From: no data
Date: Mon, 21 Feb 2022 04:52:54 -0800
Subject: [cryptome] wholeaked - a new open source program to catch whistle blowers
To: cryptome@freelists.org
This post is an attempt to get this list back to the roots of what
cryptome is based on: leaked files. I attempt to share an interesting
coder, the coder's shared work on his GitHub, and what is his most
interesting creation yet, called wholeaked, in hopes of drumming up
interesting discussions on leakers and related software, and hopefully
we can leave behind some of the insane and inane discussions of recent
history on this list.
I'll first go over his GitHub and the various projects he created and
the skills/languages he used to create the tools, and then go on to
wholeaked: what it does, a brief explanation of how it does what it
does, its uses, its shortfalls, and why it's an interesting and
important addition for those who are for and/or against leaks and/or
leakers (it helps and works against both leakers and anti-leakers).
Let's begin.
The original developer's quote about the project he named
"wholeaked":
"a file-sharing tool that allows you to find the responsible person in
case of a leakage"
The GitHub project page has 19 forks, uses the BSD-3-Clause License
and was created on January 26th, 2022. It appears to be made by a talented
hacker named Utku Sen, who has written other pro-privacy tools and published
them on GitHub, such as his "house party" emergency data locker tool,
which encrypts every file in your home directory via remote command in
an attempt to block a thief's access to your documents, as well as
several anti-ransomware tools that detect when encryption of files has
begun, stop the process and warn you as soon as they see it
happening. A rewrite of the program was done to have the code
available in Python.
His other open source tools include:
-several DoS tools,
-a URL-shortener reversal tool,
-a fork of the "Empire" Windows exploit toolkit for automated pwning of
Windows domain controllers,
-an IRC-based botnet/bot tool,
-a second fork of Empire with modifications to the timing and order of
loading its functions for IDS evasion,
-a stress tester,
-a program called jeopardize, a threat intelligence & response tool
against phishing domains,
-a mass-security-auditing toolkit,
-a blackjack analyzer,
-and other interesting hack tools.
The languages he uses to create these tools span various major
languages, from C to Python to Visual Basic to C# and finally Go. His
repos can be found here: https://github.com/utkusen?tab=repositories
While the method this program uses is not brand new, the program itself
is, and it is more than a simple binary with only one function: it
crosses platforms to every major 64-bit OS (Linux x64, macOS X x64 and
Windows x64), which makes this program all the more versatile to use.
Classification of program type:
The program might be what's known as a type of "traitor tracing"
software (see here: https://en.wikipedia.org/wiki/Traitor_tracing )
and uses a canary trap to finger the leaker (see here:
https://en.wikipedia.org/wiki/Canary_trap ).
Some might be offended by such strong labels as 'traitor'
to describe this software, as the word "traitor" could be replaced
with "brave unwavering ethical bar-setting/bar-raising whistleblower
hero" and the functionality of the software would be the exact same
even if the intent is different.
In practice, the program helps you keep track of everyone who gets a copy of
the file that you suspect will be leaked (or you might do this as a
form of anti-copying enforcement when distributing a book, with the
consequences for the leaker of getting fired from their job, fined or
imprisoned). Each copy that gets sent out gets its own unique invisible
watermark, which is essentially just metadata that ties that particular
copy to the email address (or person) you sent it to.
When (or if) the file or files get leaked, you can check the metadata
in the copy of the now-public file, see which person the watermark
shows it was tied to, and then you've found your leaker.
Here are the several ways you are able to tag the file (copied
directly from the GitHub page here: https://github.com/utkusen/wholeaked )
"wholeaked can add the unique signature to different sections of a
file. Available detection modes are given below:
File Hash: SHA256 hash of the file. All file types are supported.
Binary: The signature is directly added to the binary. Almost all file
types are supported.
Metadata: The signature is added to a metadata section of a file.
Supported file types: PDF, DOCX, XLSX, PPTX, MOV, JPG, PNG, GIF, EPS,
AI, PSD
Watermark: An invisible signature is inserted into the text. Only PDF
files are supported."
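To make the detection modes above concrete, here is an added example (my own illustration, not wholeaked's code) that tags one copy per recipient in the "Binary" style, keeps a sender-side registry of signatures and SHA256 hashes, and attributes a leaked copy by hash first ("File Hash" mode) and by signature scan second. The document bytes and recipient addresses are constructed; the untagged original stands in for a re-created document, which cannot be attributed.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample document; stands in for the file you expect to be leaked.
ORIGINAL = b"Board notes Q1: restructuring plan. Not for distribution.\n"


def make_signature() -> str:
    """Random per-copy token. The token -> recipient mapping stays with the
    sender; nothing in the token itself reveals who received the copy."""
    return secrets.token_hex(8)


def tag_binary(data: bytes, signature: str) -> bytes:
    """'Binary' mode: append the signature after the real content. Most
    viewers ignore trailing bytes, but the tag only survives while the bytes do."""
    return data + b"\n%% " + signature.encode() + b"\n"


def distribute(original: bytes, recipients: List[str]) -> Tuple[Dict[str, bytes], Dict[str, dict]]:
    """One uniquely tagged copy per recipient, plus the sender-side registry
    (signature and 'File Hash' mode SHA256) needed later to attribute a leak."""
    copies: Dict[str, bytes] = {}
    registry: Dict[str, dict] = {}
    for recipient in recipients:
        signature = make_signature()
        tagged = tag_binary(original, signature)
        copies[recipient] = tagged
        registry[recipient] = {
            "signature": signature,
            "sha256": hashlib.sha256(tagged).hexdigest(),
        }
    return copies, registry


def identify_leaker(leaked: bytes, registry: Dict[str, dict]) -> Optional[str]:
    """'File Hash' mode first: exact SHA256 match (any single changed byte
    breaks it). Then 'Binary' mode: scan the bytes for a registered signature.
    Returns None when the copy carries no recoverable tag, e.g. a re-created
    document, which is exactly the shortfall discussed later in this post."""
    digest = hashlib.sha256(leaked).hexdigest()
    for recipient, record in registry.items():
        if record["sha256"] == digest:
            return recipient
    for recipient, record in registry.items():
        if record["signature"].encode() in leaked:
            return recipient
    return None
```

The hash lookup catches a verbatim leak, the signature scan still works after a trailing edit, and the plain original comes back unattributed.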
A note of caution: Of course this tool will only reveal the most
inexperienced and/or over-confident of leakers, as anyone with half a
brain will realize this and attempt to strip all metadata from the file
before leaking, if not altogether re-create the document by
screenshotting each page of data one at a time with something like the
good old Print Screen button and pasting and saving in MS Paint or
something similar. One should consider using a brand new VM that was
spun up for this single purpose; a live Linux distro like Ubuntu
Live or Tails will also work (those who work in digital forensics are
much better placed to discuss this part of the topic!).
This is but one way, among other methods, to bypass someone using a
unique-injection-of-watermark-per-file leak-detection technique (try
saying that 5x fast!).
The _actual_ common term for this technique, for the laymen, is the
canary trap. It is used in many different contexts far removed from
someone breaching national security with PDF files or whatever. For
example, some AV programs place canary files in your documents folder,
and if the AV detects that they are no longer accessible (yet still
remain in your documents folder) or that they appear to be modified,
then the AV might stop all processes and block any process from writing
to disk until the user confirms that it was not ransomware that
modified, encrypted or changed the file and lets the processes continue.
Wholeaked is essentially making every distributed file its own unique
identifiable canary. If that canary is ever found anywhere by being
leaked, then at the very least you will know who was responsible for
the file becoming public (whether or not it was their intent to spread
the file to the public!).
What makes this one noteworthy is that it is now trivial to do
easily without the need to understand concepts like unique
watermarking and metadata or how to add them correctly. Also, it
is open source with compiled binaries for Windows, OSX and Linux (you
can find the project, binaries and source code on GitHub here:
https://github.com/utkusen/wholeaked/releases/tag/v0.1.0 )
It's a reminder to those who are experienced in leaking to stay
vigilant, lest they be exposed (and in some states/places this could
mean death or worse to you and your family).
It's also a wakeup call for those who leak but don't know what they are
doing, and might mean lost jobs, legal action, imprisonment and
possibly a lot more if they don't smarten up about their opsec.
On the other hand, it could also mean the capture of those who are
leaking classified documents to rogue states who routinely deny
mountains of evidence of human rights abuses (I'm looking at you, China)
for money, in which case it would be a good thing, exposing those who
give aid to powerful unethical monsters.
No matter the use case, the tool is now in the hands of everyone and
anyone is free to add and change it for their own uses and publish
their own versions as a fork if they like.
To end this post, which has gone on far too long, here is the creator's home page:
https://utkusen.com/
Kudos to you, Utku Sen!