But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after his presentation. "We decided to focus on the educational message and show people the danger."
Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because that could play into the hands of cybercrooks. "We do not want to release anything that could be used for malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.
Hoffman said he demonstrated Jikto to raise awareness. Vulnerabilities in Web sites could be exploited for injection, which puts users at serious risk, he said. Jikto itself, for example, can be placed on a trusted site by exploiting a common Web security hole known as a cross-site scripting flaw, he said.
Jikto can hunt for common security holes and can connect back to its controller for instructions on which Web sites to hit and flaws to look for, Hoffman said. For example, Jikto could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could open databases to attack.
ShmooCon attendees asked Hoffman for the Jikto code, expecting it to be released at the event. But there didn't appear to be great disappointment when he said SPI Dynamics wouldn't release the tool.
"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."