How To Deanonymize the TOR Network

Episode 307 –

This week on the podcast, we discuss how German law enforcement managed to deanonymize and arrest users on the TOR network. After that, we discuss why the US government is trying to ban Chinese-manufactured car hardware. We then end with a cool research article on chaining open redirect and iframe issues into a 1-click vulnerability that grants attackers access to arbitrary Google Docs files.


Marc Laliberte  0:00  
Hey everyone, welcome back to the 443 security simplified. I'm your host, Marc Laliberte, and joining me today is

Corey Nachreiner  0:06  
Corey exit, no Nachreiner and where all the crap comes out of

Marc Laliberte  0:13  
wow, that is way accurate on today's episode.

Corey Nachreiner  0:17  
Get for self deprecating humor. Immediate confirmation.

Marc Laliberte  0:22  
We will be de-anonymizing the Tor network, or at least discussing the story about how one government managed to do that. We'll then have a chat about banning even more China-based technology, this time in our cars, and we will end with a cool research post on chaining some low severity vulnerabilities into a medium severity vulnerability, in a pretty interesting way. With that, though, let's go ahead and relay our way in. That's a good one.

So last week, there was a really interesting story that kind of, at least on like the InfoSec social media areas that I still follow, which is basically exclusively Reddit at this point, it originally set off alarm bells for folks when this story popped up, because the headlines for this was basically that German law enforcement had de-anonymized the Tor network. So the Tor, go ahead, the Tor network is, you know, the dark web, meaning the application slash system for protected Internet services to both access Dark Web hidden services, as well as just protect normal users' internet browsing to normal internet websites through this ecosystem too. It is

Corey Nachreiner  1:44  
essentially just a peer to peer network, right? So it stands for the onion routing or the onion relay, and it's essentially using peer to peer, but some peers can act as very specialized exit nodes, but I'm oversimplifying it, sure Marc, but by having multiple hops between lots of peers, you know your your actual traffic comes out of exit node that's hopped through all kinds of other peers before it gets there with, of course, cryptography and encryption on top of it, yeah. And I guess it was, was it the US Navy? It was like research us groups that first made it to help get past the Great Firewall of China. It was made as a part of, you know, fight for freedom and open information to to people that may not be maybe receiving censored information online. And it was

Marc Laliberte  2:37  
originally created by the US Naval laboratory, laboratory, I'm not British. Now it is owned by the Tor Project, which is a nonprofit that still gets a lot of funding from the US federal government, but it is technically independent. And let's like real quickly go over how the Tor network works at a high level. It gets more complicated when you talk about accessing what are called hidden services, like Dark Web websites, but if you're just using it to access a regular website to protect your anonymity as you're browsing the internet, it's a little more simple. So the map Corey is showing on the video right now is a map of a whole bunch of different types of relays, or relay nodes, is what it's called. And the goal for the Tor network is so no outside observer, or the destination, like the web server itself, can associate a connection with the original user. So like, if I connect to super illegal website.com, or, let's use a better example, if I'm a journalist in like Saudi Arabia and I'm connecting to a journalist website, I want to protect my identity so I don't get buzz sawed to death by an oppressive government over there.

Corey Nachreiner  3:48  
Or if you're going to unalienable human rights.org from China, you know you might actually get to that site instead of a blank page saying, This doesn't exist here. So

Marc Laliberte  4:01  
it works by having a collection of nodes that are just deployed around the world, run by some organizations, run by individual hobbyists around the world. These nodes could be,

Corey Nachreiner  4:12  
it could be you to the hobbyists. Right? When you set up for a network, you can actually choose to be one of these. I mean, granted, you're going to get a lot of traffic going through your connection, if depending on what you pick. So I think it's more likely that someone that has that is an organization with routing and heavy bandwidth does it, but it could literally be you, if you wanted.

Marc Laliberte  4:33  
And so like Corey, you hinted at, there's actually three different types of nodes that participate in this network. So there's something called the entry guard, which is a protected type of node that's responsible for, your client will build the connection to this one first, and that's how you enter into the network. There's the exit relay, which is where your connection will exit the network and go to whatever actual website you're trying to visit. And then in between those are middle relay nodes, which is basically anything that's used as that hop in between the guard and the exit. If you want to join the Tor network and participate and set up your own node, you can set up a middle relay, as it's called, and you won't have any risk of like illegal traffic exiting your IP address, it's just bandwidth usage. To that point, the exit nodes are the ones where, technically, like any activity that people are sending over the Tor network could exit out of your node. And so it could be journalists getting access to their publication websites, or it could be people doing super illegal stuff, and so you'll need to fight with your ISP. And the Tor Project has, like, I don't know what the right word is, like, template responses you can work with your ISP on for this too, to kind of protect you. But at the end of the day, it's still, I don't know, I'd say it isn't without risk running an exit relay. And

