Re: [Full-disclosure] blocking Google Desktop



First, I made a mistake in the version number. The current/new one is version 3 (the one that uploads your data to Google)

I've been experimenting with Snort sigs to detect this.

Google Desktop uses a unique user-agent (I got a tip about this from another user at full-disclosure -- thanks Charles!) :

User-Agent: Mozilla/4.0 (compatible; Google Desktop)

So here is a snort sig for that ...

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg: "BLEEDING-EDGE Google Desktop User-Agent Detected"; flow: to_server,established; content:"User-Agent\: Mozilla/4.0 (compatible\; Google Desktop)"; nocase; classtype: policy-violation; sid: 3000001; rev:1; )

That sig would at least let you know who's using it, but blocking that traffic wouldn't do anything except prevent the RSS feeds (news, weather, etc) from loading.

Now, for the file-specific stuff, since that's all done over SSL to google.com :

Upon examining the SSL/TLS session setup, I wrote this one to flag the certificate Google is using (from Thwarte). This will probably change when they change/renew their certificates.

alert tcp $EXTERNAL_NET 443 -> $HOME_NET 1024:65535 (msg: "BLEEDING-EDGE Google SSL key exchange"; flow: from_server,established; content:"|30 36 30 36 30 37 32 32 31 32 35 34 5A 30 68 31|"; rawbytes; content:"|77 77 77 2E 67 6F 6F 67 6C 65 2E 63 6F 6D|"; rawbytes; classtype:policy-violation; sid: 3000002; rev:1; )

Note that this also flags logons to gmail.

The fetches with the "Google Desktop" user-agent happen first when the application is started -- then you get the SSL setup for any new data to be uploaded to Google's servers.

Unfortunately, the dynamic/activate stuff in snort dosen't let you do an "alert" action after an activate -- because it's designed to just dump the next (n) packets. If there was a good way to chain the two rules together -- to say "after seeing 1, do REACT on #2" you could reliably kill any SSL/TLS sessions from somebody running Google Desktop, thus preventing the upload of anything.

Thoughts?

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • Re: Ansermet Stravinsky Disc 8 0f 8
    ... "This account has been banned because it violated the Google ... I hope this won't be putting an end to some of the great uploads we've ... Everybody's a fuckin' expert ...
    (rec.music.classical.recordings)
  • Re: (Semi-OT) As Google buys Youtube
    ... How many large companies does Google want to ... intellectual property in a manner that benefits both them and Google. ... So, they will ban all uploads of Comedy Central shows, ... given CC wants people to go to their web site to view those clips? ...
    (rec.arts.anime.misc)
  • Re: Ansermet Stravinsky Diusc 8 0f 8
    ... "This account has been banned because it violated the Google ... I hope this won't be putting an end to some of the great uploads we've ...
    (rec.music.classical.recordings)
  • Re: Apache and home directories (file browser).
    ... Please be aware that allowing uploads through php is quite insecure. ... security info on uploads through php. ...
    (freebsd-isp)
  • Google Desktop for Mac
    ... Google Desktop for Mac ... MacEng team: Google Desktop for Mac. ... you also get the new Google Updater. ...
    (comp.sys.mac.system)