Firesheep Countermeasure Tool BlackSheep 122
Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a countermeasure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitoring traffic to see if it has been hijacked."
or just use proper security (Score:5, Insightful)
Re:or just use proper security (Score:5, Informative)
Exactly, this is what EFF's Firefox Addon does [eff.org]
Re: (Score:2)
Much, much better solution than this "Blacksheep" tool if you ask me. Blacksheep simply isn't doing this right.
Re: (Score:1)
Firesheep users are generally not malicious actors... just pranksters. Ironically, a real malicious actor would just use Firesheep to just grab sessions and then use SSL as described to actually use them, which would be beyond what BlackSheep could deal with. I wonder if that is already doable with the install of the EFF extension and Firesheep and no other modification.
Re: (Score:2)
My concern would be exploitation of the vector that firesheep draws attention to. If your machine is 0wned and part of a botnet, this
Re: (Score:1)
The admin's job is to make everyone on your network suddenly a guru of security? :-)
Re:or just use proper security (Score:4, Informative)
Mmm neat, but force-tls is not helpful for wikipedia (and other similar sites), that need mapping from en.wikipedia.org/wiki/Google to secure.wikimedia.org/wikipedia/en/wiki/Google
Re:or just use proper security (Score:4, Informative)
Mmm I have not pasted the link properly... EFF's plugin can map automatically from http://en.wikipedia.org/wiki/Google [wikipedia.org] to https://secure.wikimedia.org/wikipedia/en/wiki/Google [wikimedia.org] It is not possible with force-tls
Re: (Score:2)
Force-tls seems to depend on the page telling the browser to use tls, not sure how different that is from a frontpage that redirects to https. The EFF extension however alters any attempt to access one of the domains it is set up with to https, and does so based on user, rather than page, settings.
Re:or just use proper security (Score:4, Informative)
Spot-on, Force-tls actually prevents DNS spoofing attacks and nothing more. Say you try to visit http://www.bankofamerica.com/ [bankofamerica.com] from starbucks, someone might spoof the dns and redirect you to their own page rather than https://www.bankofamerica.com/ [bankofamerica.com] . Force-tls prevents this by not requesting the http page and directly requesting the secure page (it knows for what pages it has to request using https, by remembering the last time you visited the site (to be more specific, whether the site had sent a X-Force-TLS when you had visited them before)).
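The two mechanisms the thread compares, as an added example (not code from Force-TLS, HTTPS Everywhere or BlackSheep): a Force-TLS/HSTS-style cache only upgrades a host after it has once seen that host send an `X-Force-TLS` (or the later standard `Strict-Transport-Security`) header, so the very first visit still goes out over http; a rule-based rewriter of the kind HTTPS Everywhere uses can upgrade on the first visit and can also change the hostname, as in the en.wikipedia.org to secure.wikimedia.org case above. The rewrite rules below are constructed for illustration and are not the EFF's real ruleset.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed, HTTPS Everywhere-style rules (hypothetical, not the EFF's ruleset):
# (pattern, replacement) applied to the whole URL; first match wins.
REWRITE_RULES = [
    (re.compile(r"^http://en\.wikipedia\.org/wiki/(.*)$"),
     r"https://secure.wikimedia.org/wikipedia/en/wiki/\1"),
    (re.compile(r"^http://(www\.)?facebook\.com/(.*)$"),
     r"https://www.facebook.com/\2"),
]


class HstsCache:
    """Remembers hosts that have previously sent a Force-TLS / HSTS header.

    This is the Force-TLS behaviour described above: nothing is upgraded
    until the browser has already talked to the site once and seen the header.
    """

    def __init__(self):
        self.hosts = set()

    def observe_response(self, host, headers):
        # Header names are case-insensitive. X-Force-TLS was the add-on's own
        # header; Strict-Transport-Security is the standardised HSTS name.
        for name in headers:
            if name.lower() in ("x-force-tls", "strict-transport-security"):
                self.hosts.add(host.lower())

    def upgrade(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def rewrite(url, cache):
    """Rule-based rewrite first (works on a first visit and may change the
    host); otherwise fall back to the remembered-host upgrade."""
    for pattern, repl in REWRITE_RULES:
        if pattern.match(url):
            return pattern.sub(repl, url)
    return cache.upgrade(url)
```

A site that is in neither the rules nor the cache is left on http, which is the "on sites that support it" limitation raised further down: the client can only force TLS where the server actually serves the content over TLS.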
Re: (Score:2)
And if one were to click the http link above, would force-tls then convert that to an https?
could it convert a random http facebook or wikipedia url to an https url?
If it can, perhaps EFF should get in touch with the creator of the extension and combine efforts. This basically by having the EFF provide the extension with a preset of pages that will use https indefinitely.
Re: (Score:2)
on sites that support it
And therein lies the problem.
Re: (Score:3, Funny)
Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.
But if we did have an Add-on which "alerted that your information just got stolen" we could call it "Wake Up Sheeple!"
Re: (Score:2)
Firefox users are using software which actively discourages use of ssl and other secure connections. They're unlikely to set their browsers to use secure connections by default.
Re: (Score:1)
Firefox 4 comes with HSTS
Sorry, but that's an AIDU.
(I admit I'm now TLTG)
Re: (Score:2)
Some sites don't support SSL. Hotmail for instance.
Re: (Score:2)
Hotmail has had HTTPS support for a while now. All you have to do is visit https://www.hotmail.com/ [hotmail.com] and as soon as it logs on click on always https (hotmails prompts you for it).
And most websites I use support https (if not they lose the tinfoil market)
Re: (Score:2)
Actually, that doesn't work. I'm able to log in but then it fails on the next page load.
The issue is that if you login without https it redirects you to a https page FOR LOGIN ONLY. Everything else is unencrypted past that point. The trick you supplied is forcing it to use https after login and that is not supported. At least on Firefox.
Re: (Score:2)
It does work for me (without using EFF's addon). Do try visiting https://account.live.com/ManageSSL [live.com] , where you can set this up. Not sure why simply visiting https://www.hotmail.com/ [hotmail.com] does not work for you.
And I do understand what you're looking for is https even beyond logon. The one I had mentioned (in this post and the prev post) is exactly for this purpose.
Re: (Score:2)
Oopsie, I forgot to mention, you need a live plus account to be able to change settings at https://account.live.com/ManageSSL [live.com] . But still visiting https://www.hotmail.com/ [hotmail.com] should still work for non-paying users. Here is a source if you are interested... http://lifehacker.com/5684326/hotmail-adds-always+on-secure-https-connection-option [lifehacker.com]
Re: (Score:2)
Important note: Turning on HTTPS will work for Hotmail over the web, but it will cause errors if you try to access Hotmail through programs like:
* Outlook Hotmail Connector
MS is really screwing this up. I use the Outlook connector on a different computer. So now I can have either HTTPS or the connector.
Re: (Score:2)
> https://www.hotmail.com/ [hotmail.com]
Hmm...I get a warning thrown up by the SSLPasswdWarning FF plugin (actually on the hotmail-redirected login.live.com):
Warning!!!
The password field you have selected will transmit your information over an unencrypted and insecure connection.
The form submits to:
UNKNOWN (or handled in Javascript)
Anybody verified, that this actually gets handled via SSL (in JS or whatever)?
Re: (Score:1)
http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765 [facebook.com]
Re: (Score:2)
Speaking of which - what does Slashdot use? I don't see an HTTPS in my urls...
Couldn't someone sidejack a Slashdot Session?
Re: (Score:2)
In recent threads about Firesheep in regards to Slashdot I had seen several times the suggestion to use:
https://slashdot.org/my/login [slashdot.org]
Yes, there is an SSL-page for login. After login it then redirects to the main /. page (http).
So far so good except...I am still NOT logged in! Anybody know, what the deal is with that?
Re: (Score:3, Insightful)
I suppose that's an equally effective countermeasure.
Since this thing attacks Firesheep (Score:5, Funny)
Oh wait...
Re: (Score:2)
More like Firewolf!
Re: (Score:3, Funny)
Airwolf.
Re: (Score:1, Funny)
LibreSheep!!
Re: (Score:2)
Airwolf.
An alcohol fueled browser?
Re: (Score:1)
It's a wolf in sheep's clothing
Re: (Score:2)
Firesheep is attacked by Icewolf, working in conjunction with Iceweasel.
Re: (Score:2)
Great Scott! Why would you want to fire him?!
Secure login (Score:2)
Don't most big email and social network sites use a secure login, so that it won't work for firesheep? Are there any examples of large ones that don't? Thanks.
Re:Secure login (Score:5, Informative)
Secure login doesn't matter. You need secure everything, or people can just steal your session cookie. That is almost as bad as having your login stolen.
Re: (Score:2)
True story on that. About 2 years ago, one of the WoW forum heads had their session cookie stolen. Much luling was enjoyed by all as they started mass-posting spam, on their forums.
Re:Secure login (Score:5, Insightful)
Firesheep doesn't steal login credentials, only hijacks (insecure) sessions already (securely) authenticated.
You log in securely, you receive a cookie that proves you did. You present it to a webpage, the webpage allows you to access the content, because the cookie identifies and authorizes you. Then someone else obtains a copy of your cookie and their browser, upon presenting the cookie to the website, receives the same treatment as your own. Since the cookie is sent in plaintext in headers of every common unencrypted connection, obtaining it is trivial (compared to secure login)
Examples? Facebook, Myspace, Twitter, enough for you?
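The recognition step the post describes, as an added example (my code, not Firesheep's): every plaintext request carries the Cookie header in the clear, so a sniffer on the same network only needs to know, per site, which cookie names make up the authenticated session, and to collect requests where all of them are present. The capture below is constructed, and the cookie names in the per-site table are illustrative assumptions rather than a claim about those sites' real cookies. The server-side fix is the cookie `Secure` attribute plus serving the whole site over TLS: a `Secure` cookie is never sent over http, so it cannot appear in a capture like this in the first place.

```python
# Constructed capture of plaintext HTTP requests as seen on an open WiFi
# network (example data, not a real capture): (source IP, raw request bytes).
CAPTURE = [
    ("10.0.0.7", b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
                 b"Cookie: datr=abc123; c_user=100001; xs=7%3Adeadbeef\r\n\r\n"),
    ("10.0.0.9", b"GET /timeline HTTP/1.1\r\nHost: twitter.com\r\n"
                 b"Cookie: _twitter_sess=BAh7CToPY3JlYXRlZF9hdA\r\n\r\n"),
    ("10.0.0.7", b"GET /search?q=x HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

# Per-site "handler": which cookie names together form the session.
# Illustrative assumptions, not the sites' actual cookie layout.
SESSION_COOKIES = {
    "www.facebook.com": {"c_user", "xs"},
    "twitter.com": {"_twitter_sess"},
}


def parse_headers(raw):
    """Split a raw HTTP request into (request line, {lowercased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def parse_cookie(value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; bare tokens are ignored."""
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            jar[name] = val
    return jar


def sidejack_candidates(capture):
    """Return (client_ip, host, session_cookies) for every request that puts a
    complete, replayable session on the wire. Login credentials are never
    needed: the cookie alone is what the server trusts."""
    found = []
    for src, raw in capture:
        _, headers = parse_headers(raw)
        host = headers.get("host", "").lower()
        wanted = SESSION_COOKIES.get(host)
        if not wanted or "cookie" not in headers:
            continue
        jar = parse_cookie(headers["cookie"])
        session = {k: v for k, v in jar.items() if k in wanted}
        if session.keys() == wanted:   # partial sessions are not replayable
            found.append((src, host, session))
    return found
```

Note that the third request leaks nothing useful only because example.org is not in the handler table; a Firesheep-style tool is limited by its handlers, not by the protocol, and any site that sends its session cookie over http is exposed the same way.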
Re: (Score:2)
If you were aware of the purpose of Firesheep [codebutler.com], you'd know that it is quite effective, since so many large sites don't require the use of HTTPS.
So, to clarify... (Score:5, Insightful)
Since this extension only *informs* and does nothing else, such as actively disrupt Firesheep's functionality, you will still be busted if doing insecure communication on the network, see this warning suddenly pop up, and are already using Twitter/Facebook/...? And in this case, you would have to "ZOMGQUIT!!!" to have any chance of being safe.
For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).
Re: (Score:1)
I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password.
Yes, because they have infinite system resources to keep an unlimited number of indefinite sessions around.
No, sessions have expirations, some longer than others.
Re: (Score:2, Insightful)
Making sure that someone else doesn't also have the cookie might be viewed as redundant, if this kind of security is not kept in mind while designing/coding the site. Perhaps it could even be removed as an optimization for a very popular service like Facebook.
Re: (Score:1)
Depends on the implementation of the website. It could be that clicking "log out" only removes the cookie from your browser -> You are logged out.
If that's the implementation, then said site deserves to be taken advantage of (and the developer fired).
As for the poor unsuspecting users...well, sorry.
Re:So, to clarify... (Score:4, Informative)
For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).
As long as the hijacker keeps using your session the session will stay alive, even if you close your browser. But if you actually log out of the website then the hijacker gets kicked off too. So if Blacksheep tells you that someone's on your account then log out of Facebook immediately. Or, better yet, check that your email address hasn't been changed while the other guy's been on your account, then log out.
Re: (Score:2)
It depends on the website. Many websites do have the behavior you describe. But some will just delete your session cookie from your browser (without deleting it from the server) which would let the attacker keep using it.
Re: (Score:2)
Would it be better for Blacksheep to log you out immediately? That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.
Re: (Score:2)
That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.
No. Up to 5 minutes, by default. Blacksheep generates traffic with a fake session ID every 5 minutes, and it notifies you when the fake cookie is used. Your real session cookie can be stolen any time your browser talks to the Facebook server, and Blacksheep doesn’t detect that.
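The detection mechanism described above, as an added example (my code, not BlackSheep's): a client periodically sends a request carrying a random decoy session cookie in the clear, keeps a record of which decoys it planted, and then watches the network for any request that presents one of those values from a different source address. The five-minute interval, the `xs` cookie name and the host are assumptions for illustration. The blind spot is also visible in the code: a replay of the real session cookie is not a decoy and is never reported, and an attacker who replays from a different network is invisible to a sniffer on this one.

```python
import secrets
import time


class CanarySession:
    """BlackSheep-style honeytoken: plant fake session cookies on the wire and
    raise an alert when any other client replays one of them."""

    def __init__(self, interval=300, clock=time.time):
        self.interval = interval      # seconds between decoys (assumed 5 min)
        self.clock = clock            # injectable for deterministic testing
        self.active = {}              # decoy value -> (time planted, owner IP)
        self.alerts = []              # (replaying IP, decoy, seconds since plant)

    def plant(self, my_ip):
        """Return the decoy request this client should send in cleartext.
        The value is random, so a decoy cannot be told from a real cookie by
        inspection alone."""
        token = secrets.token_hex(16)
        self.active[token] = (self.clock(), my_ip)
        # Host and cookie name are assumptions; a real tool mimics each site's format.
        return {"Host": "www.facebook.com", "Cookie": "c_user=0; xs=" + token}

    def inspect(self, src_ip, headers):
        """Feed every request observed on the network. True means a decoy we
        planted came back from someone else, i.e. our traffic was replayed."""
        for part in headers.get("Cookie", "").split(";"):
            name, _, val = part.strip().partition("=")
            if name == "xs" and val in self.active:
                planted_at, owner = self.active[val]
                if src_ip != owner:
                    self.alerts.append((src_ip, val, self.clock() - planted_at))
                    return True
        return False

    def due(self, last_plant):
        """Whether it is time to plant the next decoy."""
        return self.clock() - last_plant >= self.interval
```

The alert latency is bounded by how soon the attacker replays a decoy, not by the planting interval; what the interval bounds is how long a session can be hijacked between two decoys without any decoy having been exposed yet, which is the point the reply above makes.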
Re: (Score:3, Informative)
As far as I know, Twitter doesn't behave this way. If you log out on machine_x, only machine_x is logged out. Not the attacker.
GMail's "Destroy all other sessions" would be closer to the behaviour you're talking about.
Re: (Score:1, Insightful)
Twitter does too. If you are sharing the same session cookie, if you logout, the cookie is no longer valid and the hacker gets kicked out.
If it's two separate sessions to the same twitter account (two different session cookies) then what you mentioned is true but that is not what happens when someone uses firesheep.
Re: (Score:3, Informative)
However two different "machines" (even two different browser sessions on the same machine) should get different session IDs. As such, this would be expected, since each session is independent. The session ID is, generally, just a cookie with a specific value, your browser hands this back with every request, thus associating each request to the session.
So if you logout, and that invalidates the session, then this is to be expected, since each browser/machine has its own session cookie, each one is independen
Re: (Score:1)
And a less common, but better approach is to not simply trust the session ID supplied by the client as the sole method of post-login identification.
For example, you could log the client IP address at session creation, and then re-verify with each request to detect a hijacker. Not completely foolproof (IP spoofing, man in middle, etc.), but a lot better nonetheless.
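The server-side behaviours argued over in this subthread, as an added example (my code, not any of the named sites'): a session table where logout either only tells the browser to drop its cookie, leaving a hijacker's copy valid, or actually removes the record so every copy dies; a Gmail-style "sign out all other sessions"; and the optional client-IP binding proposed just above. All identifiers are constructed. One caveat the thread touches on: IP binding does not stop the Firesheep case at all when victim and attacker sit behind the same hotspot NAT and therefore share a public address, and it logs out legitimate users whose address changes (mobile, Tor, some proxies).

```python
import secrets


class SessionStore:
    """Server-side session table. The cookie value is only a lookup key; the
    server, not the browser, decides whether it is still valid."""

    def __init__(self, bind_ip=False):
        self.sessions = {}    # session id -> {"user": ..., "ip": ...}
        self.bind_ip = bind_ip

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(32)   # unguessable, set as the session cookie
        self.sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def authenticate(self, sid, client_ip):
        """Return the user for a presented cookie, or None if it is refused.
        With bind_ip, a replay from a different address is refused; without
        it, whoever holds the cookie is the user, which is what Firesheep exploits."""
        record = self.sessions.get(sid)
        if record is None:
            return None
        if self.bind_ip and record["ip"] != client_ip:
            return None
        return record["user"]

    def logout_weak(self, sid):
        """The naive implementation: clear the cookie in the browser and do
        nothing server-side. The old value keeps working for anyone else."""
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, sid):
        """Proper logout: drop the server record so every copy of the cookie,
        including a hijacker's, stops working immediately."""
        self.sessions.pop(sid, None)
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout_everywhere(self, user):
        """'Destroy all other sessions': invalidate every session of a user,
        which also covers a hijacker who obtained their own separate login."""
        dead = [sid for sid, rec in self.sessions.items() if rec["user"] == user]
        for sid in dead:
            del self.sessions[sid]
        return len(dead)
```

Real sites should additionally expire sessions server-side after an idle and an absolute timeout, so that a stolen cookie has a bounded lifetime even if the victim never logs out.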
Re: (Score:2)
Yup, but in this case, it might not help.
There are cases where you can't rely on this. I did some work on Tor "Location Hidden Services". In such a setup you will only ever see local IPs since the system does a double blind to prevent either side from knowing the other's IP. (of course, it also guarantees end to "end" (the tor router, not actually the final process, but they are usually on the same box) encryption without the need for https.
That is a very strange case. However, this fails in much more mund
Re: (Score:2)
What you could do....
Use javascript to implement Diffie-Hellman key exchange, and then use the shared key to embed authentication messages into requests. Since an eavesdropper can't easily divine the key, the server could easily detect and reject requests from a hijacker.
This requires that the system be armored against replay attacks (reusing the same authentication message) but... doing so would also prevent form resubmissions, often a problem in web apps.
Sheepsafe (Score:2)
See also: Sheepsafe. http://github.com/nicksieger/sheepsafe ... it's a simple Ruby script that automates setting up a SOCKS proxy for you on untrusted networks. I think it's only setup to work w/ OSX right now, but should be pretty simple to adapt to other unixy OSes.
Master Yoda says: (Score:4, Funny)
HTTPS Everywhere (Score:2)
This [eff.org] firefox extension from the EFF will force an HTTPS connection if possible. It works with Firefox (i.e. keeps the connection in https mode throughout the session, not just during the login).
Counter-counter measures (Score:2, Interesting)
Re: (Score:2)
Indeed, for instance firesheep could just use a different internet connection (e.g. 3G). Some websites check the source IP of the cookie, but most probably don't.
Re: (Score:1)
How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?
Never. The purpose of Firesheep is to demonstrate the vulnerability of stupid websites.
And Blacksheep does not protect from side-jacking at all, a black hat just needs to go through everything Firesheep captures and check which ones are fake.
What Blacksheep does is warn you if someone tries to hijack your session, which fits with the original purpose of Firesheep, and probably does a better job than Sheepherder, at the expense of bandwidth.
If you log out immediately it might minimize the damage a black hat
You Are Doing It WRONG. (Score:2)
Let's say you have a house. You keep valuable things in it, but you don't have a front door. Anyone can just walk in.
In particular, you've regularly noticed shifty-looking people entering your house carrying a large black bag in order to steal your stuff.
Now from this, you might draw the conclusion that it is time to get a door and lock it.
Or you could set up a sophisticated system of cameras and image analyzing software that will scan everyone walking down your street and sound a loud alarm if one of them
Re: (Score:2)
A house?!! WTF, this is slashdot, can we please get a proper car analogy?
I'd rather have (Score:2)
This is a good one too (Score:2)
http://www.imdb.com/title/tt0779982/ [imdb.com]
LMAO
Should Provide For Fun Trips To Starbucks (Score:4, Funny)
I can't wait to be at Starbucks when a socially awkward 17 year old stands up triumphantly to save the day by alerting everyone that there is a 'Firesheeper' in the building hijacking their cookies!
Tripwire? (Score:2)
That's not much of a tripwire, since your odds of activating it are sorta low.
What about FireShepherd [notendur.hi.is] which actively jams Firesheep?
Re: (Score:2)
Actively jams Firesheep or DDOS Facebook? The program sends a bogus request to Facebook with an interesting payload every 400ms. The assumption is that the payload somehow interferes with Firesheep. If enough people run this it could be interpreted as a DDOS attack.
Don't worry... (Score:3, Funny)
No need to worry folks, the FireSheep guys will come up with SheepDog which will make sure that BlackSheep stays the hell put dagnabbit and you'll be able to spy on your friends again in no time.
'It has begun' (Score:2)
Someone needs to open a dictionary (Score:2)
Pretend security (Score:2)
1) I can sniff and use the credentials later. Matter of fact, I would _only_ do that as I _know_ the other guy is active atm.
2) It tells you if you are being sniffed after the fact
3) Use a VPN while on public, shared networks. Always.
Re: (Score:1, Insightful)
The truth is, unless you're someone who matters, nobody cares about your rambling on your blog, your Facebook account or your Facebook friends, what you tweet about, your nickserv password on IRC or your POP3 email password. Nobody... cares...
A half a million downloads of firesheep says you are wrong.
Re:Wrong premise (Score:4, Insightful)
So in short, if you're a harmless Joe Blow, you can stop worrying about securing your digital presence: it only makes you look suspect if your computer or your communications are investigated for any reason. Your place in the Who's Nobody pretty much ensures your security and anonymity on the internet.
People thinking this, or not worrying about password sniffing in other forms, all make one crucial wrong assumption, and it's that protecting your account is often not about protecting the information you chose to publish.
Once someone has access to your account either by password sniffing or session hijacking, they can act as you, spamming your contacts and perhaps sending them off to sites that perform drive-by malware installs by posting links as if they had come from you.
While you might be right that nobody cares specifically about one person's facebook account, there are certainly people out there who would love to pick up a large number of them for spamming purposes.
Also for people who are daft enough to use the same password for multiple sites (actually I have one password for sites I don't care about, but for anything else I have separate passwords stored in keepass) sniffing their facebook/twitter/what-ever password could be far worse than getting their social networking account hijacked: it could give an attacker access to your webmail account from which they may be able to purloin enough data to gain access to your bank account and so forth.
Tell that to these 170 'nobodies'... (Score:3, Interesting)
- http://www.net-security.org/secworld.php?id=10096 [net-security.org]
Re: (Score:1)
Yeah, who cares if those pictures are naked. All we care about is if you are naked on the picture.
Nobody? (Score:3, Insightful)
Re:Wrong premise (Score:4, Insightful)
1. Attacks are laborious: As spam demonstrates, evil can be automated. Thanks to automation, the effort required is so low that the number of rationally viable targets balloons enormously. Further, because security people and mail admins are constantly working against automated evil, the value of genuine "civilian" hosts/accounts/etc. from which to disguise hostile action is higher than it would otherwise be(a single mailserver on a 1Gb line can send more p3n1s p1llz spam, and is much easier to administer, than a huge number of home computers or hijacked hotmail accounts; but costs more and is easier to block).
2. Humans are not, in a substantial number of cases, motivated purely by curiosity, voyeurism, or malice: People break into stuff merely because they can, or because they are hoping to access some of those private pictures from the blond across the coffee shop's account, or because they think that it would be hilarious to have you post "L0L shittingniggerdicks!!!!" to the facebook walls of all your friends and then leave you to explain that one to the dean.
Re: (Score:1)
No, seriously. It's off-topic but I really think insightful comments [like the parent comment] should be given more exposure outside of
Re: (Score:2)
Yeah, like that Alaskan politician who used a Yahoo email account. :P