Corey Nachreiner  5:56  
essentially, the exit the exit nodes can be publicly known by IP address. There might be encryption and things that you know, unless you're an ISP, you're not going to see all the traffic where it's going from an exit node. But you can, we know, the world knows what the exit nodes are. So if you can, if you see something going to or from an exit node, you know it could be potentially Tor it is Tor related, and it could be potentially bad or benign. Hard to know. I

Marc Laliberte  6:25  
mean, the reality is, we know every single node on the Tor network, like this map that you're showing on the video is literally every node on the Tor network, yeah, because you need to know their IP address in order to build this relay through them. So what happens when, let's say, you boot up the Tor web browser and you want to go visit the newyorktimes.com to go get news while you're overseas in an oppressive country, your web browser, the Tor web browser, starts by picking a guard relay. And this guard relay, typically, you'll use the same one for like, months in a row until there's an issue with it that causes you to switch to another one, and it will build an encrypted connection to that guard relay. It then tells that guard to build an encrypted connection to a middle relay that it picks randomly for the connection it's building just right then and there. So at this point, that entry guard, it knows both your computer's, your client's IP address, and it knows the middle relay that you're talking to, but nothing else. That middle relay knows the guard that's connecting to it, but it can't see the hop on the other side of the guard. So now that middle relay has no idea what client is connected to it. It just knows the guard it is connected to. Then through that tunnel to that middle relay, the Tor Browser instructs the middle relay to build a connection to the exit relay, or the exit node. So now that middle relay knows it's connected to this guard and this exit, but it has no idea what's going on between that tunnel. The exit only knows the middle relay that's connected to it, but not the guard or the original client. This is actually where, like, the Tor name or idea comes from, because it's basically layers of an onion, layers of encryption that you're peeling off through this tunnel, where one layer only knows the two that are touching it, and nothing else in between it or above it,

Corey Nachreiner  8:14  
and that includes your traffic too, right? So other is technical. Everything passing through other. It knows the guard it's coming through, and it knows the exit it's going to but it doesn't know what the contents are. The only one that might be able to see like the guard has a directly encrypted connection to you, but it doesn't you know it once it passes off to other, it kind of slowly disappears by the its knowledge of where it goes until it gets out the exit so the

Marc Laliberte  8:43  
guard relay, it, in theory, could know like what you're trying to connect to from you as the client. The exit node obviously knows the website you're trying to go to, because it has to actually make that final connection. But nothing in the middle knows both of those details, and neither the guard nor the exit knows the other end of it. And so this is how that anonymity is built, where an outside observer that compromises like one of these endpoints, like a subpoena for the destination web server or the guard or one other one, doesn't have enough information to figure out fully, like who is talking to what on the other end of that tunnel. That's the 10,000 foot level for how the Tor network works. But it's important to understand that compromising one single piece of this isn't enough to really break the anonymity of the Tor network. So this is why it was surprising when that news story came out saying that German law enforcement had arrested and successfully prosecuted a few individuals back in, I think it was 2021 even, is when it actually happened, by de-anonymizing their activity on the Tor network. So the Tor network gets built of around, like 8000 Tor nodes around the world. 2200 of them are actually in Germany itself too. And so in theory, like German law enforcement could issue a subpoena for any of these nodes that exists in Germany and start monitoring like the connections going through it, at least the metadata. They wouldn't have access to the like actual web request, depending on which node they went after. But they could monitor the volume of the traffic, the timing of the traffic going through it. Corey did successfully locate the country of Germany, and so you can see that on the map, at least on the video for this podcast, light blue. So the news article says that German law enforcement focused on this chat service that runs on the Tor network. 
So it's not like accessing a website, it's actually an instant messaging service called Ricochet that uses the Tor network to protect the identity, to protect the IP addresses of people that communicate with each other in this chat app, and that they de-anonymized the participants in this chat app by using something called timing analysis. So to explain that, like, let's picture the extreme example where law enforcement has compromised both the guard relay and the exit relay. So they have visibility into both of those. They could monitor connections coming into the guard relay. They could monitor connections going out of the guard relay. So if they see, like, one megabyte coming into the guard and one megabyte leaving the exit node, they can, with reasonable certainty, assume that, oh, this client that sent one megabyte is actually that one megabyte going to illegalwebsite.com, for example. And just like one single instance of that probably isn't enough to hold up in court. But if you can establish a pattern of this one client we can associate with reasonable certainty, like these connections with them, going to this illegal website on the other end, and build up a pattern of this, that probably can hold up in court, and clearly did, because they were able to prosecute someone in this case. Now that's an extreme example, by the

