File canary kill switch

cross-posted from: https://programming.dev/post/52544724

I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials

https://gitlab.com/drosseau/file-canaryOpen link View original on programming.dev

Comments3

Random Dent

lemmy.ml

chicken

lemmy.dbzer0.com

I wonder what the ideal placement or naming of such a file would be, where are credential scrapers going to check first?

lemmyuser reply

programming.dev

I'm hesitant to share my list :)

I'd consider looking at recent attacks by TeamPCP and the recent AUR compromise for inspiration. Some obvious targets are fake SSH keys, cloud provider credentials that you don't use, package manager credentials that you don't use, etc. Also things that allow a configuration and accept a default value you can place a canary at the default value and configure for a different path.

moonpiedumplings reply

programming.dev

TeamPCP is very interesting, since they actually reused an open source secrets scanner to find secrets:

https://github.com/trufflesecurity/trufflehog

So if you wanted to know, I'd start by looking there.