Fire in the …. Sheep?

You may have already caught the news of the recently released FireSheep plugin for Firefox.  It is a “session hijacking for dummies” tool that brings “hacking” to the masses–242,000 so far, within the first 48 hours of this tool being released.

So what makes this tool any different than the thousands of other freely released “script kiddie” tools out there?  The tool is not exploiting any unknown 0 day vulnerabilities, or anything of that nature.  What it does, is package session hijacking/sidejacking into a very easy to use interface–all you have to do is install a Firefox plugin, and install winpcap–Total setup time: 5 min

And use it they are:  I have been watching the download numbers of the extension–Today, 24 hours after being released, the xpi was being downloaded at an average of 10,000 times an hour–And I expect that number to go higher, as the news reaches critical mass in the next couple days.

We do have  a couple things in our favor:

-Because it uses winpcap to capture the wireless frames, winpcap does not have the best track record when it comes to drivers for common wireless cards–This is because winpcap was devloped for hardline nics, not WiFi (that is where airpcap comes in, at a hefty $200 license)  This means that though thousands have downloaded and installed FireSheep, they will not be able to use it, since they do not have a supported WiFi card. (!)

-Google has already fixed their services (–You will start to see other services fixing their sites sooner, rather than later, as this thing continues to get press.

So what’s the moral of this post?

A couple thoughts:

1. Warn your users: as script kiddies and their mothers around the world pick up this idiot-proof tool, they will be coming out enmass to their local coffee shops, looking for targets.

2. There are a couple decent ways to mitigate this issue–Unfortunately, they all take the form of plugins for Firefox.  Check out  https-everywhere and its ilk.

3. This is only going to drive more normal traffic to SSL, which means that we have much less visibility into our user’s traffic in our enterprises, which means that we will have to find other means of monitoring the traffic–whether it is our corporate proxy decrypting the SSL, or a host-based monitoring application.

Check out Eric Butler’s blog for more information, technical details, and more mitigation ideas.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close