
Firesheep Countermeasure Tool BlackSheep

Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitors traffic to see if it has been hijacked."


  1. or just use proper security by datapharmer · · Score: 4, Insightful

    Or you could just force tls/ssl on sites that support it and render firesheep useless. Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

    --
    Get a web developer
    1. Re:or just use proper security by Monkeedude1212 · · Score: 2, Insightful

      I suppose that's an equally effective countermeasure.

  2. So, to clarify... by Jugalator · · Score: 4, Insightful

    Since this extension only *informs* and does nothing else, such as actively disrupt Firesheep's functionality, you will still be busted if doing insecure communication on the network, see this warning suddenly pop up, and are already using Twitter/Facebook/...? And in this case, you would have to "ZOMGQUIT!!!" to have any chance of being safe.

    For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

    --
    Beware: In C++, your friends can see your privates!
    1. Re:So, to clarify... by The+MAZZTer · · Score: 2, Insightful

      I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password. The website usually instructs the browser when to clear the session cookie (several weeks to several months, in my experience), but of course an attacker doesn't need to honor that request.

    2. Re:So, to clarify... by contra_mundi · · Score: 2, Insightful

      Depends on the implementation of the website. It could be that clicking "log out" only removes the cookie from your browser -> You are logged out.

      Making sure that someone else doesn't also have the cookie might be viewed as redundant, if this kind of security is not kept in mind while designing/coding the site. Perhaps it could even be removed as an optimization for a very popular service like Facebook.

    3. Re:So, to clarify... by Anonymous Coward · · Score: 1, Insightful

      Twitter does too. If you are sharing the same session cookie, if you logout, the cookie is no longer valid and the hacker gets kicked out.
      If it's two separate sessions to the same twitter account (two different session cookies) then what you mentioned is true but that is not what happens when someone uses firesheep.

  3. Re:Secure login by SharpFang · · Score: 4, Insightful

    Firesheep doesn't steal login credentials, it only hijacks an (insecure) session that was already (securely) authenticated.

    You log in securely, you receive a cookie that proves you did. You present it to a webpage, the webpage allows you to access the content, because the cookie identifies and authorizes you. Then someone else obtains a copy of your cookie and their browser, upon presenting the cookie to the website, receives the same treatment as your own. Since the cookie is sent in plaintext in the headers of every common unencrypted connection, obtaining it is trivial (compared to secure login).

    Examples? Facebook, Myspace, Twitter, enough for you?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
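    As an added illustration (example code written for this page, not from Firesheep, BlackSheep or any site named above) of the point made in the comments above: a presented cookie is all the server sees, so a "log out" that only clears the browser's cookie leaves a copied cookie valid, whereas server-side invalidation or expiry rejects it. The session store, the 30-day lifetime and the clock are all constructed assumptions.

    ```python
    import secrets

    # Constructed assumption: a site keeps sessions server-side with a 30-day
    # lifetime ("several weeks to several months", as a comment above puts it).
    SESSION_TTL_SECONDS = 30 * 24 * 60 * 60


    class SessionStore:
        """Minimal in-memory stand-in for a web application's session table."""

        def __init__(self, clock):
            self._clock = clock            # injectable clock so expiry can be tested
            self._sessions = {}            # session id -> (user, expiry timestamp)

        def login(self, user):
            """After (assumed-secure) authentication, issue a fresh random session id."""
            sid = secrets.token_urlsafe(32)
            self._sessions[sid] = (user, self._clock() + SESSION_TTL_SECONDS)
            return sid

        def user_for(self, sid):
            """Who the server treats a presented cookie as, or None if it is not valid.
            Note the server cannot tell which browser is presenting the cookie."""
            entry = self._sessions.get(sid)
            if entry is None:
                return None
            user, expires_at = entry
            if self._clock() >= expires_at:
                del self._sessions[sid]    # expired: treat as logged out
                return None
            return user

        def logout(self, sid):
            """Server-side logout: the id itself stops working for every holder."""
            self._sessions.pop(sid, None)


    def run_scenarios():
        """Walk through the cases discussed above and report which cookies still work."""
        now = [1_000_000.0]
        store = SessionStore(clock=lambda: now[0])
        results = {}
        original = store.login("alice")
        copied = original                  # a second browser holding an identical copy
        results["copy_accepted"] = store.user_for(copied) == "alice"
        original = None                    # client-only "logout": cookie cleared locally only
        results["valid_after_client_logout"] = store.user_for(copied) == "alice"
        store.logout(copied)               # server-side logout invalidates the shared id
        results["valid_after_server_logout"] = store.user_for(copied) == "alice"
        fresh = store.login("alice")
        now[0] += SESSION_TTL_SECONDS + 1  # constructed: advance past the lifetime
        results["valid_after_expiry"] = store.user_for(fresh) == "alice"
        return results
    ```

    The same reasoning is why pairing server-side invalidation with a cookie that is only ever sent over TLS (as the first comment suggests) closes the window that a warning-only tool can merely report on.
    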
  4. Re:Wrong premise by Anonymous Coward · · Score: 1, Insightful

    The truth is, unless you're someone who matters, nobody cares about your rambling on your blog, your Facebook account or your Facebook friends, what you tweet about, your nickserv password on IRC or your POP3 email password. Nobody... cares...

    Half a million downloads of firesheep says you are wrong.

  5. Re:Wrong premise by asdf7890 · · Score: 3, Insightful

    So in short, if you're a harmless Joe Blow, you can stop worrying about securing your digital presence: it only makes you look suspect if your computer or your communications are investigated for any reason. Your place in the Who's Nobody pretty much ensures your security and anonymity on the internet.

    People thinking this, or not worrying about password sniffing in other forms, all make one crucial wrong assumption, and it's that protecting your account is often not about protecting the information you chose to publish.

    Once someone has access to your account, either by password sniffing or session hijacking, they can act as you, spamming your contacts and perhaps sending them off to sites that perform drive-by malware installs by posting links as if they had come from you.

    While you might be right that nobody cares specifically about one person's facebook account, there are certainly people out there who would love to pick up a large number of them for spamming purposes.

    Also, for people who are daft enough to use the same password for multiple sites (actually I have one password for sites I don't care about, but for anything else I have separate passwords stored in keepass), sniffing their facebook/twitter/what-ever password could be far worse than getting their social networking account hijacked: it could give an attacker access to your webmail account, from which they may be able to purloin enough data to gain access to your bank account and so forth.

  6. Nobody? by contra_mundi · · Score: 3, Insightful

    You forget the '4chan' part of the problem. They will use this to ruin your (however unimportant you think it is) life and just for giggles.

  7. Re:Wrong premise by fuzzyfuzzyfungus · · Score: 3, Insightful

    People like you make two crucial assumptions; both wrong:

    1. Attacks are laborious: As spam demonstrates, evil can be automated. Thanks to automation, the effort required is so low that the number of rationally viable targets balloons enormously. Further, because security people and mail admins are constantly working against automated evil, the value of genuine "civilian" hosts/accounts/etc. from which to disguise hostile action is higher than it would otherwise be (a single mailserver on a 1Gb line can send more p3n1s p1llz spam, and is much easier to administer, than a huge number of home computers or hijacked hotmail accounts; but costs more and is easier to block).

    2. Humans are not, in a substantial number of cases, motivated purely by curiosity, voyeurism, or malice: People break into stuff merely because they can, or because they are hoping to access some of those private pictures from the blond across the coffee shop's account, or because they think that it would be hilarious to have you post "L0L shittingniggerdicks!!!!" to the facebook walls of all your friends and then leave you to explain that one to the dean.