Fighting Firesheep with Firesheep
When software developers Ian Gallagher and Eric Butler unleashed "Firesheep," an add-on they developed for the Firefox Web browser that allows users on unsecured Wi-Fi networks to identify and capture the social networking sessions of others on that network, Butler declared on his blog that their intention was to throw a spotlight on the lack of effective security among popular social media Web sites, such as Facebook and Twitter.
"This is a widely known problem that has been talked about to death," Butler wrote, "yet very popular Web sites continue to fail at protecting their users." He went on to scold Facebook and Twitter in particular for failing to fix the problem, adding, "Web sites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure Web…."
But you know this already. The add-on was reportedly downloaded more than 500,000 times between its mid-October release and early November, and "Firesheep" was among the Top Tweets on Twitter for weeks.
Firesheep is dead simple to use. No skills needed. You just download it from the Web, install it on Firefox, click on a button, and viola, you can collect any session cookies floating around the Wi-Fi network to which you're currently connected. Session hijacking has never been easier.
Julien Sobrier decided it was too easy. The senior security researcher at Zscaler, a Sunnyvale, Calif.–based provider of cloud security solutions, and his crew created their own Firefox add-on to defend against Firesheep. Dubbed BlackSheep, the Zscaler add-on is actually based on the Firesheep source code.
"To understand how it works, you have to first consider how Firesheep works," Sobrier told me. "Firesheep listens for HTTP connections to popular websites and looks for specific cookie values which will identify a user. When it detects a connection to, let's say, Facebook, it connects back to the same website with the same cookie values to retrieve information about the user. What BlackSheep does is to regularly generate fake traffic to this website with fake cookie values. Just like Firesheep, it listens to HTTP connections and notices if anyone else is going to the same site with the same fake values. And then it gives a warning and the IP address of whoever is using Firesheep."
BlackSheep is an elegant parry to Firesheep's thrust, and it's another freebie.
"This is what we do," Sobrier said. "We try to help people to protect themselves and help them to be aware of the security threats that are out there. Not just our own users, but everybody. Firesheep gave us another opportunity to do this."
Zscaler unveiled BlackSheep on a blog through which the company keeps readers informed about new and ongoing security threats. Definitely worth reading. Here's the blog post on BlackSheep. This is also the download site.
To give them the credit due, Butler and Gallagher's dramatic demonstration not only put the security inadequacies of popular social media sites in the spotlight, but underscored the growing appeal of these sites to malicious hackers.
And now to download BlackSheep so I can post my freakin' Facebook status from Starbucks!
Posted by John K. Waters on November 17, 2010 at 10:53 AM