attack large (e.g. country sized) beds of targets using "Big Data" technologies at this year's DEF CON 21 hacking conference. Caceres is best known for the controversial PunkSPIDER project, a project to vulnerability scan the entire Internet's websites and make them searchable by the general public.

The new techniques revolve around using an Apache Hadoop cluster and cloud technologies, such as Amazon's Elastic MapReduce, to conduct large, coordinated attacks. The researcher showed that by leveraging the MapReduce parallel programming concept, such techniques can be extremely effective. He demonstrated several use cases, including a coordinated, automated SQL injection attack that was able to steal system hashes at a rate of 1 target every .75 seconds, approximately 70 times faster than with conventional means. These techniques may allow a single attacker to conduct massive attacks against hundreds of thousands or even millions of targets, a task which would otherwise be too time-consuming, costly or complex for an attacker. More details on the talk can be found on the DEF CON website or at open source R&D organization Hyperion Gray's website."

+ - Lon Snowden, former Coast Guard officer, is on the way to Moscow

Submitted by Max_W
Max_W (812974) writes "Lon Snowden, the father of Edward Snowden, gave an interview to the Reuters: http://www.reuters.com/article/2013/08/07/us-usa-security-snowden-idUSBRE97617S20130807 He is also practically on the way to Russia, to visit his fugitive son. He applied for the Russian Federation entry visa already.

Edward Snowden's deeds could be debatable, but I am absolutely fascinated by his father's courage. He is calm and absolutely fearless in trying to save his son. Is it a former Coast Guard character? As we know Coast Guard officers are facing grave danger on a daily basis. Or would anybody act like this in his place?"

+ - IBM Builds Programming Model For Brain-Like Computing ->

Submitted by judgecorp
judgecorp (778838) writes "IBM is working on a programming model for cognitive applications, which it hopes will provide something like a high-level language for producing brain-like programs, enabling "anyone" to make cognitive applications, just as FORTRAN did for conventional computing. IBM plans to build a brain with 10 billion neurons (about one tenth the number in the human brain.The project surely wins Acronym of the Week: it's called SyNAPSE (Systems of Neuromorphic Adaptive Plastic Scalable Electronics)."
Link to Original Source

+ - Conflicting Views on the Science of Pain

Submitted by ZahrGnosis
ZahrGnosis (66741) writes "Popular Science, a stalwart of the scientific literature community, posted a couple of articles about pain research recently that are causing a bit of controversy. First, they posted an article titled Fetal Pain Is A Lie: How Phony Science Took Over The Abortion Debate that argues fetuses don't feel pain at 20 weeks due to a scientific consensus that the nervous system is underdeveloped at that point. Ironically, this argument has been used for years in a different setting: to claim that crustaceans don't feel pain (justifying among other things the live boiling of lobster). But PopSci also posted an article titled Crabs And Lobsters Probably Do Feel Pain, According To New Experiments. And now there's mild internet flaming going on. I know Slashdot doesn't venture into the abortion arena much, and I'm not trying to wade into political territory so much as understand the competing scientific commentaries (in so much as fetuses and lobster can be compared). But mostly I'm just curious what the Slashdot crowd thought."

+ - NVIDIA open sources SHIELD's operating system->

Submitted by hypnosec
hypnosec (2231454) writes "NVidia has now open-sourced the operating system that powers the gaming console to encourage its modification and further development. Powered by NVidia’s homegrown Tegra 4 processor, the console runs Android, which shouldn't surprise many as the company moves ahead with its opensourcing intentions. The GPU company has said that the SHIELD is an ‘open gaming platform’ that allows for ‘an open ecosystem’ enabling developers to develop content as well as applications that takes advantage of the underlying hardware and which can be enjoyed on bigger displays as well as mobile screen."
Link to Original Source

+ - Stop fixing all security vulnerabilities. ->

Submitted by PMcGovern
PMcGovern (13300) writes "At BSidesLV in Las Vegas, Ed Bellis and Data Scientist Michael Roytman gave a talk explaining how security vulnerability statistics should be done. " Don't fix all security issues. Fix the security issues that matter, based on statistical relevance." They looked at 23,000,000 live vulnerabilities across 1,000,000 real assets, which belonged to 9,500 clients to explain their thesis."
Link to Original Source

+ - Elon Musk Admits he is Too Busy to Build Hyperloop->

Submitted by DavidGilbert99
DavidGilbert99 (2607235) writes "It sounded like the future — a 600mph train taking people from San Francisco to Los Angeles in just 30mins. In fact it sounded like a future too good to be true. And so it seems to have proven. As Alistair Charlton at IBTimes reports, Elon Musk, the man behind PayPal, Tesla and Space X has admitted that Hyperloop is a step too far and he should never have mentioned it in the first place — "I think I shot myself in the foot by ever mentioning the Hyperloop. I'm too strung out." Oh well, let's hope SpaceX works out a bit better....."
Link to Original Source

Comment: Re:Ethics (Score 2, Informative) 85

by punk2176 (#42994233) Attached to: PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display
Hmm, a few issues with this...

1) The statement that we "just run Nessus" is incorrect. We wrote our own scanner that works on a Hadoop cluster. Why is this important? It means that we can handle a lot more scans than anyone else (several thousand per day with a small cluster) and it's also specifically made for mass scans. This is important in point 2 below.

2) The process you're describing is for finding a vulnerability in a piece of software in general (e.g. a common CMS), not a specific vulnerability in an implementation of a piece of software (e.g. a specific website). That's a huge difference. You wouldn't put a CVE up for a SQL injection bug in a specific implementation of a site (you would only if it was common to an entire CMS for example). Anyway, what we hope is to build a community of like-minded security folks that can help those website owners fix their *specific issues* first and if applicable go through the process you describe when needed. We also want to provide this for free.

3) What if the vulnerability is in a custom built site that no one cares enough about to do security research on. Who's letting them know their issues? We hope to provide a view of this to the website owner and yes, push them a little to get their security ducks in a row.

4) We're not attention whores or jackasses. Calling people names isn't nice and makes us sad.

Comment: Re:Couldn't find any - the results so far ARE pret (Score 3, Informative) 85

by punk2176 (#42994109) Attached to: PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display
So one thing that we've been trying to make clear is that the project is *on track* to scan the entire Internet, we haven't scanned everything yet. We have scanned about 70k sites and have under 4 million indexed. Our next version is going to be clearer on what is and is not scanned - currently we just say 0 vulnerabilities if we haven't scanned it, indicating that we have not found vulnerabilities in it yet - not necessarily that it doesn't have any. This was all part of our ShmooCon presentation which just hasn't been released to everyone yet! The system is self-sustaining at this point so these numbers are constantly going up. The "not pretty" comes from the fact that we have over 100,000 vulnerabilities from just scanning about 70,000 sites (some sites have multiple vulnerabilities).

Wishing without work is like fishing without bait. -- Frank Tyger

Working...