Firefox extension detects FireSheep snoop software Researchers from security firm Zscaler have published free software that detects when users' web connections are being monitored by a controversial tool that steals log-in credentials from Facebook, Google and dozens of other websites. Dubbed BlackSheep, the Firefox extension alerts users when computers on a local area network …
I imagine it won't take much to upgrade Firesheep to defeat Blacksheep by being more rigorous in determining sessions that are actually successful, rather than just anything that appears to be an attempted login. The fakeness of the attempts could then be turned against it such that Firesheep detects those using Blacksheep.
I haven’t installed any sheep based plugins, but would a possible countermeasure be to passively listen for any occurrence of a login occurring from multiple IPs? It would only reveal an attack after the fact, and it wouldn’t work if the sidejack is routed via a secure tunnel, but it also wouldn’t be such a visible look-at-me countermeasure.
Re: Microsoft
"Programs designated as Hacktool are generally installed intentionally by a computer user."
In other words: we'll notice that you installed a "bad thing" on your dingus, and you really shouldn't have those you know, and so why don't you remove it like a good net citizen.
I guess I might be able to envision the usefulness of this on a shared portable? Now how do I force a full scan of the dingus everytime I get it back from junior the jokester?
"By default, BlackSheep generates fake traffic every 5 minutes. You can change this value in the option settings."
Ahh, yes, but where is the "check it *NOW*" button? I know most people don't realize that they do it, but when you walk into a new room you subconsciously take a sniff. Does wonders for detecting leaking gas and other butthole emissions. A "now, before I do something risky" button would be nice.
(Strange thing about 'innovations': to you and your PR it might be an innovation. To everyone else it's an obvious bag bolted on the side you forgot the first time around. Too many 'innovations' are simply confessions of stupidity.)
What a dumb statement. Since Firesheep was released the business of stealing cookies has become something that any crook, snooper, or idiot can do. Using the "underlying vulnerability" was more-or-less restricted to tech-savvy crooks of whom there will be fewer. Detecting Firesheep must be a good thing.
Firesheep exists as a club to bang over the heads of the idiotic web2.0 sites that don't do basic session security. Countermeasures are stupid because they don't fix the underlying problem - that session cookies are sent in the clear, ripe for grabbing out of the air.
Stop complaining about firesheep - direct your anger at lazy sites that still think it's 1997 and https has significant overhead.
What you suggest is akin to blaming Ford or GM for not putting scratch proof paint on your "keyed" vandalized car.
It is akin to blaming your housebuilder for not using bullet proof lexan or heat proof glass for your windows after they are vandalized.
The crime is the fault of the person with the criminal intent, not the person who decided using vandal proof technology was too expensive.
Nice try there Mr Flash Web developer but yes the XSS vulnerabilities you code all day because you don't understand basic coding best practices is why you are probably advocating this attitude. In fact this do it as cheap as possible with the worse hack coders and very little QA is why El Reg puts these basic fail software advisories for some very big commerical products nearly daily. Just because it compiles doesn't mean the developer did it right and we all suffer because of it (if for no other reason have to put security for our computer setups in front of everything else).
using vandal proof technology was too expensive."
So one doesn't buy an expensive safe for one's valuables cause the crime is the burglar's fault?
Why is protecting oneself against loss not an ethical demand?
It's about time that many sites did something about their security if they want to continue enticing the innocent third parties to party!
Why Paris, cos she knows what's safe!
" in an attempt to expose the bovid practices of Facebook and other websites..."
Erm Bovid? Methinks you may be getting your cattle befuddled. Ovid, yes. Bovine, notsomuch.. Bovid? OMG! Killitwithfire!!!.
The IT question would be who watches for the watchers watcher process?
1. Yes someone could update FireSheep to make it resist BlackSheep -- that would be undeniable proof they are black-hats.
FireSheep was alleged created not for publicity, not for malicious kicks, but to encourage websites to use HTTPS. Updating FireSheep to get past BlackSheep would serve no such purpose. Hence proof of black-hat mentality and criminal intent.
While increasing security necessarily involves more processing cycles, and thus greater green house gases and pre-mature obsolescence of hardware, in the case of sites like Facebook where people are supposed to be using their real names I must agree that HTTPS is long over due.
