Zscaler develops free tool to detect Firesheep snooping

Blacksheep warns when Firesheep is hijacking session information on the same network

A security company has developed a free Firefox add-on that warns when someone on the same network is using Firesheep, a tool that has raised alarm over how it simplifies an attack against a long-known weakness in Internet security.

Firesheep, which was unveiled at the ToorCon security conference in San Diego last month by Eric Butler, collects session information that is stored in a Web browser's cookie. The session information is easily collected if transmitted back and forth between a user's computer and an unencrypted Wi-Fi router while a person is logged into a Web service such as Facebook.

While most Web sites encrypt the traffic transmitted when logging into a Web site, indicated by the padlock on browsers, most then revert to passing unencrypted information during the rest of the session, a weakness that security analysts have warned of for years, particularly for users of public open Wi-Fi networks.

Firesheep identifies that unencrypted traffic and allows an interloper to "hijack" the session, or log into a Web site as the victim, with just a couple of clicks. The style of attack has been possible for a long time, but because of its simple design, Firesheep has given less-sophisticated users a powerful hacking tool.

Zscaler's The Blacksheep add-on, however, will detect when someone on the same network is using Firesheep, allowing its users make a more informed security decision about their behavior while on an open Wi-Fi network, for example.

Once Firesheep has intercepted someone's session credentials for a Web site, it makes a request to that site using the same cookie values. Blacksheep plays on this by making HTTP requests every five minutes to those sites monitored by Firesheep -- but using fake cookie values. If Blacksheep then detects Firesheep making a request to the site using the same fake cookie values, it can raise a warning, Zscaler said.

Security analysts have recommended that Web sites encrypt all traffic, but many sites have been unwilling to do it because of the extra processing power needed to maintain encryption. However, there has been progress: In January, Google turned on HTTPS encryption for all users of its Gmail service, where previously it had only been an option.

Other defenses against Firesheep include simply not using open Wi-Fi networks. If that's not an option, the Electronic Frontier Foundation built a Firefox add-on called "HTTPS Everywhere," which will automatically trigger an encrypted session with those Web sites capable of providing one. A VPN connection can also thwart attacks.

Tags securitydata breachmobile securityzscalerdata protectionprivacy

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?