Use case: finding out a bit more about an attack

One of the original reasons Canary was created is that, in many cases, details about a breach are shared before the general public or the affected organisations get wind of it. While Canary does not prevent breaches, it could at least give you enough of a heads-up to mitigate the damage already dealt.

In this case, it’s sort of the reverse. With a distributed denial of service attack, we can learn a bit more about what is attacking you.

A case in point: the following was shared on an IRC channel earlier today:

23:03:53 < [someone]> [retail chain] getting ddos
23:03:55 < [someone]> [url containing details]
23:04:00 < [someone]> where do I report this?
02:28:30 < [person]> [someone]:

The individual who shared it never shed light on how they acquired the information, but it can be safely assumed that it was not something that they found on their own. I am sure the target might be aware, however.

But it seems that the person does have access to packet capture data from the machine. How they acquired it is ambiguous, but nonetheless it does provide some details that we can use.

The pixelated items in the packet capture in the image were the IP address that was supposedly being targeted. The source in the first half and the destination in the second are not the individual’s machine either. Both are good candidates for finding out a bit more about what Canary knows about these two IPs.

When we look for the IP address found within the packet data itself, we do not get any results. Maybe we can check its IP block? Nope. In fact, it does not appear that the target organisation has any leaked data–which is good news. If you want to try this for yourself, you can use the following search terms as examples (without parentheses):

Note: searching for bigger ranges will likely lead to longer search times! The larger the IP block, the more you should consider using the API instead.

But what about the attacking machine? What can we find out about it? Well, as luck would have it, we did find something within Canary’s database.

Bingo. Just one search result but here we are. Some scrolling around eventually leads us to the IP address involved in the attack.


This can be useful for investigations to determine when the attacking machine was possibly compromised. What the content of these files is exactly can be for another time, but we can at least determine that this machine has been compromised for at least a week here.
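The triage described above (exact IP first, then its block, then the earliest sighting as a lower bound on how long the host has been exposed), as an added example that is not Canary's code or API. It runs the same lookups over a few constructed paste records; the function names, sample data and dates are all assumptions.

```python
import ipaddress
import re
from datetime import date

# Constructed sample "paste" records (posted date, text); IPs are from documentation ranges.
PASTES = [
    (date(2014, 8, 1), "shell list: 203.0.113.45:22 root/toor, 203.0.113.200:22 admin/admin"),
    (date(2014, 8, 6), "more boxes 203.0.113.45 and 198.51.100.7"),
    (date(2014, 8, 7), "version 10.2.3.4567 released; contact 192.0.2.999"),
]

# Candidate dotted quads; the lookarounds stop matches inside longer dotted numbers.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def extract_ips(text):
    """Return the valid IPv4 addresses in text, dropping look-alikes such as 1.2.3.999."""
    found = set()
    for token in IPV4.findall(text):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ValueError:
            pass  # octet out of range: a false positive, not an address
    return found

def search(term, pastes=PASTES):
    """Match a single IP or a CIDR block; return hits sorted by posting date."""
    net = ipaddress.ip_network(term, strict=False)  # a bare "a.b.c.d" becomes a /32
    hits = []
    for posted, text in pastes:
        matched = sorted(ip for ip in extract_ips(text) if ip in net)
        if matched:
            hits.append((posted, [str(ip) for ip in matched]))
    return sorted(hits)

def exposure_days(term, as_of, pastes=PASTES):
    """Days between the earliest sighting and as_of, or None when never seen."""
    hits = search(term, pastes)
    return (as_of - hits[0][0]).days if hits else None

if __name__ == "__main__":
    today = date(2014, 8, 8)  # constructed incident date
    for term in ("192.0.2.10", "192.0.2.0/24", "203.0.113.45", "203.0.113.0/24"):
        print(term, search(term), exposure_days(term, today))
```

The earliest hit only bounds the exposure from below: the host may have been compromised well before its address first appeared in a paste.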

More about what you can do with Canary will be written in the future!

Canary will not charge you to find out if you’re affected by a breach (also we want volunteers)

News came out today that there are 1 billion usernames and passwords floating about from Russian gangs. An excerpt is as follows:

The firm that uncovered the breach, Hold Security of Milwaukee, said a group of about 20 hackers from south-central Russia are to blame. The group, dubbed “CyberVor” (“vor” meaning “thief” in Russian), stole data from thousands of businesses Web sites, both small and large, and even from personal Web sites.
It appears the firm initially planned to charge for its services. According to Forbes reporter Kashmir Hill, after the Times story ran Hold Security’s Web site advertised its services to potential victims of the breach for “as low as 120$/month [sic]” with a “money back guarantee.”
Wall Street Journal reporter Danny Yadron noticed Hold’s ad and tweeted about it. It was quickly taken down. A modified version has since appeared offering pre-registration for the free 30-day trial.

We at Canary do not like this idea, as you as an individual should know about any compromise of your personal information without having to pay a broker for details.

As a result of this, we are announcing that by October, individuals will be able to sign up for a free alerting service. All that will be required from you is to sign up with an e-mail address you want monitored and we’ll go from there. In fact, go ahead and register right now and we’ll approve your account, allowing you to have it monitored right off of the bat once the service is active.

Commercial users are (for now) free to sign up in anticipation of the service but it is asked that you consider a donation to Canary’s parent organisation. Individuals are not requested to do this but are also free to support us as well.

Also we need help!

Canary would love to have financial support, but what is really needed right now is data.

We want lots of data. We want to fill up hard drives with data.

If you’re interested in helping scrape, please contact us. We’re looking for data from the following types of sources:

  • Pastebin-like sites
  • Resources hosted via Tor
  • Message boards
  • Non-English-based websites

We also welcome other sources should you have the ability to access them and have an idea on how to send it.

Announcing the Canary API beta!

As you may or may not have noticed, Canary has undergone some drastic changes. Some of the changes include:

  • New logo and layout.
  • Performance boosts on the search engine itself.
  • A finer-tuned related search result for posts.
  • An improved user-interface for viewing found objects.
  • And last but not least, an API to interface with.

The API has been in the works since the creation of Canary and was to be introduced not too long after Canary was out of a ‘beta’ phase. The plan was to have it done by around summertime and well, we’re only a few days in and it’s now up and running!

If you’re wondering what Canary is, Canary is a search engine for data that has been posted on document-sharing websites. It takes the data, analyses it, and then stores it in a database. You can determine if any of the documents are linked to each other as well. Click here and give it a try!

Now, here’s the part you may be interested in: how do I get to use it?

Well, simply go ahead and register! Once that is done, feel free to tweet at me (@afreak) with your username and let me know that you’re interested–e-mailing us or responding to this post works too! At this time certain restrictions on e-mail accounts and how many searches and views you can make are relaxed, but get in early if you’re interested in playing around.

We also want to see what sort of ideas you have for Canary. An issue tracker has been launched and all you need is a GitHub account to make requests, report bugs, and so forth!

In the near future, we plan to provide details on what you can do with Canary so stay tuned for that as well.

Also, Canary celebrates its first year anniversary soon. Thanks to everyone who has helped on this project so far!

Brief update regarding registration

If you’re attempting to register, just let it be known that this is a test-run at the moment and accounts are not being accepted en masse. We’ll update this blog once we’re ready to enable accounts, but feel free to register once you’ve read the guidelines.

Canary API is coming!

Hi all,

Just a brief update here: Canary’s API is coming along nicely and will soon be looking for testers. If you’re interested, please reach out to me via Twitter (@afreak) or e-mail me at

I won’t be able to respond immediately but I will put you down on a list to contact.

Massive update and presenting at BSides Vancouver 2014!

I’ve been silent as of late! This should not indicate anything however with Canary as I have been actively developing it and tuning it to be better and more feature-rich. How about we cover what has been changed?

You can view all the changes now at:

New features

Who done what? Related results!


This is the feature I have been wanting to have up and running since day one: related items.

Basically if you view a document, it will attempt to find anything related to it based on its content. There are still some features to be added to that functionality, but it’s quite possible you could suffer from the same problem that some people have when reading one Wikipedia article and finding that you’ve gone from My Little Pony to Adolf Hitler in two hops (try this if you’re curious about this).

Expanded search


The search has been moved to the top-right of the screen like in the old version but has been simplified to allow you to look for other items in the process. Gone are the mentions of the bangs (they’re still there, however), but a help page is ready to read.

I have removed the functionality that allowed for searching of phone numbers. The reason for this is quite simple: the false positives were quite problematic.

The bangs are fully documented now and have had some of their abilities extended. You can check out the Help page to see more.

Presenting at BSides Vancouver

I will be presenting at BSides Vancouver on March 11th. The talk will feature some of the origins of Canary and will also discuss some other related items. I definitely invite you to come out if you’re able to come to the conference.

I plan to submit this elsewhere so stay tuned for that.


I am looking for donations as I wish to expand the service. There is a plan to expand this service to allow for access via an API, but this won’t be available for a few more months.

You can submit a donation via the links on this page:

I also take DOGE if you wish to send me that as well. :)

The address for DOGE is DU8hYS4Z9Nb3fG155LfcnxMVjKzp3MJJsN.

Bug reports

Please let me know via Twitter (@afreak) or via IRC (afreak on Freenode) if you wish to let me know of a problem. At the time of this writing, I am aware of the problem with the left column links when viewing the page, but I have a fix due for tomorrow.

Performance improvements

Small update here, but the performance of Canary has been drastically improved. Some changes were made to the database structure and data retrieval and it is now much, much faster. In addition, the hash searching is a lot more refined and will give far more accurate results.

There is a large feature coming to Canary in the next month or two so stay tuned!