Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firesheep Countermeasure Tool BlackSheep

Posted by CmdrTaco on from the baa-ram-yew dept.

Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitors traffic to see if it has been hijacked."

31 of 122 comments (clear)

  1. or just use proper security by datapharmer · · Score: 4, Insightful

    Or you could just force tls/ssl on sites that support it and render firesheep useless. Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

    --
    Get a web developer
    1. Re:or just use proper security by iammani · · Score: 5, Informative

      Exactly, this is what EFF's Firefox Addon does

    2. Re:or just use proper security by mounthood · · Score: 2, Funny

      Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

      But if we did have an Add-on which "alerted that your information just got stolen" we could call it "Wake Up Sheeple!"

      --
      tomorrow who's gonna fuss
    3. Re:or just use proper security by datapharmer · · Score: 2, Interesting

      well kind of... that plugin fails in that it requires you to add in each domain you want to use ssl for. I would recommend force-tls for firefox and KB SSL enforcer for chrome (the second is not completely secure due to chrome's design, but hoping that will be fixed soon).

      --
      Get a web developer
    4. Re:or just use proper security by iammani · · Score: 3, Informative

      Mmm neat, but force-tls is not helpful for wikipedia (and other similar sites), that need mapping from en.wikipedia.org/wiki/Google to secure.wikimedia.org/wikipedia/en/wiki/Google

    5. Re:or just use proper security by iammani · · Score: 3, Informative

      Mmm I have not pasted the link properly... EFF's plugin can map automatically from http://en.wikipedia.org/wiki/Google to https://secure.wikimedia.org/wikipedia/en/wiki/Google It is not possible with force-tls

    6. Re:or just use proper security by fuzzyfuzzyfungus · · Score: 2, Informative

      Tools for detecting malicious actors certainly have their place(even if you are cryptographically protected from them, it's always nice to know what sort of neighborhood you are currently in); but the idea of playing cat-and-mouse when you could be playing cat and enciphered-such-that-it-will-be-inedible-long-after-the-sun-has-devoured-the-inner-planets-mouse is seriously head -> desk...

    7. Re:or just use proper security by iammani · · Score: 3, Informative

      Spot-on, Force-tls actually prevents DNS spoffing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ from starbucks, someone might spoof the dns and redirect you to their own page rather than https://www.bankofamerica.com/ . Force-tls prevents this by not requesting for the http page and directly requesting for the secure page (it knows for what pages it has to request using https, by remembering the last time you visited the site (to be more specific, whether the site had sent a X-Force-TLS when you had visited them before)).

    8. Re:or just use proper security by Monkeedude1212 · · Score: 2, Insightful

      I suppose thats an equally effective countermeasure.

  2. Since this thing attacks Firesheep by Spy+Handler · · Score: 4, Funny

    shouldn't it be called Firefox?

    Oh wait...

    1. Re:Since this thing attacks Firesheep by M.+Baranczak · · Score: 2, Funny

      Airwolf.

    2. Re:Since this thing attacks Firesheep by qubezz · · Score: 2, Interesting

      It should have been named white sheep, to prevent against black [hat/sheep] hackers.

  3. So, to clarify... by Jugalator · · Score: 4, Insightful

    Since this extension only *informs* and does nothing else, such as actively disrupt Firesheep's functionality, you will still be busted if doing insecure communication on the network, see this warning suddenly pop up, and are already using Twitter/Facebook/...? And in this case, you would have to "ZOMGQUIT!!!" to have any chance of being safe.

    For how long can a session be hijacked anyway? If you close your browser, is the seesion instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

    --
    Beware: In C++, your friends can see your privates!
    1. Re:So, to clarify... by The+MAZZTer · · Score: 2, Insightful

      I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password. The website usually instructs the browser when to clear the session cookie (several weeks to several months, in my experience), but of course an attacker doesn't need to honor that request.

    2. Re:So, to clarify... by Barefoot+Monkey · · Score: 4, Informative

      For how long can a session be hijacked anyway? If you close your browser, is the seesion instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

      As long as the hijacker keeps using your session the session will stay alive, even if you close your browser. But if you actually log out of the website then the hijacker gets kicked off too. So if Blacksheep tells you that someone's on your account then log out of Facebook immediately. Or, better yet, check that your email address hasn't been changed while the other guy's been on your account, then log out.

    3. Re:So, to clarify... by contra_mundi · · Score: 2, Insightful

      Depends on the implementation of the website. It could be that clicking "log out" only removes the cookie from your browser -> You are logged out.

      Making sure that someone else doesn't also have the cookie might be viewed as redundant, if this kind of security is not kept in mind while designing/coding the site. Perhaps it could even be removed as an optimization for a very popular service like Facebook.

    4. Re:So, to clarify... by CrashandDie · · Score: 2, Informative

      As far as I know, Twitter doesn't behave this way. If you log out on machine_x, only machine_x is logged out. Not the attacker.

      GMail's "Destroy all other sessions" would be closer to the behaviour you're talking about.

    5. Re:So, to clarify... by TheCarp · · Score: 2, Informative

      However two different "machines" (even two different browser sessions on the same machine) should get different session IDs. As such, this would be expected, since each session is independent. The session ID is, generally, just a cookie with a specific value, your browser hands this back with every request, thus associating each request to the session.

      So if you logout, and that invalidates the session, then this is to be expected, since each browser/machine has its own session cookie, each one is independent.

