Firefox extension detects FireSheep snoop software

Researchers from security firm Zscaler have published free software that detects when users' web connections are being monitored by a controversial tool that steals log-in credentials from Facebook, Google and dozens of other websites. Dubbed BlackSheep, the Firefox extension alerts users when computers on a local area network …


This topic is closed for new posts.
  1. McBread

    counter-counter measures

    I imagine it won't take much to upgrade Firesheep to defeat Blacksheep by being more rigorous in determining sessions that are actually successful, rather than just anything that appears to be an attempted login. The fakeness of the attempts could then be turned against it such that Firesheep detects those using Blacksheep.

    I haven’t installed any sheep based plugins, but would a possible countermeasure be to passively listen for any occurrence of a login occurring from multiple IPs? It would only reveal an attack after the fact, and it wouldn’t work if the sidejack is routed via a secure tunnel, but it also wouldn’t be such a visible look-at-me countermeasure.
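
The passive check suggested in the comment above, sketched as an added example (not part of the thread and not BlackSheep's code): flag a session identifier that is presented from more than one client address within a short window. The record format, host names, cookie values and the 30-minute window are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp src_ip host session_cookie"
SAMPLE_LOG = """\
2010-11-09T10:00:01 192.168.1.20 social.example sid=aaa111
2010-11-09T10:00:40 192.168.1.20 social.example sid=aaa111
2010-11-09T10:02:15 192.168.1.77 social.example sid=aaa111
2010-11-09T10:03:00 192.168.1.31 mail.example sid=bbb222
2010-11-09T10:04:10 192.168.1.31 mail.example sid=bbb222
2010-11-09T11:30:00 192.168.1.45 social.example sid=ccc333
2010-11-09T13:45:00 192.168.1.52 social.example sid=ccc333
"""

def parse(line):
    ts, ip, host, cookie = line.split()
    # Keep only a digest so the monitor never stores a usable session token.
    digest = hashlib.sha256(cookie.encode()).hexdigest()[:16]
    return datetime.fromisoformat(ts), ip, host, digest

def find_shared_sessions(log_text, window=timedelta(minutes=30)):
    """Return one alert per session seen from more than one IP inside `window`."""
    seen = defaultdict(list)  # (host, session digest) -> [(timestamp, ip), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, host, digest = parse(line)
            seen[(host, digest)].append((ts, ip))
    alerts = []
    for (host, digest), events in seen.items():
        events.sort()
        for i, (ts, ip) in enumerate(events):
            # Other addresses that used this session shortly before this request.
            # Uses far apart in time (a new DHCP lease, a roaming laptop) are
            # ignored to limit false positives; clients behind one NAT address
            # cannot be told apart at all.
            others = {p for t, p in events[:i] if ts - t <= window and p != ip}
            if others:
                alerts.append({"host": host, "session": digest,
                               "time": ts.isoformat(), "ips": sorted(others | {ip})})
                break  # one alert per session is enough
    return alerts

if __name__ == "__main__":
    for alert in find_shared_sessions(SAMPLE_LOG):
        print(alert)
```

As the comment says, this only reveals reuse after the fact, and it sees nothing once the site moves the session cookie onto HTTPS.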

  2. Notas Badoff

    Groping... oh, did you notice?

    Re: Microsoft

    "Programs designated as Hacktool are generally installed intentionally by a computer user."

    In other words: we'll notice that you installed a "bad thing" on your dingus, and you really shouldn't have those you know, and so why don't you remove it like a good net citizen.

    I guess I might be able to envision the usefulness of this on a shared portable? Now how do I force a full scan of the dingus every time I get it back from junior the jokester?

    "By default, BlackSheep generates fake traffic every 5 minutes. You can change this value in the option settings."

    Ahh, yes, but where is the "check it *NOW*" button? I know most people don't realize that they do it, but when you walk into a new room you subconsciously take a sniff. Does wonders for detecting leaking gas and other butthole emissions. A "now, before I do something risky" button would be nice.

    (Strange thing about 'innovations': to you and your PR it might be an innovation. To everyone else it's an obvious bag bolted on the side you forgot the first time around. Too many 'innovations' are simply confessions of stupidity.)

    1. The Fuzzy Wotnot

      Oooh, nasty!

      " you installed a "bad thing" on your dingus "

      No thanks, sounds very painful!

  3. banjomike

    Seems like a reactionary and futile move on the part of Microsoft !!!!

    What a dumb statement. Since Firesheep was released the business of stealing cookies has become something that any crook, snooper, or idiot can do. Using the "underlying vulnerability" was more-or-less restricted to tech-savvy crooks of whom there will be fewer. Detecting Firesheep must be a good thing.

    1. Pet Peeve

      Missing the point

      Firesheep exists as a club to bang over the heads of the idiotic web2.0 sites that don't do basic session security. Countermeasures are stupid because they don't fix the underlying problem - that session cookies are sent in the clear, ripe for grabbing out of the air.

      Stop complaining about firesheep - direct your anger at lazy sites that still think it's 1997 and https has significant overhead.

      1. Keith T

        Firesheep causes damage to innocent third parties

        What you suggest is akin to blaming Ford or GM for not putting scratch proof paint on your "keyed" vandalized car.

        It is akin to blaming your housebuilder for not using bullet proof lexan or heat proof glass for your windows after they are vandalized.

        The crime is the fault of the person with the criminal intent, not the person who decided using vandal proof technology was too expensive.

        1. asdf


          Nice try there Mr Flash Web developer but yes the XSS vulnerabilities you code all day because you don't understand basic coding best practices is why you are probably advocating this attitude. In fact this do it as cheap as possible with the worst hack coders and very little QA is why El Reg puts these basic fail software advisories for some very big commercial products nearly daily. Just because it compiles doesn't mean the developer did it right and we all suffer because of it (if for no other reason have to put security for our computer setups in front of everything else).

        2. R.P.Charlie
          Paris Hilton

          "not the person who decided using vandal proof technology was too expensive."

          So one doesn't buy an expensive safe for one's valuables cause the crime is the burglar's fault?

          Why is protecting oneself against loss not an ethical demand?

          It's about time that many sites did something about their security if they want to continue enticing the innocent third parties to party!

          Why Paris, cos she knows what's safe!

        3. Tom 13

          No, it's blaming Ford or GM for

          not installing locks on car doors because they cost too much and it's the thieves' fault for stealing cars anyway.

  4. Tom Chiverton 1


    My, wouldn't this be useful for generating a whole bunch of static inside IMP...

    1. Keith T

      There are tools that can be abused to do that already on your computer

      There are tools that can be abused to do that already on your computer. All that is required is criminal intent and a little (very little) intelligence.

  5. Mr Beast

    Don't have a Cow man

    " in an attempt to expose the bovid practices of Facebook and other websites..."

    Erm Bovid? Methinks you may be getting your cattle befuddled. Ovid, yes. Bovine, notsomuch.. Bovid? OMG! Killitwithfire!!!.

    The IT question would be who watches for the watchers watcher process?

    1. Pet Peeve

      Look it up

      I know you were trying to be funny there, but why is the "joke alert" tag always related to failed attempts at humor? Bovid is a perfectly good word, correctly used in the article.

      1. Big-nosed Pengie


        Bovid is, indeed, a perfectly good word. But it's a noun. The OP used it as an adjective. "Bovine" is the adjective.

  6. Keith T
    Thumb Up

    Firefox should make BlackSheep a recommended add-on

    1. Yes someone could update FireSheep to make it resist BlackSheep -- that would be undeniable proof they are black-hats.

    FireSheep was allegedly created not for publicity, not for malicious kicks, but to encourage websites to use HTTPS. Updating FireSheep to get past BlackSheep would serve no such purpose. Hence proof of black-hat mentality and criminal intent.

    While increasing security necessarily involves more processing cycles, and thus greater greenhouse gases and premature obsolescence of hardware, in the case of sites like Facebook where people are supposed to be using their real names I must agree that HTTPS is long overdue.

    But I argue generally the distribution of malware as free-ware to encourage higher security expenditures is equivalent to (as criminal as) handing out spring nail sets or rusty nails to teenagers passing by a crowded parking lot in the middle of the night, along with the advice "There is no CCTV protecting this parking lot, so if you decide to commit vandalism you won't get caught. I am only doing this to force auto-makers to use scratch proof paint and shatter proof windows."

    Malware makers with just intentions could achieve the same goal of making their point without causing serious theft and vandalism damage to innocent third parties by restricting the distribution of their malware to bona fide trustworthy security companies and the maker of the insecure software.

    2. While I agree that 100% of the time FireSheep will have been installed with the computer user's permission, remember that in some cases computers have more than one user, or the computer may be administered by an organization (i.e. company computer).

    Because those limited cases do sometimes occur, there is a point to adding FireSheep detection to anti-virus software.

    If MS is the only AV maker to realize this I'd be surprised.

    1. David 141

      AV software makers

      "If MS is the only AV maker to realize this I'd be surprised."

      So would I.

      The AV makers are pretty shifty characters themselves, and will happily add any old rubbish to their AV signatures in order to pump up their malware detection stats and continue peddling software that is at best of limited use, and at worst a significant resource hog.

    2. Ray Simard

      Firesheep as Proof of Concept

      @Keith T:

      As a generality, I'd agree with distribution of malware as you describe it. I'm not so sure Firesheep falls quite into that category. The way it's been publicized isn't very consistent with black-hat mentality.

      The distinction from the analogy of handing out nails to scratch cars is that there is no reasonable protection of a car's paint other than trying to park where there's less likelihood of vandalism (and keeping current with your auto insurance premiums). You can't be expected to carry an impenetrable block wall along with you to set up to guard your car's finish when you park, and a close friend with an AK-47 who likes to sit in the back seat waiting for fun is not recommended.

      In contrast, the problem Firesheep dramatizes is just that: failure to erect a protective barrier that is not only practical, but by any reasonable reckoning, necessary.

      Certainly that's a gray area: less-honorable types can get Firesheep and use it less honorably. Given the way its maker has publicized it and encouraged the fixing of certain weaknesses, the fixing of which would render his creation impotent, makes it look to me more like a proof of concept than real malware.

  7. Bounty


    So it detects lazy script kiddies, by installing security programs, that the "victim" installed so they could continue to insecurely connect to web 2.0 crap on public networks?

    1) Sniffing cookies has been around forever. Firesheep is just new lazy/convenient grabs a pic from Facebook cuz it's purdy.

    2) If you're worried about a sniffer, encrypt something. If they're not using exactly Firesheep™ brand sniffing, you're not protected.

    3) What the hell exactly are you going to do if you "know" someone is using Firesheep? Punch the nearest guy with a laptop?

  8. Anonymous Coward
    Paris Hilton

    "White hat malware" is like Rolling Drunks

    So-called "White hat malware" is like "rolling drunks" (beating up helpless staggering drunks) to teach people not to binge drink.

    People roll drunks for fun and to make a name for themselves. They just tell themselves they are doing it to teach the drunks a lesson.

    Paris, because she does not approve of rolling drunks.

    You could also steal children's bicycles to teach kids to always lock their bicycles.

    1. Sir Runcible Spoon Silver badge


      I would be more accepting of the White Hat argument if the creators of the malware also created the way of detecting it, but they didn't.

      The path to Linux is paved with good intentions.

  9. Logos

    missing info

    "Firesheep" works on public/unprotected wi-fi LANs exclusively am I wrong, so why is that not mentioned in the Register article ???

    1. Anonymous Coward

      Re: missing info

      ...for instances when users on an unsecured network log in to known websites such as...

  10. Major N


    Since the discussion is Firesheep, BlackSheep and the Sheep-like public, surely Ovine would have been a better choice than Bovine?

  11. Tigra 07 Silver badge
    Dead Vulture


    "This seems like a reactionary and futile move on the part of Microsoft, since detecting the snoop software will in no way protect users from the underlying vulnerability."

    Your dig at Microsoft was useless there as I'd rather know than be left in the dark.

    You would have probably criticized them if they didn't do anything about it as well.

    1. Anonymous Coward

      @Tigra 07 Fail:FAIL

      You misunderstand: Firesheep is not running on your computer, it's running on the bad man's computer, and if he is sitting there attempting to steal your identity he probably already knows he's a bad man. The antivirus software on your computer will not lift the darkness from your eyes. If I were a less kind person I might suggest that only a supernova could do that.

      1. Tigra 07 Silver badge

        RE: AC Fail

        Read the article and what you just said again

        Microsoft warns you that a computer on the same network is possibly stealing your login details and the Reg points out Microsoft only warns people about it rather than doing something.

        Warning people is something as they can be more careful from then.

        You criticized my post and then pointed out antivirus wouldn't help anyway.

        So why criticize for no reason?

        Don't feed the trolls

        1. Anonymous Coward

          @ Tigra 07, AC again, I should be working!

          Sorry, in my futile attempt at humour I did not make it clear: the MS antivirus software won't warn you about the snooping because it is antivirus software and can only scan things on your computer and Firesheep is not running on your computer.

          It will only flag Firesheep as malware or whatever if it is on YOUR computer * and if you are running Firesheep you are the (allegedly) bad man. * As I understand it.

          PS please ignore the supernova crack, my bad, stones and glass houses etc.
