Canary Tokens (canarytokens.org)
280 points by saikatsg on Dec 30, 2022 | hide | past | favorite | 59 comments



This gives me a thought: is there any service out there that creates and monitors canary tokens on a larger scale to try to identify when specific providers have been breached?

In light of the LastPass breach, it seems like it would be useful if someone had created a few LastPass vaults and seeded them with some canary tokens (and probably canary crypto wallets), so if any of those tokens or wallets were used, it would almost certainly indicate that attackers had breached LastPass and successfully cracked vault passwords.


For what it's worth, I maintained a crypto canary in LP and it hasn't moved yet. I do think it's worth keeping a canary wallet with some small amount of crypto in any password manager. Although it probably wouldn't be effective to detect targeted attacks, crypto wallets are probably very effective for widespread/untargeted attacks.


Do keep us posted if it changes!


Let's do it. I just bought carnarychecker.com

Any devs want to volunteer? I don't know shit about how to make it work.

EDIT: If anyone wants it and promises to do something like the post above suggested I will transfer the domain, I really did buy it.

EDIT 2: canarychecker.com is the one I registered.


carnarychecker.com or canarychecker.com? (I'm only being nitpicky since it seems like an important detail in this case :-P )


Double checked, thanks for pointing out the typo, but I registered the correct one (phew):

Domain - canarychecker.com 1 year registration $12.00


I'm not entirely sure, but it seems like parsing the Apache/nginx/other webserver access log is enough. When you detect a request to some token ID, get the email associated with it and send the notification pre-recorded by the user.
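Added example, not code from this thread or from the canarytokens project: the access-log approach suggested above, written out for the Apache/nginx "combined" log format. The log lines, the `/t/<token>/...` URL layout and the token registry are all constructed for the demo; a real service would read the registry from a database and send mail instead of printing.

```python
import re
from datetime import datetime

# Constructed sample lines in combined log format (not real traffic). The third line is a
# 404: a token hit counts regardless of status, since the request itself is the signal.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Dec/2022:10:15:32 +0000] "GET /t/5f3c9a1b2d4e6f70 HTTP/1.1" 200 43 "-" "curl/7.85.0"
198.51.100.23 - - [30/Dec/2022:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Dec/2022:10:17:45 +0000] "GET /t/deadbeefcafef00d/doc.pdf HTTP/1.1" 404 0 "https://example.org/" "Mozilla/5.0"
192.0.2.1 - - [30/Dec/2022:10:18:00 +0000] "GET /t/unknowntoken0001 HTTP/1.1" 404 0 "-" "-"
"""

# Hypothetical registry: token id -> owner e-mail and the reminder typed when the token was made.
TOKENS = {
    "5f3c9a1b2d4e6f70": {"email": "alice@example.com", "memo": "fake AWS creds in ~/.aws on laptop"},
    "deadbeefcafef00d": {"email": "bob@example.com", "memo": "invoice.pdf on the shared drive"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumed URL layout: /t/<16 hex chars>, optionally followed by a path or query string.
TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{16})(?:/|$|\?)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def extract_token(path):
    """Return the token id embedded in a request path, or None."""
    m = TOKEN_PATH_RE.match(path)
    return m.group("token") if m else None


def find_hits(log_text, registry=TOKENS):
    """Scan log text; return one record per request that touched a registered token."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        token = extract_token(rec["path"])
        if token is None or token not in registry:   # unknown ids are ignored, not alerted on
            continue
        owner = registry[token]
        hits.append({
            "token": token,
            "email": owner["email"],
            "memo": owner["memo"],
            "src_ip": rec["ip"],
            "when": rec["ts"].isoformat(),
            "user_agent": rec["ua"],
            "referer": rec["referer"],
        })
    return hits


def format_alert(hit):
    """Render the notification the token owner would receive."""
    return (
        f"To: {hit['email']}\n"
        f"Subject: Canary token {hit['token']} triggered\n\n"
        f"Reminder: {hit['memo']}\n"
        f"Source IP: {hit['src_ip']}\n"
        f"Time: {hit['when']}\n"
        f"User-Agent: {hit['user_agent']}\n"
        f"Referer: {hit['referer'] or '-'}\n"
    )


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(format_alert(h))
```

The alert carries the reminder text, source IP, user agent and referer, because those are what the owner needs to tell a real trigger from a link scanner or a mail client prefetch.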


If this is something you are willing to work on, send me an email, it is in my profile.


That is an incredible thought, I think it would have to be done independently though.


Cool idea!

I immediately thought of a concern which is already highlighted in their FAQ:

> What if attackers blacklist the canarytokens.org domain? Doesn’t that work?

> This would work! That’s why we suggest that you download the canarytokens docker image and run your own server. (You can grab the source to build it yourself from here)

This seems like something that could be highlighted more prominently, since the main site makes it so extremely convenient to use a hosted token (where some knowledgeable attackers can avoid triggering the canary).


Don't let perfect be the enemy of good. I really doubt that many hackers have blacklisted this domain (while not working on offline machines). A self-hosted version must also be tested and maintained, this is an easy set and forget solution.


Well, they will now :D


Do you think anyone in practice will be watching for this domain? My suspicion is that it will still work for most people, but I am ignorant, and am basing this on how competently I see people behave in general.

Moving that item up to be more prominent does sound like a good idea though


Would depend on the method. For the ones that are automated like opening a PDF - I doubt many attackers will bother blacklisting the domain in their DNS.

But for the manual ones, like opening a link - it'd probably be better to host them at a much less suspicious sounding domain.


> Do you think any one in practice will be watching for this domain?

I would bet money that multiple governments already do.


Hmm, why? It seems like another risk to let people mark urls as 'please do not read' and respect it


An easier service would be if canarytokens.org allowed us to CNAME a subdomain of our company, so the token would be sent to hj.example.com. But that would make canarytokens.org a public service, which requires funding.


You totally can?


> Windows provides an even cooler way to get notified, in the guise of the venerable old desktop.ini configuration file. Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our iconfile.

KEK.

So just unpacking an archive and browsing the directory structure in Explorer is a threat to your privacy.


Not to mention the obvious security implications should any of the supported icon image format decoders ever have any issues.


It’s worse than that, unfortunately. Windows happily authenticates with an NTLMv2 hash using this method as well - requires zero interaction.
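Added example, from the defender's side of the desktop.ini discussion above (not code from this thread or from the canarytokens project): a scanner that walks an extracted archive and flags any desktop.ini whose icon entry points at a UNC share or URL, which is the case where merely browsing the folder makes Explorer contact another host. The sample files and directory layout are constructed for the demo.

```python
import os
import re
import tempfile

# Keys in the [.ShellClassInfo] section that Explorer resolves as a path to an icon.
ICON_KEYS = {"iconresource", "iconfile"}

UNC_RE = re.compile(r"^\\\\[^\\]+\\")               # \\server\share\...
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)   # http://, https://, ...


def is_remote_path(value):
    """True if resolving this icon path would make Explorer reach out to another host."""
    v = value.strip().strip('"')
    return bool(UNC_RE.match(v) or URL_RE.match(v))


def scan_desktop_ini(text):
    """Return [(key, value)] for icon entries in [.ShellClassInfo] that point at a remote location."""
    findings = []
    in_shell_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_shell_section = line.lower() == "[.shellclassinfo]"
            continue
        if not in_shell_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ICON_KEYS:
            path = value.split(",", 1)[0]   # IconResource is "path,index"; check only the path
            if is_remote_path(path):
                findings.append((key.strip(), value.strip()))
    return findings


def read_ini(path):
    """Read a desktop.ini; files written by Explorer are often UTF-16 with a BOM."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def scan_tree(root):
    """Walk an extracted archive and report desktop.ini files with remote icon paths."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            full = os.path.join(dirpath, name)
            for key, value in scan_desktop_ini(read_ini(full)):
                report.append((os.path.relpath(full, root), key, value))
    return report


# Constructed sample files (not taken from any real archive).
BENIGN_INI = "[.ShellClassInfo]\r\nIconResource=C:\\Windows\\System32\\shell32.dll,3\r\n"
REMOTE_INI = "[.ShellClassInfo]\r\nIconFile=\\\\files.example.invalid\\share\\folder.ico\r\nIconIndex=0\r\n"


def build_sample_tree():
    """Create a throwaway directory with one benign and one remote-icon desktop.ini."""
    root = tempfile.mkdtemp(prefix="canary-scan-")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "photos"))
    with open(os.path.join(root, "docs", "desktop.ini"), "w") as f:
        f.write(BENIGN_INI)
    with open(os.path.join(root, "photos", "desktop.ini"), "w", encoding="utf-16") as f:
        f.write(REMOTE_INI)
    return root


if __name__ == "__main__":
    for rel, key, value in scan_tree(build_sample_tree()):
        print(f"{rel}: {key}={value}")
```

Run it over a directory before opening it in Explorer on a machine that can reach the network; a hit does not prove malice (it is exactly how a self-hosted canary folder would look), it only tells you the folder will phone out.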


So many times on engagements I’ve opened files that looked like canaries but were just dumb jokes between sysadmins (id_rsa containing “hah got you”, for instance)

A dozen canary tokens will probably get your security detection program a lot further than your first $2M of Splunk license


I have a shell login canary that uses the twilio API to send me an SMS:

~/.login contains the line:

/usr/local/sbin/sms ...

... where 'sms' calls the twilio API like this:

  /usr/local/bin/curl -s -X POST -d "Body=$msg" -d "From=$from" -d "To=$to" "https://api.twilio.com/2010-04-01/Accounts/$accountsid/Messages" -u "$accountsid:$authtoken"


Has anybody actually detected and prevented some kind of hack by using a canary?

I don't doubt they can be useful but I suspect they aren't really used that much


I have. I kept about $500 worth of bitcoin, as an unencrypted wallet.dat file, on my gaming PC in which I sometimes run untrusted executables.

One day, I got a notification that the coins had been moved. After realising it wasn't a false positive, I immediately disconnected and imaged the PC, and sure enough, deep investigation found malware.

Small price to pay, as it alerted me to rotate all passwords and sessions, and alert the community about the compromised executable.

To this day, I keep some crypto on every device I use. If not breached, it doesn't cost me anything.

I even have a paper wallet in my physical wallet.


You are literally paying hackers to out their presence.

This is just a brilliant principle: Provide some low hanging, easy to identify, inexpensive fruit for thieves, to protect higher hanging fruit.

It could be used instead of more formal rewards for encouraging white hackers to report vulnerabilities: just let everyone know your outer ring of security has a wallet.

Even if more sophisticated hackers would skip the wallet, you are much more likely to find out vulnerabilities if hackers of all shades know there is honey for the taking.


This is, sincerely, the first time I've heard a use case for cryptoassets and thought, yeah, that's something real, useful, and which cryptoassets are uniquely suited for.


Leaving canary crypto is a great idea.

It's related to a home security tactic I heard of: keeping a "pocket change" tray visible on a table just inside your front door, with coins and a few bills.

The theory being that, if a burglar sees it, they'll probably at least grab the bills.

When you enter, if the bills are missing, there might be a burglar still in the house.


I like this so much!!!! (Partly because I think I've suggested a couple times here a long time ago to hold some bitcoin private keys in your "most secure" code/dir/whatever and monitor if they go missing, but I'm probably not the 1st to think about it as a bounty)

Do you know if the $500 was moved 'automatedly' or by a human? If the former, makes you wonder if $0.01 would do it. (I guess network fees don't matter since you'd still see it pending on the block chain and that's good enough)


Absolutely. I worked at a place where we generated unique AWS tokens, pushed them out to all users/computers in the fleet and had alerting any time one was used, which was traceable to a service, user or server.

Within 1 year I found a breach on a developers box and another on a frontend server.


I detected a hack once when someone quoted something off my hard drive. I had a diary I kept offline and only edited when alone.

She had the balls to get mad when I yelled at her for it.

Some people don’t know how lucky they are to be in this world.

Edit: it was a first date. She never had physical access.


On a first date, someone quoted the contents of your diary that had been stolen in a hack? Were you dating on a hacker matching app? How does this even come about?


Tinder. She didn’t mention her TS:SCI.

I got the impression using wifi in airplane mode paired with years of exchanging numbers at hacker cons and academic events influenced my matches in some odd ways.

(Such as having someone freak out you have a weed card and might not forget they do too if that’s the reason you can’t get a job)

Anyways I thought she was just some random divorcée but she worked for the local FFRDC

Edit: it also may have been a catfish who got annoyed I had no idea who the person she was impersonating was absent being fourth author on something outside my area of expertise


> Were you dating on a hacker matching app?

Or maybe participating in a dating CTF?


Your diary was kept offline and she never had physical access to the device? How do you think you were hacked?


Possibly via libreoffice itself I didn’t update it often?

Every screenshot in my screenshots folder had the time created date edited on 1/6 so I suspect someone owned my laptop.

My phone otoh I trust more since Apple signs the code, the diary wasn’t there.


Modern compilers have flags that add memory and stack canaries; does that count?


Those canaries are meant to detect something bad happening within an executable. These canaries are instead meant to detect something bad happening "between" executables of sorts - i.e. malicious usage of said executables/services.

It's like placing unlocked safes all over your (locked) house with stuff that looks valuable to thieves. You know it's worthless so you never touch them. If a thief does however, you will know immediately. The overlap with honeypots here can be a bit fuzzy I guess.


Good idea, but this would need to be maintained over the years in order to be effective. And you should also trigger it yourself regularly but not too often to make sure it works.


why not too often?


Is something like this possible with shell logins? So basically every time a login to some Linux box is done it triggers a notification?


Yes, this is what I do for all my boxes.

In /etc/pam.d/sshd I set this, which then emails me.

    session optional pam_exec.so seteuid ~/login-notify.sh
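Added example, not the commenter's own script: one way to write the `login-notify` program that the pam_exec line above runs. pam_exec hands the script `PAM_USER`, `PAM_RHOST`, `PAM_SERVICE`, `PAM_TTY` and `PAM_TYPE` in the environment, and execs the path directly with no shell expansion, so the path in pam.d should be absolute. The allow-list, the log path, the `LOGIN_CANARY_*` settings and the use of sendmail are assumptions made for the demo.

```python
#!/usr/bin/env python3
"""login-notify: run by pam_exec.so from /etc/pam.d/sshd; reports every new session."""
import datetime
import json
import os
import subprocess
import sys

# Hypothetical allow-list of (user, remote host) pairs that are routine: logged, not mailed.
EXPECTED = {("backup", "192.0.2.10")}

# Hypothetical settings; unset MAIL_TO means log only.
LOG_PATH = os.environ.get("LOGIN_CANARY_LOG", "/var/log/login-canary.jsonl")
MAIL_TO = os.environ.get("LOGIN_CANARY_MAIL_TO")


def build_event(env, now=None):
    """Turn the PAM_* variables into a structured event; None for anything but a session open."""
    if env.get("PAM_TYPE") != "open_session":   # pam_exec also runs us on close_session
        return None
    user = env.get("PAM_USER", "?")
    rhost = env.get("PAM_RHOST") or "local"     # empty for console logins
    stamp = now or datetime.datetime.now(datetime.timezone.utc)
    return {
        "time": stamp.isoformat(timespec="seconds"),
        "user": user,
        "rhost": rhost,
        "service": env.get("PAM_SERVICE", "?"),
        "tty": env.get("PAM_TTY", "?"),
        "expected": (user, rhost) in EXPECTED,
    }


def format_message(event):
    """One-line summary suitable for a subject line or SMS."""
    tag = "expected" if event["expected"] else "ALERT"
    return (f"[{tag}] {event['service']} login: user={event['user']} "
            f"from={event['rhost']} tty={event['tty']} at {event['time']}")


def deliver(event, message):
    """Append a JSON line to the audit log and, for unexpected logins, mail the message."""
    with open(LOG_PATH, "a") as f:
        f.write(json.dumps(event) + "\n")
    if MAIL_TO and not event["expected"]:
        body = f"Subject: {message}\nTo: {MAIL_TO}\n\n{json.dumps(event, indent=2)}\n"
        # PAM blocks the login until this script exits, so delivery must be bounded by a timeout.
        subprocess.run(["/usr/sbin/sendmail", "-t"], input=body.encode(), timeout=10, check=False)


def main():
    event = build_event(os.environ)
    if event is None:
        return 0
    try:
        deliver(event, format_message(event))
    except Exception as exc:   # a broken notifier must never turn into a locked-out admin
        print(f"login-notify: {exc}", file=sys.stderr)
    return 0                   # always succeed; the pam.d line is 'optional' for the same reason


if __name__ == "__main__":
    sys.exit(main())
```

The JSON log is the part that answers the "can this be circumvented" question below: an attacker who lands a shell can kill the mail, but the line was already written before the mail was attempted, and shipping that file off-box (or mailing from a separate host that tails it) keeps the record out of their reach.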


Can this somehow be circumvented? I would like to employ something like this as poor man's intrusion detection


I evaluated this a while back. Cool idea but limited application in a corporate environment. But for personal use, why not?

Someone needs to open a document for the canary token to trigger. Even the smallest company with M365 gets MSIP (formerly Azure Information Protection); if you classify your docs right, only people who own or have been shared the document can decrypt it, and even without a good classification you get logs of any M365 document being opened, so why can't I just have a regular but public doc everywhere and monitor when it gets opened from external IPs, user agents, etc.?

I struggled to show value for this. Honeyhashes are more interesting for me: https://github.com/EmpireProject/Empire/blob/master/data/mod...


Not everyone is using Azure and a full M365 implementation though.


Fair enough, but you need some sort of data classification and usually that tool can also do protection and leak detection. This tool is focused on just the canary part, if you have documents that can just get copied on a usb drive or emailed and exposed to the public there are plenty of good solutions before you accept that as an inevitable reality and implement leak detection via canaries. Don't get me wrong though, I'm a believer in deception tech in general.


https://bittrap.com does this with crypto wallets.


Not exactly "canaries", in that you won't know if they're dead. If you were to use this device/service, you'd want to test some/all of them every now and then to know if they still did what you want. Or just cross your fingers and consider them bonus security.


Funny. In all the companies I worked at so far I added very long random tokens into the databases, which only get returned when dumping the entire database. They specifically are added in a way, and the queries made in a way, that those entries are never returned.

A separate container monitors all traffic returned by the databases and if those tokens are detected, the databases are essentially shut down by disabling the port of the database until it is manually unlocked again.

Funnily enough, I was working at an auction platform and a few times the databases stopped responding. Everyone was furious until I shared why the databases stopped responding.. :-)
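Added example, not the commenter's setup: the canary-row idea above reduced to a single process, using sqlite3 so it runs anywhere. The commenter watches database traffic from a separate container and disables the database port; here a wrapper around the connection inspects every result set instead, and "disabling the port" becomes refusing all further queries until an operator unlocks. The table, the `is_canary` column that application queries filter on, and the token format are assumptions for the demo.

```python
import secrets
import sqlite3


class CanaryTripped(RuntimeError):
    """Raised when a canary token leaves the database, and on every query afterwards."""


class CanaryMonitor:
    """Wraps a DB connection and scans each result set for canary tokens."""

    def __init__(self, conn, tokens):
        self.conn = conn
        self.tokens = set(tokens)
        self.tripped = False
        self.trip_log = []

    def execute(self, sql, params=()):
        if self.tripped:
            raise CanaryTripped("database locked after canary exfiltration; manual unlock required")
        rows = self.conn.execute(sql, params).fetchall()
        leaked = [v for row in rows for v in row if isinstance(v, str) and v in self.tokens]
        if leaked:
            # This is the point where the commenter's setup disables the database port.
            self.tripped = True
            self.trip_log.append({"sql": sql, "tokens": leaked})
            raise CanaryTripped(f"canary token(s) returned by query: {sql!r}")
        return rows

    def unlock(self):
        """Manual reset after an operator has investigated."""
        self.tripped = False


def make_canary_token():
    # 64 hex chars: far longer than any real field value, so a match is never accidental.
    return secrets.token_hex(32)


def setup_demo(conn, token):
    """Constructed schema and data: two real users plus one canary row."""
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT, "
                 "is_canary INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO users (email, api_key) VALUES (?, ?)",
                     [("alice@example.com", "key-alice"), ("bob@example.com", "key-bob")])
    conn.execute("INSERT INTO users (email, api_key, is_canary) VALUES (?, ?, 1)",
                 ("canary@example.invalid", token))
    conn.commit()


def demo():
    token = make_canary_token()
    conn = sqlite3.connect(":memory:")
    setup_demo(conn, token)
    mon = CanaryMonitor(conn, [token])

    # Application query: explicit columns, filtered on is_canary, keyed lookup. Never sees the token.
    normal = mon.execute("SELECT email FROM users WHERE is_canary = 0 AND email = ?",
                         ("alice@example.com",))

    # Dump-style query such as an attacker or a careless tool would issue.
    try:
        mon.execute("SELECT * FROM users")
        tripped = False
    except CanaryTripped:
        tripped = True

    # Even a harmless query is now refused until unlock() is called.
    try:
        mon.execute("SELECT 1")
        locked = False
    except CanaryTripped:
        locked = True

    mon.unlock()
    after_unlock = mon.execute("SELECT count(*) FROM users WHERE is_canary = 0")
    return {"normal": normal, "tripped_on_dump": tripped, "locked_after": locked,
            "after_unlock": after_unlock, "log": mon.trip_log}


if __name__ == "__main__":
    print(demo())
```

The trip log keeps the offending SQL, which is what the auction-platform colleagues would have wanted to see before the reason was shared with them.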


My colleague uses this in his CV to notify when and who has opened it. Pretty cool stuff.

Says he got around Google and MS flagging his CV as malware which I'm unsure how.


Love Canary Tokens! I use an HTML one to get notified whenever someone opens the CV page on my static website.


I guess it's a way if you don't have server logs.


Worked most excellently for testing Log4j vulnerabilities just a short while ago.


How?


IIRC Log4j roughly allowed loading arbitrary code from a URL. The mere process of trying to access that URL would cause a DNS request to the canary token domain.

I discovered that one of the major 2FA code SMS delivery gateways was actually susceptible to Log4j, where I could have potentially gotten a shell on their were, were I to have made an effort to. That could have allowed me to intercept all 2FA codes from major financial institutions that utilized the service to deliver 2FA codes to their customers.

On the underground, fraudsters would have paid handsomely to be able to get past 2FA on accounts they had stolen creds for, without even having to SIM swap.

It goes to show how these services can be used for many purposes, offensive and defensive.


Related: serverthiefbait.com


I appreciate that they made the icon for DNS tokens Dan's photo.


There was https://www.canarywatch.org being pushed by the EFF that now appears to be out of service.


That was about a somewhat different kind of canary:

https://en.wikipedia.org/wiki/Warrant_canary



