How FireShepherd could live up to its name

November 3rd, 2010 by Strawp

First there was FireSheep. It lets anyone on the same open access point as you capture the HTTP session cookies that a number of popular sites send in the clear, and log in as the people using them. The predictable counterpoint is that someone would come up with “FireShepherd” to protect this poor flock. However, FireShepherd is nowhere near as much fun as FireSheep: all it does is try to crash FireSheep with fake data and hope for the best, while your session info is still being transmitted in the clear.

Ideas for FireShepherd to be more useful/fun:

  1. Have it force SSL connections to all the same sites that FireSheep snoops on, so the session cookie is never sent over the air in the clear. Plugins like Force-TLS do this. It only helps where the site actually serves its logged-in pages over HTTPS and marks its session cookie Secure; otherwise the browser will still attach that cookie to any plain HTTP request it makes to the site.
  2. Have it create bogus logins to sites where the user’s profile pic has been set as goatse, tubgirl etc. When the FireSheep user grabs that user’s session data they will have those lovely pics appear in their stolen sessions list.
  3. (getting crazy here) have it perform a man-in-the-middle attack on the wireless network, replacing the network’s router as the default gateway or DNS server. You can then point people to fake versions of captured websites and feed the FireSheep user whatever you want. Oops, there’s goatse again! Oh, what’s that you just went to? A malware site? Careless FireSheep user!

Anyway, those are some ideas. As Steve Gibson pointed out in the last Security Now, simply switching a network to WPA is enough to protect its users from this attack. If you’re running a café and want to provide free wifi you can make the network password as public as you want: make a poster and stick it above the till. It is unencrypted wifi, not wifi itself, that allows user sessions to be hijacked like this. One caveat: with WPA-PSK every client’s session key is derived from the shared passphrase, so someone who knows the poster password and captures another client’s association handshake can still decrypt that client’s traffic. A public password raises the bar from “anyone in range” to “anyone who bothers to capture the handshake”; only end-to-end TLS closes the gap completely.
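As an added example (not code from the original post, and not FireSheep’s or FireShepherd’s own code), here is the mechanism from the first paragraph and the Secure-cookie half of idea 1 in Python: a per-site table of session cookie names, in the style of FireSheep’s site handlers, is matched against captured plaintext HTTP requests to see which sessions could be stolen, and a Set-Cookie checker reports whether a site’s session cookie would be sent over plain HTTP at all. The site names, cookie names and captured requests are all constructed for the example.

```python
"""FireSheep-style sidejacking check over constructed captures.

Everything below (site names, cookie names, requests) is made up for the
example; it is not FireSheep's handler table.
"""

# Hypothetical handler table: host -> cookie names that together identify a
# logged-in session.  FireSheep ships one of these per supported site.
SESSION_COOKIES = {
    "example-social.test": ("sid", "uid"),
    "example-mail.test": ("auth",),
}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path and lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_cookie_header(value: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def hijackable_sessions(captures):
    """captures: iterable of (scheme, raw_request_bytes) seen on the air.

    On an open access point only the 'http' captures are readable; a TLS
    connection carries the same cookie but the sniffer never sees it.
    Returns (host, stolen_cookies) for every session a FireSheep user could
    load into their own browser.
    """
    found = []
    for scheme, raw in captures:
        if scheme != "http":
            continue  # encrypted: nothing to read
        req = parse_request(raw)
        host = req["headers"].get("host", "").lower()
        wanted = SESSION_COOKIES.get(host)
        if not wanted:
            continue  # no handler for this site
        cookies = parse_cookie_header(req["headers"].get("cookie", ""))
        stolen = {name: cookies[name] for name in wanted if name in cookies}
        if len(stolen) == len(wanted):  # need the full set to replay the session
            found.append((host, stolen))
    return found


def cookie_is_sidejackable(set_cookie: str, session_names) -> bool:
    """True if a Set-Cookie line creates a session cookie without 'Secure'.

    Without the Secure attribute the browser will also attach the cookie to
    plain http:// requests to the site, which is exactly what FireSheep reads.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.lower() for p in parts[1:]}
    return name in session_names and "secure" not in attrs


# Constructed captures: what a sniffer on an open access point might see.
CAPTURES = [
    ("http", b"GET /home HTTP/1.1\r\nHost: example-social.test\r\n"
             b"Cookie: sid=abc123; uid=42; lang=en\r\n\r\n"),
    ("http", b"GET /inbox HTTP/1.1\r\nHost: example-mail.test\r\n"
             b"Cookie: lang=en\r\n\r\n"),                       # not logged in
    ("https", b"GET /inbox HTTP/1.1\r\nHost: example-mail.test\r\n"
              b"Cookie: auth=zzz\r\n\r\n"),                     # TLS: unreadable
    ("http", b"GET / HTTP/1.1\r\nHost: unrelated.test\r\n"
             b"Cookie: sid=nope\r\n\r\n"),                      # no handler
]

if __name__ == "__main__":
    for host, cookies in hijackable_sessions(CAPTURES):
        print(f"stolen session on {host}: {cookies}")
    print(cookie_is_sidejackable("sid=abc123; Path=/; HttpOnly", ("sid",)))
    print(cookie_is_sidejackable("sid=abc123; Path=/; Secure; HttpOnly", ("sid",)))
```

Only the first capture yields a session: the second has no session cookie, the third is inside TLS, and the fourth is a site with no handler. The two Set-Cookie checks show the server-side fix idea 1 depends on: the same cookie with and without Secure.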

2 Responses to “How FireShepherd could live up to its name”

  1. Ewan Marshall Says:

    Session cookie hijacking through MITM attacks has been around for about as long as HTTP has had cookie support, a well known attack. All FireSheep is, is a nice extension to make it easy to do from within Firefox.

    As such, the old adage applies: if it’s not end to end encrypted then there is an attack point somewhere, whether it’s on the ISP’s border gateway router or one’s home LAN.

  2. Ewan Marshall Says:

    Oh, did I mention if the cookies are susceptible to intercept, most likely so are the username and password.