Corey Nachreiner  11:59  
way, it did require one for the bad actors to go to a place that was known by law enforcement, the chat app. And also, I think, just JavaScript help, I know like one of the things, especially if you get Tor browser, you know people that the Tor organization reminds you that Tor Browser alone or is not enough to protect yourself. The second you allow JavaScript, you're allowing code from a website to run on your client. So everything you've done to anonymize yourself can likely be reversed by JavaScript that might be able to run local code and identify things like your actual IP, or at least the private one, etc, etc,

Marc Laliberte  12:43  
yep. So that example was the extreme one where they would need to know both the guard and the exit relay. And that's probably pretty rare, because, remember, there's 8000 different nodes. Your computer will use the same guard for like months at a time most of the time, but every single like destination you try and go access, it'll set up an entirely separate relay, meaning a separate middle node and a separate exit node to get there. So the chance is hard to determine for law enforcement to get both the guard and the exit for a specific connection between a specific client and a specific destination. That's very difficult without other vulnerabilities or weaknesses somewhere in the process. Yeah. So what the Tor network owners or the Tor Project released in a like a publication after this news story came out, trying to explain what was going on, is they said, first off, none of the details were shared with them. They're having to go based off of just public information and not the specific details from the specific incident, but what they think happened was German law enforcement conducted what's called a guard discovery attack, which let them discover the guard that this criminal, let's say, because they were tried and convicted in court, that they found the guard that the criminal was using, and then they were able to subpoena that guard to start capturing network traffic on the guard, and they presumably already had subpoenaed access to, like, the malicious or the illegal web server that the criminal was connecting to. So like, let's say an example for a guard attack. Let's say law enforcement, they're already monitoring an illegal website, but they don't know which guard they need to go after for the court order to figure out what the client is connecting through. So again, because your Tor browser will always use the same guard for every connection, this is normally fine, because it should, in theory, be impossible to map a user to their guard. 
But what law enforcement can do is, if they also control a website that you regularly visit over the Tor network, or if they can trick you into visiting a site they control through like a phishing attack or something like that, could have the JavaScript. Yeah, exactly. And if the law enforcement owns a number of middle relays somewhere in the middle there, which they can advertise, like a high bandwidth middle relay, to make it more probable that your client will pick that relay to build the actual connection. What they can do is on that website they control, they can use JavaScript like you just suggested, to just make a ton of connections behind the scenes to different destinations that don't exist. So they should all return a 404 response. Now, if law enforcement owns a middle relay, they're not going to be able to see the actual like, 404 does not exist response, but they will know that there will be like a 40 something byte response back.

Corey Nachreiner  15:36  
Response, very likely compared to a normal one,

Marc Laliberte  15:39  
exactly. So each new connection this JavaScript creates will use a new relay. It'll build a new path to the destination, and with enough time, it will eventually make a connection to a middle relay, or that includes a middle relay under law enforcement's control. So if they sit there and monitor and they can correlate their request through JavaScript with, oh, now we see that 44 byte packet come back, maybe do that a few different times to get like, a good assumption that they've mapped that out. Now, because they know the middle relay, they can see okay for that response back, we know it was using this guard to handle the request, and we can assume that it was our client connecting through it, because we have control over the connections they were making. Yeah. So now they know the guard that that client is using, and if that guard exists in Germany, which with 2000 different nodes in there, there's a decent chance it does, and because it's local to that user, there's a decent chance it does. Now they can go get a court order and say, Hey, we have, I don't know what the German equivalent of like probable cause is, but we have probable cause that this user is connecting through this relay. Here's our court order. We want to start monitoring the network traffic that goes through this relay, and they give that to the ISP in front of it, or the data center that hosts it, or whatever. So they still can't see the actual content of the web request going to this, but now they can monitor the actual network traffic going through it, and they can do that timing analysis, where they see a connection come in from this IP address for 10 megabytes, they see it leave the Tor network on the other end and hit the illegal web server, 10 megabytes. Do enough of that over time, and they can build up a correlation that this client is using this illegal website, this user, and they think it's this user, and that's how they most likely de-anonymized these users. 
Then went after their residential IP address ISP, found the actual owner of that, arrested them, tried and convicted them for accessing this pretty gross, illegal content in the case of this story.

Corey Nachreiner  17:44  
To your point, by the way, Tor, on the Tor blog, Marc mentioned they did the blog post basically with their response to how this probably happened, and they agree with that whole Ricochet timing attack is the likely reason. So if you go to Tor's blog page, it's called, Is Tor still safe to use? And you can read, you know, the Tor Project's response to all of this and how they think it happened, as well as what you can maybe do to protect yourself from specifically Ricochet, at least the version. So the point is, yeah, they believe that the criminal in this case was using an old version of Ricochet that's actually been deprecated over time. There is a new, rebooted version of Ricochet called Ricochet-Refresh, which includes some of Tor's protections that they have against guard discovery attacks.

