Git-Mirrors
/
into-the-crypt
mirror of https://0xacab.org/optout/into-the-crypt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Elaboration on coalmine canaries / Styolemetry additions

This commit is contained in:
arcanedev 2023-01-29 22:41:23 +00:00
parent d2edb459b0
commit d7b9e628e3
No known key found for this signature in database
GPG Key ID: 13BA4BD4C14170C0
1 changed files with 84 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
README.md
View File

@ -34,7 +34,7 @@
- [Minimize Architecture](#minimize-architecture)
- [Automated Shutdown Procedures](#automated-shutdown-procedures)
- [Dead Man's Switch](#dead-mans-switch)
- [Silent Canary](#silent-canary)
- [Canary in the Coalmine](#canary-in-the-coalmine)
- [Play on Resources](#play-on-resources)
- [Radio Transmitters](#radio-transmitters)
- [EMF Shielding](#emf-shielding)
@ -438,11 +438,11 @@ While some of these proposed methods may be unconventional, these are unconventi
### Dead Man's Switch
A Dead Man's switch is a mechanism that automatically triggers a specific action (such as shutting down a system or wiping data) if a certain condition is not met (such as the user not interacting with the system within a certain period of time). In the context of protecting journalists, a Dead Man's switch can be used to ensure that sensitive information is not compromised if a journalist's device is seized or if they are under duress.
For example, a journalist could configure a Dead Man's switch to wipe the memory of their device if it has not been used for a certain period of time, or if a specific button is not pressed at regular intervals. This would ensure that any sensitive information that is stored on the device is not accessible to unauthorized parties.
For example, a journalist could configure a dead man's switch to wipe the memory of their device if it has not been used for a certain period of time, or if a specific button is not pressed at regular intervals. This would ensure that any sensitive information that is stored on the device is not accessible to unauthorized parties.
There are various ways to implement a Dead Man's switch, such as using USB devices, system events, or panic buttons. A physical wired dead man's switch reduces attack surface and intricacy, however remote switches can also be used to propagate a panic signal to all nodes on a network. This can be useful in situations where multiple journalists are working together and need to quickly destroy sensitive information if their operation is compromised.
There are various ways to implement a dead man's switch, such as using USB devices, system events, or panic buttons. A physical wired dead man's switch reduces attack surface and intricacy, however remote switches can also be used to propagate a panic signal to all nodes on a network. This can be useful in situations where multiple journalists are working together and need to quickly destroy sensitive information if their operation is compromised.
Implementing a panic signal to invoke a Dead Man's switch can involve several steps, depending on the specific requirements and the systems involved. Here is a general overview of the process, with some references that provide more detailed information:
Implementing a panic signal to invoke a dead man's switch can involve several steps, depending on the specific requirements and the systems involved. Here is a general overview of the process, with some references that provide more detailed information:
1. Define the panic signal: The first step is to define the panic signal that will trigger the Dead Man's switch. This can be a button, a keyboard shortcut, a voice command, or any other type of signal that can be captured by the system.
2. Capture the panic signal: The next step is to capture the panic signal and convert it into a system event that can be handled by the Dead Man's switch. This can be done using various methods such as using keyboard hooks, USB device monitoring, or voice recognition.
3. Create a script or program to handle the panic signal: Once the panic signal is captured, you need to create a script or program that can handle the panic signal and invoke the Dead Man's switch. This script or program should be able to run on the target system and be able to interact with the system's resources.
@ -453,7 +453,86 @@ Implementing a panic signal to invoke a Dead Man's switch can involve several st
There are USB devices known as "Mouse Jigglers" that are used by forensic teams after device seizure. These jigglers are serial devices plugged in to interface with the system to keep the screenlock from being invoked. There are easy preventative software-based solutions such as USBCTL[^45] that can prevent these devices for operating, however this will likely be picked up on and human mouse jigglers can take their place. Ideally a process can be utilized to detect such a device and invoke a shutdown process. A mitigation for the human mouse jigglers could be implementing forced authentication every half hour to an hour. If the credentials have not been entered, the user session could be terminated, memory could be cleared, or the shutdown command could even be invoked.
Remote switches are interesting devils, and their utility should be placed under high consideration if the size of the operation warrants it. Panic buttons such as Centry.py can be used to broadcast or propagate a panic signal to all nodes on the network.
