BlackSheep detects IP address of amateur sidejackers

Updated 11/9/2010 – The researchers at Zscaler have come up with a clever tool for detecting usage of FireSheep.  More precisely, they’ve come up with a honey pot for baiting and then collecting the temporary IP addresses of FireSheep users who are most likely amateur hackers trying to sidejack (see definitions of sidejacking here) their schoolmates’ Facebook and Twitter account at a college campus somewhere.  The tool claims to offer “protection from FireSheep”, but it doesn’t actually locate any amateur Wi-Fi hackers using FireSheep much less detect or locate serious Wi-Fi hackers.  As clever the tool is, it should not be viewed in any way as a solution to the underlying problem of abysmal online services security and nonexistent Wi-Fi hotspot security.image

FireSheep is an easy to use sidejacking tool that allows even inexperienced hackers to steal access to other people’s web accounts by monitoring unencrypted Wi-Fi Hotspots.  FireSheep was designed to be the easiest to use sidejacking tool but it is never intended to be the most powerful or stealthy sidejacking tool.  In fact it’s easily the weakest and least stealthy sidejacking tool.  FireSheep was never meant to be a weapon of mass cyber-destruction as those tools have existed for years.  The purpose of FireSheep was to raise awareness of glaring weaknesses in popular websites like Facebook and Twitter that have been known for more than 3 years and it is forcing Microsoft and Facebook to improve their security.

There are far more advanced methods of silently collecting massive amounts of user authentication sessions and login credentials and one only needs to look at the annual “Wall of Sheep” event to see how bad the problem is.  Serious hackers use Wi-Fi laptops armed with large antennas that record every hotspot (SSID) in a one mile radius.  FireSheep users only see the users on the Wi-Fi network they’re connected to which by itself makes them more visible.  FireSheep also immediately connects to the same online services over the same insecure Wi-Fi hotspot with copycat authentication cookies which makes them very easy to detect.  Serious Wi-Fi hackers can probably detect thousands of times more users than an amateur FireSheep user and they do so with complete silence and undetectability.

The danger in the security space is that many companies may implement something like BlackSheep to detect the amateurs to show that they’re doing something.  But if BlackSheep works at all, it means that the underlying security weakness is being ignored.  The solution is to prevent sidejacking from working in the first place rather than the detection of a few amateur hackers.  The solution is to fix the online services from leaking authentication material in the first place and fix the insecure Hotspots.

Unfortunately, Zscaler positions BlackSheep as “protection” against FireSheep and many in the press seems to be drinking the Kool-Aid and reporting it as protection.  But what does it protect you against?  BlackSheep does detect the temporary IP addresses of FireSheep users but not much more.  What does one do after acquiring the IP addresses of anoymous hotspot users?  But even if BlackSheep could identify the true identity of every FireSheep user it sees (which it cannot), it does nothing to address the larger issues.  BlackSheep merely identifies the symptom and does nothing to combat the illness but it is being misconstrued as the solution to our problems.

BlackSheep will probably be a popular tool at the hacker conventions to prank the novice hackers, but it should not be considered IT protection.  Any IT wireless network that even allows FireSheep to work in the first place is already lost.  For consumers, BlackSheep will warn them that FireSheep amateur hackers are roaming the network but it does nothing to thwart the real threat.


[Cross-posted at Digital Society]