Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-09 Thread Juergen Christoffel

On Fri, Aug 05, 2022 at 05:45:53PM +0200, Uwe Brauer via Gnupg-users wrote:

   1. just for the first very rough analysis what is a convenient command to 
get a list of files that have high entropy?


The first step might be to install tripwire and only check files, which
tripwire reports as changed. See "man tripwire" after installing it.

Regarding your attempt to find candidate files:


find . -iname '*.*' -follow -print -exec ent {} \;


Files don't need to have a dot in their name. But they might have unusual
characters in their names instead. So you might actually want to use

find -type f -print0 | xargs -0 ent

Tip: "man find" and "man xargs" describe what those zeroes mean.


So I am not sure what is the best line, but the question boils down to
this, anybody know enough sed or awk or whatsoever to tell me how to filter the 
ent output?


Gentle suggestion: you'd need to learn such basic usage yourself before
you rely on them as a tool, especially when attempting to secure your
systems.

Tips (for example):
https://www.amazon.de/Learning-Perl-Making-Things-Possible/dp/1492094951 or
https://www.amazon.de/Effective-awk-Programming-Universal-Processing/dp/1491904615 


Regards, JC

--
 Experience is the worst teacher.  It always gives the test first and the
 instruction afterward.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
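An added example, not part of the list thread above, for the "how do I filter the ent output" step. It drops `ent` entirely and computes Shannon entropy (bits per byte) with od(1) and awk(1), which are present on practically every Unix box, and it hands file names to a child shell via `-exec ... {} +` so names with spaces or other odd characters survive, which is the point Juergen makes about `-print0`. The threshold default and the sample files in the usage comment are my choices; nothing here comes from the original posts.

```shell
#!/bin/sh
# Entropy triage without the `ent` tool.  Shannon entropy in bits per byte:
# 0.0 for a file of identical bytes, 8.0 for a perfectly uniform byte
# distribution.  Encrypted files sit near 8, but so do compressed or
# already-encrypted formats (zip, gz, jpg, png, mp4, .gpg), so the output
# is a triage queue to review, not a verdict.

# awk program shared by both functions: od prints every byte as an unsigned
# decimal (-v keeps repeated lines instead of collapsing them to "*"), awk
# builds the byte histogram and sums -p*log2(p).
ENTROPY_AWK='
    { for (i = 1; i <= NF; i++) hist[$i]++; n += NF }
    END {
        if (n == 0) { printf "0.0000\n"; exit }
        for (b in hist) { p = hist[b] / n; h -= p * log(p) / log(2) }
        printf "%.4f\n", h
    }'
export ENTROPY_AWK

# file_entropy PATH -> prints the entropy of PATH with four decimals.
file_entropy() {
    od -An -v -tu1 -- "$1" | awk "$ENTROPY_AWK"
}

# scan_high_entropy ROOT [THRESHOLD] -> "entropy<TAB>path" for every regular
# file under ROOT whose entropy is >= THRESHOLD (default 7.9), highest first.
# Files are passed to a child shell with -exec ... {} + so that names
# containing spaces, quotes or newlines are never word-split.  Files of a few
# bytes give noisy estimates; filter them out with -size if they flood the list.
scan_high_entropy() {
    root=$1
    threshold=${2:-7.9}
    find "$root" -type f -exec sh -c '
        for f in "$@"; do
            e=$(od -An -v -tu1 -- "$f" | awk "$ENTROPY_AWK")
            printf "%s\t%s\n" "$e" "$f"
        done' sh {} + |
    awk -v t="$threshold" '$1 >= t' |
    sort -rn
}

# Usage: scan_high_entropy /home 7.9
```

Run it against a tree you know to be clean first: the number of legitimate high-entropy files (photos, archives, existing .gpg files) tells you what baseline to expect before you go looking for a ransomware run.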


Re: Windows x64 binaries, unusable with Thunderbird

2022-08-09 Thread Werner Koch via Gnupg-users
On Sun,  7 Aug 2022 12:46, andrew--- said:

> It looks like GPG4Win as well as "simple" installer are 32bit-only,
> which is somewhat unexpected in 2022. Is there a reason for this?

Windows 64-bit-only installations are pretty rare and thus the 32-bit
GnuPG suite is not a problem.  

> Such builds are unusable with the x64 Thunderbird [1], no matter if user

Thunderbird does not use GnuPG and the former Enigmail used
CreateProcess to start gpg et al.  No problem at all.

You may very well build libgpgme as 64-bit DLL or static library.  (we
do this for our Outlook and Explorer plugins).  The native messaging with
gpgme-json does not care about 64 or 32 bit because CreateProcess is
used by Thunderbird.

The background why we have no 64 bit version of GnuPG are due to
problems with HANDLEs, sockets, file descriptors and such.  GnuPG uses
some tricks to handle this all.  Instead of migrating these tricks and
assumptions over to a 64 bit world, we are slowly moving towards
internal data structures which allow us to avoid all tricks (i.e. our
own data object (estream_t) conveying meta information, such as whether
we have a socket or a libc file descriptor).


Shalom-Salam,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein




Re: gpg-agent and socket forwarding

2022-08-09 Thread James A. Robinson via Gnupg-users
I forgot to mention, another thing in place on the server's sshd
configuration is:

StreamLocalBindUnlink yes

On Tue, Aug 9, 2022 at 10:29 AM James A. Robinson 
wrote:

> Hi folks,
>
> I've got two Fedora 36 machines I use in my office: a laptop that I log
> into using the keyboard and monitor and a server that I ssh into from the
> laptop.  I have my GnuPG private keys on the laptop, and the public keys on
> both the laptop and the server.  Additionally, I've got my laptop
> ~/.ssh/config set up with a directive:
>
> RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent
>
> and when I ssh into the server using 'ssh -v' I see in the output the
> following:
>
> debug1: remote forward success for: listen 
> /run/user/1000/gnupg/S.gpg-agent:-2,
> connect /run/user/1000/gnupg/S.gpg-agent:-2
>
> Now at this point I'm under the impression that if gpg were to be called
> on the server, and it talks to the socket, it should be triggering my
> gpg-agent on my laptop.  This seems to work as long as the gpg-agent on the
> server doesn't start up.  If the gpg-agent on the server does start it
> complains about no private keys (which makes sense, since the server
> doesn't have the private keys).
>
> I've read that systemctl is managing the sockets on Fedora 36, and that I
> can prevent gpg-agent from starting on the server by 'mask'ing the handlers
> for the sockets.  So, on the server, there are /dev/null links in place:
>
> lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-browser.socket -> /dev/null
> lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-extra.socket -> /dev/null
> lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent.service -> /dev/null
> lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent.socket -> /dev/null
> lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-ssh.socket -> /dev/null
> lrwxrwxrwx. 1 root root 9 Aug  8 09:16 /etc/systemd/user/sockets.target.wants/gpg-agent.socket -> /dev/null
>
> Sometimes I am able to call gpg without any problem and other times gpg is
> starting up gpg-agent and then failing because of the lack of private keys
> on the server machine.  Is there some other thing I should have been doing
> to tell systemctl to stop trying to handle the sockets itself?  Should I be
> reconfiguring gpg to use different sockets than ones that systemctl is
> trying to manage?
>
> Jim
>
>
>
>


Re: Problems when importing previously exported private keys on new linux system.

2022-08-09 Thread Andrew Savchenko via Gnupg-users



On 08/08/2022 22:36, Vladislav Alekseev via Gnupg-users wrote:


So, here is the problem.
Is there any method to restore my private key or revoke it?
Why can't the gpg program identify my key file? Is the root cause of it that 
I didn't add "--armor" parameter when exporting my private key?

Thanks.


Check the key format manually. If ASCII - try `dos2unix`. Sounds like it 
has been transferred between Windows/*nix. If binary, show the output of 
`gpg --list-packets`




--
Glory to Ukraine,
A



gpg-agent and socket forwarding

2022-08-09 Thread James A. Robinson via Gnupg-users
Hi folks,

I've got two Fedora 36 machines I use in my office: a laptop that I log
into using the keyboard and monitor and a server that I ssh into from the
laptop.  I have my GnuPG private keys on the laptop, and the public keys on
both the laptop and the server.  Additionally, I've got my laptop
~/.ssh/config set up with a directive:

RemoteForward /run/user/1000/gnupg/S.gpg-agent /run/user/1000/gnupg/S.gpg-agent

and when I ssh into the server using 'ssh -v' I see in the output the
following:

debug1: remote forward success for: listen /run/user/1000/gnupg/S.gpg-agent:-2,
connect /run/user/1000/gnupg/S.gpg-agent:-2

Now at this point I'm under the impression that if gpg were to be called on
the server, and it talks to the socket, it should be triggering my
gpg-agent on my laptop.  This seems to work as long as the gpg-agent on the
server doesn't start up.  If the gpg-agent on the server does start it
complains about no private keys (which makes sense, since the server
doesn't have the private keys).

I've read that systemctl is managing the sockets on Fedora 36, and that I
can prevent gpg-agent from starting on the server by 'mask'ing the handlers
for the sockets.  So, on the server, there are /dev/null links in place:

lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-browser.socket -> /dev/null
lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-extra.socket -> /dev/null
lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent.service -> /dev/null
lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent.socket -> /dev/null
lrwxrwxrwx. 1 root root 9 Jul 28 10:30 /etc/systemd/user/gpg-agent-ssh.socket -> /dev/null
lrwxrwxrwx. 1 root root 9 Aug  8 09:16 /etc/systemd/user/sockets.target.wants/gpg-agent.socket -> /dev/null

Sometimes I am able to call gpg without any problem and other times gpg is
starting up gpg-agent and then failing because of the lack of private keys
on the server machine.  Is there some other thing I should have been doing
to tell systemctl to stop trying to handle the sockets itself?  Should I be
reconfiguring gpg to use different sockets than ones that systemctl is
trying to manage?

Jim
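An added example, not taken from Jim's posts, for the socket-forwarding setup the two messages above (the question and its StreamLocalBindUnlink follow-up) describe. It generates the ssh_config stanza and checks the server-side sshd option. Two things here are my assumptions rather than the poster's configuration: the local side of the forward is the restricted extra socket (gpg-agent(1) documents `S.gpg-agent.extra` as the socket intended for forwarding, so the remote machine never talks to the unrestricted agent), and socket paths are taken from `gpgconf --list-dirs` instead of being hard-coded under /run/user/<uid>. The host alias and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# gpg-agent forwarding over ssh: emit the client-side config and verify the
# server-side prerequisite.  Paths are looked up with gpgconf where possible.

# remote_forward_line REMOTE_LISTEN_PATH LOCAL_CONNECT_PATH
# ssh's argument order is "RemoteForward <listen on remote> <connect locally>":
# the server's agent socket comes first, the local extra socket second.
remote_forward_line() {
    printf 'RemoteForward %s %s\n' "$1" "$2"
}

# local_extra_socket -> path of this machine's restricted agent socket.
# gpgconf knows the real location (under /run/user/<uid>/gnupg or ~/.gnupg);
# the hard-coded fallback (assumed layout) is only used if gpgconf is absent.
local_extra_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-extra-socket
    else
        printf '/run/user/%s/gnupg/S.gpg-agent.extra\n' "$(id -u)"
    fi
}

# emit_host_stanza ALIAS REMOTE_AGENT_SOCKET [LOCAL_EXTRA_SOCKET]
# REMOTE_AGENT_SOCKET is obtained once on the server with
# "gpgconf --list-dirs agent-socket"; the third argument overrides the
# local lookup (useful for tests or for a second GNUPGHOME).
emit_host_stanza() {
    alias_=$1
    remote_sock=$2
    local_sock=${3:-$(local_extra_socket)}
    printf 'Host %s\n' "$alias_"
    printf '    '
    remote_forward_line "$remote_sock" "$local_sock"
}

# sshd_bind_unlink_ok SSHD_CONFIG -> exit 0 if an uncommented
# "StreamLocalBindUnlink yes" is present.  Without it a stale socket file
# left behind on the server makes the next login's forward fail with
# "remote port forwarding failed for listen path ...".
sshd_bind_unlink_ok() {
    grep -Eiq '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes' "$1"
}

# Usage (client): emit_host_stanza server /run/user/1000/gnupg/S.gpg-agent >> ~/.ssh/config
# Usage (server): sshd_bind_unlink_ok /etc/ssh/sshd_config || echo 'add StreamLocalBindUnlink yes'
```

The forward only helps if nothing on the server is listening on the same path: a locally started gpg-agent would take the socket over, which is exactly the symptom described in the question, so the server-side agent has to stay stopped (the masked systemd units above are one way to do that).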


Re: Problems when importing previously exported private keys on new linux system.

2022-08-09 Thread Ángel
On 2022-08-08 at 13:06 +, Vladislav Alekseev wrote:
> So, here is the problem.
> Is there any method to restore my private key or revoke it?
> Why gpg program can't identify my key file? Is the root cause of it
> that I didn't add "--armor" parameter when exporting my private key?
> Thanks.

The missing --armor shouldn't make a difference here.

What was the gpg version in the old system and which is the version in
the new one? Is it possible that the new system is using an *older*
version of gpg?




Re: a bit off topic, how to find encrypted files (ransom attack)

2022-08-09 Thread Ángel
On 2022-08-04 at 18:58 +0200, Uwe Brauer wrote:
> 
> Hi 
> 
> So is there any other way to run find and some other script to find
> suspicious files? Google is not really helpful
> 
> Regards
> 
> Uwe Brauer 

If you suffer a ransomware attack I would say your problem won't be
*noticing* that. If you didn't, that's a failure by the attackers. They
want you to notice (once they're finished), so that they get paid.
Most often, they will change the extension (.ransom, an email
address...) as well as include a ransom note on every directory.

Once you find what pattern they used, it's simple to find all other
files like that.

Regards


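An added example, not from Ángel's reply, that turns his "find the pattern they used, then find every file like it" into three small checks: which file extension suddenly dominates the recently modified files, which basename has been dropped into many directories (the ransom note), and the final enumeration once the extension is known. The sample tree in the usage comment and the extension `.locked` are constructed for illustration; `-mmin` is a GNU/BSD find extension rather than POSIX.

```shell
#!/bin/sh
# Pattern-based triage after a suspected mass-encryption run.

# recent_extensions ROOT MINUTES -> "count ext" for files modified in the
# last MINUTES, most frequent first.  A ransomware pass shows up as one new
# extension (.locked, .crypt, an e-mail address, ...) near the top.  The
# extension is taken from the basename only, so dots in directory names do
# not matter; a dotfile such as .bashrc counts as extension "bashrc".
recent_extensions() {
    find "$1" -type f -mmin "-$2" |
    awk -F/ '{ n = split($NF, part, "."); if (n > 1) print tolower(part[n]) }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# replicated_basenames ROOT MIN_DIRS -> basenames present in at least
# MIN_DIRS directories.  Two files in one directory cannot share a name, so
# the occurrence count equals the number of directories.  Ransom notes are
# dropped once per directory and float to the top; legitimate repeats
# (README, Makefile, .gitignore) need a glance to rule out.
replicated_basenames() {
    find "$1" -type f |
    awk -F/ '{ print $NF }' |
    sort | uniq -c |
    awk -v min="$2" '$1 >= min { sub(/^ *[0-9]+ /, ""); print }'
}

# files_with_extension ROOT EXT -> every file carrying the attacker's
# extension, once it is known: the inventory for scoping and restore.
files_with_extension() {
    find "$1" -type f -name "*.$2"
}

# Usage, assuming an attack in the last two hours that appended ".locked":
#   recent_extensions /srv 120 | head
#   replicated_basenames /srv 10
#   files_with_extension /srv locked > affected-files.txt
```

Run the two discovery functions before touching anything else: both only read directory metadata, and the inventory they produce is what a restore job and the incident timeline will be built from.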


Re: Does the PGP public key at https://www.washingtonpost.com/anonymous-news-tips/

2022-08-09 Thread Jay Sulzberger via Gnupg-users


On Sun, 7 Aug 2022, Andrew Gallagher  wrote:




On 7 Aug 2022, at 17:28, Jay Sulzberger via Gnupg-users  
wrote:

Andrew, do the sks keyservers work today?

I was able to find the key by going to

https://keyserver.ubuntu.com/

and putting

EC6C2905F0F93C0373946CA10642427A5FF780BE

into the search box.


Do you mean SKS the software (i.e. github.com/sks-keyserver) or SKS
the protocol/network? The answer in both cases is "yes", but for
different values of "yes". 


In the past two days, I have come to understand how little I know
about the design, the practical use, and the statistics of usage, of
gnupg.  I think that learning some more is worth the effort.



What doesn't work any more is the sks-keyservers.net pool, which had
become a nightmare to manage. This has been taken by many to mean
that the SKS network itself is down, but this is absolutely not the
case.


Ah.



sks-keyserver still works, but is IMO not suitable for use in
production unless you are an expert willing to roll your own load
balancing pool and recompile the code to update blacklists (there
are still a few such brave souls left). This may change in the
future; the software is maintained but hasn't had a significant
feature bump in some time.


Ah, oi.



The SKS network also still works, and depending on your choice of
metric is probably more stable today than it has ever been. The
reasons are twofold: many operators have migrated from sks-keyserver
to hockeypuck, and most of the rest have shut down. This means that
although there are fewer keyservers now than five years ago, the
ones that do exist (including keyserver.ubuntu.com) are generally
much more reliable.


Ah, OK.



Information about the SKS network can be found at https://spider.pgpkeys.eu

A


Andrew, thank you much for this useful short introduction to these
obscure things!

oo--JS.