A controversial tool calls out thousands of hackable websites


Cáceres freely admits that a malicious hacker could use PunkSpider to pick out a website to attack. But he argues that scanners that find web vulnerabilities have always existed; PunkSpider merely makes the results public. “You know that your customers can see it, and your investors can see it, so you will solve this problem quickly,” Cáceres said.

Take two

The Defcon talk by Cáceres and Hopper marked the second incarnation of PunkSpider. The idea for the tool was born ten years ago, in the summer of 2011, when the hacker group Anonymous and its splinter group LulzSec were in the midst of a spree of data theft and website defacement, most of it achieved through simple web vulnerabilities. (“Why are there SQL injections everywhere?” asks a LulzSec tribute hip-hop song.)

Cáceres noticed at the time that even relatively unskilled hackers seemed able to find large numbers of web vulnerabilities with ease. He began to wonder whether the only solution might be to expose every web vulnerability in one large-scale cleanup. So in 2012 he started building PunkSpider to do exactly that, and he showed it at the Shmoocon hacker conference in early 2013. His small security R&D company, Hyperion Gray, also received funding from Darpa.

The project faced challenges from the start, however. Shmoocon attendees questioned whether Cáceres was aiding black-hat hackers, and whether he was violating the Computer Fraud and Abuse Act in the process. Amazon repeatedly kicked him off the Amazon Web Services accounts he used to run the search engine, each time soon after receiving an abuse report from an angry web administrator, forcing him to keep creating new burner accounts to keep it running.

By 2015, Cáceres was scanning the web only once a year for new vulnerabilities. He struggled to keep PunkSpider online and to pay its costs. Soon after, he let the project lapse.

Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of his web-hacking search engine. Now Cáceres and Hopper say that their improved tool runs on a cloud-based cluster of hundreds of machines. It can scan hundreds of millions of sites per day, either crawling the entire web and collecting the results or scanning a target URL at a user's request. The old PunkSpider's annual scan of the entire web took nearly a week to complete.

Cáceres declined to name his current hosting provider, but he said he has reached an understanding with the company about PunkSpider's motives, which he hopes will keep his account from being banned again. Reluctantly, he has also added a feature that lets web administrators spot PunkSpider's probes by their user agent, the string that helps identify a website's visitors, along with a contact email address and an opt-out feature that lets websites remove themselves from the tool's search results. “To be honest, I’m not satisfied with it,” Cáceres said. “I don’t like the idea of people being able to opt out of security matters and bury their heads in the sand. But this is a sustainable and balanced thing.”

Punk Spider Web

The reincarnated PunkSpider has already exposed real flaws in major websites. Cáceres showed WIRED a screenshot demonstrating cross-site scripting vulnerabilities in both Kickstarter.com and LendingTree.com. In LendingTree's case, Cáceres said the vulnerability could be used to craft links that, if users were tricked into clicking them, would host malware on or display a phishing prompt within LendingTree's own website. The Kickstarter vulnerability, Cáceres said, would similarly let hackers create a link that, when clicked by a victim, could display a phishing prompt or automatically make a payment to a Kickstarter project from the victim's credit card.

“LendingTree uses multiple layers of control to protect the confidentiality and integrity of our website and consumer data,” the company said in a statement. “This includes web application firewalls, outside-in penetration testing, and static/dynamic code reviews to identify and fix vulnerabilities. In addition, we take any reported security vulnerabilities seriously and promptly investigate and resolve any issues found.” Kickstarter wrote in an email to WIRED that it is “actively addressing” its web flaws.
