Monday 15 November 2010

Firesheep and BlackSheep

Recently, there has been a huge amount of coverage of the ‘Firesheep’ add-on for Firefox. If you missed the kerfuffle, Firesheep is a Firefox add-on that makes sidejacking (HTTP session hijacking) over open wireless networks easy to exploit. One of the key reasons it has been so popular is that it requires no technical expertise on the part of the attacker: captured logins are listed directly in a console within Firefox, and double-clicking one visits the site with that user logged in. The author, Eric Butler, released the application to highlight poor coding practices on social networking sites, with a particularly big ‘poke’ at Facebook.

A response to this, from a slightly surprising source (Zscaler, a cloud-based web proxy and email filtering vendor), is another Firefox add-on called ‘BlackSheep’. The Zscaler add-on can detect whether someone on the network is using Firesheep.

"BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked. While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network."

If BlackSheep identifies a host on the network that has Firesheep installed, it displays a banner indicating that someone has the add-on installed and shows their IP address (as below).

[Image: BlackSheep detection banner showing the IP address of the host running Firesheep]
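To illustrate the honeytoken approach Zscaler describes above, here is an added example (not BlackSheep's own code): a monitor plants a decoy session cookie value on the wire and then flags any captured HTTP request that presents that value from a source other than the monitor itself. The cookie name, hostnames, addresses and the sample capture are all constructed for the illustration.

```python
"""Decoy-cookie replay detection, in the spirit of BlackSheep (added example).

The monitor sends one request of its own carrying a decoy session cookie.
Any later request that carries the same decoy value from a different source
address means the cookie was sniffed off the network and replayed, which is
exactly the follow-up request Firesheep makes to fetch the victim's name.
"""
from dataclasses import dataclass

# Hypothetical decoy cookie and monitor address, constructed for this example.
DECOY_COOKIE = ("sessionid", "decoy-7f3a9c")
MONITOR_IP = "192.168.1.10"


@dataclass
class Hit:
    src_ip: str
    host: str
    cookie_name: str


def parse_cookies(header_value):
    """Parse a raw Cookie header value ("a=1; b=2") into a dict."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def find_replays(requests, decoy=DECOY_COOKIE, monitor_ip=MONITOR_IP):
    """Return a Hit for each request that replays the decoy cookie from a
    source other than the monitor. Each request is a tuple of
    (source IP, Host header, raw Cookie header value)."""
    name, value = decoy
    hits = []
    for src_ip, host, cookie_header in requests:
        if parse_cookies(cookie_header).get(name) == value and src_ip != monitor_ip:
            hits.append(Hit(src_ip, host, name))
    return hits


# Constructed sample capture: the monitor planting the decoy, an unrelated
# client with its own session, and a host replaying the decoy value.
SAMPLE_REQUESTS = [
    ("192.168.1.10", "social.example.com", "sessionid=decoy-7f3a9c; locale=en_GB"),
    ("192.168.1.23", "social.example.com", "sessionid=legit-11aa22; locale=en_GB"),
    ("192.168.1.42", "social.example.com", "sessionid=decoy-7f3a9c"),
]

if __name__ == "__main__":
    for hit in find_replays(SAMPLE_REQUESTS):
        print(f"decoy '{hit.cookie_name}' replayed by {hit.src_ip} to {hit.host}")
```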

Unsurprisingly, BlackSheep and Firesheep cannot be installed in the same Firefox profile, as they share a lot of the same code and will conflict.

1 comment:

  1. One way of defeating Firesheep. http://www.youtube.com/watch?v=ymPBPbWU45g