      This is not the situation for a hijacked session. The original session and the hijacker will both have the same ID. So when you log out, if that invalidates the session properly, then the hijacker is logged out too, even if other sessions are still active.

      Of course, this is "in general how it works". Most sites probably follow this model and will work this way. There is nothing to say all sites will. A site could easily correlate sessions and either allow only one session at a time for a user, or any number of things that would make it behave differently.... but usually you will have different sessions in each browser.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  4. Re:Secure login by marcansoft · · Score: 4, Informative

    Secure login doesn't matter. You need secure everything, or people can just steal your session cookie. That is almost as bad as having your login stolen.

  5. Re:Secure login by SgtKeeling · · Score: 3, Informative

    Most email and social network site do use a secure login, but it's not logging in that's the issue. After you've logged in securely, your session information keeps getting sent back and forth over regular http, instead of https, and there is enough information in there for firesheep to impersonate you.

  6. Re:Secure login by SharpFang · · Score: 4, Insightful

    Firesheep doesn't steal login credentials, only hijacks (insecure) session already (securely) authenticated.

    You log in securely, you receive a cookie that proves you did. You present it to a webpage, the webpage allows you to access the content, because the cookie identifies and authorizes you. Then someone else obtains a copy of your cookie and their browser, upon presenting the cookie to the website, receives the same treatment as your own. Since the cookie is sent in plaintext in headers of every common unencrypted connection, obtaining it is trivial (compared to secure login)

    Examples? Facebook, Myspace, Twitter, enough for you?

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  7. Re:Secure login by AdamsGuitar · · Score: 3, Informative

    The issue with Firesheep is session hijacking, not theft of login and password information.

  8. Re:Wrong premise by asdf7890 · · Score: 3, Insightful

    So in short, if you're a harmless Joe Blow, you can stop worrying about securing your digital presence: it only makes you look suspect if your computer or your communications are investigated for any reason. Your place in the Who's Nobody pretty much ensures your security and anonymity on the internet.

    People thinking this, or not worrying about password sniffing in other forms, all make one crucial wrong assumption, and it's that protecting your account is often not about protecting the information you chose to publish.

    Once someone has access to your account either by password sniffing or session hijacking can act as you, spamming your contacts and perhaps sending them off to sites that perform drive-by malware installs by posting links as if they had come from you.

    While you might be right that nobody cares specifically about one person's facebook account, there are certainly people out there who would love to pick up a large number of them for spamming purposes.

    Also for people who are daft enough to use the same password for multiple sites (actually I have one password for sites I don't care about, but for anything else I have separate passwords stored in keepass) sniffing their facebook/twitter/what-ever password could be far worse than getting their social networking account hijacked: it could give an attacker access to your webmail account from which they may be able purloin enough data to gain access to your bank account and so forth.

  9. Master Yoda says: by TheWarp · · Score: 4, Funny

    Begun, the sheep wars have.

  10. Tell that to these 170 'nobodies'... by Animaether · · Score: 2, Interesting

    The recent arrest of a 23-year-old California man that has allegedly hacked e-mail accounts of more than 170 women and posted sexually explicit pictures found within them to the victims' Facebook accounts, has highlighted the need to limit the amount of personal information posted on various social networks.

    - http://www.net-security.org/secworld.php?id=10096

  11. Nobody? by contra_mundi · · Score: 3, Insightful

    You forget the '4chan' part of the problem. They will use this to ruin your (however unimportant you think it is) life and just for giggles.

  12. Counter-counter measures by embolalia · · Score: 2, Interesting

    How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?

  13. Re:Wrong premise by fuzzyfuzzyfungus · · Score: 3, Insightful

    People like you make two crucial assumptions; both wrong:

    1. Attacks are laborious: As spam demonstrates, evil can be automated. Thanks to automation, the effort required is so low that the number of rationally viable targets balloons enormously. Further, because security people and mail admins are constantly working against automated evil, the value of genuine "civilian" hosts/accounts/etc. from which to disguise hostile action is higher than it would otherwise be(a single mailserver on a 1Gb line can send more p3n1s p1llz spam, and is much easier to administer, than a huge number of home computers or hijacked hotmail accounts; but costs more and is easier to block).

    2. Humans are not, in a substantial number of cases, motivated purely by curiosity, voyeurism, or malice: People break into stuff merely because they can, or because they are hoping to access some of those private pictures from the blond across the coffee shop's account, or because they think that it would be hilarious to have you post "L0L shittingniggerdicks!!!!" to the facebook walls of all your friends and then leave you to explain that one to the dean.

  14. Should Provide For Fun Trips To Starbucks by mastershake82 · · Score: 4, Funny

    Not because I care enough to use it to try to protect the 'sheep'. But I know that somebody will.

    I can't wait to be at Starbucks when a socially awkward 17 year old stands up triumphantly to save the day by alerting everyone that there is a 'Firesheeper' in the building hijacking their cookies!

    1. Re:Should Provide For Fun Trips To Starbucks by halcyon1234 · · Score: 2, Funny

      The first amendment doesn't give you the right to shout "Firesheep" in a crowded Starbucks.

      --
      UTF-8: There and Back Again
  15. Don't worry... by Syberz · · Score: 2, Funny

    No need to worry folks, the FireSheep guys will come up with SheepDog which will make sure that BlackSheep stays the hell put dagnabbit and you'll be able to spy on your friends again in no time.

    --
    ~Syberz