SquareLemon Blog



stealthier attacks and smarter defending with tls fingerprinting

Posted on May 25, 2015

I am really pleased to announce that I have decided to try my hand at talking at conferences again this year and have a new talk ready “Stealthier Attacks and Smarter Defending with TLS Fingerprinting”. Despite being a talk on TLS (and SSL) there isn’t any complex crypto or mathematics, this is aimed at defenders and attackers rather than cryptographers. Here’s the abstract: Ever been busted because you man in the middle software (which does TLS properly) alerted someone to your bad certificate? [Read More]


mitm in telecoms networks i told you so ... sort of

Posted on March 18, 2015

For anyone that has read this blog before, you will probably know that at the end of 2014 I gave my “Corporation in The Middle” talk at both SecTor and BSides Toronto. In short my ISP (Rogers) used a platform to Man (Corporation) in The Middle my and every other customers connection in order to insert notification banners at the top of pages in certain circumstances, such approaching your bandwidth cap. [Read More]


quick and dirty crapware analysis ids rule creation foo

Posted on March 4, 2015

Recently I have made some brief posts on the Snort/Suricata rules that I wrote to detect SuperFish and PrivDog, two pieces of Crapware/Malware/Adware/PUP that insert themselves as a Certificate Authority in the local browsers and proceed to Man in the Middle HTTPS traffic for the purposes of injecting ads. In those posts I mentioned that CipherSuite fingerprinting was the key to creating the rules, however I didn’t give a very comprehensive technical blow-by-blow. [Read More]


privdog detection

Posted on February 23, 2015

In much the same way as I was able to detect hosts infected with SuperFish by profiling the changes in Cipher Suites used in their SSL connections (by virtue of SuperFish essentially having it’s own SSL client) I have been able to create a fingerprint for PrivDog. For those who are interested, the ciphersuites used by the PrivDog client are: Cipher Suites (44 suites) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039) Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038) Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005) Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009) Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f) Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033) Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032) Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e) Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004) Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f) Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007) Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c) Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002) Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005) Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004) Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a) Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099) Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096) Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015) Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012) Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009) Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014) Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011) Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008) Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c) Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b) Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016) Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013) Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d) Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003) Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) I have updated my Interception Snort Rules to include this. [Read More]


superfish detection

Posted on February 20, 2015

Much has been in the press the past couple of days regarding Superfish, specifically being pre-installed on Lenovo hardware, however the issues discussed are relevant to any device with Superfish installed. It just so happens that Lenovo made the decision to bundle it up in the factory. There are a number of write-ups on the technical nature of this malware/adware, and I won’t attempt to rehash those, they are most likely better than anything that I could contribute anyway. [Read More]


man in the middle reach grows

Posted on February 19, 2015

With all the talk of Lenovo and Superfish in the press, now seems a good time to mention an update which is personal to me on the topic of Man in The Middle attacks. People have asked me how widespread the man in the middle attempts made my by ISP actually are. Well thankfully the manufacturer of the equipment used has put out a press statement around their current “subscriber reach” which you can read in full here. [Read More]


the value of cloud security report

Posted on February 11, 2015

Today my employer, Leviathan Security, released three reports written by James Arlen, Brendan O’Connor and myself on the overarching topic of Cloud Security. I’m pleased to say that they seem to have been well received by the press. ZDNet (twice), IT World Canada & CloudWedge have all picked up on it so far. [Read More]


os x sandbox quickstart

Posted on February 10, 2015

The sandbox feature on OS X is really useful for restricting what applications have access to in more granular and controlled fashion than standard file permissions allow. However writing the initial sandbox profile can be problematic for many users, it’s not always clear what an application needs access to in order to operate in the expected way; there are a number of system files, libraries and such like, that an application quite rightly needs to read. [Read More]


brakeing down security podcast isp man in the middle

Posted on February 9, 2015

I made a return visit to the Brakeing Down Security as a guest to discuss ISPs who Man in The Middle their customers. We discuss my Corporation in The Middle talk from SecTor & BSidesTO. Thanks again to Bryan and Brian for having me! [Read More]


brakeing down security podcast threat modeling

Posted on February 4, 2015

This week I was lucky enough to be a guest on the Brakeing Down Security podcast, the specific episode is available here, or you can subscribe to the podcast here. Thanks to Bryan and Brian for having me :) [Read More]


← Newer Posts
Older Posts →