Despite what triggers the dead man's switch, if the operation falls under a life or death category, one should consider implementing this safeguard.
## Canary in the Coalmine
The term "canary" originates from the practice of coal miners in the 19th century who would take canaries into the mines with them. Canaries are particularly sensitive to toxic gases, such as carbon monoxide, that might be present in the mines. If the canary stopped singing or died, the miners would know that the air quality was dangerous and would evacuate the mine.
In a similar manner, the concept of a "canary" in modern computing and information security refers to a warning mechanism that can detect unauthorized access or tampering of systems, data, or information. The idea is that a canary will give a warning sign if something is wrong, just as the canary in the mine would give a warning sign of toxic gas.
Canaries have been used in a variety of contexts in information security:
1. Legal Canaries: Legal canaries are statements made by a company or organization that they have not received any legal orders, such as a subpoena, to disclose information about their users or activities.
2. Service Canaries: Service canaries are statements made by a company or organization indicating the status of their services or systems. They can be used to detect unauthorized access or tampering, as well as to provide real-time information about the availability of services.
3. Technical Canaries: Technical canaries are systems or tools used to detect unauthorized access or tampering of a network, computer system, or data. Examples include intrusion detection systems, honeypots, and honey tokens.
4. Cryptographic Canaries: Cryptographic canaries are digital signatures that are used to verify the authenticity and integrity of data or information. They can be used to detect unauthorized modification of information, such as in the case of a [poisoned-document](#document-poisoning).
5. Media Canaries: Media canaries are statements made by journalists or media organizations indicating the status of their media operations. They can be used to detect censorship, tampering, or other attempts to control the flow of information.
### Canary Statement
One way a journalist could use a canary is by publishing a "canary statement" on their website or social media accounts. This statement would contain information that would be unlikely to change, such as the journalist's phone number or a specific phrase that they use frequently. If the journalist is later arrested or otherwise prevented from publishing, they can have a trusted contact check to see if the canary statement is still present. If it is not, it would indicate that the journalist's website or social media accounts have been compromised, and that any information published on them should not be trusted.
There can be canaries that are cryptographically signed simply stating that no legal subpoenas have been issued. More advanced uses, such as Kicksecure's canary, can include raw query output displaying the current block of a public ledger of say Bitcoin, along with performing curl requests to determine recently posted articles from various news organizations. These canaries are often cryptographically signed to ensure that they have not been tampered with. See the following example:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
No warrants or subpeonas issued.
user@host:~$ date -R -u
Sun, 29 Jan 2023 20:37:38 +0000
user@host:~$ curl --silent --fail --proto =https --tlsv1.3 https://blockchain.info/q/getblockcount
774230
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEEuHeLXAbPjV5p5NTrE7pL1MFBcMAFAmPW2XdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEI4
Nzc4QjVDMDZDRjhENUU2OUU0RDRFQjEzQkE0QkQ0QzE0MTcwQzAACgkQE7pL1MFB
cMCP+A//RZHEq6SAeldb3QNdhpbUAanliAg7kP3kZxW8anhtcw4WPygJ5M360oMU
+3DY79uD8BIxPcNCZrs728Vm9Ns3UZGzzb9cbnzky2udEFo4OVaVy5esC4jm9E7L
TKI6ZjuGKpMwrDIRSpTdqQbz1u06XUmtW2Y/5/ZC4V0MIMXvVZ1UUV/c0LxwicL8
5vsPIzIhsOvGTY8u90+C4sFscWEMM9O4AW2izIMNNX/UErO4yVXRKthNYNkT1uOe
p2DorwaHAWt1WkMomy2/ywfvSgHVX1nwAvEv1nVhrSEjbeO0WiYNDpXn8W9U95o9
vWuzJQWR/0sk1+ifE7i56NoCktzomqhFHDZ0/WND2nyM0rCBABns6F3mCzSOodk/
q70TeY/hyWTBUJ7F88gZHnVExfnngvIoPe3ekFcGJVsoFc13qBCbZrHhWIEHNE2q
8OEEyteU334V+7pQ+cIEpxso9lfCwACcnBbaa2wvFuI1z6g8M70iOkT/13B+jOv6
AmGlhcwiS57UPmPnQAYA7je8ZACxIFlxMp/gWFCHQ03Ql9StrBgK5kD0kfNVIPaX
ZKgeW/TZy6xx/KQkKYLBCdu6oCzMsBH857d3P5lO+T1MJuqRe8RFDRvqAg2ZE4VT
9a9WWWwbMjEsscgoaggOENXlv/FrihTDV8udRQqtVZAWWUKB8kg=
=gtgh
-----END PGP SIGNATURE-----
```
See the following examples of a public-facing canary:
Qubes Canary Template: https://github.com/QubesOS/qubes-secpack/blob/master/canaries/canary-template.txt
Kicksecure Canary: https://download.whonix.org/developer-meta-files/canary/canary.txt
### Cryptographic Canary with an IDS
There are many setups one could configure to use with an Intrusion Detection System (IDS). I'll provide one example with the use of an open-source tool known as Tripwire.
