So this is about the Google Toolbar and midget porn. So if you're into either one of those two things, you should stick around. If you're not, well, actually, we're talking about XML and bash and sending some code to Google as well. So, all right, so midget porn, Google Toolbar, XML, bash, Python. If any of those things interest you, then this is the right place.
Okay, so the Google, right? What would we ever do without these guys? What did we do before we had Google? Google Toolbar specifically, what problem does this thing solve for us? So if you're a geek, if you've got a computer in front of you, you probably have a million bookmarks, right? And you have a million at home, you have a million at work, and they're the geek tool. So they're everywhere on the go. So Google Toolbar sure seems like the solution, right? Or as we're going to talk about here, is it really just a tease?
You probably think, or probably like most people, that, of course it's good, right? It's freaking downloaded with Adobe. There's no problem. It just installed, showed in my browser, I can start using it. No big deal, right? So of course it's good. Install is easy. It stores all your bookmarks. You can access them wherever you want, whenever you want. No more lost bookmarks, right? Some days they just start better than others.
So time passes if you're like an ordinary person and you discover things out on the internet or elsewhere, and you bookmark your discoveries and of course now you're happy, right? And if you're like this guy, you may accidentally or on purpose put on your special shirt and have a special night all to yourself. So the specific function of my talk here is to make you aware of some things you may not be aware of, if that is your lifestyle of choice, and what the corporate side of this may look like to you. So the next day of work after your special night, you get in and you log into Google, of course, and use your toolbar with all your handy bookmark links.
Now if you're like most organizations, you probably have a computer security department, and if you're like most organizations, that department probably watches what you do, or at least what they think you're doing, or your computer's doing, and they associate that with you. So they may watch you very closely. They may have web proxies in place, they may have web filtering, they may have web reporting in place. Depending on how much diligence they apply to their web reporting, they may actually let your manager take a look at your usage, and how technically proficient do you really think your manager is in looking at usage and figuring out whether it was you or whether it was your computer or whether it was something else?
So I'm going to tempt fate again and change some screens around and see if we can do, see what happens when we actually access the Google Toolbar. Okay, so hey, this is working finally. Okay. So here we have a Windows box, just a VM on my station, and then we've got our little my box here that's going to be our attacker. So let's show you what I'm going to run. So I'm just going to run a quick little tshark command to grab traffic on this interface that this guy happens to be listening to. And then we're going to go out and access the Google Toolbar. Hopefully you can see some of this stuff. If you can't, anyone really interested, come see me after this and I'll show you in person.
So we're going to log in to Google and the Google Toolbar. I'm going to choose stay signed in. If you watch down here in the bottom, hopefully you can see this. If you're in the back, you're probably going to have some trouble. So move up front because there's lots of spaces. So we're going to go out and access the bookmarks. So here's three bookmarks that I've got for DEF CON, Freaky Midgets, because that's what I like, not really. The research for this, you wouldn't want to be with me when I had to do it. Anyways, and Yahoo, right?
And you don't see any traffic down at the bottom so far. And we also don't have any, in this case, we're looking for favorite icon hits. So we don't have any right now. And as a user, we're going to go, well, what's wrong with that? Maybe, oops. Let's do it again here. Do refresh is what I meant to hit. Refresh, we still don't see anything down the bottom. When you do a third refresh, then you start to see the favorite icon hits down in the browser below. So this is, you haven't actually hit anything for any website yet. And the Google Toolbar is going out on your behalf and retrieving the favorite icons for all the sites in your list, no matter where you have them in your list.
All right. So again, what we saw, I put this in there just in case my demo didn't work. So for every bookmark you've got, the Google Toolbar attempts to hit the favorite icon.gif or favorite icon.url file. Why does it do this? There's an XML structure that we'll look at in just a little bit associated with the bookmarks. See, I told you there was more than midget porn. There's XML. If you look into the XML structure in here, you can see there's an attribute for the favorite icon itself. Whereas down here, in this case, it's a freaking midget favicon.ico file. So the toolbar knows that you got this one at one point in time and it's going to go out there and try to retrieve it for you again.
And at this point in the talk, you're probably saying, well, that's fascinating. Of course, that's what it does. Why is that of any interest at all? So back to the corporate security department that we've got. Remember, they're watching you. So in the case where you have bookmarks at your home that you may not want anyone to know about at your corporate environment, the Google Toolbar is still letting everyone know, just even via the favorite icons. And we'll look at some other ways that'll let people know. All the sites that you've got bookmarked in there.
And I've seen this in investigations, which is what led me to this talk, where you investigate someone and you go, why is this guy looking at porn? It happens every, you know, there's a timed refresh associated with this. It happens every X number of hours. I forget the exact interval. All of a sudden, there's all these favorite icon hits to a variety of porn sites in there. And you go, then, why? So when they say why, what's the next thing they're going to do? They're going to go investigate you.
So let's take a look at what they'll see. So if they have a Blue Coat proxy in place, they may run this little one-liner. I just put this in, in case you didn't know about this and you have a Blue Coat proxy. You can use this to get traffic. And for index.dat files, we won't actually see anything, because it's not the Internet Explorer that generated it. It's the Google Toolbar itself, as you can see in the user agent down here below.
So are there workarounds for this situation? Well, there are some Firefox plugins that seem like they'd be helpful. There's a Places pack from Andy Halford, the SyncPlaces, CheckPlaces, SortPlaces. And they allow you to send bookmarks to different places, package them up, ship them out over HTTP, HTTPS, all that in a variety of formats. And they look like they'd be useful because they seem to solve this favorite icon issue by storing it actually in binary as part of the JSON file. But the gotcha here is that anytime you import bookmarks, especially, I tested this in Firefox, it still does exactly the same thing. It still tries to retrieve all the favorite icons. It's just like the Google Toolbar. So what do you do? Stop looking at porn. Or go back to the good old days when you could carry it around on your floppy disks. Or if you're just determined to have it, you could straighten up the JSON.
You can get it all neat and remove the bookmarks that you may not want someone else to see and then write some scripting to carry it back and forth.
So enough about that. What else can we do with all this information? Well, here's a normal user agent from a browser. You see it's Mozilla 4, IE6, and it even says Google Toolbar 6.4. But let's look at a user agent from the Google Toolbar itself. Google Toolbar 6.4.13211731. It also tells you the exact version of Microsoft Internet Explorer. So obviously once you know a little bit more information, you can start to figure out what vulnerabilities that guy's got on him.
And what else can we do with this? If you can actually get at the XML, I thought to myself, you could do some tag cloud bookmarking if you're just sitting on your coffee shop Wi-Fi and looking at that. So I took some time with Python and created a new tool to see what I could get out of that. So here I've got a bunch of PCAP files. And I'm going to run this tool against those. Actually, let me do it over here. For some reason I have multiple million screens. And so there's this gtoolbar snoop that I wrote that's on the DEF CON CD. And I'll post this as an updated version of it. Actually, I'll post it on my website, ponelabs.com, after the talk.
So you just give the name of a file. In this case, we'll choose a pre-prepared one, just one I captured as I happened to be accessing the bookmarks. And you can tell it what you want to dig out of it. We'll go right for the money here and pull out the XML structure of the bookmarks that happen to be transferred back and forth on that. You can give it other things you want also. There's an email address associated with it. So in this case, you can see I added Defcon18 at ponelabs.com. That's in there. You can just pull out favorite icons. Oops. It's actually icons. I think I would know that. And one more thing you can do with this. Let's say in this case we have one without any bookmarks. So none in there.
It turns out if you can gather the cookies associated with this traffic on there, you can just send those cookies back to Google and they'll cough up the bookmarks associated with it. So I wrote a module for this I called the cookie missile. And if you, in this case, like I showed you, there aren't really any bookmarks in this file, but I do have a cookie. Hopefully this works. Yes. So we get the XML back from Google. So here's a pcap file. I had no bookmarks in it. All I have is cookies and user agent headers; send those back to Google and they cough up the user's bookmarks associated with that. So you can find out what someone's got in their bookmarks. That was the demo.
What else happens to be in here? See if I got some more time. I think I do. There's deleted bookmarks. So let's look at an allocated bookmark. In this case, this is the URL structure for it. If you look at a deleted bookmark structure, it has what I call this special K label because I don't know what else to call it. But the labels are what they give to things for like, if you made a not-safe-for-work folder, they would call that a label. In this case, this bookmark has a special K label assigned to it. And then they also have a favorite icon, timestamps. This is just a Unix, you know, epoch time timestamp. You can throw this into awk or whatever and pull out, you know, just the time when that was actually allocated. So if you're a forensic guy and you want to know when someone last accessed something and pull out their XML, you can just find a cookie, send it up to Google, they'll send you back all the deleted bookmarks and the last time the guy accessed it.
So depending on how you use the Google Toolbar and your work-life home balance habits and your corporate environment, this may be shocking to you. This may be sad and you may have to give up some sites or your use of the Google Toolbar or you may choose to not use the Google Toolbar anymore or you may choose to give up porn. I don't know.
The point of it is to make you aware of some issues with the Google Toolbar, especially the privacy issues associated with it if you weren't aware before, because I can tell you from experience that some people who use it aren't aware and they end up getting themselves in some embarrassing situations over an investigation. So I'll be in the Q&A section if you have anything later. Just get a beer and talk about it if you want. No midgets were harmed in this presentation and enjoy the rest of your time at DEF CON. Thanks.
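Editor's added example, not part of the talk or the speaker's tool: one way an investigator could separate toolbar-generated favicon fetches from real browsing in proxy logs, using the user-agent distinction the talk describes. The log layout, the exact `GoogleToolbar` token spelling, hosts and addresses are constructed assumptions.

```python
import re
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simplified layout (assumption):
# time client method url "user-agent"
SAMPLE_LOG = '''\
09:00:01 10.0.0.5 GET http://www.example.com/index.html "Mozilla/4.0 (compatible; MSIE 6.0; GoogleToolbar 6.4)"
09:00:07 10.0.0.5 GET http://bookmarked-a.example/favicon.ico "GoogleToolbar 6.4 (constructed)"
09:00:07 10.0.0.5 GET http://bookmarked-b.example/favicon.ico "GoogleToolbar 6.4 (constructed)"
09:00:08 10.0.0.5 GET http://www.example.com/favicon.ico "GoogleToolbar 6.4 (constructed)"
09:02:30 10.0.0.9 GET http://bookmarked-a.example/page.html "Mozilla/4.0 (compatible; MSIE 6.0)"
'''

# The toolbar's own requests lead with its token; a browser UA only mentions it.
TOOLBAR_UA = re.compile(r"^google\s?toolbar", re.IGNORECASE)
FAVICON_PATH = re.compile(r"/favicon\.\w+$", re.IGNORECASE)


def classify(log_text):
    """Return (browsed, toolbar): client -> set of hosts for each traffic kind."""
    browsed, toolbar = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = shlex.split(line)  # keeps the quoted user agent as one field
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed layout
        _, client, _, url, agent = parts
        target = urlsplit(url)
        if TOOLBAR_UA.match(agent) and FAVICON_PATH.search(target.path):
            toolbar[client].add(target.hostname)
        else:
            browsed[client].add(target.hostname)
    return browsed, toolbar


def toolbar_only_hosts(log_text):
    """Hosts a client touched only through toolbar favicon refreshes.

    These reflect stored bookmarks, not pages the user opened in this log.
    """
    browsed, toolbar = classify(log_text)
    return {c: sorted(toolbar[c] - browsed[c]) for c in toolbar}


if __name__ == "__main__":
    for client, hosts in toolbar_only_hosts(SAMPLE_LOG).items():
        print(client, "bookmark-refresh only:", ", ".join(hosts))
```
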