Slashdot Mirror


Firesheep Countermeasure Tool BlackSheep

Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitors traffic to see if it has been hijacked."

122 comments

  1. or just use proper security by datapharmer · · Score: 4, Insightful

    Or you could just force tls/ssl on sites that support it and render firesheep useless. Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

    --
    Get a web developer
    1. Re:or just use proper security by iammani · · Score: 5, Informative

      Exactly, this is what EFF's Firefox Addon does

    2. Re:or just use proper security by Jugalator · · Score: 1

      Much, much better solution than this "Blacksheep" tool if you ask me. Blacksheep simply isn't doing this right.

      --
      Beware: In C++, your friends can see your privates!
    3. Re:or just use proper security by Spad · · Score: 1

      on sites that support it

      And therein lies the problem.

    4. Re:or just use proper security by mounthood · · Score: 2, Funny

      Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

      But if we did have an Add-on which "alerted that your information just got stolen" we could call it "Wake Up Sheeple!"

      --
      tomorrow who's gonna fuss
    5. Re:or just use proper security by tjlaxs · · Score: 1

      Forcing SSL on, for example, Facebook renders some features just not working. :/ But yes, it's still better security to browse in a somewhat nonworking environment.

      --
      tlax says: "Lol".
    6. Re:or just use proper security by datapharmer · · Score: 2, Interesting

      well kind of... that plugin fails in that it requires you to add in each domain you want to use ssl for. I would recommend force-tls for firefox and KB SSL enforcer for chrome (the second is not completely secure due to chrome's design, but hoping that will be fixed soon).

      --
      Get a web developer
    7. Re:or just use proper security by ObsessiveMathsFreak · · Score: 1

      Or you could just force tls/ssl on sites that support it and render firesheep useless.

      Firefox users are using software which actively discourages use of ssl and other secure connections. They're unlikely to set their browsers to use secure connections by default.

      --
      May the Maths Be with you!
    8. Re:or just use proper security by iammani · · Score: 3, Informative

      Mmm neat, but force-tls is not helpful for wikipedia (and other similar sites), that need mapping from en.wikipedia.org/wiki/Google to secure.wikimedia.org/wikipedia/en/wiki/Google

    9. Re:or just use proper security by jonescb · · Score: 1

      Or just tunnel through SSH whenever you're on an unsecured network. I was with some friends last week who were using Firesheep on each other (all in good fun), but I was tunneling all my traffic and nobody was able to get my cookies.

    10. Re:or just use proper security by hitmark · · Score: 1

      Force-tls seems to depend on the page telling the browser to use tls; not sure how different that is from a front page that redirects to https. The EFF extension however alters any attempt to access one of the domains it is set up with to https, and does so based on user, rather than page, settings.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    11. Re:or just use proper security by iammani · · Score: 3, Informative

      Mmm I have not pasted the link properly... EFF's plugin can map automatically from http://en.wikipedia.org/wiki/Google to https://secure.wikimedia.org/wikipedia/en/wiki/Google It is not possible with force-tls

    12. Re:or just use proper security by fuzzyfuzzyfungus · · Score: 2, Informative

      Tools for detecting malicious actors certainly have their place(even if you are cryptographically protected from them, it's always nice to know what sort of neighborhood you are currently in); but the idea of playing cat-and-mouse when you could be playing cat and enciphered-such-that-it-will-be-inedible-long-after-the-sun-has-devoured-the-inner-planets-mouse is seriously head -> desk...

    13. Re:or just use proper security by iammani · · Score: 3, Informative

      Spot-on. Force-tls actually prevents DNS spoofing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ from Starbucks; someone might spoof the DNS and redirect you to their own page rather than https://www.bankofamerica.com/ . Force-tls prevents this by not requesting the http page and directly requesting the secure page (it knows for which pages it has to request using https by remembering the last time you visited the site (to be more specific, whether the site had sent an X-Force-TLS header when you had visited it before)).

    14. Re:or just use proper security by gad_zuki! · · Score: 1

      Some sites don't support SSL. Hotmail for instance.

    15. Re:or just use proper security by IB4Student · · Score: 1

      Firefox 4 comes with HSTS

    16. Re:or just use proper security by IB4Student · · Score: 1

      If you are alerted that someone is using firesheep on you, then you at least know and can use a "logout all other sessions".
      http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765

    17. Re:or just use proper security by iammani · · Score: 1

      Hotmail has had HTTPS support for a while now. All you have to do is visit https://www.hotmail.com/ and as soon as it logs on click on always https (hotmails prompts you for it).

      And most websites I use support https (if not they lose the tinfoil market)

    18. Re:or just use proper security by Monkeedude1212 · · Score: 1

      Speaking of which - what does Slashdot use? I don't see an HTTPS in my urls...

      Couldn't someone sidejack a Slashdot Session?

    19. Re:or just use proper security by gad_zuki! · · Score: 1

      Actually, that doesn't work. I'm able to log in but then it fails on the next page load.

      The issue is that if you log in without https it redirects you to an https page FOR LOGIN ONLY. Everything else is unencrypted past that point. The trick you supplied is forcing it to use https after login and that is not supported. At least on Firefox.

    20. Re:or just use proper security by muckracer · · Score: 1

      > https://www.hotmail.com/

      Hmm...I get a warning thrown up by the SSLPasswdWarning FF plugin (actually on the hotmail-redirected login.live.com):

      Warning!!!
      The password field you have selected will transmit your information over an unencrypted and insecure connection.
      The form submits to:
      UNKNOWN (or handled in Javascript)

      Anybody verified that this actually gets handled via SSL (in JS or whatever)?

    21. Re:or just use proper security by iammani · · Score: 1

      It does work for me (without using EFF's addon). Do try visiting https://account.live.com/ManageSSL , where you can set this up. Not sure why simply visiting https://www.hotmail.com/ does not work for you.

      And I do understand that what you're looking for is https even beyond logon. The one I had mentioned (in this post and the prev post) is exactly for this purpose.

    22. Re:or just use proper security by iammani · · Score: 1

      Oopsie, I forgot to mention, you need a live plus account to be able to change settings at https://account.live.com/ManageSSL . But still visiting https://www.hotmail.com/ should still work for non-paying users. Here is a source if you are interested... http://lifehacker.com/5684326/hotmail-adds-always+on-secure-https-connection-option

    23. Re:or just use proper security by muckracer · · Score: 1

      In recent threads about Firesheep in regards to Slashdot I had seen several times the suggestion to use:

      https://slashdot.org/my/login

      Yes, there is an SSL page for login. After login it then redirects to the main /. page (http).
      So far so good except...I am still NOT logged in! Anybody know what the deal is with that?

    24. Re:or just use proper security by Monkeedude1212 · · Score: 2, Insightful

      I suppose that's an equally effective countermeasure.

    25. Re:or just use proper security by RaymondKurzweil · · Score: 1

      Firesheep users are generally not malicious actors... just pranksters. Ironically, a real malicious actor would just use Firesheep to just grab sessions and then use SSL as described to actually use them, which would be beyond what BlackSheep could deal with. I wonder if that is already doable with the install of the EFF extension and Firesheep and no other modification.

    26. Re:or just use proper security by gad_zuki! · · Score: 1

      Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:

      * Outlook Hotmail Connector

      MS is really screwing this up. I use the Outlook connector on a different computer. So now I can have either HTTPS or the connector.

    27. Re:or just use proper security by fuzzyfuzzyfungus · · Score: 1

      My bigger concern would not be firesheep users as such, as they are likely to be pranksters, kiddies, and the assorted merely curious. Not harmless; but hardly evil masterminds. Nor, for its part, is firesheep a terribly refined tool for doing real damage. Too manual, too slow, GUI oriented. A lot of harassment and petty pranksterism will likely occur; but that is about it.

      My concern would be exploitation of the vector that firesheep draws attention to. If your machine is 0wned and part of a botnet, this is one more thing it could be doing silently in the background, especially now that more and more machines are laptops. The user wouldn't have to be malicious, or even aware, just infected. Walk into a coffee shop, and suddenly half the patrons in the place are tweeting url-shortened links to attack sites and penis pill peddlers and so forth...

    28. Re:or just use proper security by flowwolf · · Score: 1

      This tool is targeted towards network administrators, not individual users. It's a threat diagnostic tool, not a prevention. You can't make everyone on your network suddenly be a guru of security. That's the admin's job. Writing this off as useless is ignorant.

    29. Re:or just use proper security by flowwolf · · Score: 1

      I thought EFF extension was the greater of the two, but now we know that it could be getting used by the enemy for greater exploit? Classic.

    30. Re:or just use proper security by maxwell+demon · · Score: 1

      You can't make everyone on your network suddenly be a guru of security. That's the admin's job.

      The admin's job is to make everyone on your network suddenly a guru of security? :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    31. Re:or just use proper security by maxwell+demon · · Score: 1

      Firefox 4 comes with HSTS

      Sorry, but that's an AIDU.
      (I admit I'm now TLTG)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    32. Re:or just use proper security by hitmark · · Score: 1

      And if one were to click the http link above, would force-tls then convert that to an https one?

      could it convert a random http facebook or wikipedia url to a https url?

      If it can, perhaps EFF should get in touch with the creator of the extension and combine efforts. This basically by having the EFF provide the extension with a preset of pages that will use https indefinitely.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
  2. Since this thing attacks Firesheep by Spy+Handler · · Score: 4, Funny

    shouldn't it be called Firefox?

    Oh wait...

    1. Re:Since this thing attacks Firesheep by Lord+Lode · · Score: 1

      More like Firewolf!

    2. Re:Since this thing attacks Firesheep by Faatal · · Score: 1

      It's a wolf in sheep's clothing

    3. Re:Since this thing attacks Firesheep by M.+Baranczak · · Score: 2, Funny

      Airwolf.

    4. Re:Since this thing attacks Firesheep by wowbagger · · Score: 1

      Firesheep is attacked by Icewolf, working in conjunction with Iceweasel.

    5. Re:Since this thing attacks Firesheep by karstdiver · · Score: 1

      Ralph E. Wolf vs. Sam Sheepdog

    6. Re:Since this thing attacks Firesheep by Anonymous Coward · · Score: 1, Funny

      LibreSheep!!

    7. Re:Since this thing attacks Firesheep by Anonymous Coward · · Score: 0

      I think you meant FireScot.

    8. Re:Since this thing attacks Firesheep by CarpetShark · · Score: 1

      Great Scott! Why would you want to fire him?!

    9. Re:Since this thing attacks Firesheep by Stregano · · Score: 1

      For some odd reason, this makes me want to bust out some Pokemon Blue

      --
      The world is how you make it
    10. Re:Since this thing attacks Firesheep by qubezz · · Score: 2, Interesting

      It should have been named white sheep, to prevent against black [hat/sheep] hackers.

    11. Re:Since this thing attacks Firesheep by gmhowell · · Score: 1

      Airwolf.

      An alcohol fueled browser?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  3. Secure login by Lord+Lode · · Score: 1

    Don't most big email and social network sites use a secure login, so that it won't work for firesheep? Are there any examples of large ones that don't? Thanks.

    1. Re:Secure login by marcansoft · · Score: 4, Informative

      Secure login doesn't matter. You need secure everything, or people can just steal your session cookie. That is almost as bad as having your login stolen.

    2. Re:Secure login by SgtKeeling · · Score: 3, Informative

      Most email and social network sites do use a secure login, but it's not logging in that's the issue. After you've logged in securely, your session information keeps getting sent back and forth over regular http, instead of https, and there is enough information in there for firesheep to impersonate you.

    3. Re:Secure login by SharpFang · · Score: 4, Insightful

      Firesheep doesn't steal login credentials; it only hijacks an (insecure) session that is already (securely) authenticated.

      You log in securely, you receive a cookie that proves you did. You present it to a webpage, the webpage allows you to access the content, because the cookie identifies and authorizes you. Then someone else obtains a copy of your cookie and their browser, upon presenting the cookie to the website, receives the same treatment as your own. Since the cookie is sent in plaintext in the headers of every common unencrypted connection, obtaining it is trivial (compared to secure login).

      Examples? Facebook, Myspace, Twitter, enough for you?

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    4. Re:Secure login by AdamsGuitar · · Score: 3, Informative

      The issue with Firesheep is session hijacking, not theft of login and password information.

    5. Re:Secure login by Mashiki · · Score: 1

      True story on that. About 2 years ago, one of the WoW forum heads had their session cookie stolen. Much luling was enjoyed by all as they started mass-posting spam, on their forums.

      --
      Om, nomnomnom...
    6. Re:Secure login by Jonner · · Score: 1

      If you were aware of the purpose of Firesheep, you'd know that it is quite effective, since so many large sites don't require the use of HTTPS.

    7. Re:Secure login by Anonymous Coward · · Score: 0

      Just attended a conference where I made liberal use of Firesheep, for the sake of testing the waters. You wouldn't believe how many different Twitter, Facebook, and Gmail accounts I could have hijacked if I'd wanted - in one session (probably about 10 minutes), I got the cookies of 15 separate accounts. Kind of ridiculous.

  4. So, to clarify... by Jugalator · · Score: 4, Insightful

    Since this extension only *informs* and does nothing else, such as actively disrupt Firesheep's functionality, you will still be busted if doing insecure communication on the network, see this warning suddenly pop up, and are already using Twitter/Facebook/...? And in this case, you would have to "ZOMGQUIT!!!" to have any chance of being safe.

    For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

    --
    Beware: In C++, your friends can see your privates!
    1. Re:So, to clarify... by dhawton · · Score: 0

      Log out. Sites that do proper coding should "terminate" the session anyway. Or at least empty the information on their end so that the session ID is no longer useful.

    2. Re:So, to clarify... by The+MAZZTer · · Score: 2, Insightful

      I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password. The website usually instructs the browser when to clear the session cookie (several weeks to several months, in my experience), but of course an attacker doesn't need to honor that request.

    3. Re:So, to clarify... by Anonymous Coward · · Score: 0

      I'd guess that on most websites, clicking "log out" would render the session ID no longer useful.

    4. Re:So, to clarify... by Barefoot+Monkey · · Score: 4, Informative

      For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

      As long as the hijacker keeps using your session the session will stay alive, even if you close your browser. But if you actually log out of the website then the hijacker gets kicked off too. So if Blacksheep tells you that someone's on your account then log out of Facebook immediately. Or, better yet, check that your email address hasn't been changed while the other guy's been on your account, then log out.

    5. Re:So, to clarify... by contra_mundi · · Score: 2, Insightful

      Depends on the implementation of the website. It could be that clicking "log out" only removes the cookie from your browser -> You are logged out.

      Making sure that someone else doesn't also have the cookie might be viewed as redundant, if this kind of security is not kept in mind while designing/coding the site. Perhaps it could even be removed as an optimization for a very popular service like Facebook.

    6. Re:So, to clarify... by LincolnQ · · Score: 1

      It depends on the website. Many websites do have the behavior you describe. But some will just delete your session cookie from your browser (without deleting it from the server) which would let the attacker keep using it.

    7. Re:So, to clarify... by John+Hasler · · Score: 1

      Would it be better for Blacksheep to log you out immediately? That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    8. Re:So, to clarify... by CrashandDie · · Score: 2, Informative

      As far as I know, Twitter doesn't behave this way. If you log out on machine_x, only machine_x is logged out. Not the attacker.

      GMail's "Destroy all other sessions" would be closer to the behaviour you're talking about.

    9. Re:So, to clarify... by Anonymous Coward · · Score: 1, Insightful

      Twitter does too. If you are sharing the same session cookie, if you logout, the cookie is no longer valid and the hacker gets kicked out.
      If it's two separate sessions to the same twitter account (two different session cookies) then what you mentioned is true but that is not what happens when someone uses firesheep.

    10. Re:So, to clarify... by TheCarp · · Score: 2, Informative

      However, two different "machines" (even two different browser sessions on the same machine) should get different session IDs. As such, this would be expected, since each session is independent. The session ID is, generally, just a cookie with a specific value; your browser hands this back with every request, thus associating each request with the session.

      So if you logout, and that invalidates the session, then this is to be expected, since each browser/machine has its own session cookie, each one is independent.

      This is not the situation for a hijacked session. The original session and the hijacker will both have the same ID. So when you log out, if that invalidates the session properly, then the hijacker is logged out too, even if other sessions are still active.

      Of course, this is "in general how it works". Most sites probably follow this model and will work this way. There is nothing to say all sites will. A site could easily correlate sessions and either allow only one session at a time for a user, or any number of things that would make it behave differently.... but usually you will have different sessions in each browser.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
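      The logout semantics discussed above (a hijacker holding a copy of the same cookie, logout that only clears the browser cookie versus logout that destroys the server-side record, the separate "log out all other sessions" option mentioned earlier, and idle expiry), as an added Python example that is not part of the thread or of BlackSheep; the in-memory store, the user names and the timestamps are constructed for illustration.

```python
"""Server-side session store showing why logout must invalidate the session
on the server, not just clear the cookie in the browser (added example;
all names and timings are constructed)."""
import secrets
import time


class SessionStore:
    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # session_id -> {"user": str, "expires": float}
        self._ttl = ttl_seconds

    def login(self, user, now=None):
        """Create a fresh, unguessable session ID for an authenticated user."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "expires": now + self._ttl}
        return sid

    def user_for(self, sid, now=None):
        """Return the user owning this session, or None if unknown/expired.
        Any successful use renews the idle timer, so a hijacker who keeps
        using a stolen cookie keeps the session alive."""
        now = time.time() if now is None else now
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= now:
            del self._sessions[sid]
            return None
        rec["expires"] = now + self._ttl
        return rec["user"]

    def logout_client_side_only(self, sid):
        """Weak pattern: tell the browser to drop the cookie but leave the
        server record intact. Anyone else holding the cookie stays logged in."""
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout(self, sid):
        """Proper logout: destroy the server record so every client presenting
        this cookie (including a hijacker) is rejected on its next request."""
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "sid=; Max-Age=0"}

    def logout_everywhere(self, user):
        """'Log out all other sessions': revoke every session of this user,
        including independent ones created on other devices."""
        doomed = [s for s, r in self._sessions.items() if r["user"] == user]
        for s in doomed:
            del self._sessions[s]
        return len(doomed)


def hijack_scenario():
    """Walk through the shared-cookie case and report who stays logged in."""
    store = SessionStore(ttl_seconds=600)
    victim_cookie = store.login("alice", now=0.0)
    stolen_cookie = victim_cookie  # an eavesdropper's copy of the same value
    phone_cookie = store.login("alice", now=0.0)  # independent session elsewhere
    r = {}
    r["both_valid_before_logout"] = (
        store.user_for(victim_cookie, now=1.0) == "alice"
        and store.user_for(stolen_cookie, now=2.0) == "alice")
    store.logout_client_side_only(victim_cookie)  # browser forgets, server doesn't
    r["hijacker_survives_weak_logout"] = store.user_for(stolen_cookie, now=3.0) == "alice"
    store.logout(victim_cookie)  # server record destroyed for both holders
    r["hijacker_after_proper_logout"] = store.user_for(stolen_cookie, now=4.0)
    r["phone_after_proper_logout"] = store.user_for(phone_cookie, now=5.0)
    r["revoked_count"] = store.logout_everywhere("alice")
    r["phone_after_revoke_all"] = store.user_for(phone_cookie, now=6.0)
    return r


def idle_expiry_scenario():
    """Sessions are not indefinite: unused past the TTL, they expire."""
    store = SessionStore(ttl_seconds=600)
    sid = store.login("bob", now=0.0)
    used_at_500 = store.user_for(sid, now=500.0) == "bob"    # renews to 1100
    used_at_1000 = store.user_for(sid, now=1000.0) == "bob"  # renews to 1600
    after_long_idle = store.user_for(sid, now=2000.0)        # expired -> None
    return used_at_500, used_at_1000, after_long_idle


if __name__ == "__main__":
    print(hijack_scenario())
    print(idle_expiry_scenario())
```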
    11. Re:So, to clarify... by drcheap · · Score: 1

      I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password.

      Yes, because they have infinite system resources to keep an unlimited number of indefinite sessions around.

      No, sessions have expirations, some longer than others.

    12. Re:So, to clarify... by drcheap · · Score: 1

      Depends on the implementation of the website. It could be that clicking "log out" only removes the cookie from your browser -> You are logged out.

      If that's the implementation, then said site deserves to be taken advantage of (and the developer fired).

      As for the poor unsuspecting users...well, sorry.

    13. Re:So, to clarify... by clone53421 · · Score: 1

      That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.

      No. Up to 5 minutes, by default. Blacksheep generates traffic with a fake session ID every 5 minutes, and it notifies you when the fake cookie is used. Your real session cookie can be stolen any time your browser talks to the Facebook server, and Blacksheep doesn’t detect that.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    14. Re:So, to clarify... by drcheap · · Score: 1

      And a less common, but better approach is to not simply trust the session ID supplied by the client as the sole method of post-login identification.

      For example, you could log the client IP address at session creation, and then re-verify with each request to detect a hijacker. Not completely foolproof (IP spoofing, man in middle, etc.), but a lot better nonetheless.

    15. Re:So, to clarify... by TheCarp · · Score: 1

      Yup, but in this case, it might not help.

      There are cases where you can't rely on this. I did some work on Tor "Location Hidden Services". In such a setup you will only ever see local IPs since the system does a double blind to prevent either side from knowing the other's IP. (Of course, it also guarantees end to "end" (the tor router, not actually the final process, but they are usually on the same box) encryption without the need for https.)

      That is a very strange case. However, this fails in much more mundane cases. Look at black sheep. What does it do? It watches network traffic. That implies that the attacker is on the local network. In many cases (think: most people's homes) this means being NAT'd through the same public IP... thus circumventing IP/session checks.

      --
      "I opened my eyes, and everything went dark again"
    16. Re:So, to clarify... by TheCarp · · Score: 1

      What you could do....

      Use javascript to implement Diffie-Hellman key exchange, and then use the shared key to embed authentication messages into requests. Since an eavesdropper can't easily divine the key, the server could easily detect and reject requests from a hijacker.

      This requires that the system be armored against replay attacks (reusing the same authentication message) but... doing so would also prevent form resubmissions, often a problem in web apps.

      --
      "I opened my eyes, and everything went dark again"
    17. Re:So, to clarify... by tgeller · · Score: 1

      Not a bad idea, but what if the snooper changed your Facebook account's email address during the minute between Blacksheep's checks? That person would pwn you permanently; you couldn't log back in, but the attacker could (by retrieving your password).

      --
      Tom Geller
    18. Re:So, to clarify... by Anonymous Coward · · Score: 0

      Well, if Blacksheep flooded the network with tons of fake session ids, then it could bury your real connection deep enough that Firesheep users might not find it. Kind of like a chaff plume... or the bad guy using the hall of mirrors to confuse spider man.

  5. So... by Anonymous Coward · · Score: 0

    ...what happens when you're on an unencrypted network and the FireSheep user picks the correct session ID anyway? I'd imagine choosing an encrypted network is still the better way to go.

  6. Sheepsafe by mosburger · · Score: 1

    See also: Sheepsafe. http://github.com/nicksieger/sheepsafe ... it's a simple Ruby script that automates setting up a SOCKS proxy for you on untrusted networks. I think it's only set up to work w/ OSX right now, but should be pretty simple to adapt to other unixy OSes.

  7. New Zealanders rejoice :) so much sheep :))) by Anonymous Coward · · Score: 0

    New Zealanders rejoice :) so much sheep :)))

  8. Wrong premise by Rosco+P.+Coltrane · · Score: 0

    People worrying about Firesheep, or any other form of password sniffing, all make one crucial wrong assumption, and it's that any aspect of their digital life is of any interest whatsoever. The truth is, unless you're someone who matters, nobody cares about your rambling on your blog, your Facebook account or your Facebook friends, what you tweet about, your nickserv password on IRC or your POP3 email password. Nobody... cares...

    And if you're someone who matters (no, really, no you), someone probably made sure your digital details are pretty secure for you. As for those who are very VERY important and famous, they have nothing to worry about, as their Twitter or Facebook accounts are usually fake, with one of their staff behind the keyboard, so they look cool and digital and in touch with their constituency to get more votes at the next election.

    Finally, those who might have something to hide from, say, the law, already know how to encrypt their partitions, run ssh tunnels or use TOR, and do that in a bar with a laptop using an insecure Wifi hotspot. Nobody can sniff any password from them if they stay careful.

    So in short, if you're a harmless Joe Blow, you can stop worrying about securing your digital presence: it only makes you look suspect if your computer or your communications are investigated for any reason. Your place in the Who's Nobody pretty much ensures your security and anonymity on the internet.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Wrong premise by Anonymous Coward · · Score: 1, Insightful

      The truth is, unless you're someone who matters, nobody cares about your rambling on your blog, your Facebook account or your Facebook friends, what you tweet about, your nickserv password on IRC or your POP3 email password. Nobody... cares...

      A half a million downloads of firesheep says you are wrong.

    2. Re:Wrong premise by asdf7890 · · Score: 3, Insightful

      So in short, if you're a harmless Joe Blow, you can stop worrying about securing your digital presence: it only makes you look suspect if your computer or your communications are investigated for any reason. Your place in the Who's Nobody pretty much ensures your security and anonymity on the internet.

      People thinking this, or not worrying about password sniffing in other forms, all make one crucial wrong assumption, and it's that protecting your account is often not about protecting the information you chose to publish.

      Once someone has access to your account, either by password sniffing or session hijacking, they can act as you, spamming your contacts and perhaps sending them off to sites that perform drive-by malware installs by posting links as if they had come from you.

      While you might be right that nobody cares specifically about one person's facebook account, there are certainly people out there who would love to pick up a large number of them for spamming purposes.

      Also for people who are daft enough to use the same password for multiple sites (actually I have one password for sites I don't care about, but for anything else I have separate passwords stored in keepass), sniffing their facebook/twitter/what-ever password could be far worse than getting their social networking account hijacked: it could give an attacker access to your webmail account from which they may be able to purloin enough data to gain access to your bank account and so forth.

    3. Re:Wrong premise by fuzzyfuzzyfungus · · Score: 3, Insightful

      People like you make two crucial assumptions; both wrong:

      1. Attacks are laborious: As spam demonstrates, evil can be automated. Thanks to automation, the effort required is so low that the number of rationally viable targets balloons enormously. Further, because security people and mail admins are constantly working against automated evil, the value of genuine "civilian" hosts/accounts/etc. from which to disguise hostile action is higher than it would otherwise be (a single mailserver on a 1Gb line can send more p3n1s p1llz spam, and is much easier to administer, than a huge number of home computers or hijacked hotmail accounts; but costs more and is easier to block).

      2. Humans are not, in a substantial number of cases, motivated purely by curiosity, voyeurism, or malice: People break into stuff merely because they can, or because they are hoping to access some of those private pictures from the blond across the coffee shop's account, or because they think that it would be hilarious to have you post "L0L shittingniggerdicks!!!!" to the facebook walls of all your friends and then leave you to explain that one to the dean.

    4. Re:Wrong premise by Observador · · Score: 1

      Slashdot needs a "+1 Retweet this comment" option...

      No, seriously. It's off-topic but I really think insightful comments [like the parent comment] should be given more exposure outside of /.

      --
      I wish I could filter out the annoying Pickens articles...
    5. Re:Wrong premise by Arancaytar · · Score: 1

      And if you're someone who matters (no, really, no you), someone probably made sure your digital details are pretty secure for you.

      Yeah, like that Alaskan politician who used a Yahoo email account. :P

    6. Re:Wrong premise by Anonymous Coward · · Score: 0

      Nobody... cares...

      The truth is quite the opposite, actually. We're not talking about being able to publish an ad on your blog, or changing your Facebook status to "screwed", but really stealing your identity.
      ID theft is the first step of many criminal scenarios, and stealing your Facebook, or mail account, is one very simple thing that can open many doors, as pointed out by asdf7890.
      In fact, VIPs are of no interest to thieves, because they know their ID is hard to steal (due to the security measures they use), and it would be far too risky to attempt to impersonate them (due to the fact that an investigation will very soon point out the criminal). OTOH, Mr Joe Blow is the perfect target. Nobody cares about him, so nobody will jump and call the FBI if all his money gets transferred to an anonymous account in the Cayman Islands. By the time Mr Blow calls the police, his money will be far, far away. Or his friends, totally infected by a trojan. And so on.
      Criminality is driven by a combination of factors, including how attractive the target is, how difficult it is to put your hands on it, how much risk you'd take, how weakly protected the target is, etc. Fort Knox is very attractive, but too protected. Your Facebook account is only slightly attractive, but so easy to steal that it will be stolen.

    7. Re:Wrong premise by MoeDumb · · Score: 1

      But how many of those half a million are look-sees that wind up in the trash?

      --
      Mod Me Up. You'll make a grown man cry.
    8. Re:Wrong premise by Anonymous Coward · · Score: 0

      Also for people who are daft enough to use the same password for multiple sites (actually I have one password for sites I don't care about, but for anything else I have separate passwords stored in keepass) sniffing their facebook/twitter/what-ever password could be far worse than getting their social networking account hijacked: it could give an attacker access to your webmail account from which they may be able purloin enough data to gain access to your bank account and so forth.

      Well don't worry. With Facebook's new single sign-on service hacking multiple accounts really is as simple as hijacking a session!

      New and Improved indeed...

    9. Re:Wrong premise by fbjon · · Score: 1

      The only problem being it's not actually an insightful comment, for the reasons given by other posts...

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  9. Master Yoda says: by TheWarp · · Score: 4, Funny

    Begun, the sheep wars have.

    1. Re:Master Yoda says: by Adult+film+producer · · Score: 0

      hey, I thought that was pretty funny :-) Screw the mods.

  10. Grrrrr. by Anonymous Coward · · Score: 0

    "BlackSheep" could not be installed because it is not compatible with your Firefox build type (Linux_x86-gcc3). Please contact the author of this item about the problem.

  11. HTTPS Everywhere by chebucto · · Score: 1

    This Firefox extension from the EFF will force an HTTPS connection if possible. It works with Firefox (i.e. keeps the connection in https mode throughout the session, not just during the login).

    --
    The English word fart is one of the oldest words in the English vocabulary.
  12. Tell that to these 170 'nobodies'... by Animaether · · Score: 2, Interesting

    The recent arrest of a 23-year-old California man who has allegedly hacked e-mail accounts of more than 170 women and posted sexually explicit pictures found within them to the victims' Facebook accounts has highlighted the need to limit the amount of personal information posted on various social networks.

    - http://www.net-security.org/secworld.php?id=10096

    1. Re:Tell that to these 170 'nobodies'... by canajin56 · · Score: 1

      Uploading naked pictures of yourself to an email server doesn't count as not doing anything interesting that's worth protecting ;)

      --
      ASCII stupid question, get a stupid ANSI
    2. Re:Tell that to these 170 'nobodies'... by maxwell+demon · · Score: 1

      Yeah, who cares if those pictures are naked. All we care about is if you are naked on the picture.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  13. Nobody? by contra_mundi · · Score: 3, Insightful

    You forget the '4chan' part of the problem. They will use this to ruin your (however unimportant you think it is) life and just for giggles.

  14. Counter-counter measures by embolalia · · Score: 2, Interesting

    How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?

    1. Re:Counter-counter measures by Timmmm · · Score: 1

      Indeed, for instance Firesheep could just use a different internet connection (e.g. 3G). Some websites check the source IP of the cookie, but most probably don't.

    2. Re:Counter-counter measures by Synonymous+Homonym · · Score: 1

      How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?

      Never. The purpose of Firesheep is to demonstrate the vulnerability of stupid websites.
      And Blacksheep does not protect from side-jacking at all, a black hat just needs to go through everything Firesheep captures and check which ones are fake.
      What Blacksheep does is warn you if someone tries to hijack your session, which fits with the original purpose of Firesheep, and probably does a better job than Sheepherder, at the expense of bandwidth.
      If you log out immediately it might minimize the damage a black hat could do, except for twitter, where logout is merely cosmetic - the session persists.
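
The decoy-cookie mechanism this reply describes, as an added example that is not BlackSheep's own code: a monitor plants a made-up session cookie value from its own address and flags any later request that presents that value from another address, which is a detection after the fact rather than protection. The class and function names (SessionCanary, scan) and the sample traffic are constructed for illustration.

```python
import re
import secrets


class SessionCanary:
    """Plant decoy session cookies and flag any later reuse of one.

    Hypothetical, simplified model of the BlackSheep idea: a decoy value is
    sent once over plain HTTP from our own address; any request that carries
    the same value from a different address means a sniffer replayed it.
    """

    def __init__(self, cookie_name, own_ip):
        self.cookie_name = cookie_name
        self.own_ip = own_ip
        self.decoys = set()

    def plant(self):
        """Mint a fresh, unguessable decoy value; the caller sends it out."""
        value = secrets.token_hex(16)
        self.decoys.add(value)
        return value

    def check(self, client_ip, cookie_header):
        """Return the decoy value if this request replays one of ours, else None."""
        pattern = r'(?:^|;\s*)' + re.escape(self.cookie_name) + r'=([^;]+)'
        m = re.search(pattern, cookie_header)
        if not m:
            return None
        value = m.group(1)
        # Our own client presenting the decoy is expected; anyone else is a replay.
        if value in self.decoys and client_ip != self.own_ip:
            return value
        return None


def scan(canary, observed):
    """Return [(ip, decoy)] for every observed (ip, Cookie header) that replays a decoy."""
    return [(ip, hit) for ip, hdr in observed if (hit := canary.check(ip, hdr))]


if __name__ == "__main__":
    canary = SessionCanary("sid", own_ip="10.0.0.5")
    decoy = canary.plant()
    # Constructed sample of what a passive monitor on the segment would see.
    traffic = [
        ("10.0.0.5", "sid=" + decoy),            # our own decoy going out
        ("10.0.0.9", "sid=abc123; lang=en"),     # unrelated session, not ours
        ("10.0.0.9", "lang=en; sid=" + decoy),   # someone replaying the decoy
    ]
    for ip, value in scan(canary, traffic):
        print("decoy session replayed from", ip, "value", value)
```

The alert names only the address that reused the decoy; as the reply notes, it cannot stop a real session from being replayed in the same way.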

  15. You Are Doing It WRONG. by Arancaytar · · Score: 1

    Let's say you have a house. You keep valuable things in it, but you don't have a front door. Anyone can just walk in.

    In particular, you've regularly noticed shifty-looking people entering your house carrying a large black bag in order to steal your stuff.

    Now from this, you might draw the conclusion that it is time to get a door and lock it.

    Or you could set up a sophisticated system of cameras and image analyzing software that will scan everyone walking down your street and sound a loud alarm if one of them is carrying a large black bag.

    For bonus points, overspecialize the system so that it only reacts to black bags, but not green ones.

    1. Re:You Are Doing It WRONG. by Anonymous Coward · · Score: 0

      Problem is, this technically isn't "your house" that the shifty people are breaking into. This is more like checking into a motel that doesn't have locks on its doors and there is no easy way to keep anyone from getting in.

      The only solution in this situation is to convince management that they need to replace all of their doors with doors that have locks.

      Considering the difficulty of that solution, analysis of what "has" happened to your insecure room is the next best thing.

    2. Re:You Are Doing It WRONG. by MarkGriz · · Score: 1

      A house?!! WTF, this is slashdot, can we please get a proper car analogy?

      --
      Beauty is in the eye of the beerholder.
  16. I'd rather have by Chrisq · · Score: 1

    I'd rather have this blacksheep myself.

  17. Counter Attack? by Anonymous Coward · · Score: 0

    If it tells you the IP, any thoughts on a tool to shut down that IP? Or find out who is using it? I guess you could always go to the person who is in charge of the network and block their computer from reconnecting - but oftentimes in a public WiFi, there isn't anyone.

    Personally, I would love to knock some kid over the head after finding out he is trying to steal my account/session.

    1. Re:Counter Attack? by Anonymous Coward · · Score: 0

      If you administrate the network, you could log into the wireless router settings and blacklist their MAC address (assuming they're not spoofing). If not, Ping of Death, LOIC, and MetaSploit come to mind.

      (Yes, I know that Ping of Death shouldn't work. But it wouldn't hurt to try it.)

      If nothing else, RST-spoofing would be pretty effective I imagine.

  18. Should Provide For Fun Trips To Starbucks by mastershake82 · · Score: 4, Funny

    Not because I care enough to use it to try to protect the 'sheep'. But I know that somebody will.

    I can't wait to be at Starbucks when a socially awkward 17 year old stands up triumphantly to save the day by alerting everyone that there is a 'Firesheeper' in the building hijacking their cookies!

    1. Re:Should Provide For Fun Trips To Starbucks by halcyon1234 · · Score: 2, Funny

      The first amendment doesn't give you the right to shout "Firesheep" in a crowded Starbucks.

  19. Anonymous Coward by Anonymous Coward · · Score: 0

    Note: "BlackSheep" could not be installed because it is not compatible with your Firefox build type (Linux_x86-gcc3).

    ac

  20. Tripwire? by mr100percent · · Score: 1

    That's not much of a tripwire, since your odds of activating it are sorta low.
    What about FireShepherd which actively jams Firesheep?

    1. Re:Tripwire? by Fnord666 · · Score: 1

      What about FireShepherd which actively jams Firesheep?

      Actively jams Firesheep or DDoS Facebook? The program sends a bogus request to Facebook with an interesting payload every 400ms. The assumption is that the payload somehow interferes with Firesheep. If enough people run this it could be interpreted as a DDoS attack.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  21. Don't worry... by Syberz · · Score: 2, Funny

    No need to worry folks, the FireSheep guys will come up with SheepDog which will make sure that BlackSheep stays the hell put dagnabbit and you'll be able to spy on your friends again in no time.

    --
    ~Syberz
  22. This is a good one too by plopez · · Score: 1
    --
    putting the 'B' in LGBTQ+
  23. NOT a viable solution by MichaelKristopeit128 · · Score: 0

    would the secret service declare an area clear if they sent a random pedestrian into an area and they were not harmed?

    if someone is waiting to hijack YOUR session with firesheep, and you are not using encryption for authentication, there is NOTHING you can do to predict it.

    1. Re:NOT a viable solution by Anonymous Coward · · Score: 0

      Apart from the fact that they don’t know which cookie belongs to you until they try using it.

    2. Re:NOT a viable solution by MichaelKristopeit128 · · Score: 0

      they don't? they can't watch their target enter an establishment and watch them log in and then use the newest cookie?

    3. Re:NOT a viable solution by Anonymous Coward · · Score: 0

      All they would need to do is make sure that BlackSheep sends a fake session cookie before they actually log into Facebook.

      Go ahead and watch them log in, that was really just BlackSheep sending a fake session cookie and they know you’re listening now.

    4. Re:NOT a viable solution by Anonymous Coward · · Score: 0

      You can’t see my computer screen. Now what, smartass?

      why do you cower? what are you afraid of?

      If you box with shadows for long enough, do you win?

    5. Re:NOT a viable solution by MichaelKristopeit131 · · Score: 0

      wait until you leave and then hijack every session.

      i can't figure out if you're more pathetic or ignorant.

      if i box with you, you'd die.

    6. Re:NOT a viable solution by Anonymous Coward · · Score: 0

      I logged out. You fail, sucker.

    7. Re:NOT a viable solution by MichaelKristopeit140 · · Score: 0

      there is still an obvious window of opportunity... allowing someone to exploit it is ALWAYS a fail on the part of the person allowing the exploitation.

      you're an idiot.

      why do you cower? what are you afraid of? you don't know how to protect your sessions?

  24. 'It has begun' by ThatsNotPudding · · Score: 1

    Sheep Wars

  25. Someone needs to open a dictionary by scdeimos · · Score: 1

    BlackSheep is not a counter-measure, it doesn't attack Firesheep. It is only a detector.

  26. Pretend security by RichiH · · Score: 1

    1) I can sniff and use the credentials later. Matter of fact, I would _only_ do that as I _know_ the other guy is active atm.
    2) It tells you if you are being sniffed after the fact
    3) Use a VPN while on public, shared networks. Always.