Detecting Tofsee Malware Communication without False Positives
The Tofsee malware family attempts to evade detection by using a custom encryption protocol. Nonetheless, that protocol can be identified efficiently. This post describes the detector that I developed and implemented in mercury. Why develop a detector for Tofsee, despite the fact that it is neither the newest nor nastiest malware? Because it is still …
Sorting Out Randomized TLS Fingerprints
The Chrome browser recently added a feature that randomizes the order of TLS extensions in an attempt to discourage or impede TLS fingerprinting. Because of this, the fingerprinting techniques used by network defenders and the threat intelligence community need to adapt how they normalize data. Fortunately, there is a simple solution that is quite effective. …
Handling errno in multi-threaded C++ code
In Linux/POSIX/UNIX programs, errors are reported by the operating system and C library with the errno variable. What's the portable and thread-safe way to deal with them in C++? If you are like me, and know Linux better than C++, the answer might not be obvious. But it is simple: throw an std::system_error exception of …
RC4 keystream bias, or parallel processing made easy with for_each/accumulate
RC4 is an obsolete cipher that was widely used just a decade ago, despite the fact that it has an exploitable statistical bias. This post shows how to compute the bias, using the neat modern C++ trick of parallel execution policies for the algorithms library, or for_each(std::execution::par). Complete code is available on GitHub. std::for_each() applies …
Linux on a Framework DIY Edition Laptop
I got a Batch 6 Framework DIY Edition Laptop, to use as a portable Linux machine. I like it a lot; you might too. This post describes my expectations and impressions, the Gnome tweaks I made for usability, plus some benchmarks. The pic shows what's in the box (clockwise from top left): four expansion cards, …
What is Null Hypothesis?
Null Hypothesis is a blog about Cyber Security and Data Science, broadly considered, with an emphasis on Networking and Software. It's written by David McGrew, who has worked in cybersecurity and applied cryptography research, development, and standards for over 25 years. Planned topics include algorithms, programming, crypto (in its proper sense), and open source, and …