Easy HoneyPots – Canary Tokens:

Introduction:

The familiarity of web bugs maybe some image that tracks some users when they open an email, these features work using unique embedding URL in a page image which creates a TAG and generates an incoming GET request.

Those are the principles of Canary Tokens, the application of the previously described aspect applied to file reads or queries database, the execution of queries or maybe to detect a pattern within log files. Canary tokens can be used to implant traps in every area located within your structure or production system which is more efficient than just setting separate honeypots as a beacon.

Technical details:

Network breaches happen more often nowadays, this problem can affect small businesses even large mega-corps, what is trying to be protected and be avoided with the implementation of these tokens is to found out immediately which kind of users are attempting to break out into our system.

Canary tokens are available for free in http://canarytokens.org you can download your own token to send a notification to your personal email whenever someone is trying to reach or open any specific file that you put into your network.

How tokens work:

  1. You visit the website mentioned before and get a free token which can be used like an URL or a hostname depending in the type of Honeypot that you have selected
  2. If an unauthorized user or an attacker uses the token that you have placed into your network, Canary will give you an out of band email that the token has been opened.
  3. At last, Canary provides a variety of tools and hints that increase the possibility of an attacker to trip over the token.

Demonstration of Usage:

As we mentioned before you can visit the site: http://canarytokens.org and select which type of Honeypot you want to add into your workspace they can vary the options available from different options as it can be seen in the picture shown below:

After you select the type of toke you want to use, you can add a description for the notification that is going to be sent to your email and you can click into “Create my CanaryToken” for the token to be created. This process can be seen in the picture below:

After we click on Create my Canarytoken the page is going to show you the address for the token, in this case, we selected a Microsoft Word Document, the page will allow you download the file and change the name to be more appealing for any attacker which may access into our computer. The download page can be visualized in the picture below:

Now we download the file and change the name of the file to a name that represents the store of delicate data like the one shown in the picture below:

We open the file and see that’s empty but the token was already activated. We check into the email address that we selected to receive the notification to see if canary send a notification for unauthorized access to our token.

As we can see CanaryToken represents a free and easy solution to set Honeypots across your work environment and control the execution of some features within your network, it represents a helpful defensive tool against possible threats and helpful framework to keep a record of possible threats that may affect your data integrity or the privacy of your files.

 

 

This post was written by Marcus Smith