This gives me a thought: is there any service out there that creates and monitors canary tokens on a larger scale to try to identify when specific providers have been breached?
In light of the LastPass breach, it seems like it would be useful if someone had created a few LastPass vaults and seeded them with some canary tokens (and probably canary crypto wallets), so if any of those tokens or wallets were used, it would almost certainly indicate that attackers had breached LastPass and successfully cracked vault passwords.
For what it's worth, I maintained a crypto canary in LP and it hasn't moved yet. I do think it's worth keeping a canary wallet with some small amount of crypto in any password manager. Although it probably wouldn't be effective to detect targeted attacks, crypto wallets are probably very effective for widespread/untargeted attacks.
I'm not entirely sure, but it seems like parsing the apache/nginx/other webserver access log is enough. When you detect a request to some token ID, get the email associated with it and send the notification pre-recorded by the user.
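The log-parsing approach described in the comment above, as an added example that is not the commenter's code and does not use the canarytokens project itself: each access-log line is parsed, a token-shaped path segment is looked up in a registry, and a hit becomes an alert carrying the owner's contact and the memo they recorded when minting the token. The token format, the registry and the log lines are constructed for the example.

```python
"""Added example, not from the thread or the canarytokens project: match canary
token IDs in web-server access-log lines and resolve each hit to the owner's
contact and the memo they recorded when minting the token.  Token IDs, the
registry and the log lines below are constructed."""
import re
from dataclasses import dataclass

# Combined log format, as written by nginx and apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Hypothetical token shape: a 20-char lowercase alphanumeric path segment.
TOKEN_RE = re.compile(r'/(?P<token>[a-z0-9]{20})(?=[/.?]|$)')


@dataclass(frozen=True)
class Alert:
    token: str
    owner_email: str
    memo: str
    src_ip: str
    user_agent: str
    when: str


# Hypothetical registry: token id -> (owner, memo written when the token was minted).
REGISTRY = {
    "k3f9s2h7d0q1w8e5r4t6": ("alice@example.com", "fake AWS creds in the finance share"),
    "zz11yy22xx33ww44vv55": ("bob@example.com", "link inside the old wiki backup"),
}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_alerts(lines, registry=REGISTRY):
    """Scan log lines and return one Alert per request that hit a registered token."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not our log format: skip rather than crash the monitor
        t = TOKEN_RE.search(rec["path"])
        if not t or t["token"] not in registry:
            continue  # ordinary traffic, or an unregistered ID (a scan or a guess)
        owner, memo = registry[t["token"]]
        # The HTTP status does not matter: a 404 still means the request reached us.
        alerts.append(Alert(t["token"], owner, memo, rec["ip"], rec["ua"], rec["ts"]))
    return alerts


def notify(alert):
    """Render the notification the owner pre-recorded; a real deployment would email it."""
    return (f"To: {alert.owner_email}\n"
            f"Subject: canary triggered: {alert.memo}\n"
            f"Token {alert.token} was requested from {alert.src_ip} "
            f"({alert.user_agent}) at {alert.when}")


# Constructed log lines: two real hits, one normal request, one unregistered ID.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2023:10:15:32 +0000] "GET /k3f9s2h7d0q1w8e5r4t6/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Jan/2023:10:16:01 +0000] "GET /static/logo.png HTTP/1.1" 200 1044 "-" "curl/8.0"',
    '192.0.2.4 - - [11/Jan/2023:10:17:45 +0000] "GET /zz11yy22xx33ww44vv55 HTTP/1.1" 404 0 "-" "python-requests/2.28"',
    '198.51.100.9 - - [11/Jan/2023:10:18:00 +0000] "GET /abcdefghij0123456789/x HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(notify(a), end="\n\n")
```

Unregistered token-shaped IDs are deliberately dropped rather than alerted on, so a scanner walking random paths cannot flood the owner; the real signal is a request for an ID that only ever existed inside the seeded document or credential.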
I immediately thought of a concern which is already highlighted in their FAQ:
> What if attackers blacklist the canarytokens.org domain? Doesn’t that work?
> This would work! That’s why we suggest that you download the canarytokens docker image and run your own server. (You can grab the source to build it yourself from here)
This seems like something that could be highlighted more prominently, since the main site makes it so extremely convenient to use a hosted token (where some knowledgeable attackers can avoid triggering the canary).
Don't let perfect be the enemy of good. I really doubt that many hackers have blacklisted this domain (while not working on offline machines). A self-hosted version must also be tested and maintained, this is an easy set and forget solution.
Do you think anyone in practice will be watching for this domain? My suspicion is that it will still work for most people, but I am ignorant, and am basing this on how competent I see people behave in general.
Moving that item up to be more prominent does sound like a good idea though
Would depend on the method. For the ones that are automated like opening a PDF - I doubt many attackers will bother blacklisting the domain in their DNS.
But for the manual ones, like opening a link - it'd probably be better to host them at a much less suspicious sounding domain.
An easier service would be if canarytokens.org allowed us to CNAME a subdomain of our company, so the token would be sent to hj.example.com. But that would make canarytokens.org a public service, which requires funding.
> Windows provides an even cooler way to get notified, in the guise of the venerable old desktop.ini configuration file. Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our iconfile.
KEK.
So just unpacking an archive and browsing the directory structure in Explorer is a threat to your privacy.
So many times on engagement I've opened files that looked like canaries but were just dumb jokes between sysadmins (id_rsa containing "hah got you" for instance)
A dozen canary tokens will probably get your security detection program a lot further than your first $2M of Splunk license
I have. I kept about $500 worth of bitcoin, as an unencrypted wallet.dat file, on my gaming PC in which I sometimes run untrusted executables.
One day, I got a notification that the coins had been moved. After realising it wasn't a false positive, I immediately disconnected and imaged the PC, and sure enough, deep investigation found malware.
Small price to pay, as it alerted me to rotate all passwords and sessions, and alert the community about the compromised executable.
To this day, I keep some crypto on every device I use. If not breached, it doesn't cost me anything.
You are literally paying hackers to out their presence.
This is just a brilliant principle: Provide some low hanging, easy to identify, inexpensive fruit for thieves, to protect higher hanging fruit.
It could be used instead of more formal rewards for encouraging white hackers to report vulnerabilities: just let everyone know your outer ring of security has a wallet.
Even if more sophisticated hackers would skip the wallet, you are much more likely to find out vulnerabilities if hackers of all shades know there is honey for the taking.
This is, sincerely, the first time I've heard a use case for cryptoassets and thought, yeah, that's something real, useful, and which cryptoassets are uniquely suited for.
It's related to a home security tactic I heard of: keeping a "pocket change" tray visible on a table just inside your front door, with coins and a few bills.
The theory being that, if a burglar sees it, they'll probably at least grab the bills.
When you enter, if the bills are missing, there might be a burglar still in the house.
I like this so much!!!! (Partly because I think I've suggested a couple times here a long time ago to hold some bitcoin private keys in your "most secure" code/dir/whatever and monitor if they go missing, but I'm probably not the 1st to think about it as a bounty)
Do you know if the $500 was moved 'automatedly' or by a human? If the former, makes you wonder if $0.01 would do it. (I guess network fees don't matter since you'd still see it pending on the blockchain and that's good enough)
Absolutely, I worked at a place where we generated unique aws tokens, pushing it out to all users/computers in the fleet and had alerting anytime one was used, which was traceable to a service, user or server.
Within 1 year I found a breach on a developers box and another on a frontend server.
On a first date, someone quoted the contents of your diary that had been stolen in a hack? Were you dating on a hacker matching app? How does this even come about?
I got the impression using wifi in airplane mode paired with years of exchanging numbers at hacker cons and academic events influenced my matches in some odd ways.
(Such as having someone freak out you have a weed card and might not forget they do too if that’s the reason you can’t get a job)
Anyways I thought she was just some random divorcée but she worked for the local FFRDC
Edit: it also may have been a catfish who got annoyed I had no idea who the person she was impersonating was absent being fourth author on something outside my area of expertise
Those canaries are meant to detect something bad happening within an executable. These canaries are instead meant to detect something bad happening "between" executables of sorts - i.e. malicious usage of said executables/services.
It's like placing unlocked safes all over your (locked) house with stuff that looks valuable to thieves. You know it's worthless so you never touch them. If a thief does however, you will know immediately. The overlap with honeypots here can be a bit fuzzy I guess.
Good idea, but this would need to be maintained over the years in order to be effective. And you should also trigger it yourself regularly but not too often to make sure it works.
I evaluated this a while back. Cool idea but limited application in a corporate environment. But for personal use, why not?
Someone needs to open a document for the canary token to trigger. Even the smallest company with M365 gets MSIP (formerly Azure Information Protection); if you classify your docs right, only people who own or have been shared the document can decrypt it, and even without a good classification, you get logs of any M365 document being opened, so why can't I just have a regular but public doc everywhere and monitor when it gets opened from external IPs, user agents, etc.?
Fair enough, but you need some sort of data classification and usually that tool can also do protection and leak detection. This tool is focused on just the canary part, if you have documents that can just get copied on a usb drive or emailed and exposed to the public there are plenty of good solutions before you accept that as an inevitable reality and implement leak detection via canaries. Don't get me wrong though, I'm a believer in deception tech in general.
Not exactly "canaries", in that you won't know if they're dead. If you were to use this device/service, you'd want to test some/all of them every now and then to know if they still did what you want. Or just cross your fingers and consider them bonus security.
Funny. In all the companies I worked at so far I added very long random tokens into the databases, which only get returned when dumping the entire database. They specifically are added in a way, and the queries made in a way, that those entries are never returned.
A separate container monitors all traffic returned by the databases and if those tokens are detected, the databases are essentially shut down by disabling the port of the database until it is manually unlocked again.
Funnily enough, I was working at an auction platform and a few times the databases stopped responding. Everyone was furious until I shared why the databases stopped responding. :-)
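The database canary described in the three paragraphs above, as an added example that is not the commenter's code: a canary row whose key column is a long random token that no application query can return, plus a result scanner that locks the database the moment the token appears in any result set. The commenter ran the scanner as a separate container watching the database's returned traffic and disabled the database port; here the scanner is a wrapper around an in-memory sqlite3 connection and the lock is a flag that only a manual unlock clears. The schema, rows and tenant convention are constructed for the example.

```python
"""Added example, not the commenter's code: a canary row that application
queries can never return, and a result-set scanner that locks the database when
the canary token is returned anyway (i.e. by a full-table dump).  Schema and
rows are constructed; the lock flag stands in for disabling the DB port."""
import secrets
import sqlite3

# 64 hex chars: never guessed, never typed, only ever returned by a dump.
CANARY_TOKEN = "cnry_" + secrets.token_hex(32)


class CanaryTripped(RuntimeError):
    """Raised when a result set contains a canary token; the DB is now locked."""


class GuardedDB:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.tokens = {CANARY_TOKEN}
        self.locked = False
        self._seed()

    def _seed(self):
        c = self.conn
        c.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, "
                  "email TEXT NOT NULL, api_key TEXT NOT NULL)")
        c.executemany(
            "INSERT INTO users (tenant_id, email, api_key) VALUES (?, ?, ?)",
            [(1, "alice@example.com", "k_" + secrets.token_hex(8)),
             (2, "bob@example.com", "k_" + secrets.token_hex(8)),
             (2, "carol@example.com", "k_" + secrets.token_hex(8))],
        )
        # Tenant 0 is never issued to a customer, and every application query
        # filters on the caller's tenant_id, so this row is only returned by a
        # query that does not filter at all: someone dumping the table.
        c.execute("INSERT INTO users (tenant_id, email, api_key) VALUES (0, ?, ?)",
                  ("canary@example.invalid", CANARY_TOKEN))
        c.commit()

    def query(self, sql, params=()):
        """Run a query and scan every returned string cell for a canary token."""
        if self.locked:
            raise CanaryTripped("database locked pending manual review")
        rows = self.conn.execute(sql, params).fetchall()
        for row in rows:
            for cell in row:
                if isinstance(cell, str) and any(tok in cell for tok in self.tokens):
                    self.locked = True  # stand-in for disabling the database port
                    raise CanaryTripped(f"canary token returned by: {sql}")
        return rows

    def unlock(self, ticket):
        """Manual re-enable, after an analyst has reviewed the incident."""
        if not ticket:
            raise ValueError("a review ticket reference is required")
        self.locked = False


def lookup_emails(db, tenant_id):
    """The shape of a normal application query: always filtered by tenant."""
    rows = db.query("SELECT email FROM users WHERE tenant_id = ?", (tenant_id,))
    return [r[0] for r in rows]


def attempt_dump(db):
    """Return True if an unfiltered dump tripped the canary (or hit the lock)."""
    try:
        db.query("SELECT * FROM users")
    except CanaryTripped:
        return True
    return False


if __name__ == "__main__":
    db = GuardedDB()
    print("tenant 1 sees:", lookup_emails(db, 1))
    print("dump tripped canary:", attempt_dump(db), "| locked:", db.locked)
    db.unlock("INC-0001")
    print("after manual unlock:", lookup_emails(db, 1))
```

Scanning for the token as a substring (rather than an exact cell match) also catches the case where rows are serialised into a larger blob before they leave the database, which is the path a bulk exfiltration usually takes.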
IIRC Log4j roughly allowed loading arbitrary code from a URL. The mere process of trying to access that URL would cause a DNS request to the canary token domain.
I discovered that one of the major 2FA code SMS delivery gateways was actually susceptible to Log4j, where I could have potentially gotten a shell on their server, were I to have made an effort to. That could have allowed me to intercept all 2FA codes from major financial institutions that utilized the service to deliver 2FA codes to their customers.
On the underground, fraudsters would have paid handsomely to be able to get past 2FA on accounts they had stolen creds for, without even having to SIM swap.
It goes to show how these services can be used for many purposes, offensive and defensive.