
Canary Tokens

280 points | saikatsg | 3 years ago | canarytokens.org

59 comments

[+] czx4f4bd|3 years ago|reply
This gives me a thought: is there any service out there that creates and monitors canary tokens on a larger scale to try to identify when specific providers have been breached?

In light of the LastPass breach, it seems like it would be useful if someone had created a few LastPass vaults and seeded them with some canary tokens (and probably canary crypto wallets), so if any of those tokens or wallets were used, it would almost certainly indicate that attackers had breached LastPass and successfully cracked vault passwords.

[+] kfichter|3 years ago|reply
For what it's worth, I maintained a crypto canary in LP and it hasn't moved yet. I do think it's worth keeping a canary wallet with some small amount of crypto in any password manager. Although it probably wouldn't be effective to detect targeted attacks, crypto wallets are probably very effective for widespread/untargeted attacks.
[+] Eisenstein|3 years ago|reply
Let's do it. I just bought carnarychecker.com

Any devs want to volunteer? I don't know shit about how to make it work.

EDIT: If anyone wants it and promises to do something like the post above suggested I will transfer the domain, I really did buy it.

EDIT 2: canarychecker.com is the one I registered.

[+] burnished|3 years ago|reply
That is an incredible thought, I think it would have to be done independently though.
[+] schoen|3 years ago|reply
Cool idea!

I immediately thought of a concern which is already highlighted in their FAQ:

> What if attackers blacklist the canarytokens.org domain? Doesn’t that work?

> This would work! That’s why we suggest that you download the canarytokens docker image and run your own server. (You can grab the source to build it yourself from here)

This seems like something that could be highlighted more prominently, since the main site makes it so extremely convenient to use a hosted token (where some knowledgeable attackers can avoid triggering the canary).

[+] jenny91|3 years ago|reply
Don't let perfect be the enemy of good. I really doubt that many hackers have blacklisted this domain (while not working on offline machines). A self-hosted version must also be tested and maintained, this is an easy set and forget solution.
[+] burnished|3 years ago|reply
Do you think anyone in practice will be watching for this domain? My suspicion is that it will still work for most people, but I am ignorant, and am basing this on how competent I see people behave in general.

Moving that item up to be more prominent does sound like a good idea though

[+] mike_hock|3 years ago|reply
> Windows provides an even cooler way to get notified, in the guise of the venerable old desktop.ini configuration file. Dropping a desktop.ini file in a folder allows Explorer to set a custom icon for a file. Since this icon can reside on a remote server (via a UNC path), using DNS we can effectively make use of a token as our iconfile.

KEK.

So just unpacking an archive and browsing the directory structure in Explorer is a threat to your privacy.

[+] xorcist|3 years ago|reply
Not to mention the obvious security implications should any of the supported icon image format decoders ever have any issues.
[+] tsujamin|3 years ago|reply
So many times on engagement I’ve opened files that looked like canaries but were just dumb jokes between sysadmins (id_rsa containing “hah got you” for instance)

A dozen canary tokens will probably get your security detection program a lot further than your first $2M of splunk license

[+] rsync|3 years ago|reply
I have a shell login canary that uses the twilio API to send me an SMS:

~/.login contains the line:

/usr/local/sbin/sms ...

... where 'sms' calls the twilio API like this:

  /usr/local/bin/curl -s -X POST -d "Body=$msg" -d "From=$from" -d "To=$to" "https://api.twilio.com/2010-04-01/Accounts/$accountsid/Messages" -u "$accountsid:$authtoken"
[+] armchairhacker|3 years ago|reply
Has anybody actually detected and prevented some kind of hack by using a canary?

I don't doubt they can be useful but I suspect they aren't really used that much

[+] dannyw|3 years ago|reply
I have. I kept about $500 worth of bitcoin, as an unencrypted wallet.dat file, on my gaming PC in which I sometimes run untrusted executables.

One day, I got a notification that the coins had been moved. After realising it wasn't a false positive, I immediately disconnected and imaged the PC, and sure enough, deep investigation found malware.

Small price to pay, as it alerted me to rotate all passwords and sessions, and alert the community about the compromised executable.

To this day, I keep some crypto on every device I use. If not breached, it doesn't cost me anything.

I even have a paper wallet in my physical wallet.

[+] genmud|3 years ago|reply
Absolutely, I worked at a place where we generated unique aws tokens, pushed them out to all users/computers in the fleet and had alerting anytime one was used, which was traceable to a service, user or server.

Within 1 year I found a breach on a developer's box and another on a frontend server.

[+] greggarious|3 years ago|reply
I detected a hack once when someone quoted something off my hard drive. I had a diary I kept offline and only edited when alone.

She had the balls to get mad when I yelled at her for it.

Some people don’t know how lucky they are to be in this world.

Edit: it was a first date. She never had physical access.

[+] dangero|3 years ago|reply
Modern compilers have flags that add memory and stack canaries; does that count?
[+] aphroz|3 years ago|reply
Good idea, but this would need to be maintained over the years in order to be effective. And you should also trigger it yourself regularly but not too often to make sure it works.
[+] Phelinofist|3 years ago|reply
Is something like this possible with shell logins? So basically every time a login to some Linux box is done it triggers a notification?
[+] kilroy123|3 years ago|reply
Yes, this is what I do for all my boxes.

In /etc/pam.d/sshd I set this, which then emails me.

    session optional pam_exec.so seteuid ~/login-notify.sh
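An added example of what the hook behind that pam_exec line can look like (not kilroy123's own login-notify.sh; written in Python rather than shell). It assumes a local MTA reachable through /usr/sbin/sendmail, and the recipient address is a placeholder.

```python
#!/usr/bin/env python3
"""Login canary hook for pam_exec (added example, not from the thread).
pam_exec exports PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TYPE into the
hook's environment; the message is built from those."""
import os
import socket
import subprocess
from datetime import datetime, timezone

# Placeholder recipient; override with LOGIN_NOTIFY_TO in the environment.
NOTIFY_TO = os.environ.get("LOGIN_NOTIFY_TO", "admin@example.invalid")


def should_notify(pam_type: str) -> bool:
    """Alert once per login: fire on session open, stay quiet on close."""
    return pam_type == "open_session"


def build_message(env: dict) -> str:
    """Render the alert from the PAM environment (a dict, so it can be tested without PAM)."""
    user = env.get("PAM_USER", "?")
    rhost = env.get("PAM_RHOST") or "local"  # PAM_RHOST is empty for console logins
    host = env.get("HOSTNAME") or socket.gethostname()
    when = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"Subject: Login canary: {user}@{host}\n\n"
            f"user={user} from={rhost} service={env.get('PAM_SERVICE', '?')} "
            f"host={host} at {when}\n")


def main() -> int:
    if not should_notify(os.environ.get("PAM_TYPE", "")):
        return 0
    msg = build_message(dict(os.environ))
    # check=False: a failed notification must never block the login itself.
    subprocess.run(["/usr/sbin/sendmail", NOTIFY_TO], input=msg.encode(), check=False)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())
```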
[+] badrabbit|3 years ago|reply
I evaluated this a while back. Cool idea but limited application in a corporate environment. But for personal use, why not?

Someone needs to open a document for the canary token to trigger. Even the smallest company with M365 gets MSIP (formerly Azure Information Protection); if you classify your docs right, only people who own or have been shared the document can decrypt it, and even without a good classification, you get logs of any M365 document being opened. So why can't I just have a regular but public doc everywhere and monitor when it gets opened from external IPs, user agents, etc.?

I struggled to show value for this. Honeyhashes are more interesting for me: https://github.com/EmpireProject/Empire/blob/master/data/mod...

[+] icecap12|3 years ago|reply
Not everyone is using Azure and a full M365 implementation though.
[+] jrootabega|3 years ago|reply
Not exactly "canaries", in that you won't know if they're dead. If you were to use this device/service, you'd want to test some/all of them every now and then to know if they still did what you want. Or just cross your fingers and consider them bonus security.
[+] 19h|3 years ago|reply
Funny. In all the companies I worked at so far I added very long random tokens into the databases, which only get returned when dumping the entire database. They specifically are added in a way, and the queries made in a way, that those entries are never returned.

A separate container monitors all traffic returned by the databases and if those tokens are detected, the databases are essentially shut down by disabling the port of the database until it is manually unlocked again.

Funnily enough, I was working at an auction platform and a few times the databases stopped responding. Everyone was furious until I shared why the databases stopped responding.. :-)
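The database canary described above, as an added example (not 19h's own code), demonstrated on an in-memory SQLite table: a canary row carries a long random token, application code reads only through a view that filters canary rows out, and a monitor scans returned rows for the token. The port-disable reaction is left to the deployment; here the monitor just reports the hit.

```python
"""Database honeytoken demo (added example, not from the thread)."""
import secrets
import sqlite3


def setup_db() -> tuple:
    """Create the table, two constructed sample rows, one canary row and the app view."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, is_canary INTEGER DEFAULT 0)")
    db.executemany("INSERT INTO users (email) VALUES (?)",
                   [("alice@example.invalid",), ("bob@example.invalid",)])  # constructed rows
    # 64 random hex chars: unguessable, and never part of a legitimate result set.
    token = secrets.token_hex(32)
    db.execute("INSERT INTO users (email, is_canary) VALUES (?, 1)", (token,))
    # Application code is granted the view only, so normal queries never return the canary.
    db.execute("CREATE VIEW app_users AS SELECT id, email FROM users WHERE is_canary = 0")
    return db, token


def scan_results(rows, token: str) -> bool:
    """Monitor: True if the canary token appears in any cell of the returned rows."""
    return any(token in str(cell) for row in rows for cell in row)


def app_query(db) -> list:
    """What the application does: a filtered read through the view."""
    return db.execute("SELECT email FROM app_users WHERE email LIKE ?",
                      ("%@example.invalid",)).fetchall()


def dump_query(db) -> list:
    """What a full-table dump looks like: it is the only thing that returns the canary."""
    return db.execute("SELECT * FROM users").fetchall()


def run_demo() -> dict:
    db, token = setup_db()
    return {"app_tripped": scan_results(app_query(db), token),
            "dump_tripped": scan_results(dump_query(db), token)}
```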

[+] CommanderData|3 years ago|reply
My colleague uses this in his CV to notify when and who has opened it. Pretty cool stuff.

Says he got around Google and MS flagging his CV as malware which I'm unsure how.

[+] gsora|3 years ago|reply
Love Canary Tokens! I use an HTML one to get notified whenever someone opens the CV page on my static website.
[+] ilyt|3 years ago|reply
I guess it's a way if you don't have server logs.
[+] AviationAtom|3 years ago|reply
Worked most excellently for testing Log4j vulnerabilities just a short while ago.
[+] pifm_guy|3 years ago|reply
Related: serverthiefbait.com
[+] mike_d|3 years ago|reply
I appreciate that they made the icon for DNS tokens Dan's photo.