
Firesheep Countermeasure Tool BlackSheep 122

Posted by CmdrTaco
from the baa-ram-yew dept.
Orome1 writes "Slashdot already covered Firesheep, the Firefox extension that makes it easier to steal logins and take over social media and email accounts after users log in from a WiFi hotspot or even their own unprotected network. Zscaler researchers have created, and are now offering to every consumer, a free Firefox plugin called BlackSheep, which serves as a counter-measure. BlackSheep combats Firesheep by monitoring traffic and then alerting users if Firesheep is being used on the network. BlackSheep does this by dropping 'fake' session ID information on the wire and then monitoring traffic to see if it has been hijacked."
This discussion has been archived. No new comments can be posted.

  • by datapharmer (1099455) on Monday November 08, 2010 @09:46AM (#34160738) Homepage
    Or you could just force tls/ssl on sites that support it and render firesheep useless. Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.
    • by iammani (1392285) on Monday November 08, 2010 @09:57AM (#34160798)

      Exactly, this is what EFF's Firefox Addon does [eff.org]

      • by Jugalator (259273)

        Much, much better solution than this "Blacksheep" tool if you ask me. Blacksheep simply isn't doing this right.

        • Re: (Score:3, Informative)

          Tools for detecting malicious actors certainly have their place (even if you are cryptographically protected from them, it's always nice to know what sort of neighborhood you are currently in); but the idea of playing cat-and-mouse when you could be playing cat and enciphered-such-that-it-will-be-inedible-long-after-the-sun-has-devoured-the-inner-planets-mouse is seriously head -> desk...
          • Firesheep users are generally not malicious actors... just pranksters. Ironically, a real malicious actor would just use Firesheep to just grab sessions and then use SSL as described to actually use them, which would be beyond what BlackSheep could deal with. I wonder if that is already doable with the install of the EFF extension and Firesheep and no other modification.

            • My bigger concern would not be firesheep users as such, as they are likely to be pranksters, kiddies, and the assorted merely curious. Not harmless; but hardly evil masterminds. Nor, for its part, is firesheep a terribly refined tool for doing real damage. Too manual, too slow, GUI oriented. A lot of harassment and petty pranksterism will likely occur; but that is about it.

              My concern would be exploitation of the vector that firesheep draws attention to. If your machine is 0wned and part of a botnet, this
            • by flowwolf (1824892)
              I thought EFF extension was the greater of the two, but now we know that it could be getting used by the enemy for greater exploit? Classic.
        • by flowwolf (1824892)
          This tool is targeted towards network administrators, not individual users. It's a threat diagnostic tool, not a prevention. You can't make everyone on your network suddenly be a guru of security. That's the admin's job. Writing this off as useless is ignorant.
          • You can't make everyone on your network suddenly be a guru of security. That's the admin's job.

            The admin's job is to make everyone on your network suddenly a guru of security? :-)

      • Re: (Score:3, Interesting)

        by datapharmer (1099455)
        well kind of... that plugin fails in that it requires you to add in each domain you want to use ssl for. I would recommend force-tls [mozilla.org] for firefox and KB SSL enforcer for chrome [google.com] (the second is not completely secure due to chrome's design, but hoping that will be fixed soon).
    • by Spad (470073)

      on sites that support it

      And therein lies the problem.

    • Re: (Score:3, Funny)

      by mounthood (993037)

      Because you know, being alerted that your information just got stolen is much better than using proper security in the first place.... or not.

      But if we did have an Add-on which "alerted that your information just got stolen" we could call it "Wake Up Sheeple!"

    • by tjlaxs (1872422)
      Forcing SSL on, for example, Facebook renders some features just unworking. :/ But yes, it's still better security to browse in a somewhat nonworking environment.
    • Or you could just force tls/ssl on sites that support it and render firesheep useless.

      Firefox users are using software which actively discourages use of ssl and other secure connections. They're unlikely to set their browsers to use secure connections by default.

    • by jonescb (1888008)
      Or just tunnel through SSH whenever you're on an unsecured network. I was with some friends last week who were using Firesheep on each other (all in good fun), but I was tunneling all my traffic and nobody was able to get my cookies.
    • by gad_zuki! (70830)

      Some sites don't support SSL. Hotmail for instance.

      • by iammani (1392285)

        Hotmail has had HTTPS support for a while now. All you have to do is visit https://www.hotmail.com/ [hotmail.com] and as soon as it logs on click on always https (Hotmail prompts you for it).

        And most websites I use support https (if not they lose the tinfoil market)

        • by gad_zuki! (70830)

          Actually, that doesn't work. I'm able to log in but then it fails on the next page load.

          The issue is that if you login without https it redirects you to a https page FOR LOGIN ONLY. Everything else is unencrypted past that point. The trick you supplied is forcing it to use https after login and that is not supported. At least on Firefox.

        • > https://www.hotmail.com/ [hotmail.com]

          Hmm...I get a warning thrown up by the SSLPasswdWarning FF plugin (actually on the hotmail-redirected login.live.com):

          Warning!!!
          The password field you have selected will transmit your information over an unencrypted and insecure connection.
          The form submits to:
          UNKNOWN (or handled in Javascript)

          Anybody verified, that this actually gets handled via SSL (in JS or whatever)?

    • If you are alerted that someone is using firesheep on you, then you at least know and can use a "logout all other sessions".
      http://www.facebook.com/notes/facebook-security/forget-to-log-out-help-is-on-the-way/425136200765 [facebook.com]
    • Speaking of which - what does Slashdot use? I don't see an HTTPS in my urls...

      Couldn't someone sidejack a Slashdot Session?

      • In recent threads about Firesheep in regards to Slashdot I had seen several times the suggestion to use:

        https://slashdot.org/my/login [slashdot.org]

        Yes, there is an SSL-page for login. After login it then redirects to the main /. page (http).
        So far so good except...I am still NOT logged in! Anybody know, what the deal is with that?

  • by Spy Handler (822350) on Monday November 08, 2010 @09:46AM (#34160740) Homepage Journal
    shouldn't it be called Firefox?

    Oh wait...
  • Don't most big email and social network sites use a secure login, so that it won't work for firesheep? Are there any examples of large ones that don't? Thanks.

    • Re:Secure login (Score:5, Informative)

      by marcansoft (727665) <hector@marcans[ ].com ['oft' in gap]> on Monday November 08, 2010 @09:53AM (#34160782) Homepage

      Secure login doesn't matter. You need secure everything, or people can just steal your session cookie. That is almost as bad as having your login stolen.

      • by Mashiki (184564)

        True story on that. About 2 years ago, one of the WoW forum heads had their session cookie stolen. Much luling was enjoyed by all as they started mass-posting spam, on their forums.

    • Re: (Score:3, Informative)

      by SgtKeeling (717065)
      Most email and social network sites do use a secure login, but it's not logging in that's the issue. After you've logged in securely, your session information keeps getting sent back and forth over regular http, instead of https, and there is enough information in there for firesheep to impersonate you.
    • Re:Secure login (Score:5, Insightful)

      by SharpFang (651121) on Monday November 08, 2010 @10:07AM (#34160850) Homepage Journal

      Firesheep doesn't steal login credentials, only hijacks (insecure) session already (securely) authenticated.

      You log in securely, you receive a cookie that proves you did. You present it to a webpage, the webpage allows you to access the content, because the cookie identifies and authorizes you. Then someone else obtains a copy of your cookie and their browser, upon presenting the cookie to the website, receives the same treatment as your own. Since the cookie is sent in plaintext in headers of every common unencrypted connection, obtaining it is trivial (compared to secure login)

      Examples? Facebook, Myspace, Twitter, enough for you?

    • Re: (Score:3, Informative)

      by AdamsGuitar (1171413)
      The issue with Firesheep is session hijacking, not theft of login and password information.
    • by Jonner (189691)

      If you were aware of the purpose of Firesheep [codebutler.com], you'd know that it is quite effective, since so many large sites don't require the use of HTTPS.

  • So, to clarify... (Score:5, Insightful)

    by Jugalator (259273) on Monday November 08, 2010 @09:50AM (#34160762) Journal

    Since this extension only *informs* and does nothing else, such as actively disrupt Firesheep's functionality, you will still be busted if doing insecure communication on the network, see this warning suddenly pop up, and are already using Twitter/Facebook/...? And in this case, you would have to "ZOMGQUIT!!!" to have any chance of being safe.

    For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

    • Re: (Score:3, Insightful)

      by The MAZZTer (911996)
      I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password. The website usually instructs the browser when to clear the session cookie (several weeks to several months, in my experience), but of course an attacker doesn't need to honor that request.
      • by drcheap (1897540)

        I'm willing to bet sessions for most websites can last indefinitely, at least until you change your password.

        Yes, because they have infinite system resources to keep an unlimited number of indefinite sessions around.

        No, sessions have expirations, some longer than others.

    • Re:So, to clarify... (Score:4, Informative)

      by Barefoot Monkey (1657313) on Monday November 08, 2010 @10:24AM (#34160956)

      For how long can a session be hijacked anyway? If you close your browser, is the session instantly invalidated? Or only after like 5 minutes? I mean, in that case, Blacksheep could scream all it wants, and you'll still be a potential victim even if it warned you and you closed your browser (or tab).

      As long as the hijacker keeps using your session the session will stay alive, even if you close your browser. But if you actually log out of the website then the hijacker gets kicked off too. So if Blacksheep tells you that someone's on your account then log out of Facebook immediately. Or, better yet, check that your email address hasn't been changed while the other guy's been on your account, then log out.

      • by LincolnQ (648660)

        It depends on the website. Many websites do have the behavior you describe. But some will just delete your session cookie from your browser (without deleting it from the server) which would let the attacker keep using it.
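The difference discussed in this sub-thread, as an added example that is not part of any poster's comment: a logout that only clears the browser's cookie leaves a copied session ID usable, while deleting the server-side record ends it for every holder. The `SessionStore` class and its method names are hypothetical.

```python
import secrets
import time


class SessionStore:
    """Hypothetical in-memory session store (illustration only)."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session id -> (user, expiry timestamp)

    def login(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now + self.ttl)
        return sid

    def user_for(self, sid, now=None):
        """Return the user for a presented cookie, or None if invalid or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self._sessions[sid]
            return None
        # Sliding expiry: any holder of the cookie keeps the session alive.
        self._sessions[sid] = (user, now + self.ttl)
        return user

    def logout_cookie_only(self, sid):
        """Weak logout: ask the browser to drop the cookie, keep the server record."""
        return "Set-Cookie: session=; Max-Age=0"

    def logout_server_side(self, sid):
        """Strong logout: the session ID stops working for everyone who holds it."""
        self._sessions.pop(sid, None)
        return "Set-Cookie: session=; Max-Age=0"

    def logout_everywhere(self, user):
        """Drop every session of this user (a 'log out all other sessions' control)."""
        for sid in [s for s, (u, _) in self._sessions.items() if u == user]:
            del self._sessions[sid]


def demo():
    store = SessionStore()
    sid = store.login("alice", now=0)
    copied = sid  # a second party holding the same cookie value
    store.logout_cookie_only(sid)
    after_weak = store.user_for(copied, now=10)    # copy still accepted
    store.logout_server_side(sid)
    after_strong = store.user_for(copied, now=20)  # copy rejected
    return after_weak, after_strong
```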

      • Would it be better for Blacksheep to log you out immediately? That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.

        • That might prevent the attacker from accomplishing anything since it would happen within milliseconds of him sending a duplicate cookie.

          No. Up to 5 minutes, by default. Blacksheep generates traffic with a fake session ID every 5 minutes, and it notifies you when the fake cookie is used. Your real session cookie can be stolen any time your browser talks to the Facebook server, and Blacksheep doesn’t detect that.
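A sketch of the decoy-cookie idea this comment describes, as an added example; it is not BlackSheep's code, and the cookie name, hosts, addresses and record layout are constructed for illustration. It also shows the limitation the comment points out: reuse of a real session cookie raises no alert.

```python
import secrets
from http.cookies import SimpleCookie


def make_decoy():
    """Random value that no real session will ever carry."""
    return "decoy-" + secrets.token_hex(16)


def find_decoy_reuse(observed, decoys, own_ip):
    """Return alerts for requests that present one of our decoy cookies.

    observed: list of dicts with keys ts, src, host, cookie (raw Cookie header)
    decoys:   dict mapping (host, cookie_name) -> decoy value we put on the wire
    own_ip:   our own address; the decoy request we sent ourselves is ignored
    """
    alerts = []
    for req in observed:
        jar = SimpleCookie()
        jar.load(req["cookie"])
        for name, morsel in jar.items():
            decoy = decoys.get((req["host"], name))
            if decoy is not None and morsel.value == decoy and req["src"] != own_ip:
                alerts.append({"ts": req["ts"], "src": req["src"], "host": req["host"]})
    return alerts


def demo():
    own_ip = "192.0.2.10"  # constructed documentation addresses
    decoy = make_decoy()
    decoys = {("social.example", "sid"): decoy}
    observed = [  # constructed capture, not real traffic
        # our own decoy request going out
        {"ts": 0, "src": own_ip, "host": "social.example",
         "cookie": f"sid={decoy}; lang=en"},
        # another host presents the decoy value: someone copied it off the wire
        {"ts": 42, "src": "192.0.2.77", "host": "social.example",
         "cookie": f"lang=en; sid={decoy}"},
        # the same host presents a copied real cookie: invisible to this check
        {"ts": 50, "src": "192.0.2.77", "host": "social.example",
         "cookie": "sid=real-session-value"},
    ]
    return find_decoy_reuse(observed, decoys, own_ip)
```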

        • by tgeller (10260)
          Not a bad idea, but what if the snooper changed your Facebook account's email address during the minute between Blacksheep's checks? That person would pwn you permanently; you couldn't log back in, but the attacker could (by retrieving your password).
      • Re: (Score:3, Informative)

        by CrashandDie (1114135)

        As far as I know, Twitter doesn't behave this way. If you log out on machine_x, only machine_x is logged out. Not the attacker.

        GMail's "Destroy all other sessions" would be closer to the behaviour you're talking about.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          Twitter does too. If you are sharing the same session cookie, if you logout, the cookie is no longer valid and the hacker gets kicked out.
          If it's two separate sessions to the same twitter account (two different session cookies) then what you mentioned is true but that is not what happens when someone uses firesheep.

        • Re: (Score:3, Informative)

          by TheCarp (96830)

          However two different "machines" (even two different browser sessions on the same machine) should get different session IDs. As such, this would be expected, since each session is independent. The session ID is, generally, just a cookie with a specific value, your browser hands this back with every request, thus associating each request to the session.

          So if you logout, and that invalidates the session, then this is to be expected, since each browser/machine has its own session cookie, each one is independen

          • by drcheap (1897540)

            And a less common, but better approach is to not simply trust the session ID supplied by the client as the sole method of post-login identification.

            For example, you could log the client IP address at session creation, and then re-verify with each request to detect a hijacker. Not completely foolproof (IP spoofing, man in middle, etc.), but a lot better nonetheless.

            • by TheCarp (96830)

              Yup, but in this case, it might not help.

              There are cases where you can't rely on this. I did some work on Tor "Location Hidden Services". In such a setup you will only ever see local IPs since the system does a double blind to prevent either side from knowing the other's IP. (of course, it also guarantees end to "end" (the tor router, not actually the final process, but they are usually on the same box) encryption without the need for https.)

              That is a very strange case. However, this fails in much more mund

              • by TheCarp (96830)

                What you could do....

                Use javascript to implement Diffie-Hellman key exchange, and then use the shared key to embed authentication messages into requests. Since an eavesdropper can't easily divine the key, the server could easily detect and reject requests from a hijacker.

                This requires that the system be armored against replay attacks (reusing the same authentication message) but... doing so would also prevent form resubmissions, often a problem in web apps.
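The per-request authentication and replay protection proposed in this comment, as an added example that is not the poster's code. It assumes both sides already hold the shared key from the key exchange; the `Server` class, the counter scheme and the message layout are hypothetical choices made for illustration.

```python
import hashlib
import hmac
import json
import secrets


def sign_request(key, session_id, counter, method, path):
    """Client side: MAC over the session ID, a request counter and the request line."""
    # JSON encoding keeps the field boundaries unambiguous.
    msg = json.dumps([session_id, counter, method, path]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self._sessions = {}  # session id -> {"key": bytes, "last_counter": int}

    def open_session(self, session_id, shared_key):
        self._sessions[session_id] = {"key": shared_key, "last_counter": 0}

    def handle(self, session_id, counter, method, path, mac):
        state = self._sessions.get(session_id)
        if state is None:
            return "reject: unknown session"
        expected = sign_request(state["key"], session_id, counter, method, path)
        # Constant-time comparison; a missing MAC is treated as a wrong one.
        if not hmac.compare_digest(expected, mac or ""):
            return "reject: bad MAC"
        # Counters must strictly increase, so a captured request cannot be resent.
        if counter <= state["last_counter"]:
            return "reject: replay"
        state["last_counter"] = counter
        return "ok"


def demo():
    server = Server()
    sid = secrets.token_hex(16)
    key = secrets.token_bytes(32)  # stands in for the key both sides derived
    server.open_session(sid, key)
    mac1 = sign_request(key, sid, 1, "POST", "/status")
    return [
        server.handle(sid, 1, "POST", "/status", mac1),  # legitimate request
        server.handle(sid, 2, "POST", "/status", None),  # session ID only, no MAC
        server.handle(sid, 2, "POST", "/status", mac1),  # captured MAC, new counter
        server.handle(sid, 1, "POST", "/status", mac1),  # exact replay
    ]
```

A scheme like this only holds against a passive eavesdropper: script delivered over plain HTTP can be altered in transit by an active attacker, so it does not replace HTTPS.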

  • See also: Sheepsafe. http://github.com/nicksieger/sheepsafe ... it's a simple Ruby script that automates setting up a SOCKS proxy for you on untrusted networks. I think it's only set up to work w/ OSX right now, but should be pretty simple to adapt to other unixy OSes.

  • by TheWarp (1903628) on Monday November 08, 2010 @10:23AM (#34160948)
    Begun, the sheep wars have.
  • This [eff.org] firefox extension from the EFF will force an HTTPS connection if possible. It works with Firefox (i.e. keeps the connection in https mode throughout the session, not just during the login).

  • How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?
    • by Timmmm (636430)

      Indeed, for instance firesheep could just use a different internet connection (e.g. 3G). Some websites check the source IP of the cookie, but most probably don't.

    • How long until Firesheep implements something that detects a Blacksheep trap, and doesn't respond to it? Will Blacksheep then implement a detection detector?

      Never. The purpose of Firesheep is to demonstrate the vulnerability of stupid websites.
      And Blacksheep does not protect from side-jacking at all, a black hat just needs to go through everything Firesheep captures and check which ones are fake.
      What Blacksheep does is warn you if someone tries to hijack your session, which fits with the original purpose of Firesheep, and probably does a better job than Sheepherder, at the expense of bandwidth.
      If you log out immediately it might minimize the damage a black hat

  • Let's say you have a house. You keep valuable things in it, but you don't have a front door. Anyone can just walk in.

    In particular, you've regularly noticed shifty-looking people entering your house carrying a large black bag in order to steal your stuff.

    Now from this, you might draw the conclusion that it is time to get a door and lock it.

    Or you could set up a sophisticated system of cameras and image analyzing software that will scan everyone walking down your street and sound a loud alarm if one of them

  • I'd rather have this blacksheep [blacksheepbrewery.com] myself.
  • by mastershake82 (948396) on Monday November 08, 2010 @12:03PM (#34161864)
    Not because I care enough to use it to try to protect the 'sheep'. But I know that somebody will.

    I can't wait to be at Starbucks when a socially awkward 17 year old stands up triumphantly to save the day by alerting everyone that there is a 'Firesheeper' in the building hijacking their cookies!
    • Re: (Score:3, Funny)

      by halcyon1234 (834388)
      The first amendment doesn't give you the right to shout "Firesheep" in a crowded Starbucks.
  • That's not much of a tripwire, since your odds of activating it are sorta low.
    What about FireShepherd [notendur.hi.is] which actively jams Firesheep?

    • by Fnord666 (889225)

      What about FireShepherd which actively jams Firesheep?

      Actively jams Firesheep or DDOS Facebook? The program sends a bogus request to Facebook with an interesting payload every 400ms. The assumption is that the payload somehow interferes with Firesheep. If enough people run this it could be interpreted as a DDOS attack.

  • by Syberz (1170343) on Monday November 08, 2010 @01:20PM (#34162802) Homepage

    No need to worry folks, the FireSheep guys will come up with SheepDog which will make sure that BlackSheep stays the hell put dagnabbit and you'll be able to spy on your friends again in no time.

  • BlackSheep is not a counter-measure, it doesn't attack Firesheep. It is only a detector.
  • 1) I can sniff and use the credentials later. Matter of fact, I would _only_ do that as I _know_ the other guy is active atm.
    2) It tells you if you are being sniffed after the fact
    3) Use a VPN while on public, shared networks. Always.