Marc Laliberte  18:32  
So one of those protections is called uses the Vanguard protocol, which was not available in that older version of ricochet, but is in the newer ones and is available in just the normal Tor web browser for traffic. Vanguard at a high level, what it does is it adds two additional relays. They're called Vanguard relays, between the guard and the middle relay, which makes it more difficult to execute one of those guard discovery attacks, more difficult to get that path directly through your relay in a way that lets you de anonymize it, partially because only a very specific, like protected, restricted set of Vanguard nodes can actually be chosen as those. These are basically, like known, good servers that the Tor Project trusts. Maybe they're in regions where they can't be reached by law enforcement. Maybe they're protected in some other way, but it at least makes it more difficult to do one of these guard discovery attacks. Another thing that the Tor Project always talks about, actually went to one other talks, at think it was black or DEFCON this year, about trying to gather metrics on the Tor network, which gathering metrics from a private network, seems a little funky, but they were talking about how they can get those metrics in a way that still protects privacy. But one of their talking points was like, one of the best ways to protect traffic on the Tor network is to participate in the Tor network as a user. So either you using

Corey Nachreiner  19:58  
the equity. 5000 nodes, like, if we could double that, that alone is more protection. So that does require more of the normal people, like we talked about earlier, turning on the ability to be one of the relays.

Marc Laliberte  20:12  
The more legitimate, non malicious, non compromised nodes out there, the more or the less likely a relay will be built with one of those nefarious or compromised nodes. Also the more users there are, just in general, the more difficult it is to do traffic analysis on those connections. And again, we're talking about this in the context of a story of people that were doing illegal, gross stuff using the Tor network. But at the same time, this network does protect legitimate and like noble causes around the world too, and

Corey Nachreiner  20:44  
that's one of those. Are nine networks that can be used for bad or good, yep.

Marc Laliberte  20:50  
And so there is a good reason to protect Tor traffic, at least in my opinion, I understand some people maybe take a hard line approach of, if it can be used for bad, it shouldn't be used at all. But my opinion is there are legitimate, good uses for the Tor network, for journalism, for protecting the United States own morals around the world, that I think it is a network I should protect. And

Corey Nachreiner  21:13  
the other thing to point out is, in this case, it's the authorities trying to do this de-anonymization, but that means bad actors and other nations can do the same, and it means criminals might be able to do the same. So not only does Tor have good uses, but bad people can try to de-anonymize good Tor users too. So it's just in everyone's benefit to allow it to protect people's anonymity online. So

Marc Laliberte  21:41  
my main takeaway from this whole story, though, was, yes, it is possible, in some cases, to de-anonymize the Tor network, if you are using outdated versions of applications, if you are in a region that has a high concentration of Tor nodes that could be law enforcement friendly. But there's a lot of ifs that go into this where, in general, the Tor network is still safe to use,

Corey Nachreiner  22:03  
and a lot of the ifs were you ending up going to a known place, in this case, using the Ricochet chat, of maybe even an old version, for someone to catch you. And by that, I mean these authorities probably understood the tools, tactics and procedures of, in this case, you know, pedophiles or whatever, and they knew they used a particular chat network to communicate. They probably knew a board, because anyone on Tor could have found out this, and they found a vulnerability specifically so. So what I'm getting at is the other thing is, if you're doing something bad at a known like location on Tor, that's where they're gonna catch you too. So, you know, if you're using Tor for good, you're probably not going to these known bad places that law enforcement is specifically trying to de-anonymize whoever's going there. And in this case, they needed that vulnerability to exist in Ricochet to figure out who you were. Yep,

Marc Laliberte  23:02  
don't do bad stuff. Let's give the guidance for people that are using Tor for good. And so if you are using Tor for good, like practice good operational security, keep your Tor browser or Ricochet applications updated. Don't use JavaScript. That is one of the enabled ways to de-anonymize someone? Yes, that's

Corey Nachreiner  23:21  
hard, by the way, you're gonna, if you go to a normal Forum website or whatever, things won't work. But just remember, enabling JavaScript is one of the first ways to lose some anonymity, at least for the site you're visiting. And we

