Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-04 Thread Karl Auer
On Thu, 2022-08-04 at 18:58 +0200, Uwe Brauer via Gnupg-users wrote:
> How can I find say encrypted files in my home directory?

What an interesting exercise! Got me thinking. I'm a total crypto
ignoramus, so take all this with a grain of salt...

I don't think there is any truly reliable way, but a combination of ent
and a relevant expectation might work. For example, if you run ent on a
.txt file, you do not expect to see high entropy, so you would throw
that file up as suspicious. If you run file on a .jpg file, you expect
to see it identified as a JPEG file, so if it is not, you throw it up
as suspicious. Then you manually check files that your system has
identified as suspicious.

Another way to approach it would be to take hashes of all your files
and store the hashes securely (read-only!). You can then compare a
current hash with the known hash, and if the hash has changed, the file
has changed. This is not that good for frequently changing files, but
frequently changing files that are suddenly encrypted are probably
going to be very obvious.

And a third method would be a "canary" or two. Put some tasty-looking
files in your home directory, and regularly check them for changes. If
they ever unexpectedly change, you know to take action.

Anyway - if you come up with a good method, let us know!

Regards, K.

PS: I remember reading a while ago someone writing that as a
technological society advances, its communications become more and more
like random noise, because they will tend to be encrypted and
compressed. The writer was saying this might be one reason we haven't
found life out there - because we can't tell their transmissions apart
from random noise :-)

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
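The hash-baseline and canary ideas from the message above, written out as an added example in Python; this is not code from the thread or from the GnuPG project. It assumes the baseline is serialised as JSON and kept somewhere the attacker cannot rewrite (here a second temporary directory stands in for read-only storage), and the two bait file names are made up. The sample tree and the simulated overwrite are constructed inline so the script runs offline.

```python
"""Baseline hashes plus canary files for spotting mass-encryption of a tree.

Added example, not from the mailing-list thread. In real use, write the
baseline JSON to storage the attacker cannot modify (a read-only mount,
another host); otherwise it gets rewritten along with the files.
"""
from __future__ import annotations

import hashlib
import json
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 1 << 16
# Assumption: bait names an encryptor walking $HOME would plausibly touch.
CANARY_NAMES = ("passwords.txt", "bank_statements.csv")


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def compare(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against a stored baseline: changed, missing, new."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def plant_canaries(root: Path) -> dict[str, str]:
    """Write bait files with a random nonce so every copy is unique; return their hashes."""
    expected = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_text(f"account,secret\nadmin,{secrets.token_hex(12)}\n")
        expected[name] = sha256_file(p)
    return expected


def check_canaries(root: Path, expected: dict[str, str]) -> list[str]:
    """Names of canaries that are gone or no longer hash to the stored value."""
    tripped = []
    for name, digest in expected.items():
        p = root / name
        if not p.is_file() or sha256_file(p) != digest:
            tripped.append(name)
    return sorted(tripped)


def demo() -> dict:
    """Constructed tree: plant canaries, record a baseline, then simulate an encryptor."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_text("meeting at 10\n")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(64))
        canaries = plant_canaries(root)
        baseline_file = Path(store) / "baseline.json"   # stands in for read-only storage
        baseline_file.write_text(json.dumps(build_baseline(root)))
        # Simulated ransomware pass: two files replaced with ciphertext-like random bytes.
        (root / "docs" / "notes.txt").write_bytes(os.urandom(256))
        (root / "passwords.txt").write_bytes(os.urandom(256))
        report = compare(root, json.loads(baseline_file.read_text()))
        tripped = check_canaries(root, canaries)
    return {"report": report, "tripped": tripped}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it periodically (cron or a systemd timer) against a baseline you refresh deliberately; a long "changed" list of files that do not normally change, or any tripped canary, is the signal to pull the machine off the network before looking closer.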


gpg-agent

2022-08-04 Thread folkert
Hi,

How can I, programmatically, prevent gpg-agent from caching a passphrase?
Or clear its cache?

I tried using:
   err = gpgme_set_ctx_flag(ctx, "no-symkey-cache", "1");

but then when I run my program for the second time, it uses a cached
item.

Using:
libgpgme-dev  1.14.0-1+b2


Thanks



Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-04 Thread Erich Eckner via Gnupg-users


On Thu, 4 Aug 2022, Jan Eden via Gnupg-users wrote:

> Hi,
> 
> I just check for a list of ransomware filename patterns (e.g.
> *.cryptotorlocker*).
> 
> Best regards,
> Jan
> 
> On 2022-08-04 18:58, Uwe Brauer via Gnupg-users wrote:
> 
>> Hi
>> 
>> I apologize for this message that can be a bit off topic.
>> (I am on Ubuntu 16.04)
>> 
>> How can I find, say, encrypted files in my home directory? The idea is to
>> use some magic command together with the find command.
>> I know
>> 
>> 1. The file command will return for example for a gpg encrypted file
>>    file .authinfo.gpg
>>    .authinfo.gpg: PGP RSA encrypted
>> 
>> 2. However for X509 file I obtain
>>    file test.p12
>>    file.p12: data
>> 
>> 3. I could use the ent command which measures the entropy; high
>>    entropy is an indication of encryption (but jpgs also have high
>>    entropy). However I should then study the distribution of each
>>    letter to be sure.
>> 
>> So is there any other way to run find and some other script to find
>> suspicious files? Google is not really helpful
>> 
>> Regards
>> 
>> Uwe Brauer


Hi Uwe,

my first thought would be to look for compressibility (or entropy, as you 
suggested) of files. Encrypted files should look like good randomness, 
thus not compressible. I would then eliminate the false positives (which 
are most likely compressed) by checking their integrity "by protocol" - 
i.e. "convert this jpeg to a bmp -> is the bmp (much) bigger than the 
jpeg?"


regards,
Erich




Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-04 Thread Robert J. Hansen via Gnupg-users

> 3. I could use the ent command which measures the entropy; high
>    entropy is an indication of encryption (but jpgs also have high
>    entropy). However I should then study the distribution of each
>    letter to be sure.


A JPEG *body* has high entropy.  The JPEG *header* has very low entropy. 
 That's a relatively good way to spot container files: you look for a 
low-entropy header followed by high-entropy data.  Zip files, tar.bz2 
files, JPEG files, MPEG, the rest, they're all detectable this way.


However, the output of a straight-up block cipher operating in any 
modern mode (no ECB!) is going to be totally indistinguishable from a 
random number generator for any reasonably-sized file.



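A scanner that combines the heuristics raised in this thread (Uwe's entropy measurement, Karl's check that a file's contents agree with its extension, Erich's compressibility test, and Robert's low-entropy-header followed by high-entropy-body rule for container formats), written as an added example in Python; it is not code from the thread or from the GnuPG project. The small MAGIC table is an assumption standing in for file(1), the thresholds are starting guesses to tune on real data, and the sample files are constructed inline so the script runs offline.

```python
"""Entropy and magic-number triage for a directory tree.

Added example, not from the mailing-list thread. Verdicts beginning with
"suspicious" are the files to look at by hand; everything else is either
recognisably a container (compressed/media) or plain low-entropy data.
"""
from __future__ import annotations

import math
import random
import tempfile
import zlib
from collections import Counter
from pathlib import Path

HEADER_LEN = 256    # bytes treated as the "header"
HIGH_HEADER = 6.5   # bits/byte; 256 uniformly random bytes score about 7.3 (assumed threshold)
HIGH_BODY = 7.5     # bits/byte; random data scores about 7.95 at a few KiB (assumed threshold)
MIN_SIZE = 512      # below this the entropy estimate is too noisy to call

# Assumption: a handful of well-known signatures standing in for file(1).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gz": (b"\x1f\x8b",),
    ".zip": (b"PK\x03\x04",),
    ".pdf": (b"%PDF-",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """len(zlib(data)) / len(data); about 1.0 or above means incompressible."""
    return len(zlib.compress(data, 6)) / max(len(data), 1)


def classify(data: bytes, suffix: str) -> str:
    """Magic check first, then the header/body entropy split, then plain."""
    expected = MAGIC.get(suffix.lower())
    if expected and not any(data.startswith(m) for m in expected):
        return "suspicious: magic mismatch for extension"
    if len(data) < MIN_SIZE:
        return "skipped: too small to judge"
    h_head = shannon_entropy(data[:HEADER_LEN])
    h_body = shannon_entropy(data[HEADER_LEN:])
    if h_head >= HIGH_HEADER and h_body >= HIGH_BODY:
        return f"suspicious: high entropy throughout ({h_head:.2f}/{h_body:.2f}), looks like ciphertext"
    if h_body >= HIGH_BODY:
        return f"container: low-entropy header, high-entropy body ({h_head:.2f}/{h_body:.2f})"
    return f"plain: entropy {h_head:.2f}/{h_body:.2f}, zlib ratio {compression_ratio(data):.2f}"


def scan(root: Path) -> dict[str, str]:
    """Relative path -> verdict for every regular file under root (symlinks skipped)."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            out[str(p.relative_to(root))] = classify(p.read_bytes(), p.suffix)
    return out


def demo() -> dict[str, str]:
    """Constructed sample tree: text, a JPEG-like container, random data, a mislabelled file."""
    rng = random.Random(20220804)   # seeded so the run is reproducible

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00".ljust(HEADER_LEN, b"\x00")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_text("meeting notes: budget review at 10:00\n" * 200)
        (root / "photo.jpg").write_bytes(jpeg_header + rand(4096))   # low header, high body
        (root / "secret.bin").write_bytes(rand(4352))                 # random throughout
        (root / "fake.jpg").write_bytes(rand(4352))                   # random bytes named .jpg
        return scan(root)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:12} {verdict}")
```

Point `scan()` at `Path.home()` for the real thing. Note the limit that follows from Robert's message: a file encrypted with a modern cipher mode is indistinguishable from random bytes, so the scanner can only report "random-looking with no recognised header", never prove encryption; that is why the magic-number mismatch and the canary/baseline checks from the other replies are worth running alongside it.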


Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-04 Thread Jan Eden via Gnupg-users
Hi,

I just check for a list of ransomware filename patterns (e.g.
*.cryptotorlocker*).

Best regards,
Jan

On 2022-08-04 18:58, Uwe Brauer via Gnupg-users wrote:
> 
> 
> Hi 
> 
> I apologize for this message that can be a bit off topic.
> (I am on Ubuntu 16.04)
> 
> How can I find say encrypted files in my home directory? The idea is to
> use some magic command together with the find command.
> I know
> 
> 1. The file command will return for example for a gpg encrypted file
>file .authinfo.gpg
>.authinfo.gpg: PGP RSA encrypted
> 
> 2. However for X509 file I obtain 
>file test.p12
>file.p12: data
> 
> 3. I could use the ent command which measures the entropy; high
>    entropy is an indication of encryption (but jpgs also have high
>    entropy). However I should then study the distribution of each
>    letter to be sure.
> 
> So is there any other way to run find and some other script to find
> suspicious files? Google is not really helpful
> 
> Regards
> 
> Uwe Brauer 
> 
> 
> 
> -- 
> I strongly condemn Putin's war of aggression against the Ukraine.
> I support to deliver weapons to Ukraine's military. 
> I support the ban of Russia from SWIFT.
> I support the EU membership of the Ukraine. 




a bit off topic, how to find encrypted files (ransom attack)

2022-08-04 Thread Uwe Brauer via Gnupg-users



Hi 

I apologize for this message that can be a bit off topic.
(I am on Ubuntu 16.04)

How can I find say encrypted files in my home directory? The idea is to
use some magic command together with the find command.
I know

1. The file command will return for example for a gpg encrypted file
   file .authinfo.gpg
   .authinfo.gpg: PGP RSA encrypted

2. However for X509 file I obtain 
   file test.p12
   file.p12: data

3. I could use the ent command which measures the entropy; high
   entropy is an indication of encryption (but jpgs also have high
   entropy). However I should then study the distribution of each
   letter to be sure.

So is there any other way to run find and some other script to find
suspicious files? Google is not really helpful

Regards

Uwe Brauer 



-- 
I strongly condemn Putin's war of aggression against the Ukraine.
I support to deliver weapons to Ukraine's military. 
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine. 

