I built 1pix.me about six months ago and it would be perfect for this. You get a link to a 1-pixel transparent PNG, and phone or desktop notifications (via notifo) every time it is served. It's totally free, enjoy.
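As an added example (my code, not 1pix.me's or any poster's), here is the core of such a canary service: it serves a 1x1 transparent PNG and raises an alert the moment the pixel is fetched from an address outside networks you have marked as your own. The trusted networks, port and notifier are placeholders I have assumed.

```python
"""Minimal canary-pixel endpoint: serve a 1x1 transparent PNG, alert on foreign hits."""
import ipaddress
import struct
import zlib
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: networks you use yourself, so your own opens stay quiet.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def png_1x1_transparent() -> bytes:
    """Build the pixel in code so no image file is needed on disk."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit RGBA, no interlace
    scanline = b"\x00" + b"\x00\x00\x00\x00"  # filter type 0 + one fully transparent pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline)) + chunk(b"IEND", b""))


PIXEL = png_1x1_transparent()


def should_alert(client_ip: str, trusted=TRUSTED_NETS) -> bool:
    """A hit from outside every trusted network means someone else opened the mail."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in trusted)


def describe_hit(client_ip: str, user_agent: str, path: str, when=None) -> str:
    """One line for the notification channel (SMS, push, log)."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()} canary {path} opened from {client_ip} ({user_agent})"


class CanaryHandler(BaseHTTPRequestHandler):
    notify = staticmethod(print)  # swap in SMS or push delivery here

    def do_GET(self):
        ip = self.client_address[0]
        if should_alert(ip):
            self.notify(describe_hit(ip, self.headers.get("User-Agent", "?"), self.path))
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", str(len(PIXEL)))
        # no-store so every open reaches this server rather than a cache or proxy
        self.send_header("Cache-Control", "no-store, max-age=0")
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # keep stdout for alerts only
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), CanaryHandler).serve_forever()  # assumed port
```

Put the served URL in an `<img>` inside the canary mail; a reverse proxy in front of it should pass the real client address through, or every hit will look like it came from the proxy.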
Maybe it doesn't matter (bc as I understand it, the image is really what notifies you - but this might tip off a hacker if they're perceptive), but would it be better for the zip file to be .zip instead of .gz? I would think that most banks, when interacting with "regular customers" would send zip files instead of gzip files ... maybe I'm wrong?
It's probably a bit late by the time they've got to looking at the extension of the attachment - the image will have already loaded and they'll be "busted".
Why not just a canary that an (unknown) IP has logged into the account? Gmail displays the logged-in IPs. How hard would it be to grab that info into similar notifications? Add to that reverse lookups and you could get an IP and location. Train the system through use and you'll quickly get a whitelist.
I think that's a good idea, but I didn't realize (at the time I created my canary mail) that it would be possible for me to write a Google Gadget inside Gmail that would do this sort of thing. It turns out that it would be possible to have a Gadget that reports the IP address when the UI is loaded and from that an interesting service could be built. From there I could probably do similar work for other online services.
I can imagine paying for a 'cloud watch' service that keeps an eye on all my online accounts and tells me if something odd is happening.
The problem is, once such an online service is well known, the hackers could just blacklist the host name(s) to the service so no alerting messages are sent. I think this is something that would have to live on the actual Gmail servers so it is not detectable from the client-side.
> The problem is, once such an online service is well known, the hackers could just blacklist the host name(s) to the service so no alerting messages are sent.
Agreed, this is another problem. However, I think that it also depends on who you think might be targeting you. I know that a few years ago, plenty of everyday non-technical folks "hacked" their ex-girlfriends' or boyfriends' accounts by doing a password reset with known details.
If the aim is to get notified of similar issues (e.g. my home laptop accessing during office hours), such a service could have merit.
The other catch with the ex-girlfriend/boyfriend is that they are not really after bank details so the Barclay's email won't interest them as it would the professional criminal... The problem with the canary is that it is trying to tailor a trap to someone without knowing much about them.
Which is another reason why the IP-based approach works better.
The IP-based approach seems flawed from my pov as someone who travels often. I'm always checking in from various IP addresses. Even locals who like to log in from the nearest cafe would get false positives, while the canary approach is more targeted.
You would get a false positive just after logging in from an unknown IP, but you would also know that it was due to your own actions (and could therefore ignore it).
If he's cautious enough to do two-factor auth, he probably doesn't leave his accounts logged in. Plus you have a whole lot of other problems if someone owns your personal machine.
> If he's cautious enough to do two-factor auth, he probably doesn't leave his accounts logged in.
Suppose he uses http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu... and has it remember the second authentication for 30 days (available from a checkbox). Then someone who has compromised his machine and has installed a keylogger can find his password, and log back in as him from that machine when he is not there. Two-factor has not saved you. Nor has the IP check.
And yes, you're right. If someone owns your personal machine you have a whole lot of other problems. This fact makes discovering that someone owns your machine more important, not less.
Because if you have a smartphone that you use to access your email then you'll be getting notifications non-stop. That is, unless you want to whitelist every single IP address your carrier would use.
I fear your assumption might be wrong. It's much easier to steal someone's password when they're in the area than from afar. A bit of clever packet sniffing, session hijacking, DNS fun, or even some plain old binoculars are MUCH more effective than trying to guess someone's password.
All of these tools are available. Also, recall that most mail clients will use STARTTLS opportunistically, i.e. will not encrypt stuff if you MITM them. The better ones may not send the login in the clear, but an attacker can still read mail - or steal the authenticated connection (this is more tricky, and pretty much requires being on the same network.)
Seriously, most online security works only because the competent people have better things to do.
And many mail clients happily continue non-encrypted sessions if the STARTTLS negotiation fails.
I wasted _days_ recently trying to track down code bugs that weren't there - a piece of Cisco gear that was in the client's network was running a standard configuration called SMTP Fixup which was deep packet inspecting and rewriting the "250-STARTTLS" capability responses and passing them on as "250-XXXXXXXA" on the fly. It took me way longer than it should have to debug, partly 'cause I started looking in the wrong place, but largely because most of the testing we did was with mail clients that were perfectly happy to transfer mail unencrypted when the STARTTLS capability wasn't announced.
Anybody MITMing you in Starbucks could easily do the same.
A little bit of thinking with my "evil hat" on leads me to believe a similar protocol aware packet inspection/modification tool could easily rewrite webpages on the fly, looking for links to common service login forms and rewrite appropriate links and form actions to be http instead of https...
Maybe an appropriately paranoid way to set up this sort of canary is to have all your mobile (i.e., non-fixed IP address) devices use a VPN into a trusted and well secured host?
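An added example of the client-side fix the STARTTLS comments above are pointing at (my code, not any poster's): a submission session that fails closed when the server does not announce STARTTLS, and that flags the "250-XXXXXXXA" rewrite pattern described above. The EHLO bodies are constructed samples in the layout `smtplib` keeps in `SMTP.ehlo_resp`; the host name is a placeholder.

```python
"""Fail-closed SMTP submission against STARTTLS stripping."""
import smtplib
import ssl

# Constructed EHLO bodies in the shape smtplib stores in SMTP.ehlo_resp:
# greeting on the first line, one capability keyword per following line.
EHLO_CLEAN = b"mail.example.test Hello\nSIZE 35882577\nSTARTTLS\nAUTH PLAIN LOGIN"
EHLO_STRIPPED = b"mail.example.test Hello\nSIZE 35882577\nXXXXXXXA\nAUTH PLAIN LOGIN"


def ehlo_extensions(ehlo_body: bytes) -> set:
    """Capability keywords advertised in an EHLO response, upper-cased."""
    lines = ehlo_body.decode("latin-1").splitlines()[1:]  # drop the greeting line
    return {ln.split()[0].upper() for ln in lines if ln.strip()}


def starttls_looks_stripped(ehlo_body: bytes) -> bool:
    """Heuristic fingerprint of a fixup box masking the capability in place:
    STARTTLS is missing but an 8-character keyword made mostly of X remains."""
    exts = ehlo_extensions(ehlo_body)
    if "STARTTLS" in exts:
        return False
    return any(len(e) == 8 and e.count("X") >= 6 for e in exts)


def connect_fail_closed(host: str, port: int = 587, timeout: float = 10.0) -> smtplib.SMTP:
    """Open a submission session and refuse to go on unless TLS is negotiated.
    smtplib on its own keeps talking in clear text when STARTTLS is not announced,
    which is exactly the client behaviour described in the thread above."""
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    code, body = smtp.ehlo()
    if code != 250:
        smtp.close()
        raise RuntimeError(f"{host} rejected EHLO: {code} {body!r}")
    if not smtp.has_extn("starttls"):
        smtp.close()
        hint = " (looks like STARTTLS stripping)" if starttls_looks_stripped(body) else ""
        raise RuntimeError(f"{host} did not offer STARTTLS{hint}; refusing clear-text session")
    smtp.starttls(context=ssl.create_default_context())  # verifies certificate and hostname
    smtp.ehlo()  # capabilities must be re-read after the TLS handshake
    return smtp
```

The same fail-closed rule belongs on the IMAP/POP side of a mail client; only `STARTTLS`-before-`AUTH` (or an implicit-TLS port) should ever see the password.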
> A little bit of thinking with my "evil hat" on leads me to believe a similar protocol aware packet inspection/modification tool could easily rewrite webpages on the fly, looking for links to common service login forms and rewrite appropriate links and form actions to be http instead of https...
This is actually a fantastic feature. I was recently traveling in Europe, and without thinking logged into Facebook without HTTPS (using a third-party iframe app that couldn't use HTTPS). Within a few hours, I had a notification from FB letting me know that there was a new login from the same city I was in and a different OS/web browser combo.
I've experienced this too. Apparently, Google Chrome on OS X gets labeled Opera/Win XP by Facebook. I was paranoid for a little while, wondering how these hackers kept tracking me around the world with that browser/os combo.
Clever, but works only against targeted attacks - an attack on many accounts would presumably rifle through your mailbox automatically, which would defeat this.
That would have to be targeted attacks by foolish intruders, because a manual attack would presumably start with changing your password, after which this notification would be nearly useless.
Why would they change your password? That just lets you know they are in. In Gmail, they simply search your email for other accounts and change the passwords on those accounts. They can see when you are logged in and simply send password reset requests for other services when you are not logged into gmail.
That depends on the motive. Some attackers might want to snoop your mail for a long time without being detected, instead of making it unusable (and instantly detectable) for you. Arguably, those are the creepiest.
Except it would still trigger the canary if you click on the email... which is incredibly useful. The big problem isn't necessarily that you've been compromised. It's knowing that you've been compromised.
Two big points here: any hacker with a brain wouldn't
1) Rummage through your emails with image loading turned on
2) At least at a minimum be behind a service such as Tor.
So, uhhh, I guess this is a good idea for alerting you, if, that is, you are un/lucky enough to get 'hacked' by those that ignore the previous two points.
> You pulled a statement about behaviour out of thin air, and it won't hold up to scrutiny. Now it's being scrutinised, you are dodging it.
Why does the most obvious and logical course of events require justification? "Most hackers breathe constantly." "Do you have data to support that?"
Maybe you're right. Maybe this "canary" is extremely effective. Maybe everyone who makes a living by breaking security also happens to be dumb enough that they fail to take the most basic precautions to protect themselves.
Even if that's true, there are still more effective solutions that should be used instead of this "canary".
> Why does the most obvious and logical course of events require justification?
Obviously because what you've written is non-obvious ;)
Enough people "hack" by using simple password-reset forms[1]. Whilst I have no doubt that there are plenty of worryingly competent hackers out there, I'd bet that there are also lots of less competent hackers. Taking this through to its logical conclusion: I'd rather know about some of them than give up and know about none of them.
> Why does the most obvious and logical course of events require justification?
It doesn't. Your claim does.
The easiest way to "hack" is to install a script and run it, e.g. a traffic sniffer, a wifi encryption breaker, Firesheep, or any one of many vulnerability scan/exploiters. Or to look over someone's shoulder as they type a password in, or to walk up when they step away from their computer for a moment. None of that needs any hacking chops or brains. Most exploits by volume are going to be like these because these are easiest.
The next easiest way is to do phishing scams; it needs some chops to fake login forms and bulk email, but it's not massively complex.
The hardest way is to understand and find flaws in a system and then exploit them. This is likely to be most successful, but due to the knowledge, effort and skill and sustained interest required, to be the least common by volume.
And then above that, people who do the last one "for a living".
A canary that squawks against "I made a mistake and some opportunist got into my email" is more likely to go off, and more likely to be useful, than a canary that squawks against "a skilled hacker targeted me and got through Google's security".
Metalfrog's claim is that it is more likely that a real hacker would get in, be taking precautions against honeypots, and the canary would be useless. I think it much more likely that an opportunist would be getting in and a skilled hacker targeting something more important instead, and that the canary stands a slim chance of being useful instead of zero chance.
Well you can always turn on the "always display images from this email" for that specific email address. That way the hacker won't click on "show images".
Why would an intruder use the web interface, anyway? Also, you can tell your web browser not to load any images, so an intruder might do that if they did resort to the web interface.
1. is indeed quite a problem. It would detect most people rummaging idly through the web interface, but not much more.
2. is not quite relevant. I'd say the idea is to know that someone has accessed the email. Not who. As long as you can be sure that it's not yourself, something bad is happening anyway.
Yes, some hackers would not act in such a way as to do this, but the world is full of stupid people. Just look at Sony and their PSN network hacks. 1 year ago people would have said that of course a big company would never be that stupid. And it turns out they were that stupid. Likewise there are bound to be some stupid hackers. This canary email will catch them.
You could also leave your keys in the ignition and the door open whenever you go to the grocery store, because that's more convenient and any thief with a brain could hotwire your car anyway.
Neat idea. One thing I'd probably do if I wanted to use this technique would be to develop a browser extension to go along with it to either hide the row when accessed from "trusted" IP addresses, or inject the row via the extension when accessed from an unknown IP. That way I wouldn't be forced to have that row on my screen from home or work where it might accidentally be clicked on and triggered.
This assumes that the attacker is using a web browser.
Many toolkits exist (no, I'm not going to link to them) where you just feed in a list of usernames and passwords for popular email systems and they go harvesting, usually via IMAP.
Right, so this will catch jealous girlfriends, snooping coworkers, and malicious kids. People that would try to grab your credentials and set it up in Outlook Express...
Check out www.inboxalarm.com which is something I built for fun a couple years ago. It's a free service and uses SMS to alert you the moment the image is triggered.
I decided to use Facebook authentication since it can also push an alert to your friends' newsfeeds not to click links until the hack has been mitigated.
It also decreased friction in the sign-up process - no need to enter a name, email address, etc. It was built before Facebook allowed applications to access a phone number, or I would have added that too.
And so when an attacker configures Thunderbird to slurp all the email out of your inbox this does .. what? Why not just poll the list of most recently logged in IP addresses and track the number of currently logged in sessions/authentications, and when that number approaches a certain hair trigger, sound the alarm? Oh right, Google already does that for you...
I like the idea - but please do not confuse this with security. While the canary might be activated, all of your genuine information has also been compromised.
I have thought about the security issues with gmail, especially for mobile devices (they can be easily stolen).
It would be really REALLY great if Google offered several account access levels - I could use a 'read only' account for my mobile device, which could also only give me access to the last 1 hour of emails for example, and separate account access for use with 3rd party services (facebook, gtalk apps etc).
Following on from the idea of Google offering account access for different security levels, it would also be great if you could label an email as 'bank', 'money' or 'personal' and these emails, photos and calendar items would only be visible with full account access - so effectively you could associate a particular email label to a 'security' or 'access' level.
He works around this by reading the email himself first, clicking the option to always display images from the sending email address and then starring it so the email is always at the top of his inbox even though it has been read.
I suppose an attacker could bypass this method by turning off images in their browser though.
An IMAP client somewhere could poll the 'read' state of message 0x12345678 instead, alerting the owner when the message turns 'read'. However, that client would have to have access to the Gmail box...
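The polling client sketched in the comment above, as an added example (my code, not the poster's). It assumes the canary message is left unread, that the mailbox allows IMAP access, and a placeholder UID in place of the 0x12345678 mentioned; the host, user and password are likewise placeholders.

```python
"""Poll the Seen flag of a canary message over IMAP and alert when it flips."""
import imaplib
import re
import time

CANARY_UID = "12345"  # placeholder: the UID of your own, deliberately unread, canary


def flags_from_fetch(fetch_data) -> set:
    """Extract the flag set from an untagged FETCH response as imaplib returns it,
    for example [b'7 (UID 12345 FLAGS (\\Seen \\Flagged))']."""
    for item in fetch_data:
        if isinstance(item, tuple):  # literal parts; flags never live in them
            item = item[0]
        if not isinstance(item, bytes):
            continue
        m = re.search(rb"FLAGS \(([^)]*)\)", item)
        if m:
            return set(m.group(1).decode("ascii", "replace").split())
    return set()


def canary_was_read(fetch_data) -> bool:
    """True once the server reports the message as Seen."""
    return "\\Seen" in flags_from_fetch(fetch_data)


def poll_canary(host, user, password, uid=CANARY_UID, interval=60, alert=print):
    """Blocking loop. The mailbox is selected read-only so this client can never
    mark anything read itself, and only FLAGS are fetched, which never sets Seen."""
    conn = imaplib.IMAP4_SSL(host)
    conn.login(user, password)
    conn.select("INBOX", readonly=True)
    try:
        while True:
            typ, data = conn.uid("FETCH", uid, "(FLAGS)")
            if typ != "OK" or not data or data == [None]:
                alert(f"canary UID {uid} missing or fetch failed: {typ} {data!r}")
                return False
            if canary_was_read(data):
                alert(f"canary UID {uid} is now Seen: someone opened it")
                return True
            time.sleep(interval)
    finally:
        conn.logout()
```

A UID that disappears (the `[None]` case) is also worth an alert: deleting the canary is as telling as reading it.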
But would an attacker read a message marked as unread? A careful attacker would know that this alerts the owner of the mailbox, as he can't remember opening the message.
His canary is a mail that has already been opened, so the attacker assumes he can look at it harmlessly.
I don't see the point. The guy says he owns a private server. Why doesn't he just move his email there, and monitor activity in all sort of imaginable ways?
I would think that the hacker might try to turn that off before he starts looking into emails? If doing that can avoid detection, then it's difficult to have faith in this system.
I think that it's a bit over the top. The "canary" gets in the way of what you are doing.
I operate on the opposite principle: there is nothing sensitive in my email account. When it arrives, it is actioned and disposed of (properly) immediately.
I am not sentimental and do not keep every email "just in case" as I do not remember 99.9% of telephone conversations I've had.
> When it arrives, it is actioned and disposed of (properly) immediately
What about "important" emails in your inbox that you have not yet had a chance to take action on? Can you be taking action on your email 24 hours a day?
Gets summarised and copied straight onto my task list which is a text file with relevant information within an hour usually (unless I'm out cold). If it takes less than 5 mins it's done there and then.
I use aliases (one shots) for most sign-ups so it's very unlikely to happen. Only 5-6 trusted people know my real address. Also allows me to find the source for all incoming crap email and bin it quickly so I don't have to dredge through it (just drop the alias).
I do something similar. If I sign up at Slashdot, I'll use the email address slashdot-SECRETKEY@domain.com, and if I sign up at Gawker, I'll use gawker-SECRETKEY@domain.com. Those emails get forwarded to my real email account.
Nice thing about this system is that I can immediately tell where spammers got my email address and shut it off. Also, any email that comes in that doesn't contain a SECRETKEY gets ignored, so I don't have to worry about spammers sending to sales@domain.com and admin@domain.com.
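As an added example (my code, not the poster's), the routing rule behind the `slashdot-SECRETKEY@domain.com` scheme above: forward only addresses that carry the key, drop everything else such as `sales@` and `admin@`, and let a leaked alias be switched off by service name. The key and domain are constructed placeholders; the last function emits the equivalent Postfix `regexp_table(5)` line for anyone running their own server as in the next comment.

```python
"""Route mail sent to service-SECRETKEY@domain aliases."""
import hmac
import re

DOMAIN = "domain.com"        # from the thread; use your own
SECRET_KEY = "k3y-example"   # constructed placeholder; keep the real one private

# service, then the key (which may itself contain hyphens), then the domain
ALIAS_RE = re.compile(r"^(?P<service>[a-z0-9]+)-(?P<key>[^@]+)@(?P<domain>[^@]+)$", re.I)


def route(recipient: str, secret: str = SECRET_KEY, domain: str = DOMAIN,
          disabled=frozenset()) -> tuple:
    """Return ("forward", service), ("blocked", service) or ("drop", reason)."""
    m = ALIAS_RE.match(recipient.strip())
    if not m or m["domain"].lower() != domain.lower():
        return ("drop", "no alias key")  # sales@, admin@ and other guessed names
    # constant-time compare so the key cannot be probed byte by byte
    if not hmac.compare_digest(m["key"].encode(), secret.encode()):
        return ("drop", "bad key")
    service = m["service"].lower()
    if service in disabled:
        return ("blocked", service)  # the alias that started receiving spam
    return ("forward", service)


def postfix_regexp_entry(real_mailbox: str, secret: str = SECRET_KEY,
                         domain: str = DOMAIN) -> str:
    """One regexp_table(5) line for virtual_alias_maps that forwards every
    service-SECRETKEY@domain address to real_mailbox and nothing else."""
    return f"/^[a-z0-9]+-{re.escape(secret)}@{re.escape(domain)}$/ {real_mailbox}"
```

Disabling a service in Postfix is then a second, earlier line matching only that service name whose result is a reject action.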
I also use a separate email alias for each company I deal with. I run my own Postfix servers (primary + backup), but I've now created a web UI with a view to making this usable by others. The URL is in my profile (not sure if posting it here would be considered spam). It's still early days, but seems to work fine for my own emails. If you'd like to use it I'll be happy to create a (free) account for you.
If an attacker is going to attack your gmail, they already know that their IP is logged on the "Last account activity". If they are really going in, they'll be behind at least 7 proxies. Then again, there is next to nothing you can do with an IP address, if this makes you feel safer then w/e.
It still gives you time to "sign out all other sessions" in your browser and change password immediately. Granted, you may be afk etc but still better than nothing at all...
Yes. Easiest way would be to just have a script (for example, Firefox addon or greasemonkey script) that drives a browser.
Or if you don't want the overhead of a browser, a somewhat more tricky way is to do it once yourself and record the traffic using a plugin, and repeat that in a script... (but this might require some reverse engineering work on the clientside JS if there are fields like one-time tokens)
Since Gmail records the IP of anyone accessing, if you're really paranoid, there could be a setting that lets you specify what IPs you will access it from.
That would be really inconvenient if you wanted to check it from elsewhere...
Why not build an app that keeps a log of every time you log into your email, stores it to x specified # of logins and sends you an SMS showing your email activity including # of logins, what time and IP address.