But I argue generally the distribution of malware as free-ware to encourage higher security expenditures is equivalent to (as criminal as) handing out spring nail sets or rusty nails to teenagers passing by a crowded parking lot in the middle of the night, along with the advice "There is no CCTV protecting this parking lot, so if you decide to commit vandalism you won't get caught. I am only doing this to force auto-makers to use scratch proof paint and shatter proof windows."
Malware makers with just intentions could achieve the same goal of making their point without causing serious theft and vandalism damage to innocent third parties by restricting the distribution of their malware to bona fide trustworthy security companies and the maker of the insecure software.
2. While I agree that 100% of the time FireSheep will have been installed with the computer users permission, remember that in some cases computers have more than one user, or the computer may be administered by an organization (i.e. company computer).
Because those limited cases do sometimes occur, there is a point to adding FireSheep detection to anti-virus software.
If MS is the only AV maker to realize this I'd be surprised.
"If MS is the only AV maker to realize this I'd be surprised."
So would I.
The AV makers are pretty shifty characters themselves, and will happily add any old rubbish to their AV signatures in order to pump up their malware detection stats and continue peddling software that is at best of limited use, and at worse a significant resource hog.
@Keith T:
As a generality, I'd agree with distribution of malware as you describe it. I'm not so sure Firesheep falls quite into that category. The way it's been publicized isn't very consistent with black-hat mentality.
The distinction from the analogy of handing out nails to scratch cars is that there is no reasonable protection of a car's paint other than trying to park where there's less likelihood of vandalism (and keeping current with your auto insurance premiums). You can't be expected to carry an impenetrable block wall along with you to set up to guard your car's finish when you park, and a close friend with an AK-47 who likes to sit in the back seat waiting for fun is not recommended.
In contrast, the problem Firesheep dramatizes is just that: failure to erect a protective barrier that is not only practical, but by any reasonable reckoning, necessary.
Certainly that's a gray area: less-honorable types can get Firesheep and use it less honorably. Given the way its maker has publicized it and encouraged the fixing of certain weaknesses, the fixing of which would render his creation impotent, makes it look to me more like a proof of concept than real malware.
So it detects lazy script kiddies, buy installing security programs, that the "victim" installed so they could continue to insecurely connect to web 2.0 crap on public networks?
1) Sniffing cookies has been around forever. Firesheep is just new lazy/convient grabs a pic from Facebook cuz it's purdy.
2) If you're worried about a sniffer, encrypt something. If they're not using exactly Firesheep™ brand sniffing, you're not protected.
3) What the hell exactly are you going to do if you "know" 2.3.4.5 is using Firesheep? Punch the nearest guy with a laptop?
So-called "White hat malware" is like "rolling drunks" (beating up helpless staggering drunks) to teach people not to binge drink.
People roll drunks for fun and to make a name for themselves. They just tell themselves they are doing it to teach the drunks a lesson.
Paris, because she does not approve of rolling drunks.
You could also steal children's bicycles to teach kids to always lock their bicycles.
"This seems like a reactionary and futile move on the part of Microsoft, since detecting the snoop software will in no way protect users from the underlying vulnerability."
Your dig at Microsoft was useless there as i'd rather know than be left in the dark.
You would have probably criticized them if they didn't do anything about it aswell
You misunderstand: Firesheep is not running on your computer it's running on the bad mans computer and if he is sitting there attempting to steal your identity he probably already know he's a bad man. The antivirus software on your computer will not lift the darkness from your eyes. If I were a less kind person I might suggest that only a supernova could do that
Read the article and what you just said again
Microsoft warns you that a computer on the same network is possibly stealing your login details and the Reg points out Microsoft only warns people about it rather than doing something.
Warning people is something as they can be more careful from then.
You criticized my post and then pointed out antivirus wouldn't help anyway.
So why criticize for no reason?
Don't feed the trolls
Sorry, in my futile attempt at humour I did not make it clear : the MS antivirus software won't warn you about the snooping because it is anitvirus software and can only scan things on your computer and Firesheep is not running on your computer.
It will only flag Firesheep as malware or what ever if it is on YOUR computer * and if you are running Firesheep your are the (allegedly) bad man. * As I understand it.
PS please ignore the supernova crack, my bad, stones and glass houses etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
