Hello, welcome to the Friday, July 29, 2020 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

I posted a quick diary earlier today, summarizing a research paper, one of the students at our Sands Technology Institute College

published earlier this week.

It actually takes a preliminary observation by Boyan from last year.

It was published as a diary back then.

The issue Boyan noted in last year's diary was that Google Chrome's extension sync

features was used as a cover channel by an extension installed into Google Chrome. Now, the student,

David Preffer, looked into this mechanism and how it can be exploited.

David noticed that even without having control over the browser itself via a plugin or an extension,

it is possible to just manipulate bookmarks and use the same sync channel that this plugin

used.

The cover channel David uncovered is quite capable and actually very

difficult to detect as it uses the normal requests to Google's API to synchronize these

malicious bookmarks. Basically, all he does is he takes any file on the system and then encodes it to work as a bookmark.

There is also quite a bit of bandwidth available here.

David showed that over 200,000 bookmarks actually may be used and the transfer rate is pretty high

and only being throttled after a few 10,000 of bookmarks have been synced.

Take a look at David's paper if you want to learn more about, isn't how to detect this particular

covert channel. David also published a GitHub repository with a tool that he created in order to experiment with this channel.

And maybe we'll have David on a future podcast to talk a little bit more about this work.

And Samba, the open source implementation of the S&B protocol, received a critical update that

you probably want to apply quickly in

...