Marc Laliberte  23:35  
didn't discuss it, and probably won't go into details on it in this episode, but most of the like, let's say legitimate services you might try and access, like, let's say, again, you are a journalist and you're trying to get to the Washington Post, for example, most of these have hidden services, meaning a dark web version of their site that doesn't have JavaScript, that is exclusively on the dark web. It never exits into the clear web, onto the other legitimate website. So, like, there are ways to use it securely that will better protect or reduce the risk of you being exposed for using those services. But it was an interesting story. It definitely had a bit of like fear factor from the start, but at the end of the day, it's basic operational security, and you can probably continue using Tor. That said, like one last hot take, Corey, what do you think the chances are that, like nation state governments, like the US, are just collecting all Tor traffic, so that when we invent quantum computers, they can break all the where everyone is going, I

Corey Nachreiner  24:33  
would not be surprised, maybe not all, maybe not all, literally, but maybe some people, or maybe some exit nodes where they at least have enough data of where the users are going that they want to like, Yeah, I bet you for certain IP destinations from exit nodes, they are collecting all the traffic to that destination in hopes that one day it will be decryptable.

Marc Laliberte  24:56  
Maybe as soon as we get the US government quantum computer, we're going to see a wave of arrests for people. What is

Corey Nachreiner  25:03  
single statutation of like, how long there is, I forget, in the Union statute of limitations, so will they crack it in time that they can still prosecute?

Marc Laliberte  25:13  
I in some of these cases, like, you know, child sex abuse material, like you mentioned, the story was about, I'm hoping there isn't one, and they can get them after the fact, no matter what, but I don't know. Maybe if you're just buying drugs on the dark web, you're actually safe. Maybe it will take more than seven years for the government to crack quantum and

Corey Nachreiner  25:33  
just avoid doing anything that's illegal, especially something as dangerous and harmful as the horrible stuff we've talked about, you know, that's the stuff giving Tor a bad name, sage

Marc Laliberte  25:44  
advice. So next story, I want to talk about the US Commerce Department just proposed a national security fuel ban on Chinese and Russian made automobile hardware, specifically hardware that can connect to the outside world, so like Bluetooth interfaces or satellite modules or driverless systems in automobiles. So they pointed to evidence that China has already been pre-positioning malware in critical infrastructure around the United States in preparation for future sabotage. They pointed to evidence from like the FBI and their investigations into like China-based probing into our other critical infrastructure areas,

Corey Nachreiner  26:28  
pipelines, water, grid, etc, exactly.

Marc Laliberte  26:32  
And then they pointed to just the risk from automobiles specifically, where cars exist for a long time. Like if you buy a car, maybe you don't own it for, like, 10 years, 12 years, but that car will be owned by other people for 10, 15 years or so. And so if a hostile foreign country was able to, let's say, implant malware in one of these devices, or set up a back door in one of these systems, that could exist for a long enough time that, God forbid, if we did go to war with that hostile foreign country, they could potentially activate that implant or backdoor and disrupt our transportation industry in this case, and

Corey Nachreiner  27:16  
this might, people might think this sounds crazy, But I think we have a non cyber perfect example of that in pagers. I mean, we can't forget that that many countries are intercepting ship. I mean, it's not as dystopian sci fi as it sounds, right? I mean, they intercepted shipments heavy

Marc Laliberte  27:37  
eyes about tainted products and services.

Corey Nachreiner  27:40  
Yeah, I'm fortunate, and honestly, I don't know if I love that one, because while I'm no fan of Hezbollah, I feel like there was a lot of collateral damage in that, and that would be the same with private cars. But even US governments, you know, tailored operations, you know one of the code names for an organization, and NSA was known to intercept router delivery to adversarial countries and put implants in them that could be active, you know, five years later, and turned on, or, you know, could be used for espionage. So unfortunately, we do live in a world where I think this is possible, and they've already banned thing, or they're, I think it's going to take a few more years to actually be in effect. But they banned DJI drones. They've banned Huawei routers. They've banned Kaspersky Antivirus. This

Marc Laliberte  28:29  
one's interesting, where there is an actual, like, economic reason to do this too, that they claim is not one of the driving factors. Like there is a genuine risk to the US auto industry right now from Chinese made cars coming in at $10,000 for a pretty fancy self driving, or at least electric vehicle, from China, and then European markets as well. European markets have already seen this. I think there's like 500,000 registered Chinese cars in the European market right now. In the US market, they're already proposing a 100% tariff to try and impact the economics of Chinese cars entering the market. And this could be seen as a, you know, potentially putting your thumb on the scale from an economic perspective as well, not just a national security one, but, you know, that's the devil's advocate side for it. I do think that there is a legitimate national security concern from cars made like this, this type of component, from China and from Russia, nations that we are, you know, for better or worse, actually, honestly, for worse, there's no better for this, at odds with right now, where it makes sense to maybe pump the brakes on some of those coming in. So like, I think there are, like, real concerns from, like, something that could come from one of these nations interfering with it. There's like, even if it isn't like, malicious, even if it's like, like, what the example I'm trying to get to is like, Huawei is one where the US government banned Huawei infrastructure, in, like, our cellular infrastructure and government agencies, not necessarily because there were, like, intentionally placed implants or stuff in there, but because they were just full of holes. And we couldn't prove without reasonable doubt that China didn't intentionally put them in there, or, like, intentionally turn a blind eye to fixing them.

