We’re updating!

As you may have noticed, Canary’s blog hasn’t had an update as of late. We can assure you that we’re working on a huge update that addresses performance, better data extraction, and much more.

Expect to see further details on this in September.

Announcing Canary Alerts and public data submission

One of the features originally planned and promised for Canary was alerts. Finally we have delivered that and a few new features to the Canary website.

Alerts

In this update, we have introduced the new Alert system. At the moment it is set up to only alert you if there is an incoming sample that has your Canary account’s e-mail address contained within–more on the future of this will be explained later. This feature is included with all accounts both current and future–we can outright disable it for your account if requested. Alerts are triggered shortly after the data has been analysed and will be tripped regardless of who submitted the data.

To access your alerts, you’ll need to log in as normal (or register a free account and then log in), and you’ll immediately be presented with an account page that shows an “Alerts” tab.

Default Alert page.

By default you should expect the above screen but in the event that there is an alert, you’ll be able to see and acknowledge them as follows:

Upon an alert being received, it will appear here.

In addition, you’ll be able to enable the e-mailing of alerts (disabled by default) so if an alert comes in you’ll be able to know without having to log into the website–this can be done by enabling it via the “configuring alerts” tab.

Typical alert e-mail you should expect to receive.

Down the road we’re working on the following for the site:

  • Keyword-based alerting in addition to the e-mail address you’ve signed up with. All accounts will have a maximum of three keywords and requests for more will be a paid feature. It should be kept in mind that alerts are not based on search queries so the usual triggers (!http, !ip, et cetera) will not apply here.
  • Regular expression-based alerting will be available on a pay-basis. Details on this are still being worked out, but we’ve had requests for regex-based searching in the past and would like to act upon them in some way.
  • API access to alerts which will be useful for those of you who are looking to integrate this into Splunk, LogRhythm, ArcSight, and so forth.

Stay tuned for more on alerting.

Public Data Submission

One of the things that we are aiming for is to make Canary more engaged with the community. As such, we’ve gone ahead and introduced a much simpler way to send us data. If you look on the top-right of the page, you’ll see a page available to you provided you’re logged in with an account:

This link will change once you've logged in.
Submitted data will appear as follows.

You’ll be able to see on this page a list of your previously submitted items (if any of course) but in addition to that you’ll also be presented with a submission form where you can submit data:

Submission form. Only a title and body is really required but a URL is helpful for us.

Any data posted via this submission form is only accessible to those with registered accounts. Data shared via this service is by default not exposed to the public unless either it has already been submitted before and was made public or we decide to make it public for whatever reason. Your account details are attached to the submission, but those will not be visible to the public regardless of whether they’re signed in or not.

All registered users have access to this feature and we look forward to having everyone contribute whatever they can. This is meant for one-off posts that are 100 KB or less but if you’re looking to upload mass amounts of data or anything larger, please let us know as we have much better mechanisms for submitting data.

We’re going to evaluate how this feature works out so expect changes if we deem them necessary.

Other Updates

We’re working on changing the search mechanism, as it’s producing results that are either erroneous, a bit too verbose, or simply not what users should expect or want. This is a known problem and we’re working to resolve it. Making use of the triggers will allow for better results.

Determining the possible validity of a breach (or was PSN really hacked again?)

If you’ve been following social media as of late, you might have seen remarks about a new set of data that is floating about stating that PlayStation Network (PSN) along with 2K Games and Windows Live were all breached and that a dump of passwords has been made available.


But is this really the case?

The password dump was added to Canary yesterday and immediately we saw some interesting results. Here are the links containing the dump as it is (for analysis purposes most large dumps are split up):

While this requires free registration, viewing the ‘related’ tab on these entries (specifically parts 3, 4, and 5) shows a number of similarities between this dump and dumps belonging to booter forums (“booter” being a term used to refer to DDoS attacking) as evident in these screenshots:


The sources in question can also be viewed via these links (there are more than just these but it gives you an idea):

This sort of thing has happened before where dumps from various databases were either re-branded as something else or were co-opted by another group in an attempt to boost reputation. A perfect example of this is an old breach on a site run by the FBI, which has been stated to have been done by several different groups since it was first dumped–every few weeks to a few months we see the dump rehashed.

So should you be concerned about this dump? Well it comes down to what level of risk you want to take, but it should always be kept in mind that breach data may not be what it seems. If you think you’re at risk, do what is appropriate.
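The comparison described above can also be run locally against dumps you already hold. The following is an added example, not Canary's own code or its "related" algorithm: it fingerprints normalised `user:secret` lines and reports which known dumps already contain most of a claimed "new" one. The dump names, sample records and the 0.5 threshold are constructed for illustration.

```python
import hashlib

# Constructed sample data: a "new" dump and two older dumps already on file.
CLAIMED = """alice@example.com:hunter2
Bob@Example.com:letmein
carol@example.com:pa55word
dave@example.com:qwerty
"""
KNOWN = {
    "booter-forum-a": "bob@example.com:letmein\r\n alice@example.com:hunter2 \n"
                      "carol@example.com:pa55word\nerin@example.com:zzz\n",
    "unrelated-site": "frank@example.com:abc123\n",
}

def normalize(line):
    """Canonical 'user:secret' form, or None if the line is not a record."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    user, _, secret = line.partition(":")
    return f"{user.strip().lower()}:{secret.strip()}"

def fingerprints(text):
    """SHA-256 digests of normalised records, so raw credentials are not kept."""
    out = set()
    for line in text.splitlines():
        rec = normalize(line)
        if rec:
            out.add(hashlib.sha256(rec.encode("utf-8")).hexdigest())
    return out

def containment(claimed, known):
    """Fraction of the claimed dump's records already present in a known dump."""
    if not claimed:
        return 0.0
    return len(claimed & known) / len(claimed)

def rank_sources(claimed_text, known_dumps, threshold=0.5):
    """Known dumps that already hold at least `threshold` of the claimed dump."""
    claimed = fingerprints(claimed_text)
    scored = [(name, containment(claimed, fingerprints(body)))
              for name, body in known_dumps.items()]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, round(score, 2)) for name, score in scored if score >= threshold]

if __name__ == "__main__":
    print(rank_sources(CLAIMED, KNOWN))
```

A high containment score against an older, differently branded dump is the signal that the "new" breach is recycled data.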

Use case: finding out a bit more about an attack

One of the original reasons Canary was created is that, in many cases, details about a breach are shared before the general public or affected organisations get wind of it. While Canary does not prevent breaches, it could at least give you enough of a heads-up to mitigate the damage already dealt.

In this case, it’s sort of the reverse. With a distributed denial of service attack, we can learn a bit more about what is attacking you.

A case in point: the following was shared on an IRC channel earlier today:

23:03:53 < [someone]> [retail chain] getting ddos
23:03:55 < [someone]> [url containing details]
23:04:00 < [someone]> where do I report this?
02:28:30 < [person]> [someone]: isc.sans.org?

The individual who shared it never shed light on how they acquired the information, but it can be safely assumed that it was not something that they found on their own. I am sure the target might be aware, however.

But it seems that the person does have access to packet capture data from the machine. How they acquired it is ambiguous, but nonetheless it does provide some details that we can use.

The pixelated items in the packet capture image are the IP address that was supposedly being targeted. The source in the first half and the destination in the second are not the individual’s machine either. Both are good candidates for finding out a bit more about what is known within Canary about these two IPs.

When we look for the IP address found within the packet data itself, we do not get any results. Maybe we can check its IP block? Nope. In fact, it does not appear that the target organisation has any leaked data, which is good news. If you want to try this for yourself, you can use the following search terms as examples (without parentheses):

Note: searching for bigger ranges will likely lead to longer search times! The larger the IP block, the more you should consider using the API.

But what about the attacking machine? What can we find out about it? Well, as luck would have it, we did find something within Canary’s database.

Bingo. Just one search result but here we are. Some scrolling around eventually leads us to the IP address involved in the attack.


This can be useful for investigations to determine when the attacking machine was possibly compromised. What the content of these files is exactly can be for another time, but we can at least determine that this machine has been compromised for at least a week here.
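The same reasoning can be applied to any dated collection of leaked documents you hold. This is an added example, not Canary's code or API: it finds every document mentioning an address (or any address in a block) and uses the earliest sighting as a lower bound on how long the machine has been exposed. The document IDs, dates and RFC 5737 documentation addresses are constructed.

```python
import ipaddress
import re
from datetime import date

# Dotted quads that are not part of a longer dotted number such as 1.2.3.4.5.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

# Constructed sample corpus: (document id, date first seen, body).
DOCS = [
    ("paste-001", date(2014, 1, 3), "root:toor@198.51.100.23 ssh ok"),
    ("paste-002", date(2014, 1, 8), "hosts: 203.0.113.7, 198.51.100.23."),
    ("paste-003", date(2014, 1, 9), "build 1.2.3.4.5 from 999.1.1.1"),
]
ATTACK_DAY = date(2014, 1, 10)  # constructed date of the observed DDoS

def ips_in(text):
    """All valid IPv4 addresses mentioned in a document body."""
    found = set()
    for match in IPV4_RE.findall(text):
        try:
            found.add(ipaddress.ip_address(match))
        except ValueError:
            pass  # looks like an address but is not one, e.g. 999.1.1.1
    return found

def sightings(docs, target):
    """(date, doc id) for each document mentioning the IP or CIDR block."""
    net = ipaddress.ip_network(target, strict=False)
    hits = [(seen, doc_id) for doc_id, seen, body in docs
            if any(ip in net for ip in ips_in(body))]
    return sorted(hits)

def min_days_exposed(docs, target, attack_day):
    """Days between the earliest sighting and the attack, or None if unseen."""
    hits = sightings(docs, target)
    if not hits:
        return None
    return (attack_day - hits[0][0]).days

if __name__ == "__main__":
    print(sightings(DOCS, "198.51.100.23"))
    print(min_days_exposed(DOCS, "198.51.100.23", ATTACK_DAY))
```

The result is only a lower bound: the machine may have been compromised well before its address first appeared in a leaked document.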

More about what you can do with Canary will be written in the future!

Canary will not charge you to find out if you’re affected by a breach (also we want volunteers)

News came out today that there are 1 billion usernames and passwords floating about from Russian gangs. An excerpt is as follows:

The firm that uncovered the breach, Hold Security of Milwaukee, said a group of about 20 hackers from south-central Russia are to blame. The group, dubbed “CyberVor” (“vor” meaning “thief” in Russian), stole data from thousands of businesses Web sites, both small and large, and even from personal Web sites.
[…]
It appears the firm initially planned to charge for its services. According to Forbes reporter Kashmir Hill, after the Times story ran Hold Security’s Web site advertised its services to potential victims of the breach for “as low as 120$/month [sic]” with a “money back guarantee.”
Wall Street Journal reporter Danny Yadron noticed Hold’s ad and tweeted about it. It was quickly taken down. A modified version has since appeared offering pre-registration for the free 30-day trial.

We at Canary do not like this idea as you as an individual should know about any compromise of your personal information without having to pay a broker for details.

As a result of this, we are announcing that by October, individuals will be able to sign up for a free alerting service. All that will be required from you is to sign up with an e-mail address you want monitored and we’ll go from there. In fact, go ahead and register right now and we’ll approve your account, allowing you to have it monitored right off of the bat once the service is active.

Commercial users are (for now) free to sign up in anticipation of the service but it is asked that you consider a donation to Canary’s parent organisation. Individuals are not requested to do this but are also free to support us as well.

Also we need help!

Canary would love to have financial support, but what is really needed more right now is data.

We want lots of data. We want to fill up hard drives with data.

If you’re interested in helping scrape, please contact us. We’re looking for data from the following types of sources:

  • Pastebin-like sites
  • Resources hosted via TOR
  • Message boards
  • Non-English-based websites

We also welcome other sources should you have the ability to access them and have an idea on how to send it.

Announcing the Canary API beta!

As you may or may not have noticed, Canary has undergone some drastic changes. Some of the changes include:

  • New logo and layout.
  • Performance boosts on the search engine itself.
  • A finer-tuned related search result for posts.
  • An improved user-interface for viewing found objects.
  • And last but not least, an API to interface with.

The API has been in the works since the creation of Canary and was to be introduced not too long after Canary was out of a ‘beta’ phase. The plan was to have it done by around summertime and well, we’re only a few days in and it’s now up and running!

If you’re wondering what Canary is, Canary is a search engine for data that has been posted on document-sharing websites. It takes the data, analyses it, and then stores it in a database. You can determine if any of the documents are linked to each other as well. Click here and give it a try!

Now, here’s the part you may be interested in: how do I get to use it?

Well, simply go ahead and register! Once that is done, feel free to tweet at me (@afreak) with your username and let me know that you’re interested–e-mailing us or responding to this post works too! At this time certain restrictions on e-mail accounts and how many searches and views you can make are relaxed, but get in early if you’re interested in playing around.

We also want to see what sort of ideas you have for Canary. An issue tracker has been launched and all you need is a Github account to make requests, report bugs, and so forth!

In the near future, we plan to provide details on what you can do with Canary so stay tuned for that as well.

Also, Canary celebrates its first anniversary soon. Thanks to everyone who has helped on this project so far!