Hello, welcome to the Monday, October 22nd, 2018 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

In our diaries, in particular recently, we have usually talked about Windows matter.

Well, a Windows is not the only

operating system out there. There are quite a number of Mac users. So Pascal today wrote a little

bit about how to achieve persistence with Mac matter. Mac users out of its own little startup system and part of this

are launch agents. So Pascal is talking about how they work and how they could possibly be used to

achieve persistence by Malware and then also how to investigate your launch agent.

And if we got an interesting paper from researchers at the University of Hamburg about TLS sessions and how browsers maintain them for fairly long times.

So whenever you connect to a server via TLS, you are creating a TLS session

with a unique session ID. In the past, these session IDs have sometimes been used to actually

track users. This really hasn't worked out too well because the session ID is sometimes shared if a

browser is behind a proxy.

But nevertheless, if you just like to track users, for example, for advertisement purposes

and such, well, a TLS session ID may be good enough.

The tricky part here is that browsers will actually resume

sessions they had established with servers in the past if the browser itself wasn't closed.

These researchers did a very systematic study using something like 40 different browsers and then using the top 1 million

websites from Alexa in order to check how long sessions are maintained. Turns out that pretty much

all browsers maintain sessions, TLS sessions, that is, for at least 30 minutes, and some browsers, most notable, according to

the paper, Firefox and Safari, will even maintain them for 24 hours.

They're also introducing what they're calling a session prolongation attack where a malicious

...