Some thoughts on BlackSheep and Firesheep

Responding to the hubbub about Firesheep, Julien Sobrier of Zscaler recently released a Firesheep detection tool called BlackSheep.

At first, detecting Firesheep seemed impossible. After all, it listens for unencrypted cookies and there is no way to detect passive listening. It turns out, however, that Firesheep is also an active LAN participant, even when it seems to merely be watching.

To be clear, BlackSheep detects the use of Firesheep, period. It does not protect anything. Think of BlackSheep as someone sitting in a car pointing out that it is nighttime, the headlights are off, the road is icy and the car is speeding. Saying this out loud does not make the passengers safer.

The Idea Behind BlackSheep

Initially, Mike Geide of Zscaler blogged about how someone could detect Firesheep running on another computer on a shared network.

One thing that makes Firesheep sexy is that for the 25 or so websites it's programmed to deal with, it reports the victims name or userid and perhaps even their picture. All this without the Firesheep user actively impersonating the victim at the target website.

Getting this information about the potential identity theft victim, requires Firesheep to connect to the target website. According to Geide

The first thing that Firesheep does after it detects the session cookies for a site of interest is to automatically attempt to connect and scrape the user's account name and avatar to then display in the Firesheep/Firefox side panel. Because Firesheep is running on the same LAN/WLAN you are able to see Firesheep's network transactions the same way it saw yours :)

In other words, if Firesheep wasn't so ambitious, and merely reported that some user was connected to a website of interest, it couldn't be detected until actual impersonation took place.

Geide suggested using fake cookies to create a fake identity for the websites targeted by Firesheep and then passively listening for any attempt to connect as that fake user. Only Firesheep would do such a thing.

In addition, Geide suggested making the target IP address of his fake cookies that of the router rather than the target website (Facebook, Hotmail, Wordpress, etc.). Firesheep listens for cookies by name, not by IP address and this avoids flooding the target sites with garbage.

In the case of Facebook, for example, Firesheep is looking for three cookies named xs, c_user and sid. As soon as Geide sent three fake Facebook cookies, he noticed that "Firesheep immediately attempts to access with the captured (fake) session cookies..."


Shortly after Geide's blog posting, Julien Sobrier released the free BlackSheep extension for Firefox that implements what Geide had suggested.

Much of Sobrier's description of BlackSheep mirrors what Geide initially wrote, but he does add that "BlackSheep is based on the Firesheep source code. It reuses the same network listening back-end and the list of sites and corresponding cookies, etc. This ensures that the fake traffic generated by BlackSheep is what Firesheep is expecting."

He also notes that BlackSheep reports on the IP address of the Firesheep user. However, he offers no useful fallout from knowing the IP address. And, it's hard to think of any.

BlackSheep does not break Firesheep or try to disable it. Another program, which I won't even name, has been released that tries to interfere with Firesheep by flooding the network with garbage. This strikes me as irresponsible. In contrast, BlackSheep is well behaved, sending out just a few packets every five minutes (an interval that can be adjusted).

Interestingly, Sobrier did not say anything about BlackSheep itself being stealthed. Geide had warned in his blog that Firesheep detects the fake cookies that he created and reports on them as an error. Thus, an educated Firesheep user can probably detect BlackSheep, just as BlackSheep is detecting Firesheep.

Windows and Firesheep

I say "probably" because as a Windows user, I can't test this myself. Firesheep and BlackSheep (the system requirements for each are the same) are best done on a Mac.

Before installing either extension, Windows users have to first install WinPcap. No big deal, in and of itself.

However, that's far from sufficient. Many, if not most, Windows WiFi adapters can't enter promiscuous mode, which prevents them from seeing the unencrypted cookies traveling in the air.

I tried Firesheep on two Windows laptops and each failed. On one machine, I then disabled the internal WiFi adapter and switched to a PCMCIA based WiFi adapter. Didn't help. I struck out, oh for three.

According to the FAQ at, this is more the rule rather than the exception.

The WinPcap device driver was developed to work primarily with Ethernet (10/100/1000) adapters. Support for other MACs was added during the development, but Ethernet remains the most tested one.

The recommended solution is AirPcap, an external USB WiFi adapter that starts at $198. For the price of a high end AirPcap adapter, you can almost buy a Macintosh computer.

Again, to be perfectly clear, BlackSheep does not solve the underlying problem of unencrypted cookies being sent back and forth between uneducated users and websites. Sniffer applications other than Firesheep can also see these cookies and BlackSheep does not detect these other apps.

More on Firesheep

Finally, a couple overlooked points about Firesheep.

Although Firesheep requires Firefox, it can snoop on anyone, regardless of their operating system or web browser. The problem or vulnerability that Firesheep exploits is one of unencrypted cookies, which is a website design issue, not a browser issue.

Every article on Firesheep offers suggestions for defending against it. I must have read about a dozen different approaches by now. The best defense, by far, against Firesheep and other sniffing programs is a virtual private network (VPN).

It's striking how few people writing about Firesheep have actual experience using a VPN. It's brutally obvious, at least to me, when a reporter or blogger spends a minute Googling around for VPN providers and just throws a name or two into an article.

The only person I've run across who suggested a VPN and has actually used one extensively is Glenn Fleishman who blogs at Wi-Fi Net News. Interestingly, we both use the same VPN provider, Witopia.

For more about VPNs, see What your mother never told you about VPNs. I also suggest Being Secure on Public Wi-Fi: VPN, Firewalls, File Sharing.

Note: For a good beginner level introduction to cookies and how sessions can be stolen, see Secure Your PC and Website From Firesheep Session Hijacking by Steven Andrés of PCWorld. Nothing like a good analogy.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon