The Register® — Biting the hand that feeds IT

Feeds

Firefox extension detects FireSheep snoop software

Unleash the BlackSheep

By Dan Goodin, 8th November 2010
  • print
  • alert

Agentless Backup is Not a Myth

Researchers from security firm Zscaler have published free software that detects when users' web connections are being monitored by a controversial tool that steals log-in credentials from Facebook, Google and dozens of other websites.

Dubbed BlackSheep, the Firefox extension alerts users when computers on a local area network are using FireSheep to steal unencrypted cookies the websites use to grant users access to their account pages. When BlackSheep detects the snoop software in a hotspot or other open Wi-Fi network, it displays a message that reads “Somebody is using FireSheep on this network.” It then displays the LAN IP address of the offending party.

BlackSheep's release comes two weeks after security researcher Eric Butler published FireSheep in an attempt to expose the bovid practices of Facebook and other websites that don't bother to encrypt session cookies used to authenticate their users. With the exception of Twitter and a handful of Google services, few popular websites offer the end-to-end encryption needed to foil such attacks, a shortcoming that seemed to be lost on the masses until FireSheep made it easy to exploit the weakness.

FireSheep listens to web traffic for instances when users on an unsecured network log in to known websites such as Facebook, Google, and Yahoo. Although such websites encrypt the login name and password entered by the user, most send the corresponding session cookie in the clear, making it easy for people performing man-in-the-middle attacks to appropriate them and use them to access the user's account.

FireSheep had been downloaded 659,620 times at time of writing, according to figures supplied by Butler.

BlackSheep, which is based on the FireSheep source code, works by broadcasting fake session IDs over the network and then monitoring to see if other machines use them to sign in. By default, it checks a network every five minutes, but can be configured to send out faux cookies more or less frequently as preferred by the user. Zscaler has more information here.

Since FireSheep's release, Microsoft appears to have added detection for it to its antivirus software. This seems like a reactionary and futile move on the part of Microsoft, since detecting the snoop software will in no way protect users from the underlying vulnerability. ®

Steps to Take Before Choosing a Business Continuity Partner

COMMENTS

House Rules Send Corrections
All Reader Comments (27)
Highly Rated
Pet Peeve
Reply Icon

Missing the point

Firesheep exists as a club to bang over the heads of the idiotic web2.0 sites that don't do basic session security. Countermeasures are stupid because they don't fix the underlying problem - that session cookies are sent in the clear, ripe for grabbing out of the air.

Stop complaining about firesheep - direct your anger at lazy sites that still think it's 1997 and https has significant overhead.

5
0
Bounty

(untitled)

So it detects lazy script kiddies, buy installing security programs, that the "victim" installed so they could continue to insecurely connect to web 2.0 crap on public networks?

1) Sniffing cookies has been around forever. Firesheep is just new lazy/convient grabs a pic from Facebook cuz it's purdy.

2) If you're worried about a sniffer, encrypt something. If they're not using exactly Firesheep™ brand sniffing, you're not protected.

3) What the hell exactly are you going to do if you "know" 2.3.4.5 is using Firesheep? Punch the nearest guy with a laptop?

3
0
asdf
Reply Icon

bullcrap

Nice try there Mr Flash Web developer but yes the XSS vulnerabilities you code all day because you don't understand basic coding best practices is why you are probably advocating this attitude. In fact this do it as cheap as possible with the worse hack coders and very little QA is why El Reg puts these basic fail software advisories for some very big commerical products nearly daily. Just because it compiles doesn't mean the developer did it right and we all suffer because of it (if for no other reason have to put security for our computer setups in front of everything else).

2
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17