
BlackSheep detects IP address of amateur sidejackers

By George Ou, 8 November 2010, 4 Comments

Updated 11/9/2010 – The researchers at Zscaler have come up with a clever tool for detecting usage of FireSheep. More precisely, they’ve come up with a honey pot for baiting and then collecting the temporary IP addresses of FireSheep users, who are most likely amateur hackers trying to sidejack (see definitions of sidejacking here) their schoolmates’ Facebook and Twitter accounts at a college campus somewhere. The tool claims to offer “protection from FireSheep”, but it doesn’t actually locate any amateur Wi-Fi hackers using FireSheep, much less detect or locate serious Wi-Fi hackers. As clever as the tool is, it should not be viewed in any way as a solution to the underlying problem of abysmal online services security and nonexistent Wi-Fi hotspot security.

FireSheep is an easy-to-use sidejacking tool that allows even inexperienced hackers to steal access to other people’s web accounts by monitoring unencrypted Wi-Fi hotspots. FireSheep was designed to be the easiest to use sidejacking tool, but it was never intended to be the most powerful or stealthy one. In fact, it’s easily the weakest and least stealthy sidejacking tool. FireSheep was never meant to be a weapon of mass cyber-destruction, as those tools have existed for years. The purpose of FireSheep was to raise awareness of glaring weaknesses in popular websites like Facebook and Twitter that have been known for more than 3 years, and it is forcing Microsoft and Facebook to improve their security.

There are far more advanced methods of silently collecting massive amounts of user authentication sessions and login credentials, and one only needs to look at the annual “Wall of Sheep” event to see how bad the problem is. Serious hackers use Wi-Fi laptops armed with large antennas that record every hotspot (SSID) in a one mile radius. FireSheep users only see the users on the Wi-Fi network they’re connected to, which by itself makes them more visible. FireSheep also immediately connects to the same online services over the same insecure Wi-Fi hotspot with copycat authentication cookies, which makes its users very easy to detect. Serious Wi-Fi hackers can probably detect thousands of times more users than an amateur FireSheep user, and they do so with complete silence and undetectability.

The danger in the security space is that many companies may implement something like BlackSheep to detect the amateurs just to show that they’re doing something. But if BlackSheep works at all, it means that the underlying security weakness is being ignored. The solution is to prevent sidejacking from working in the first place rather than detecting a few amateur hackers. The solution is to stop the online services from leaking authentication material in the first place and to fix the insecure hotspots.

Unfortunately, Zscaler positions BlackSheep as “protection” against FireSheep, and many in the press seem to be drinking the Kool-Aid and reporting it as protection. But what does it protect you against? BlackSheep does detect the temporary IP addresses of FireSheep users, but not much more. What does one do after acquiring the IP addresses of anonymous hotspot users? Even if BlackSheep could identify the true identity of every FireSheep user it sees (which it cannot), it does nothing to address the larger issues. BlackSheep merely identifies the symptom and does nothing to combat the illness, yet it is being misconstrued as the solution to our problems.

BlackSheep will probably be a popular tool at the hacker conventions to prank the novice hackers, but it should not be considered IT protection.  Any IT wireless network that even allows FireSheep to work in the first place is already lost.  For consumers, BlackSheep will warn them that FireSheep amateur hackers are roaming the network but it does nothing to thwart the real threat.
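As an added illustration (not BlackSheep’s or Zscaler’s code), here is the detection idea the post describes, modelled on the defender’s side: a bait session cookie is handed to one client address, and any later request presenting that same cookie from a different address reveals the temporary IP of whoever captured and replayed it. The log lines, cookie values and addresses are constructed sample data.

```python
"""Honeypot-cookie replay detector (added illustration, not BlackSheep's code).

Idea: a bait session cookie is issued to one client address. If the same
cookie value later arrives from a different address, it was captured on the
wire and replayed, which is exactly the footprint a sidejacker leaves.
All log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample access log: client_ip  timestamp  request  session cookie
SAMPLE_LOG = """\
10.0.0.12 2010-11-08T10:00:01 "GET /home HTTP/1.1" session=bait-7f3a
10.0.0.12 2010-11-08T10:00:05 "GET /inbox HTTP/1.1" session=bait-7f3a
10.0.0.44 2010-11-08T10:01:10 "GET /home HTTP/1.1" session=user-22c1
10.0.0.99 2010-11-08T10:02:30 "GET /inbox HTTP/1.1" session=bait-7f3a
10.0.0.44 2010-11-08T10:03:00 "GET /profile HTTP/1.1" session=user-22c1
10.0.0.99 2010-11-08T10:03:45 "GET /profile HTTP/1.1" session=bait-7f3a
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<ts>\S+)\s+"(?P<req>[^"]*)"\s+session=(?P<sid>\S+)$'
)

def parse_log(text):
    """Yield (ip, timestamp, request, session_id) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["ts"], m["req"], m["sid"]

def find_replays(log_text, bait_cookies):
    """Return {bait_cookie: {"issued_to": ip, "replayed_from": [ips]}}.

    The first address seen with a bait cookie is the client it was issued to;
    every other address presenting it is a replay. Real (non-bait) sessions
    are ignored so legitimate address changes are never flagged.
    """
    issued_to = {}
    replays = defaultdict(list)
    for ip, _ts, _req, sid in parse_log(log_text):
        if sid not in bait_cookies:
            continue
        if sid not in issued_to:
            issued_to[sid] = ip
        elif ip != issued_to[sid] and ip not in replays[sid]:
            replays[sid].append(ip)
    return {sid: {"issued_to": issued_to[sid], "replayed_from": replays[sid]}
            for sid in issued_to}

if __name__ == "__main__":
    for sid, info in find_replays(SAMPLE_LOG, {"bait-7f3a"}).items():
        print(f"{sid}: issued to {info['issued_to']}, replayed from {info['replayed_from']}")
```

Note that, as the post argues, the output is only a hotspot-local address that will be gone when the client reconnects; the check is evidence that cookies are leaking, not a remedy for the leak.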

4 Comments »

  • Michael Sutton said:

    George – I appreciate the coverage but I would like to clarify a point. You rightly point out that BlackSheep identifies the problem, but does not solve it. I completely agree. The ‘problem’ is far greater than anything that a simple browser plugin can solve. BlackSheep is designed to alert you to the existence of the threat. Nothing more. Nothing less. Web application owners are in control of the ultimate solution which can be provided by end to end encryption.

    BlackSheep, like Firesheep is designed to draw attention to the issue, not eliminate it altogether. It is a completely free tool, not a commercial offering. I’m very pleased with the discussion that the release of these tools has inspired and I hope that web app vendors will be pressured to finally protect their end users as they should have all along.

    Michael Sutton
    VP, Security Research
    Zscaler

  • George Ou (author) said:

    @Michael Sutton

    Michael, it doesn’t completely identify the threat though. Just because you don’t see FireSheep users doesn’t mean it’s safe. You’re still vulnerable to the much greater threat of serious hackers using large antennas and AirDump to collect massive every SSID on every channel.

    As I said in the post, BlackSheep is a very clever hack in the way that it leverages FireSheep source code to combat FireSheep abusers. My problem with it is that it gives people a false sense of security because it doesn’t actually identify the entire threat much less “protect” against that threat.

  • steve said:

    BlackSheep keeps reporting my own IP address as the one that uses Firesheep. But I already uninstalled Firesheep, so why does it keep reporting my own IP as the Firesheep user?

  • George Ou (author) said:

    @Steve,

    Some drivers (like Intel Wi-Fi) only detect their own traffic and don’t let you look at traffic from other Wi-Fi devices. FireSheep and BlackSheep are heavily reliant on WinPcap, which is reliant on specific Wi-Fi adapters.