Corey Nachreiner  30:19  
Well, let me give you another example with DJI drones, right? I mean, one of the things with DJI drones is you have to give it a login, and it's delivered as a feature to the user. But any video you record to the DJI drone is uploaded to their cloud. You know, the same transmission that allows the video to go low resolution to your controller, it's putting it on, I think they call it Sky Map, dot, whatever, but it's a DJI on that. Like, they literally are getting telemetry, like, like, actual live maps of everyone flying the drones. So it's the same type of deal. Like, even if the Chinese government doesn't force DJI to do anything with their drone, or to take over a drone or put a bug in it, DJI basically has live, has maps updated of many different places people fly, including the idiots that fly in interesting places they shouldn't, and that all is available. Those up to date maps could be available to China. And the same way we use GP and GPS and satellite imagery to get intelligence, it's a form of intelligence they could use, even if they never weaponized DJI drones. So I get the risk, and the risk is really we don't, we know that the authoritarian Chinese government has forced their way into companies and forced companies to do things. There may not be any evidence of them doing anything with cars yet, but it really is a lot of capability that's in the hands of the potentially Chinese government through these companies.

Marc Laliberte  31:57  
So we, a couple episodes ago, we talked about TP Link, the really popular consumer network equipment vendor, and how they may be wiped out of the US market because of similar security concerns. And I posed the question at the end of that one of like, Where does this end? And it feels like we've got another step now. Where? Now it's automobiles, too. I'm wondering like, what are your thoughts? Corey, do you think we're reaching a place where are we just not going to have any Chinese made electronics at all in the US? I don't think that's possible. We rely on I

Corey Nachreiner  32:30  
think it's untenable. A lot of stuff. I know everyone has a different opinion of globalization or what they think that means, but I actually think as humanity, we need the diversity of a globe, global economic, you know, supply and demand space. It's good for countries to trade with one another. I do think what has to happen, and this is the hard part that I don't know is, you know, the same time we talk about just negligent vendors, how the US can, government can have some sort of easy grading system for how secure a company is that helps with buying decisions. We probably need global standards for that, where third parties can validate that this car part doesn't have a back door or something. So it's a hard problem, Marc. I don't think we, I think it's a slippery slope for countries to keep banning things, because that's you're just going back to an old school way where countries are adversaries against each other. They're not cooperating to make the world a better place, and everyone loses the diversity of food, choice, consumer brands, competition that is actually good for the whole world. We need to figure out how to get the governments out of using normal civilian consumer stuff to fight their wars. So consumer stuff does not belong in a country's war.

Marc Laliberte  33:49  
I don't know if this qualifies as a hot take, but, you know, I actually think I do support now for areas that we've designated as critical infrastructure, for the US, which there are, I think, 18 sectors that we've decided are critical infrastructure. I actually think I do support like technology in those sectors should be US manufactured. We've already designated them. They are critical infrastructure, meaning, if something were to happen to their availability or their integrity, it could have like, actual damages to national security or societal damages in the US, and so maybe we just should reduce the risk of those sectors, and say, technology for them, specifically, just them, needs to be made in the US. And I think that would be a political win. It would make it more expensive. There would need to be government incentives to help make that actually does

Corey Nachreiner  34:36  
a car qualify? Or is that more like parts in a water like in nuclear facilities, energy facilities, etc. I can agree with that. I can agree with that. Yeah, so,

Marc Laliberte  34:49  
I mean, it depends how ambiguous you want to consider the transportation critical sector should is that, just like logistics of like shipping goods around the world. That is important. We need to be able to get food from where it's grown in the US to where it's consumed in the US. Or should that also include personal cars, where, if there's an issue with those, it could cause up the or clog up the transportation system, like I can see, where it does become important. But like you said, it's a slippery slope, and I don't I'm not educated enough to know think

