My Email Canary (jgc.org)
581 points by jgrahamc on June 9, 2011 | hide | past | favorite | 118 comments

I built 1pix.me about six months ago and it would be perfect for this. You get a link to a 1-pixel transparent PNG, and phone or desktop notifications (via notifo) every time it is served. It's totally free, enjoy.
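As an added example (not 1pix.me's code and not jgc's canary), here is a minimal canary-pixel server in Python. Each canary gets a random token in its image URL; any fetch of that URL returns a 1x1 transparent PNG and records the requester's IP and User-Agent, which is the alert. The notification hook only prints; swap in notifo, SMS or whatever you use. Host, port and the labels are assumptions. Two caveats worth knowing: the token must be unguessable or link-preview and anti-virus crawlers will trip the canary for you, and an attacker who reads mail over IMAP/POP or with remote images disabled never fetches the pixel (the thread covers this below). Webmail providers that proxy remote images (Gmail has done so since 2013) also hide the fetcher's IP and leave you only the timing.

```python
import base64
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# 1x1 fully transparent PNG, base64-encoded (a standard blank pixel, not 1pix.me's file).
PIXEL_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ"
    "AAAADUlEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII="
)


class CanaryRegistry:
    """Maps unguessable tokens to a label and the fetches recorded for it."""

    def __init__(self):
        self._canaries = {}
        self._lock = threading.Lock()

    def create(self, label):
        # 128-bit random token: the URL must be unguessable, or crawlers and
        # link-preview bots will trip the canary instead of the intruder.
        token = secrets.token_urlsafe(16)
        with self._lock:
            self._canaries[token] = {"label": label, "hits": []}
        return token

    def record_hit(self, token, remote_ip, user_agent, now=None):
        """Record a fetch; returns the hit (with its label) or None for an unknown token."""
        with self._lock:
            entry = self._canaries.get(token)
            if entry is None:
                return None
            hit = {"ip": remote_ip, "ua": user_agent, "at": time.time() if now is None else now}
            entry["hits"].append(hit)
            return {"label": entry["label"], **hit}

    def hits(self, token):
        with self._lock:
            return list(self._canaries.get(token, {"hits": []})["hits"])


def notify(hit):
    # Stand-in for the push notification (notifo, SMS, ...): just log it.
    print(f"CANARY {hit['label']!r} fetched from {hit['ip']} ({hit['ua']})")


def make_handler(registry):
    class PixelHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = urlparse(self.path).path.rsplit("/", 1)[-1]
            if token.endswith(".png"):
                token = token[:-4]
            hit = registry.record_hit(token, self.client_address[0], self.headers.get("User-Agent", "-"))
            if hit is not None:
                notify(hit)
            # Always answer with a pixel so an unknown token is not distinguishable from a real one.
            self.send_response(200)
            self.send_header("Content-Type", "image/png")
            self.send_header("Content-Length", str(len(PIXEL_PNG)))
            self.send_header("Cache-Control", "no-store, max-age=0")  # every open must re-fetch
            self.end_headers()
            self.wfile.write(PIXEL_PNG)

        def log_message(self, *args):
            pass  # hits are reported by notify(); keep the access log quiet

    return PixelHandler


def serve(registry, host="127.0.0.1", port=8080):
    """Start the pixel server in a background thread; call .shutdown() on the result to stop it."""
    server = HTTPServer((host, port), make_handler(registry))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    reg = CanaryRegistry()
    tok = reg.create("bank statement canary")  # assumed label
    srv = serve(reg)
    host, port = srv.server_address
    print(f'embed <img src="http://{host}:{port}/{tok}.png"> in the canary mail')
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it, put the printed `<img>` tag into a mail you send yourself, and every open with remote images enabled shows up in the log with the client IP.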

Seems like a neat service, but I never got a request via notifo to approve the subscription. I'm guessing the service is overloaded at the moment?

I'll check into it - it could be overloaded right now. Best bet is to just try again in a bit.

Actually, I fixed it. I was trying to put my API key instead of my username. It works now, thanks!

Maybe it doesn't matter (because, as I understand it, the image is really what notifies you, but this might tip off a hacker if they're perceptive), but would it be better for the zip file to be .zip instead of .gz? I would think that most banks, when interacting with "regular customers", would send zip files instead of gzip files ... maybe I'm wrong?

It's probably a bit late by the time they've got to looking at the extension of the attachment - the image will have already loaded and they'll be "busted".

Also, the PDF format is already compressed. Compressing it again with zip or gzip is a little strange.

Why not just a canary that an (unknown) IP has logged into the account? Gmail displays the logged-in IPs. How hard would it be to grab that info into similar notifications? Add to that reverse lookups and you could get an IP and location. Train the system through use and you'll quickly get a whitelist.

I'd pay for that service.

I think that's a good idea, but I didn't realize (at the time I created my canary mail) that it would be possible for me to write a Google Gadget inside Gmail that would do this sort of thing. It turns out that it would be possible to have a Gadget that reports the IP address when the UI is loaded and from that an interesting service could be built. From there I could probably do similar work for other online services.

I can imagine paying for a 'cloud watch' service that keeps an eye on all my online accounts and tells me if something odd is happening.

The problem is, once such an online service is well known, the hackers could just blacklist the host name(s) to the service so no alerting messages are sent. I think this is something that would have to live on the actual Gmail servers so it is not detectable from the client-side.

> The problem is, once such an online service is well known, the hackers could just blacklist the host name(s) to the service so no alerting messages are sent.

Agreed, this is another problem. However, I think that it also depends on who you think might be targeting you. I know that a few years ago, plenty of everyday non-technical folks "hacked" their ex-girlfriend or boyfriends' accounts by doing a password reset with known details.

If the aim is to get notified of similar issues (e.g. my home laptop accessing during office hours), such a service could have merit.

The other catch with the ex-girlfriend/boyfriend is that they are not really after bank details so the Barclay's email won't interest them as it would the professional criminal... The problem with the canary is that it is trying to tailor a trap to someone without knowing much about them.

Which is another reason why the IP-based approach works better.

The IP-based approach seems flawed from my pov as someone who travels often. I'm always checking in from various IP addresses. Even locals who like to log in from the nearest cafe would get false positives, while the canary approach is more targeted.

You would get a false positive just after logging in from an unknown IP, but you would also know that it was due to your own actions (and could therefore ignore it).

What about the attacker who compromises your home computer and then is using it remotely while you are not home?

An IP based check won't help you there. This canary would.

If he's cautious enough to do two-factor auth, he probably doesn't leave his accounts logged in. Plus you have a whole lot of other problems if someone owns your personal machine.

> If he's cautious enough to do two-factor auth, he probably doesn't leave his accounts logged in.

Suppose he uses http://googleblog.blogspot.com/2011/02/advanced-sign-in-secu... and has it remember the second authentication for 30 days (available from a checkbox). Then someone who has compromised his machine and has installed a keylogger can find his password, and log back in as him from that machine when he is not there. Two-factor has not saved you. Nor has the IP check.

And yes, you're right. If someone owns your personal machine you have a whole lot of other problems. This fact makes discovering that someone owns your machine more important, not less.

Facebook could do a facial recognition match to see if you match your profile picture ...

Wouldn't work. A hacker could just hold a picture of you up to the camera.

Or replay a generated video feed of a picture of you, saves the arm muscles and printer ink you see.

Because if you have a smartphone that you use to access your email then you'll be getting notifications non-stop. That is, unless you want to whitelist every single IP address your carrier would use.

I think that's where the reverse look ups to location becomes important. The chance that a hacker would be in the same physical location seems small.

I fear your assumption might be wrong. It's much easier to steal someone's password when they're in the area than from afar. A bit of clever packet sniffing, session hijacking, DNS fun, or even some plain old binoculars are MUCH more effective than trying to guess someone's password.

How many folks manually enter an email password on their smartphones?

If any of the tools you mention were readily doable today, I fear we'd be so deep in trouble, no canary would help.

All of these tools are available. Also, recall that most mail clients will use STARTTLS opportunistically, i.e. will not encrypt stuff if you MITM them. The better ones may not send the login in the clear, but an attacker can still read mail - or steal the authenticated connection (this is more tricky, and pretty much requires being on the same network.)

Seriously, most online security works only because the competent people have better things to do.

And many mail clients happily continue non-encrypted sessions if the STARTTLS negotiation fails.

I wasted _days_ recently trying to track down code bugs that weren't there - a piece of Cisco gear that was in the client's network was running a standard configuration called SMTP Fixup which was deep packet inspecting and rewriting the "250-STARTTLS" capability responses and passing them on as "250-XXXXXXXA" on the fly. It took me way longer than it should have to debug, partly 'cause I started looking in the wrong place, but largely because most of the testing we did was with mail clients that were perfectly happy to transfer mail unencrypted when the STARTTLS capability wasn't announced.

Anybody MITMing you in Starbucks could easily do the same.

A little bit of thinking with my "evil hat" on leads me to believe a similar protocol aware packet inspection/modification tool could easily rewrite webpages on the fly, looking for links to common service login forms and rewrite appropriate links and form actions to be http instead of https...

Maybe an appropriately paranoid way to set up this sort of canary is to have all your mobile (ie, non-fixed ip address) devices use a vpn into a trusted and well secured host?
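The capability masking described above, and the client-side policy that decides whether mail goes out in clear when STARTTLS is not advertised, as an added Python example (the EHLO lines are constructed for illustration, not captured from the Cisco box or any real server; nothing here is code from the thread). smtp_fixup() mimics the middlebox, parse_ehlo() reads the capability list, and choose_next_step() is the policy an opportunistic client versus a mandatory-TLS client applies. send_with_mandatory_tls() shows the same policy on top of smtplib: it refuses to send unless STARTTLS is offered and completes with certificate verification. Host, port and addresses in it are assumptions.

```python
import re
import smtplib
import ssl

# Constructed EHLO reply from a hypothetical server (not captured traffic).
EHLO_CLEAN = [
    "250-mail.example.net Hello [192.0.2.10]",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]

CAP_RE = re.compile(r"^250([- ])(\S+)(.*)$")


def smtp_fixup(lines):
    """Mimic a middlebox that masks the STARTTLS capability.

    The replacement keyword has the same length as the original, as the
    thread describes, so TCP sequence numbers and packet sizes stay intact
    and nothing else in the session looks tampered with.
    """
    return [re.sub(r"(?i)^(250[- ])STARTTLS\b", r"\1XXXXXXXA", line) for line in lines]


def parse_ehlo(lines):
    """Return the advertised ESMTP keywords (upper-cased); the first line is the greeting."""
    caps = set()
    for line in lines[1:]:
        m = CAP_RE.match(line)
        if not m:
            continue
        caps.add(m.group(2).upper())
        if m.group(1) == " ":
            break  # '250 ' (space, not dash) marks the final line of the reply
    return caps


def choose_next_step(lines, require_tls):
    """Policy: STARTTLS when offered; otherwise ABORT (mandatory TLS) or PLAINTEXT (opportunistic)."""
    if "STARTTLS" in parse_ehlo(lines):
        return "STARTTLS"
    return "ABORT" if require_tls else "PLAINTEXT"


def send_with_mandatory_tls(host, port, sender, recipient, message, timeout=30):
    """Mandatory-TLS submission on top of smtplib; host/port/addresses are the caller's (assumed)."""
    context = ssl.create_default_context()  # verifies the server certificate and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not advertised (stripped or unsupported); refusing clear-text delivery")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-read capabilities: the pre-TLS list arrived over an untrusted channel
        smtp.sendmail(sender, [recipient], message)
```

The opportunistic client sees the masked capability list and carries on in clear; the mandatory one aborts, which is the behaviour you want from anything that carries credentials across a coffee-shop network.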

> A little bit of thinking with my "evil hat" on leads me to believe a similar protocol aware packet inspection/modification tool could easily rewrite webpages on the fly, looking for links to common service login forms and rewrite appropriate links and form actions to be http instead of https...

That already exists in the form of sslstrip: http://www.thoughtcrime.org/software/sslstrip/

Gmail already has something similar built in with the Last Account Activity Alerts:


Facebook can alert you by email when you log in from a new computer. http://www.google.com/search?q=facebook+computer+email+login

This is actually a fantastic feature. I was recently traveling in Europe, and without thinking logged into Facebook without HTTPS (using a third-party iframe app that couldn't use HTTPS). Within a few hours, I had a notification from FB letting me know that there was a new login from the same city I was in and a different OS/web browser combo.

I've experienced this too. Apparently, Google Chrome on OS X gets labeled Opera/Win XP by Facebook. I was paranoid for a little while, wondering how these hackers kept tracking me around the world with that browser/os combo.

That doesn't help much if they gained access to your Facebook through your hacked email account.

It'd be neat if it texted me when suspicious activity occurred, rather than just the in-Gmail alert.

I have those enabled as well, of course, but they are quite hard to interpret and I've had a few false positives.

I've had false positives on these alerts too, but I'm willing to put up with them. As long as there are no false negatives, I will be happy ;-)

Clever, but works only against targeted attacks - an attack on many accounts would presumably rifle through your mailbox automatically, which would defeat this.

That would have to be targeted attacks by foolish intruders, because a manual attack would presumably start with changing your password, after which this notification would be nearly useless.

Why would they change your password? That just lets you know they are in. In Gmail, they simply search your email for other accounts and change the passwords on those accounts. They can see when you are logged in and simply send password reset requests for other services when you are not logged into gmail.

That depends on the motive. Some attackers might want to snoop your mail for a long time without being detected, instead of making it unusable (and instantly detectable) for you. Arguably, those are the creepiest.

Except it would still trigger the canary if you click on the email... which is incredibly useful. The big problem isn't necessarily that you've been compromised. It's knowing that you've been compromised.

True, but you at least get a head start on changing passwords/emails on other websites to limit the damage.

Two big points here: any hacker with a brain would

1) not rummage through your emails with image loading turned on;

2) at least at a minimum be behind a service such as Tor.

So uhhh, I guess this is a good idea for alerting you, if, that is, you are un/lucky enough to get 'hacked' by those that ignore the previous two points.

Do you have data to support that?

It sounds too much like the No True Scotsman Fallacy for me to take it too seriously.

Why do I need to provide you data? If I were to hack your email account there is no way I'd use the web interface to trawl through them one by one.

Initial hack->Gains credentials->Pull down everything imap/pop->Load that shit into thunderbird on a dedicated vm->And we're away

> Why do I need to provide you data?

You pulled a statement about behaviour out of thin air, and it won't hold up to scrutiny. Now it's being scrutinised, you are dodging it.

1) What percentage of all hackers count as "hackers with a brain"?

2) How do you know most or all "hackers with a brain" would not be caught by this, without generalising from your example of one (you)?

3) Since both of the above are unknown, how can you use those as arguments to justify this being an ineffective precaution?

> You pulled a statement about behaviour out of thin air, and it won't hold up to scrutiny. Now it's being scrutinised, you are dodging it.

Why does the most obvious and logical course of events require justification? "Most hackers breathe constantly." "Do you have data to support that?"

Maybe you're right. Maybe this "canary" is extremely effective. Maybe everyone who makes a living by breaking security also happens to be dumb enough that they fail to take the most basic precautions to protect themselves.

Even if that's true, there are still more effective solutions that should be used instead of this "canary".

> Why does the most obvious and logical course of events require justification?

Obviously because what you've written is non-obvious ;)

Enough people "hack" by using simple password-reset forms[1]. Whilst I have no doubt that there are plenty of worryingly competent hackers out there, I'd bet that there are also lots of less competent hackers. Taking this through to its logical conclusion: I'd rather know about some of them than give up and know about none of them.

[1] http://en.wikipedia.org/wiki/Sarah_Palin_email_hack

> Why does the most obvious and logical course of events require justification?

It doesn't. Your claim does.

The easiest way to "hack" is to install a script and run it, e.g. a traffic sniffer, a wifi encryption breaker, Firesheep, or any one of many vulnerability scan/exploiters. Or to look over someone's shoulder as they type a password in, or to walk up when they step away from their computer for a moment. None of that needs any hacking chops or brains. Most exploits by volume are going to be like these because these are easiest.

The next most easy way is to do phishing scams, it needs some chops to fake login forms and bulk email, but it's not massively complex.

The hardest way is to understand and find flaws in a system and then exploit them. This is likely to be most successful, but due to the knowledge, effort and skill and sustained interest required, to be the least common by volume.

And then above that, people who do the last one "for a living".

A canary that squawks against "I made a mistake and some opportunist got into my email" is more likely to go off, and more likely to be useful, than a canary that squawks against "a skilled hacker targeted me and got through Google's security".

Metalfrog's claim is that it is more likely that a real hacker would get in, be taking precautions against honeypots, and the canary would be useless. I think it much more likely that an opportunist would be getting in and a skilled hacker targeting something more important instead, and that the canary stands a slim chance of being useful instead of zero chance.

> If I were to hack your email account there is no way I'd use the web interface to trawl through them one by one.

Well, I don't doubt that.

I'm just wondering how well "what I would do" generalizes, here.

Well you can always turn on the "always display images from this email" for that specific email address. That way the hacker won't click on "show images".

Why would an intruder use the web interface, anyway? Also, you can tell your web browser not to load any images, so an intruder might do that if they did resort to the web interface.

1. is indeed quite a problem. It would detect most people rummaging idly through the web interface, but not much more.

2. is not quite relevant. I'd say the idea is to know that someone has accessed the email. Not who. As long as you can be sure that it's not yourself, something bad is happening anyway.

Yes, some hackers would not act in such a way as to do this, but the world is full of stupid people. Just look at Sony and their PSN network hacks. 1 year ago people would have said that of course a big company would never be that stupid. And it turns out they were that stupid. Likewise there are bound to be some stupid hackers. This canary email will catch them.

You could also leave your keys in the ignition and the door open whenever you go to the grocery store, because that's more convenient and any thief with a brain could hotwire your car anyway.

Seems like two perfectly sensible points to me. Why did people downvote this without even bothering to comment on why?

Neat idea. One thing I'd probably do if I wanted to use this technique would be to develop a browser extension to go along with it to either hide the row when accessed from "trusted" IP addresses, or injects the row via the extension when accessed from an unknown IP. That way I wouldn't be forced to have that row on my screen from home or work where it might accidentally be clicked on and triggered.

> injects the row via the extension when accessed from an unknown IP

Not so sure that would work. You'd have to first get the guy who stole your email account to install a custom browser extension.

You're right. I was thinking of this in the scenario where somebody stole the whole laptop, and not just gained access to your email.

To the OP: Do you use Google's two-factor authentication with that account? If so, where do you see potential attack vectors?

Yes, I do. And when I think of Google Authenticator and its security I think of RSA SecurID and its security. Nothing is secure in the long run.

What happens if you lose your phone?

Edit: "If you've lost access to both your primary and backup phones, you can use one of your recorded backup codes in place of your verification code." from http://www.google.com/support/accounts/bin/static.py?page=gu...

This assumes that the attacker is using a web browser.

Many toolkits exist (no, I'm not going to link to them) where you just feed in a list of usernames and passwords for popular email systems and they go harvesting, usually via IMAP.

Don't forget, many email clients also consume Web content.

Right, so this will catch jealous girlfriends, snooping coworkers, and malicious kids. People that would try to grab your credentials and set it up in Outlook Express...

Check out www.inboxalarm.com which is something I built for fun a couple years ago. It's a free service and uses SMS to alert you the moment the image is triggered.

Any way to sign up without Facebook? I don't have an account.

Decided to use Facebook authentication since it can also push an alert to your friends' newsfeeds not to click links until the hack has been mitigated.

It also decreased friction in the sign-up process - no need to enter a name, email address, etc. Was built before Facebook allowed applications to access a phone number, or I would have added that too.

The FB connect thing didn't work for me. The page gave an error when I clicked Allow: "Virhe myönnettäessä lupaa sovelluksen käyttöön" (Finnish for "Error granting permission to use the application").

Thanks for the heads up; taking a look into it.

Is the site down? Maybe not, http://www.downforeveryoneorjustme.com/www.inboxalarm.com says it's just me...

works for me =)

And so when an attacker configures Thunderbird to slurp all the email out of your inbox this does .. what? Why not just poll the list of most recently logged-in IP addresses and track the number of currently logged-in sessions/authentications, and when that number approaches a certain hair trigger, sound the alarm? Oh right, Google already does that for you...

This is very cool ... but what would you actually do (to prevent disaster) from your phone?

Let's say I get an alert on my iPhone but I'm 30 mins from getting to my laptop.

How would you stop them from recovering your DropBox or VPS console password?

I like the idea - but please do not confuse this with security. While the canary might be activated, all of your genuine information has also been compromised.

I have thought about the security issues with gmail, especially for mobile devices (they can be easily stolen).

It would be really REALLY great if Google offered several account access levels - I could use a 'read only' account for my mobile device, which could also only give me access to the last 1 hour of emails for example, and separate account access for use with 3rd party services (Facebook, gtalk apps etc).

Following on from the idea of Google offering account access for different security levels, would also be great if you could label an email as 'bank', 'money' or 'personal' and these emails, photos and calendar items would only be visible with full account access - so effectively you could associate a particular email label to a 'security' or 'access' level.

I would DEFINITELY use a feature like this.

The catch is that images are not displayed by default. Why would an attacker click on show images? Only if the text of the email asked them to...

EDIT: I'm wrong as pointed out by others in the replies below.

You can tell GMail to always display images from a particular sender.

Ah yes of course. Duh me

He works around this by reading the email himself first, clicking the option to always display images from the sending email address and then starring it so the email is always at the top of his inbox even though it has been read.

I suppose an attacker could bypass this method by turning off images in their browser though.

An IMAP client somewhere could poll the 'read' state of message 0x12345678 instead, alerting the owner when the message turns 'read'. However, that client would have to have access to the Gmail box...
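The read-state poll suggested above, as an added Python example (not code from the thread). It fetches only FLAGS over a read-only selection, so the poll itself never sets \Seen, and it reports the unread-to-read transition once per occurrence. Host, login and the UID are assumptions; the response bytes in the test are constructed in the shape imaplib returns for such a fetch. Two caveats: this only works for a canary that sits unread, unlike the already-opened, starred canary in the post, and an attacker who reads the message and marks it unread again between two polls is missed, so poll often and treat a vanished UID as an alarm too.

```python
import imaplib
import re
import time

FLAGS_RE = re.compile(rb"FLAGS \(([^)]*)\)")


def flags_from_fetch(data):
    """Return the flag set from the data part of an imaplib UID FETCH (FLAGS) reply.

    imaplib hands back a list of entries such as
    b'7 (UID 12345 FLAGS (\\Seen \\Flagged))'. A literal part would arrive as a
    tuple, which a FLAGS fetch never produces, but it is tolerated here.
    """
    flags = set()
    for item in data:
        if item is None:
            continue
        if isinstance(item, tuple):
            item = item[0]
        match = FLAGS_RE.search(item)
        if match:
            flags.update(match.group(1).decode("ascii").split())
    return flags


class ReadCanary:
    """Tracks one message UID and fires once per unread-to-read transition."""

    def __init__(self, uid):
        self.uid = uid
        self.seen = None  # unknown until the first poll

    def update(self, flags):
        now_seen = "\\Seen" in flags
        tripped = self.seen is False and now_seen
        self.seen = now_seen
        return tripped


def poll(host, user, password, uid, interval=30):
    """Poll the canary's flags forever; host/user/password/uid are the caller's (assumed)."""
    with imaplib.IMAP4_SSL(host) as box:
        box.login(user, password)
        # readonly: even a BODY fetch could not set \Seen, and a FLAGS fetch never does
        box.select("INBOX", readonly=True)
        canary = ReadCanary(uid)
        while True:
            status, data = box.uid("FETCH", str(uid), "(FLAGS)")
            if status != "OK" or data == [None]:
                raise RuntimeError(f"canary UID {uid} is gone: deleted, or someone cleaned up")
            if canary.update(flags_from_fetch(data)):
                print(f"CANARY: message {uid} was just opened (poll interval {interval}s)")
            time.sleep(interval)
```

The polling client needs its own credentials for the mailbox, which is the trade-off the comment notes: a second set of credentials to protect, ideally an app-specific password that can be revoked on its own.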

But would an attacker read a message marked as unread? A careful attacker would know that this alerts the owner of the mailbox, as he can't remember opening the message.

His canary is a mail that has already been opened, so the attacker assumes he can look at it harmlessly.

You can mark messages un-read again in the gmail UI.

Thanks, I missed that point.

Yep, but it couldn't collect the IP of the attacker.

You're assuming that the attacker hasn't hidden his IP (i.e. Tor) or is in a country that will actually give a crap (i.e. not Russia/China).

I'm thinking of a secondary alarm anytime you get an email that may be a password recovery.

Something like SpamBayes but trained for account-related emails from the popular services and banks.

Cool idea! But I think that if it got widely adopted, hackers would see it coming from miles away.

Awesome idea, even though it means you can never use stars again.

You can just change Priority Inbox to display some label, e.g. "Confidential" above the usual tabs.

Oh I didn't know about that, I can totally use that for server notifications.

Why? I still use stars, in the example nothing else is currently starred, but in my day to day use there are usually two or three items.

I don't see the point. The guy says he owns a private server. Why doesn't he just move his email there, and monitor activity in all sort of imaginable ways?

Maybe I am missing something here... what if Display Images is turned off? How will that activate the alert system?

This is for his own account; presumably, he's turned that option on.

I would think that the hacker might try to turn that off before he starts looking into emails? If doing that can avoid detection, then it's difficult to have faith in this system.

I think that it's a bit over the top. The "canary" gets in the way of what you are doing.

I operate on the opposite principle: there is nothing sensitive in my email account. When it arrives, it is actioned and disposed of (properly) immediately.

I am not sentimental and do not keep every email "just in case" as I do not remember 99.9% of telephone conversations I've had.

> When it arrives, it is actioned and disposed of (properly) immediately

What about "important" emails in your inbox that you have not yet had a chance to take action on? Can you be taking action on your email 24 hours a day?

Gets summarised and copied straight onto my task list which is a text file with relevant information within an hour usually (unless I'm out cold). If it takes less than 5 mins it's done there and then.

I use Vim Outliner for task management.

What if somebody triggers password recoveries on all important sites using your email address?

I use aliases (one shots) for most sign-ups so it's very unlikely to happen. Only 5-6 trusted people know my real address. Also allows me to find the source for all incoming crap email and bin it quickly so I don't have to dredge through it (just drop the alias).

Lol, I'm sorry but you called this guy's process over the top but the more you explain your process it sounds way more over the top.

As I understood it the criticism wasn't of the process but that you had to stare at the canary email every single time you look at your inbox.

That is precisely it.

Why? I have two scripts "new-alias" and "kill-alias" that do all the work that took about 5 minutes each to write.

I automate everything.

Can you share those scripts?

I'd be embarrassed if I posted them (they are crap), however here is how they work...

My mail comes directly into a Debian box running postfix on the end of my ADSL line.

new-alias: Echoes the alias onto the end of /etc/aliases, then runs newaliases.

kill-alias: Use sed to remove the line that matches the alias and run newaliases.

Dead simple.

I do something similar. If I sign up at Slashdot, I'll use the email address slashdot-SECRETKEY@domain.com, and if I sign up at Gawker, I'll use gawker-SECRETKEY@domain.com. Those emails get forwarded to my real email account.

Nice thing about this system is that I can immediately tell where spammers got my email address and shut it off. Also, any email that comes in that doesn't contain a SECRETKEY gets ignored, so I don't have to worry about spammers sending to sales@domain.com and admin@domain.com.
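An added Python version of the two schemes above (not the commenters' scripts, which were not posted): new_alias()/kill_alias() maintain a Postfix aliases(5) file the way the new-alias/kill-alias scripts are described (you still run newaliases afterwards), and tag_for()/parse_tagged() implement the service-SECRETKEY addressing. The tagging goes one step beyond the comment: instead of one shared SECRETKEY, each service's tag is an HMAC of the service name under a master secret, so a leaked gawker-... address does not reveal the tag used for slashdot-... File paths, addresses and the secret are assumptions; demo_aliases() works on a throwaway file, never /etc/aliases.

```python
import hashlib
import hmac
import os
import re
import tempfile

ALIAS_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")


def new_alias(aliases_path, alias, target):
    """Append 'alias: target' to a Postfix aliases(5) file; run newaliases afterwards."""
    if not ALIAS_RE.match(alias):
        raise ValueError(f"refusing alias name {alias!r}")
    with open(aliases_path, "a") as f:
        f.write(f"{alias}: {target}\n")


def kill_alias(aliases_path, alias):
    """Drop every line for alias; returns how many were removed.

    The file is rewritten through a temp file and rename so a newaliases run
    started at the wrong moment never reads a half-written file.
    """
    kept, removed = [], 0
    with open(aliases_path) as f:
        for line in f:
            if line.split(":", 1)[0].strip() == alias:
                removed += 1
            else:
                kept.append(line)
    directory = os.path.dirname(os.path.abspath(aliases_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".aliases.")
    with os.fdopen(fd, "w") as f:
        f.writelines(kept)
    os.chmod(tmp, os.stat(aliases_path).st_mode & 0o7777)  # keep the original mode
    os.replace(tmp, aliases_path)
    return removed


def read_aliases(aliases_path):
    """Parse 'name: target' lines (comments and blanks skipped) into a dict."""
    result = {}
    with open(aliases_path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, target = line.split(":", 1)
            result[name.strip()] = target.strip()
    return result


def tag_for(service, master_secret, length=10):
    """Per-service tag: HMAC-SHA256(master_secret, service), truncated to `length` hex chars."""
    mac = hmac.new(master_secret, service.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def parse_tagged(local_part, master_secret, length=10):
    """Return the service name if local_part is '<service>-<valid tag>', else None."""
    if "-" not in local_part:
        return None  # sales@, admin@ and friends carry no tag and are ignored
    service, tag = local_part.lower().rsplit("-", 1)
    expected = tag_for(service, master_secret, length)
    return service if hmac.compare_digest(tag, expected) else None


def demo_aliases():
    """Exercise new_alias/kill_alias on a throwaway file (not /etc/aliases)."""
    fd, path = tempfile.mkstemp(prefix="aliases.")
    os.close(fd)
    try:
        new_alias(path, "slashdot-3f9c2a", "me@example.org")   # assumed addresses
        new_alias(path, "gawker-7bd410", "me@example.org")
        after_add = read_aliases(path)
        removed = kill_alias(path, "gawker-7bd410")
        after_kill = read_aliases(path)
    finally:
        os.unlink(path)
    return {"after_add": after_add, "removed": removed, "after_kill": after_kill}
```

Wire parse_tagged() into whatever accepts mail for the catch-all domain: a recipient that does not parse is rejected at SMTP time, and the service name it returns tells you who leaked the address.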

That's interesting to me. What service do you use that lets you quickly generate new addresses? Or are you running your own server?

I also use a separate email alias for each company I deal with. I run my own Postfix servers (primary + backup), but I've now created a web UI with a view to making this usable by others. The URL is in my profile (not sure if posting it here would be considered spam). It's still early days, but seems to work fine for my own emails. If you'd like to use it I'll be happy to create a (free) account for you.

I am an archival nut: it costs me little and from time to time, provides some big savings.

If an attacker is going to attack your Gmail, they already know that their IP is logged on the "Last account activity". If they are really going in, they'll be behind at least 7 proxies. Then again, there is next to nothing you can do with an IP address; if this makes you feel safer then w/e.

It still gives you time to "sign out all other sessions" in your browser and change your password immediately. Granted, you may be AFK etc., but still better than nothing at all...

You should really automate that... at least then you'll be faster than the intruder (at least if he/she hasn't already changed the password :p)

Is it possible to automate sign out and password change?

Yes. Easiest way would be to just have a script (for example, Firefox addon or greasemonkey script) that drives a browser.

Or if you don't want the overhead of a browser, a somewhat more tricky way is to do it once yourself and record the traffic using a plugin, and repeat that in a script... (but this might require some reverse engineering work on the clientside JS if there are fields like one-time tokens)

Since Gmail records the IP of anyone accessing, if you're really paranoid, there could be a setting that lets you specify what IPs you will access it from.

That would be really inconvenient if you wanted to check it from elsewhere...

That's what VPN is for.

Why not build an app that keeps a log of every time you log into your email, stores it to x specified # of logins and sends you an sms showing your email activity including # of logins, what time and IP address.
