Researchers from security firm Zscaler have published free software that detects when users' web connections are being monitored by a controversial tool that steals log-in credentials from Facebook, Google and dozens of other websites. Dubbed BlackSheep, the Firefox extension alerts users when computers on a local area network …
I imagine it won't take much to upgrade Firesheep to defeat Blacksheep by being more rigorous in determining sessions that are actually successful, rather than just anything that appears to be an attempted login. The fakeness of the attempts could then be turned against it such that Firesheep detects those using Blacksheep.
I haven’t installed any sheep based plugins, but would a possible countermeasure be to passively listen for any occurrence of a login occurring from multiple IPs? It would only reveal an attack after the fact, and it wouldn’t work if the sidejack is routed via a secure tunnel, but it also wouldn’t be such a visible look-at-me countermeasure.
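A sketch of the passive check proposed in the comment above, added here as an example and not part of the original thread: it flags a session cookie that shows up from more than one source address within a time window. The cookie name `sid`, the 15-minute window, the hostnames and the addresses are all assumptions, and the records are constructed.

```python
from collections import defaultdict

# Constructed sample of passively observed cleartext HTTP requests:
# (seconds, source IP, Host header, Cookie header). Not real traffic.
SAMPLE = [
    (0, "192.0.2.10", "social.example", "sid=aaa111; lang=en"),
    (40, "192.0.2.10", "social.example", "sid=aaa111; lang=en"),
    (95, "192.0.2.23", "social.example", "sid=aaa111"),
    (100, "192.0.2.31", "mail.example", "sid=bbb222; theme=dark"),
    (4000, "192.0.2.44", "mail.example", "sid=bbb222"),
    (120, "192.0.2.10", "social.example", "lang=en"),
]

SESSION_COOKIE_NAMES = {"sid"}  # assumption: session cookie names to track
WINDOW_SECONDS = 900            # assumption: reuse inside 15 minutes is suspect


def session_tokens(cookie_header):
    """Yield (name, value) for each tracked session cookie in a Cookie header."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name in SESSION_COOKIE_NAMES and value:
            yield name, value


def find_shared_sessions(records, window=WINDOW_SECONDS):
    """Return sorted (host, earlier_ip, later_ip) tuples for reused tokens.

    The token value is deliberately left out of the alert so the detector's
    own output does not become a second place to steal sessions from.
    """
    last_seen = defaultdict(dict)  # (host, name, value) -> {ip: last timestamp}
    alerts = set()
    for ts, ip, host, cookie in sorted(records):
        for name, value in session_tokens(cookie):
            key = (host.lower(), name, value)
            for other_ip, other_ts in last_seen[key].items():
                # A longer gap may just be the same client on a new DHCP lease.
                if other_ip != ip and ts - other_ts <= window:
                    alerts.add((host.lower(), other_ip, ip))
            last_seen[key][ip] = ts
    return sorted(alerts)


if __name__ == "__main__":
    for host, first_ip, second_ip in find_shared_sessions(SAMPLE):
        print(f"{host}: session first seen from {first_ip} reused by {second_ip}")
```

As the comment notes, this only reports reuse after the fact and sees nothing when the hijacked session is replayed through an encrypted tunnel.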
Groping... oh, did you notice?
"Programs designated as Hacktool are generally installed intentionally by a computer user."
In other words: we'll notice that you installed a "bad thing" on your dingus, and you really shouldn't have those you know, and so why don't you remove it like a good net citizen.
I guess I might be able to envision the usefulness of this on a shared portable? Now how do I force a full scan of the dingus every time I get it back from junior the jokester?
"By default, BlackSheep generates fake traffic every 5 minutes. You can change this value in the option settings."
Ahh, yes, but where is the "check it *NOW*" button? I know most people don't realize that they do it, but when you walk into a new room you subconsciously take a sniff. Does wonders for detecting leaking gas and other butthole emissions. A "now, before I do something risky" button would be nice.
(Strange thing about 'innovations': to you and your PR it might be an innovation. To everyone else it's an obvious bag bolted on the side you forgot the first time around. Too many 'innovations' are simply confessions of stupidity.)
" you installed a "bad thing" on your dingus "
No thanks, sounds very painful!
Seems like a reactionary and futile move on the part of Microsoft !!!!
What a dumb statement. Since Firesheep was released the business of stealing cookies has become something that any crook, snooper, or idiot can do. Using the "underlying vulnerability" was more-or-less restricted to tech-savvy crooks of whom there will be fewer. Detecting Firesheep must be a good thing.
Missing the point
Firesheep exists as a club to bang over the heads of the idiotic web2.0 sites that don't do basic session security. Countermeasures are stupid because they don't fix the underlying problem - that session cookies are sent in the clear, ripe for grabbing out of the air.
Stop complaining about firesheep - direct your anger at lazy sites that still think it's 1997 and https has significant overhead.
Firesheep causes damage to innocent third parties
What you suggest is akin to blaming Ford or GM for not putting scratch proof paint on your "keyed" vandalized car.
It is akin to blaming your housebuilder for not using bullet proof lexan or heat proof glass for your windows after they are vandalized.
The crime is the fault of the person with the criminal intent, not the person who decided using vandal proof technology was too expensive.
Nice try there Mr Flash Web developer but yes the XSS vulnerabilities you code all day because you don't understand basic coding best practices is why you are probably advocating this attitude. In fact this do it as cheap as possible with the worst hack coders and very little QA is why El Reg puts these basic fail software advisories for some very big commercial products nearly daily. Just because it compiles doesn't mean the developer did it right and we all suffer because of it (if for no other reason have to put security for our computer setups in front of everything else).
"not the person who decided
using vandal proof technology was too expensive."
So one doesn't buy an expensive safe for one's valuables cause the crime is the burglar's fault?
Why is protecting oneself against loss not an ethical demand?
It's about time that many sites did something about their security if they want to continue enticing the innocent third parties to party!
Why Paris, cos she knows what's safe!
No, it's blaming Ford or GM for
not installing locks on car doors because they cost too much and it's the thieves fault for stealing cars anyway.
My, wouldn't this be useful for generating a whole bunch of static inside IMP...
There are tools that can be abused to do that already on your computer
There are tools that can be abused to do that already on your computer. All that is required is criminal intent and a little (very little) intelligence.
Don't have a Cow man
" in an attempt to expose the bovid practices of Facebook and other websites..."
Erm Bovid? Methinks you may be getting your cattle befuddled. Ovid, yes. Bovine, notsomuch.. Bovid? OMG! Killitwithfire!!!.
The IT question would be who watches for the watchers watcher process?
Look it up
I know you were trying to be funny there, but why is the "joke alert" tag always related to failed attempts at humor? Bovid is a perfectly good word, correctly used in the article.
Bovid is, indeed, a perfectly good word. But it's a noun. The OP used it as an adjective. "Bovine" is the adjective.
Firefox should make BlackSheep a recommended add-on
1. Yes someone could update FireSheep to make it resist BlackSheep -- that would be undeniable proof they are black-hats.
FireSheep was allegedly created not for publicity, not for malicious kicks, but to encourage websites to use HTTPS. Updating FireSheep to get past BlackSheep would serve no such purpose. Hence proof of black-hat mentality and criminal intent.
While increasing security necessarily involves more processing cycles, and thus greater greenhouse gases and premature obsolescence of hardware, in the case of sites like Facebook where people are supposed to be using their real names I must agree that HTTPS is long overdue.
But I argue generally the distribution of malware as free-ware to encourage higher security expenditures is equivalent to (as criminal as) handing out spring nail sets or rusty nails to teenagers passing by a crowded parking lot in the middle of the night, along with the advice "There is no CCTV protecting this parking lot, so if you decide to commit vandalism you won't get caught. I am only doing this to force auto-makers to use scratch proof paint and shatter proof windows."
Malware makers with just intentions could achieve the same goal of making their point without causing serious theft and vandalism damage to innocent third parties by restricting the distribution of their malware to bona fide trustworthy security companies and the maker of the insecure software.
2. While I agree that 100% of the time FireSheep will have been installed with the computer user's permission, remember that in some cases computers have more than one user, or the computer may be administered by an organization (i.e. company computer).
Because those limited cases do sometimes occur, there is a point to adding FireSheep detection to anti-virus software.
If MS is the only AV maker to realize this I'd be surprised.
AV software makers
"If MS is the only AV maker to realize this I'd be surprised."
So would I.
The AV makers are pretty shifty characters themselves, and will happily add any old rubbish to their AV signatures in order to pump up their malware detection stats and continue peddling software that is at best of limited use, and at worst a significant resource hog.
Firesheep as Proof of Concept
As a generality, I'd agree with distribution of malware as you describe it. I'm not so sure Firesheep falls quite into that category. The way it's been publicized isn't very consistent with black-hat mentality.
The distinction from the analogy of handing out nails to scratch cars is that there is no reasonable protection of a car's paint other than trying to park where there's less likelihood of vandalism (and keeping current with your auto insurance premiums). You can't be expected to carry an impenetrable block wall along with you to set up to guard your car's finish when you park, and a close friend with an AK-47 who likes to sit in the back seat waiting for fun is not recommended.
In contrast, the problem Firesheep dramatizes is just that: failure to erect a protective barrier that is not only practical, but by any reasonable reckoning, necessary.
Certainly that's a gray area: less-honorable types can get Firesheep and use it less honorably. Given the way its maker has publicized it and encouraged the fixing of certain weaknesses, the fixing of which would render his creation impotent, makes it look to me more like a proof of concept than real malware.
So it detects lazy script kiddies, by installing security programs, that the "victim" installed so they could continue to insecurely connect to web 2.0 crap on public networks?
1) Sniffing cookies has been around forever. Firesheep is just new lazy/convenient grabs a pic from Facebook cuz it's purdy.
2) If you're worried about a sniffer, encrypt something. If they're not using exactly Firesheep™ brand sniffing, you're not protected.
3) What the hell exactly are you going to do if you "know" 184.108.40.206 is using Firesheep? Punch the nearest guy with a laptop?
"White hat malware" is like Rolling Drunks
So-called "White hat malware" is like "rolling drunks" (beating up helpless staggering drunks) to teach people not to binge drink.
People roll drunks for fun and to make a name for themselves. They just tell themselves they are doing it to teach the drunks a lesson.
Paris, because she does not approve of rolling drunks.
You could also steal children's bicycles to teach kids to always lock their bicycles.
I would be more accepting of the White Hat argument if the creators of the malware also created the way of detecting it, but they didn't.
The path to Linux is paved with good intentions.
Since the discussion is Firesheep, BlackSheep and the Sheep-like public, surely Ovine would have been a better choice than Bovine?
"Firesheep" works on public/unprotected wi-fi LANs exclusively am I wrong, so why is that not mentioned in the Register article ???
Re: missing info
...for instances when users on an unsecured network log in to known websites such as...
"This seems like a reactionary and futile move on the part of Microsoft, since detecting the snoop software will in no way protect users from the underlying vulnerability."
Your dig at Microsoft was useless there as I'd rather know than be left in the dark.
You would have probably criticized them if they didn't do anything about it as well.
@Tigra 07 Fail:FAIL
You misunderstand: Firesheep is not running on your computer, it's running on the bad man's computer and if he is sitting there attempting to steal your identity he probably already knows he's a bad man. The antivirus software on your computer will not lift the darkness from your eyes. If I were a less kind person I might suggest that only a supernova could do that.
RE: AC Fail
Read the article and what you just said again
Microsoft warns you that a computer on the same network is possibly stealing your login details and the Reg points out Microsoft only warns people about it rather than doing something.
Warning people is something as they can be more careful from then.
You criticized my post and then pointed out antivirus wouldn't help anyway.
So why criticize for no reason?
Don't feed the trolls
@ Tigra 07, AC again, I should be working!
Sorry, in my futile attempt at humour I did not make it clear: the MS antivirus software won't warn you about the snooping because it is antivirus software and can only scan things on your computer and Firesheep is not running on your computer.
It will only flag Firesheep as malware or whatever if it is on YOUR computer * and if you are running Firesheep you are the (allegedly) bad man. * As I understand it.
PS please ignore the supernova crack, my bad, stones and glass houses etc.