Corey Nachreiner  35:19  
about planes. I mean, even when you bring up transportation, the first thing I think of, okay, forget consumer cars. They're not critical. If a person can't get around for a few days, that's fine. But trucks, planes, shipping containers, that's the critical transportation to everyone eating and getting stuff. But the majority of the planes are Boeing or, why can't I think of it, the European? Yeah, even if US, I like, does that mean countries can't have planes now? Because what would China do about that? I'm sure they have their own plane manufacturer, although I just think it's, I'm not sure if it will work on an economic level, but there's definitely a risk. I absolutely agree, though, that if we should at least focus where is the biggest risk, it's critical infrastructure, for sure. On the flip side, I could go backwards and say, even an off-the-shelf router which doesn't support critical infrastructure can be weaponized in your own country by an external source, and that puts a lot of power when you add up tons and tons of consumer routers. So it really is a crappy issue. I wish, I just wish governments would. I think we need a treaty for this type of cyber war. I think we made a, we made a prediction long ago that there should be a cyber war treaty. And most war treaties basically, the rules of war typically are, leave civilians alone as much as possible. Don't do collateral damage, leave civilians alone. So I just don't think consume. I think governments need to stop backdooring consumer items and limit their warfare to things that we've, I guess it's like, if you have a true adversary, they're never going to agree to the treaty in the first place. But we need to point out what the rules of engagement should be, and collateral damage and targeting civilian stuff just should not be acceptable in any attack. 100%

Marc Laliberte  37:14  
agree. But in reality, if we can't even stop, like, again, Chinese fishing boats from like, going in, pillaging Philippines oceans. Then, like, yeah, I don't think we're gonna. Now we have

Corey Nachreiner  37:27  
one of our allies, you know, doing a physical warfare campaign that's affected many civilians, whatever you think about their true targets. So it's really a touchy area, and it's not, it's not fun that the wars or the world seems to be having more conflicts. So I think this is probably to continue to think about.

Marc Laliberte  37:49  
This is why I'm not in politics, and instead I just take pot shots from my office chair. Here,

Corey Nachreiner  37:56  
easier to be a couch quarterback than actually run into plays. Yep,

Marc Laliberte  38:00  
exactly, too. So either way. Wanna move on to the last story, which is actually pretty fun. This is interesting, quick, so technical. The reason this one stood out to me is I help run our bug bounty program at WatchGuard. We get a lot of vulnerability reports for like open redirects, which are generally considered like low severity security issues, if they're even considered a security issue at all, because, like an open redirect on its own, you need to still have a demonstrable security impact for it just redirecting from one side to another. Yes, it could technically expose someone to, like, a social engineering attack through there, but it is very low risk. And so this story stood out to me, because it actually showed how you could elevate this type of vulnerability into something with quite a bit of a bigger impact. So this starts with a researcher called Lyra that published on their blog last week walking through an exploit chain they found that starts with a Google document, specifically Google Slides, their PowerPoint equivalent, and how they escalated it into earning a $4,000 bounty on this one by gaining control of arbitrary documents with a one click exploit.

Corey Nachreiner  39:10  
So we start with the cat video too.

Marc Laliberte  39:14  
If you look at their blog, like everything about it, they're basically a cat enthusiast slash security researcher. So it starts with them looking at Google Slides, where they found that in Google Slides you can embed a YouTube video in there. And the way it works behind the scenes is Google Slides will take the video ID out of the YouTube embed URL, and use that to construct the like embedded video module and stick it in the Google slide. So all it takes, it discards the YouTube URL, just takes that video ID and it uses it somewhere else. So the researcher thought, okay, is that untrusted input? Like, how could I potentially abuse this to do something, thing that Google Slides doesn't want me to do? First thing they did was they tested a path traversal, so changing it from an actual video ID to just slash, dot, dot slash, to see if they could embed the YouTube homepage in the slides. Turns out that that path traversal technically worked, but YouTube actually has iframe protections that prevent it from being loaded in an iframe somewhere else, which meant they couldn't actually do anything with it. They didn't, they couldn't find a meaningful vulnerability in there, but it was still an interesting topic there. So then they pivoted though, on, okay, could I find an open redirect in here? Now, where, instead of embedding a video, maybe I can redirect the content that would be embedded to another website, either something under my control as an attacker or another Google website to just get it to do something funky that it shouldn't. So they found, for example, on youtube.com there's actually a number of redirect URLs on there, open redirect URLs where one of the parameters in the request path is what YouTube uses to redirect the user to another website. They found, though, on like the youtube.com like main domain, most of those were actually protected. 
Where before YouTube redirects the user from youtube.com to the other URL, it pops up a little window saying, Are you sure that you want to navigate away from YouTube, go to the site or go back to YouTube, and that's a meaningful enough like insertion into the process that it makes it difficult to weaponize that

Corey Nachreiner  41:30  
if you said yes to this, it would be more your fault for running into it. It gives these are a pretty clear opportunity to back out and at least know the URL that they would be going to or the same they

