Tuesday, November 9, 2010

Firesheep plugin

http://codebutler.com/firesheep

This is a little old but still funny. I'm interested in this from a security point of view but also from seeing what the reaction to it is. It's one of those things that could catch fire and take off or disappear into the background noise. It's an interesting experiment on public scrutiny and security by obscurity. The techniques to exploit this hole have been around since cookies were invented and abused for session management over insecure networks... so far it's passed about 1.4 million search results on Google using "firesheep -sheep". The top ten pages are all 100% articles on Firesheep, so I figure the rest of the results are probably pretty good. LOL. Way to shine a light on the issue. Let's see if anything happens.

Edit
The general reaction has been twofold. Firstly, all the tech press is generally cheering the political objectives while recommending countermeasures. Secondly, the hysterical non-technical press is decrying the existence of such a terrible weapon... blah blah blah.

Another interesting aspect is the ecosystem of countermeasure tools that are popping up. BlackSheep and FireShepherd are the two that have sprung fully formed to offer a solution for the ignorant. Does that not strike you as suspicious? I have read that BlackSheep is actually a DDoS attack client, which I find much more credible than that it magically has some capacity to reach out and touch a passive sniffer application. The description of how it works is kinda credible, but not if you know much about DNS and how Firesheep actually works. Even if it's exploiting a weakness in Firesheep, it's not actually dealing with the underlying issue that is being highlighted. It would be trivial to rework Firesheep to be impervious to BlackSheep's supposed technique.

As for FireShepherd:

http://blogs.forbes.com/andygreenberg/2010/10/28/how-to-screw-with-firesheep-snoops-try-fireshepherd/

This page has a lightweight description of how it claims to work. Again, it's basically trying to attack a weakness in the Firesheep tool rather than patch the problem that Firesheep is highlighting. Also, FireShepherd would probably breach the terms of service of any reasonable network because it works by intermittently flooding the network with rubbish packets. This sort of activity would probably set off all sorts of DoS attack detectors and intrusion systems, and just generally piss off any network admins who caught you using it. It's the equivalent of turning on the sprinkler system in a whole building to put out a single candle (that may or may not be there). And just consider the chaos if one paranoid user on the network starts talking about it to their co-workers and encourages them to also install it. You then have multiple people intermittently DoS'ing the network segment. Genius.... (Sarcasm)
The first tool sounds like it's a tiny step from being outright scamware, if it's not already malware. The second sounds like a poorly thought out tool with marginal hope of fixing the problem but much larger potential for getting the user banned or prosecuted.

Nothing has shown up yet about dealing with false positives, or about the social consequences of detecting an attacker and how to deal with that ethically or safely. I would assume that the common witch hunt rules would apply. If you think someone is running a sniffer on the network, you can unilaterally employ the "strike first" approach and burn them publicly so you feel all safe again. Since there is no actual evidence (unless your Facebook profile has been hijacked by a completely incompetent person who signs all their fake posts with their real name... but then how would you even prove that that was their real name?), endless fun with digital forensics.

So we have a scary mix of paranoia, uncertainty, ignorance, exploitative tool developers, no useful solutions from most of the affected sites and a bubbling pool of anger, distrust and the usual illusion of invulnerability that internet users get when they feel safe and anonymous. Nothing bad could happen here...
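The problem both countermeasure tools leave untouched is the site's session cookie crossing the network in cleartext, and the fix sits with the affected sites. As an added example (not part of the original post), here is a check a site operator could run over their own responses; the hostnames, cookie names and the `SESSION_HINTS` naming heuristic are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data: (URL a response came from, its Set-Cookie header values).
SAMPLE_RESPONSES = [
    ("http://shop.example/login", ["sid=7f3a9c; Path=/; HttpOnly"]),
    ("https://mail.example/login", ["session=ab12; Path=/; HttpOnly", "theme=dark; Path=/"]),
    ("https://bank.example/login", ["SESSIONID=9d0e; Path=/; Secure; HttpOnly"]),
]

# Assumption: cookies whose names contain one of these carry the login session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def looks_like_session(name):
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit(responses):
    """List session cookies that a passive listener on a shared network could read."""
    findings = []
    for url, headers in responses:
        scheme = urlsplit(url).scheme
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if not looks_like_session(name):
                continue  # preference cookies etc. are not what gets hijacked
            if scheme != "https":
                # The cookie is already visible on the wire when it is issued.
                findings.append((url, name, "issued over cleartext HTTP"))
            elif "secure" not in attrs:
                # Issued safely, but the browser will attach it to any later
                # http:// request to the same site.
                findings.append((url, name, "missing Secure attribute"))
    return findings


if __name__ == "__main__":
    for url, name, problem in audit(SAMPLE_RESPONSES):
        print(f"{url}  {name}: {problem}")
```

A site that logs users in over HTTPS and then drops back to HTTP for the rest of the session fails this check in the same way as the second sample entry.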
