If you have not read Part I, please read it before you read below.
In part one of this series I introduced you to the dangers of sidejacking/man-in-the-middle attacks using browser plugins such as Firesheep.
Part II will give you a few ways to see when someone is using Firesheep and how to protect yourself.
An easy way to determine if someone is using Firesheep is by using something called BlackSheep. BlackSheep is a simple plugin that will alert you whenever someone on the network you are on is using Firesheep. BlackSheep can be found here:
From the site:
BlackSheep, also a Firefox plugin, is designed to combat Firesheep. BlackSheep does this by dropping ‘fake’ session ID information on the wire and then monitors traffic to see if it has been hijacked.
While Firesheep is largely passive, once it identifies session information for a targeted domain, it then makes a subsequent request to that same domain, using the hijacked session information in order to obtain the name of the hijacked user along with an image of the person, if available. It is this request that BlackSheep identifies in order to detect the presence of Firesheep on the network. When identified, the user will receive a warning message.
I should note that if you want to try this for yourself and see results, you’ll have to have two separate computers running Firefox as both of the apps use a lot of the same code.
- The BlackSheep install is as simple as clicking the Add to Firefox button, allowing the install and restarting Firefox. It’s then installed and running.
- Once BlackSheep is running, you can adjust it to scan at different intervals and on different interfaces, and choose whether it starts with Firefox or not.
- When you’re using it, if someone on the network tries to use Firesheep, you will get a popup like this:
- Once you see this popup, you can take comfort in knowing that an HTTPS proxy service (if you’ve got it installed) will help keep your stuff safe, as long as you’re visiting one of the sites that it has code/rules for.
- If you’re not using HTTPS Everywhere, it’s an easy enough program to use. Again, it’s a Firefox browser plugin, so you’ll have to be using Firefox.
- Head on over to the Electronic Frontier Foundation’s site at http://www.eff.org/https-everywhere.
- Click on the big blue install button.
- Click on Install now, restart Firefox and it’s ready to run.
Whenever you visit any of the sites that you would have previously been vulnerable on, HTTPS Everywhere will help keep your sessions secure. This will render Firesheep useless for gaining your information.
Again, this will only work with sites that they have listed within the application, so make sure before you visit a site and think you’re secure, you check to see if it’s listed within the application.
You are able to choose which ruleset you’d like to enable, but I suggest keeping them all turned on unless it’s causing issues. Most of the sites that you’re likely to visit will have a rule available for it. The sites that have rules are:
Amazon, Dropbox, Facebook, Google Search, Mail.com, Twitter, Gentoo, Washington Post, NYTimes, bit.ly, Mozilla, Microsoft, WordPress.com, Cisco and others.
You are also able to write your own rulesets to add support for sites that aren’t listed.
Let’s take a look at creating a ruleset.
The rulesets that are used are XML files. An XML file is a way to mark data within a file so that it can be sorted more easily and be formatted within a database for use. Sort of like tagging different columns within an Excel file.
There are several things that you need to ‘tag’.
• Ruleset name
• Target
• Rule form
The target is the domain or domains that the ruleset should be applied to. This target can also contain wildcards so that it encompasses all portions of a website, like *.google.com or *.microsoft.com or microsoft.com/*.
The rule part is actually what does the work. It will take the http portion of the domain name and force it to https. It’s simple enough and works quite well.
Here’s an example using Wikipedia:
- Open a new text file
- Enter the information into the file
<target host="*.wikipedia.org" />
- Save the file as a .xml file instead of a .txt file in your profile directory.
- That’s it.
- Restart Firefox and you’re good to go.
- A more thorough walkthrough of creating a ruleset can be found at the EFF rulesets page:
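The following is an added example, not code from the original article or from the EFF: a small checker that loads a ruleset and shows which URLs it would upgrade and which it would leave on plain HTTP. The `<rule>` line is constructed for illustration, using the `from`/`to` attributes of the HTTPS Everywhere ruleset format, and the wildcard matching is approximated with Python's `fnmatch`.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed ruleset for illustration; the article shows only the <target> line.
RULESET_XML = r"""
<ruleset name="Wikipedia (example)">
  <target host="*.wikipedia.org" />
  <rule from="^http://([^/:@]+)\.wikipedia\.org/" to="https://$1.wikipedia.org/" />
</ruleset>
"""

def load_ruleset(xml_text):
    """Parse a ruleset and reject ones that cannot upgrade anything."""
    root = ET.fromstring(xml_text)
    if root.tag != "ruleset" or not root.get("name"):
        raise ValueError("expected a <ruleset name=...> root element")
    targets = [t.get("host", "").lower() for t in root.findall("target")]
    rules = []
    for r in root.findall("rule"):
        src, dst = r.get("from"), r.get("to")
        if not src or not dst or not dst.startswith("https:"):
            raise ValueError("each <rule> needs from= and an https: to=")
        # JavaScript-style $1 backreferences become Python's \g<1>
        rules.append((re.compile(src), re.sub(r"\$(\d)", r"\\g<\1>", dst)))
    if not targets or not rules:
        raise ValueError("ruleset needs at least one <target> and one <rule>")
    return root.get("name"), targets, rules

def rewrite(url, targets, rules):
    """Return the URL the first matching rule produces, else the URL unchanged."""
    host = (urlsplit(url).hostname or "").lower()
    if not any(fnmatchcase(host, t) for t in targets):
        return url  # host not covered by any target: request stays as it was
    for pattern, repl in rules:
        new_url, n = pattern.subn(repl, url, count=1)
        if n:
            return new_url
    return url

def coverage(urls, xml_text=RULESET_XML):
    """Map each URL to what the ruleset would turn it into."""
    _, targets, rules = load_ruleset(xml_text)
    return {u: rewrite(u, targets, rules) for u in urls}

if __name__ == "__main__":
    samples = ["http://en.wikipedia.org/wiki/HTTPS", "http://wikipedia.org/"]
    for before, after in coverage(samples).items():
        print("secured" if after.startswith("https://") else "STILL HTTP", before, "->", after)
```

The bare `wikipedia.org` host is left on HTTP because `*.wikipedia.org` only covers subdomains; a ruleset that should cover both needs a second `<target>` line and a rule that matches it.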
If you’re not sure where to find your Firefox Profile folder, it’s simple enough to find:
- Open Firefox, click on the Help menu. Select Troubleshooting Information.
- When the page opens, you will be presented with a decent amount of information. One piece is a link that will open the Profile Directory for you.
The way that HTTPS Everywhere works is similar to having a .hosts file within your system configuration files that translates one set of internet addresses into another one. I haven’t been able to fully test this, but it should also work for a quick down and dirty answer if you’re not using Firefox.
I know this one is a pretty simple article and fairly short overall, but it’s a simple answer to a complex problem.
Was this helpful? Would you like additional information or have additional questions on this? Let me know in the comments.
Information Security Correspondent
Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.