Firefox extension detects FireSheep snoop software
Unleash the BlackSheep
Researchers from security firm Zscaler have published free software that detects when users' web connections are being monitored by a controversial tool that steals log-in credentials from Facebook, Google and dozens of other websites.
Dubbed BlackSheep, the Firefox extension alerts users when computers on a local area network are using FireSheep to steal unencrypted cookies the websites use to grant users access to their account pages. When BlackSheep detects the snoop software in a hotspot or other open Wi-Fi network, it displays a message that reads “Somebody is using FireSheep on this network.” It then displays the LAN IP address of the offending party.
BlackSheep's release comes two weeks after security researcher Eric Butler published FireSheep in an attempt to expose the bovid practices of Facebook and other websites that don't bother to encrypt session cookies used to authenticate their users. With the exception of Twitter and a handful of Google services, few popular websites offer the end-to-end encryption needed to foil such attacks, a shortcoming that seemed to be lost on the masses until FireSheep made it easy to exploit the weakness.
FireSheep listens to web traffic for instances when users on an unsecured network log in to known websites such as Facebook, Google, and Yahoo. Although such websites encrypt the login name and password entered by the user, most send the corresponding session cookie in the clear, making it easy for people performing man-in-the-middle attacks to appropriate them and use them to access the user's account.
FireSheep had been downloaded 659,620 times at time of writing, according to figures supplied by Butler.
BlackSheep, which is based on the FireSheep source code, works by broadcasting fake session IDs over the network and then monitoring to see if other machines use them to sign in. By default, it checks a network every five minutes, but can be configured to send out faux cookies more or less frequently as preferred by the user. Zscaler has more information here.
Since FireSheep's release, Microsoft appears to have added detection for it to its antivirus software. This seems like a reactionary and futile move on the part of Microsoft, since detecting the snoop software will in no way protect users from the underlying vulnerability. ®
Missing the point
Firesheep exists as a club to bang over the heads of the idiotic web2.0 sites that don't do basic session security. Countermeasures are stupid because they don't fix the underlying problem - that session cookies are sent in the clear, ripe for grabbing out of the air.
Stop complaining about firesheep - direct your anger at lazy sites that still think it's 1997 and https has significant overhead.
So it detects lazy script kiddies, buy installing security programs, that the "victim" installed so they could continue to insecurely connect to web 2.0 crap on public networks?
1) Sniffing cookies has been around forever. Firesheep is just new lazy/convient grabs a pic from Facebook cuz it's purdy.
2) If you're worried about a sniffer, encrypt something. If they're not using exactly Firesheep™ brand sniffing, you're not protected.
3) What the hell exactly are you going to do if you "know" 126.96.36.199 is using Firesheep? Punch the nearest guy with a laptop?
Nice try there Mr Flash Web developer but yes the XSS vulnerabilities you code all day because you don't understand basic coding best practices is why you are probably advocating this attitude. In fact this do it as cheap as possible with the worse hack coders and very little QA is why El Reg puts these basic fail software advisories for some very big commerical products nearly daily. Just because it compiles doesn't mean the developer did it right and we all suffer because of it (if for no other reason have to put security for our computer setups in front of everything else).