Herding Fire with Fire

herding sheepA few weeks ago the Internet was abuzz about Eric Butler’s release of a new FireFox extension called Firesheep.  The point of the extension was to highlight the vulnerability of open wireless networks.  Firesheep makes it easy to capture login credentials from a site that isn’t using a Secure Sockets Layer (SSL) or HTTPS connection.  By default the extension lets you capture credentials from Facebook, Twitter, Yahoo, Foursquare and lots of other popular sites.  You can also add more sites in the user preferences. 

Was this a good citizen trying to move the technology along or a hacker’s dream?  Since Eric provided the source code to his extension, I assume he had honorable intentions and wanted to point out a major issue with website security.  On the other hand, Firesheep was downloaded over 200,000 times and I am sure not everyone had the best intentions.     

As is usual with anything that is open source and has to do with security, someone decided to create a tool to block the mischievous activities of Firesheep.  Enter FireShepherd.  It can leap tall buildings in a single bound and make the world safe for surfing again.  Developed by Gunnar Atli Sigurdsson from the University of Iceland and released under a GNU General Public License, this program aims to thwart Firesheep.

According to the information on its site:

FireShepherd, a small console program that floods the nearby wireless network with packets designed to turn off FireSheep, effectively shutting down nearby FireSheep programs every 0.5 sec or so, making you and the people around you secure from most people using FireSheep.

The program kills the current version of FireSheep running nearby, but the user is still in danger of all other session hijacking mechanisms. Do not do anything over a untrusted network that you cannot share with everyone.

Know that this is only a temporary solution to the FireSheep problem, created to give people the chance to secure themselves and the others around them from the current threat, while the security vulnerabilities revealed by FireSheep are being fixed.

The program runs on a user’s desktop and periodically jams the local wireless network with a string of junk characters that Sigurdsson says will instantly crash Firesheep.  Sounds like an aggressive, but effective approach.  Currently FireShepherd only runs on Windows, so people running on OSX or Linux need to find another solution.  If you are running FireFox, you could run HTTPS Everywhere or Force-TLS which forces websites to use HTTPS – unfortunately this only works with a site that has enabled HTTPS.  

Now before you go panicking, you should realize that only websites where you need to login are of any concern.  If you just browse to a website for reading, don’t worry about it.  If you login, then make sure the site is using an HTTPS connection.  You can see it in the URL in your browser.  If you have a VPN connection into your Intranet, you are also fine.  All the traffic through your VPN is encrypted, so people can’t spy on you.

So now we have a solution to a symptom, but not the problem.  As Sigurdsson points out, don’t send information over an untrusted network that you cannot share with everyone.  That’s the problem.  For websites like Facebook and Gmail, put HTTPS before the URL and you will be safe.  For sites that don’t have SSL, hopefully this will force them to implement it.  (I wonder how long it will be before someone creates an update to FireSheep that thwarts FireShepherd?  Ah the fun of the internet.)


Photo credit the bbp

Leave a Reply