Marc Laliberte  41:42  
noted it would be difficult to convince someone to click through that. Indeed, even if they could, there were still other protections, like X-Frame-Options headers set to same origin, meaning a lot of the interactable content wouldn't work, or you couldn't even load that iframe into there, it would be protected from click jacking, meaning you could capture the click going onto it to make it to do something else. That said, they found that a subdomain of YouTube, specifically www, or even music, or there was like one other in there as well, these subdomains were not protected by a lot of those X-Frame-Options protections or the open redirects. So, long story short, they found that by using accounts dot YouTube or music dot YouTube or www dot YouTube, they could control that redirect and cause the page to load something else. So they found one fun example where they could abuse the redirect on accounts.youtube.com to embed the presentation in itself, and basically create this like infinite Russian nesting doll of the presentation embedded in the presentation. You see

Corey Nachreiner  42:48  
inception, Inception. But

Marc Laliberte  42:52  
even that, it couldn't really be weaponized. It was just a fun little thing. The next thing they looked at, though, was the www subdomain has a sign in endpoint that doesn't prompt the user for accepting that redirect. And so most of the Google pages have protections around being loaded in an iframe. They've got X-Frame-Options headers that prevent that. But they found an old legacy domain and legacy path that was used for the old like G Suite URLs, where they would get loaded in an iframe, actually. And so they found a modified URL where they could load a specific file in there and trigger a share request for it, basically where, if you get tricked into loading this URL with an email address already embedded in there and a file already included in the path, it would automatically load up a prompt to share that specific file with that specific email address. So in Corey video, if it scrolls down just a little bit further, you'll see an example of this, where it's actually the URL that's used in like a sharing email. They could abuse that to prompt up and say, do you want to share this file with researcher or whatever. But that's still kind of an obvious like, if you load up a Google slide and suddenly it goes, do you want to share your secret folder with blah, blah, blah, you're not going to go share that. So that on its own, still isn't enough. So the last thing they did was they abused this, loading it in an iframe, and then used some styling in there to hide everything on that little form except the actual Share button itself, the done button, or I guess send is what it was called. And so they ended up creating a fake form. I think their example was they asked the question of, like, what's the coolest horse? And it's got, like, a unicorn and a pony and some other stuff, and that is what was displayed to the end user. But the actual Send button itself was still the Send for the share form by. 
Behind the scenes, and this is like a classic example of what a click jacking attack looks like, where you trick the user into clicking something they think they're submitting a form saying ponies are their favorite type of horse. In reality, clicking that send isn't submitting the horse form. It's submitting the share request and approving it for whatever that secret file was behind the scenes. So, long story short, through like a chain of open redirects and weaknesses in the X-Frame-Options headers that let interactable forms get loaded in iframes, they were able to create a special Google sheet where, if you sent it to a victim with a file that you wanted to steal from them or steal access to and an email address you wanted to use to share that access, by tricking them into filling out this little what's your favorite horse form, and clicking Send, it would share an arbitrary file with an arbitrary email address just through that one click. So it still requires some user interaction, but because of that click jacking vulnerability, you could mask the interaction, which made this a pretty interesting vulnerability, I thought, and a great example of how you can actually weaponize chains of open redirects and click jacking vulnerabilities into a meaningful attack against someone, and earned them a bit over $4,000. That's pretty cool. Very cool. Yeah, if you want to check out the researcher and their blog, the domain is Lyra dot horse. That's l, y, r, a dot horse as the TLD. They've got a few other interesting research posts on there too, but this one was pretty cool. Good shade showed a good example of taking two low severity issues and turning them into something meaningful. But man, I guess wrapping up this episode. Corey, what do you think we're going to be banning next in the world of cyber security? Smart egg containers. I can pry that out of my cold, dead hands,

Corey Nachreiner  46:58  
the Wi Fi egg things you got for the fridge way back when, when we were looking at really stupid IoT devices they can ban. That is if they want. I don't care. Oh no,

Marc Laliberte  47:08  
I need my smart Japanese

Corey Nachreiner  47:09  
computerized bidet toilets now that will be used to cyber attack us. I don't know. I'm still sad about my drones. I always DJ would just leave my video to me. Well,

Marc Laliberte  47:26  
maybe there will be a nice American alternative for at least a country that we're still friends with. Yeah,

Corey Nachreiner  47:32  
only customer times as much to do half as much. That's

Marc Laliberte  47:36  
the future we're in. Unfortunately. Hey, everyone, thanks again for listening, as always, if you enjoyed today's episode, don't forget to rate review and subscribe. If you have any questions on today's topics or suggestions for future episode topics, you can reach out to us on Instagram or at WatchGuard underscore technologies. Thanks again for listening, and you will hear from us next week.

Corey Nachreiner  47:59  
Callie says, Five stars only, five

Marc Laliberte  48:02  
stars only, and scratch her, please.

Corey Nachreiner  48:06  
She gets all the scratches for every five star we get.