1. Configure Tripwire: After installing Tripwire, you will need to configure it to monitor the files and systems that you want to protect. This involves defining the files, directories, and systems to be monitored, as well as the parameters for monitoring and alerting. Tripwire provides a comprehensive configuration guide that explains how to set up monitoring and alerting.
2. Create a database of file hashes: Tripwire uses cryptographic hashes to verify the integrity of files. You will need to create a database of file hashes to compare against the files being monitored. To do this, you can use the Tripwire command-line interface to generate a hash of the files and store them in a database.
3. Monitor the files: Once the database of file hashes has been created, Tripwire will start monitoring the files and systems defined in the configuration. If any changes are detected, Tripwire will generate an alert and log the changes in a report.
4. Respond to alerts: When an alert is generated, you should respond by reviewing the log and report generated by Tripwire to determine the nature and extent of the changes. Depending on the severity of the changes, you may need to take action, such as restoring the files from a backup, investigating the cause of the changes, or taking other measures to secure the system.
### Document Poisoning
Another way a journalist could use a canary is by creating a "poisoned" document, which contains hidden markers or fingerprints that can be used to detect if the document has been tampered with. For example, the journalist could include a specific word or phrase in the document that would be unlikely to appear in any other context, or they could use a tool like filemeta to embed hidden metadata in the document.
If the document is later leaked or published, the journalist can check to see if the hidden markers are still present. If they are not, it would indicate that the document has been tampered with, and the journalist can choose not to trust the information it contains.
Here's a simple step-by-step method on how a journalist could set up a poisoned PDF document:
1. Create a PDF document that contains sensitive information, such as leaked documents or information about a source.
2. Install filemeta, which is a command line tool for adding hidden metadata to files.
3. Open a terminal and navigate to the directory where the PDF file is located.
4. Use the filemeta tool to add a hidden marker to the PDF file by running the following command:
`filemeta add -m "hidden marker" my_file.pdf`
> This command will add the text "hidden marker" as metadata to the PDF file, it can be any other text or set of characters.
5. Verify that the hidden marker is present in the PDF file by running the following command:
`filemeta show my_file.pdf`
6. Share or publish the PDF document in a secure manner, making sure that the recipient is aware of the hidden marker and knows how to verify its presence.
7. Periodically check the PDF document to ensure that the hidden marker is still present. If the hidden marker is not present, it would indicate that the document has been tampered with, and the journalist can choose not to trust the information it contains.
As mentioned with many other topics throughout this writing, canaries are not infallible and should not be relied upon solely. They play a part in the security ecosystem that could help determine tampering or interference with documents, services, and infrastructure.
## Play on Resources
Earlier, it was said that these groups have unlimited resources; this is not entirely true. The one resource which they lack is time. While they have infinite funds to allocate towards password and key cracking methods, so long as quantum physics strays behind computing, time is their main constraint. Taking methods from obscurity, the use of non-default encryption algorithms and hashing mechanisms for keys substantially increases the amount of time the analyst must expend on cracking. If the analyst cannot identify the hash function or cipher, they must try all possible options. Even if the correct password is obtained, this becomes useless without the proper cipher. For instance, Veracrypt uses over fifteen combinations of individual encryption algorithms and cascaded/stacked ciphers. Complement this with the five supported hash functions, and we are looking at 75 possible combinations of symmetric ciphers and one-way hash functions. As stated by ElcomSoft,[^46] "Trying all possible combinations is about 175 times slower compared to attacking a single combination of AES+SHA-512."