SquareLemon Blog



quick and dirty crapware analysis ids rule creation foo

Recently I have made some brief posts on the Snort/Suricata rules that I wrote to detect SuperFish and PrivDog, two pieces of Crapware/Malware/Adware/PUP that insert themselves as a Certificate Authority in the local browsers and proceed to Man in the Middle HTTPS traffic for the purposes of injecting ads. In those posts I mentioned that cipher suite fingerprinting was the key to creating the rules, however I didn’t give a very comprehensive technical blow-by-blow.


privdog detection

In much the same way as I was able to detect hosts infected with SuperFish by profiling the changes in Cipher Suites used in their SSL connections (by virtue of SuperFish essentially having its own SSL client) I have been able to create a fingerprint for PrivDog. For those who are interested, the cipher suites used by the PrivDog client are:

Cipher Suites (44 suites)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)
Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

I have updated my Interception Snort Rules to include this.
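Added example, serving both the rule-creation post and the PrivDog post above. This is not the author's Snort rule and not code from the blog: it is a Python sketch of the cipher suite fingerprinting those posts describe. It pulls the cipher_suites vector out of a TLS ClientHello record, digests the ordered list, compares it with the 44-suite PrivDog list quoted above, and renders that same list as the hex content string a Snort/Suricata rule would match on. The ClientHello it inspects is constructed inside the block (fixed random, no extensions), and the function names and the choice of SHA-256 for the digest are assumptions of this example, not anything from the posts.

```python
"""Cipher-suite fingerprinting of a TLS ClientHello.

Added example: parse the cipher_suites vector out of a ClientHello record,
fingerprint the ordered list, and compare it with the PrivDog list from the
post above. The sample ClientHello is constructed here, not captured.
"""
import hashlib
import struct

# The 44 suites quoted in the PrivDog post, in the order the client offers them.
PRIVDOG_SUITES = [
    0xC014, 0xC00A, 0xC022, 0xC021, 0x0039, 0x0038, 0xC00F, 0xC005, 0x0035,
    0xC013, 0xC009, 0xC01F, 0xC01E, 0x0033, 0x0032, 0xC00E, 0xC004, 0x002F,
    0xC011, 0xC007, 0xC00C, 0xC002, 0x0005, 0x0004,
    0x009A, 0x0099, 0x0096,
    0x0015, 0x0012, 0x0009, 0x0014, 0x0011, 0x0008,
    0xC012, 0xC008, 0xC01C, 0xC01B, 0x0016, 0x0013, 0xC00D, 0xC003, 0x000A,
    0x0007, 0x00FF,
]


def suites_to_bytes(suites):
    """Encode a suite list exactly as it appears on the wire (big-endian u16 each)."""
    return b"".join(struct.pack("!H", s) for s in suites)


def parse_client_hello(record):
    """Return the cipher suites offered in a TLS ClientHello record, in wire order.

    Raises ValueError for anything that is not a well-formed ClientHello, so a
    caller can treat 'not a ClientHello' and 'does not match' the same way.
    """
    if len(record) < 5 or record[0] != 0x16:           # record type: handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x01:  # msg type: ClientHello
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 2 + 32                                       # client_version + random
    if off >= len(hello):
        raise ValueError("ClientHello too short")
    off += 1 + hello[off]                              # skip session_id
    if off + 2 > len(hello):
        raise ValueError("ClientHello too short")
    (cs_len,) = struct.unpack("!H", hello[off:off + 2])
    off += 2
    if cs_len % 2 or off + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack("!%dH" % (cs_len // 2), hello[off:off + cs_len]))


def suite_fingerprint(suites):
    """Digest of the ordered suite list. Order is kept: it is part of the client identity."""
    return hashlib.sha256(suites_to_bytes(suites)).hexdigest()


PRIVDOG_FINGERPRINT = suite_fingerprint(PRIVDOG_SUITES)


def is_privdog_hello(record):
    """True if the record is a ClientHello offering exactly the PrivDog suite list."""
    try:
        return suite_fingerprint(parse_client_hello(record)) == PRIVDOG_FINGERPRINT
    except ValueError:
        return False


def snort_content(suites):
    """Render the suite list as the hex content string a Snort/Suricata rule would match."""
    return "|" + " ".join("%02x" % b for b in suites_to_bytes(suites)) + "|"


def build_client_hello(suites, session_id=b"", extensions=b""):
    """Constructed ClientHello (TLS 1.0 record layer, TLS 1.2 client_version) for testing.

    The 32-byte random is fixed so the sample is reproducible; a real client
    draws it from a CSPRNG.
    """
    cs = suites_to_bytes(suites)
    hello = (struct.pack("!H", 0x0303) + bytes(range(32))
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00")                            # one compression method: null
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    sample = build_client_hello(PRIVDOG_SUITES)
    print("PrivDog match:", is_privdog_hello(sample))
    print("content:", snort_content(PRIVDOG_SUITES))
```

Two caveats when turning the content string into a rule. First, the list identifies the TLS library build and configuration that offered it, not PrivDog as such: any other program linked against the same library with the same settings will send the identical 88 bytes, so an alert is a lead to confirm on the host rather than proof. Second, the string should be anchored to the cipher_suites position in the handshake (record type, handshake type, and the offsets above) rather than searched for anywhere in the payload, otherwise an unrelated stream that happens to carry those bytes will fire it.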


superfish detection

Much has been in the press the past couple of days regarding Superfish, specifically being pre-installed on Lenovo hardware, however the issues discussed are relevant to any device with Superfish installed. It just so happens that Lenovo made the decision to bundle it up in the factory. There are a number of write-ups on the technical nature of this malware/adware, and I won’t attempt to rehash those, they are most likely better than anything that I could contribute anyway.


man in the middle reach grows

With all the talk of Lenovo and Superfish in the press, now seems a good time to mention an update which is personal to me on the topic of Man in The Middle attacks. People have asked me how widespread the man in the middle attempts made by my ISP actually are. Well thankfully the manufacturer of the equipment used has put out a press statement around their current “subscriber reach” which you can read in full here.


the value of cloud security report

Today my employer, Leviathan Security, released three reports written by James Arlen, Brendan O’Connor and myself on the overarching topic of Cloud Security. I’m pleased to say that they seem to have been well received by the press. ZDNet (twice), IT World Canada & CloudWedge have all picked up on it so far.


os x sandbox quickstart

The sandbox feature on OS X is really useful for restricting what applications have access to in a more granular and controlled fashion than standard file permissions allow. However, writing the initial sandbox profile can be problematic for many users; it’s not always clear what an application needs access to in order to operate in the expected way. There are a number of system files, libraries and such like that an application quite rightly needs to read.


brakeing down security podcast isp man in the middle

I made a return visit to the Brakeing Down Security podcast as a guest to discuss ISPs who Man in The Middle their customers. We discuss my Corporation in The Middle talk from SecTor & BSidesTO. Thanks again to Bryan and Brian for having me!


brakeing down security podcast threat modeling

This week I was lucky enough to be a guest on the Brakeing Down Security podcast, the specific episode is available here, or you can subscribe to the podcast here. Thanks to Bryan and Brian for having me :)


citm snort rules

Last year I gave my Corporation In The Middle talk in which I explained how my ISP has been man-in-the-middle’ing my connection to inject a warning banner into the top of webpages I visited (talk content here and here). Part of this involved traffic analysis to discover artifacts of the injection process. In an effort to make this process more automated, repeatable and accessible I have put together a few snort rules to allow others to alert on this condition: https://github.com/LeeBrotherston/snort

One rule is commented out as it is noisy and prone to false positives; however, I have included it (disabled) for now, for reference.


mitm at 30,000 feet

In the past week I have seen a few mentions on twitter regarding Gogo Air presenting fake SSL certs for YouTube to users of their in air Internet access service:

hey @Gogo, why are you issuing *.google.com certificates on your planes? pic.twitter.com/UmpIQ2pDaU — Adrienne Porter Felt (@apf) January 2, 2015

No, not OK. @Gogo please justify breaking the Internet for your paying users. Huge privacy connotations! pic.twitter.com/AxZOPEK0oO — Ben Hughes (@benjammingh) January 4, 2015

I started to wonder if they were using the same technique that I had recently been researching and discussing in my Corporation in The Middle talk.

