If it isn’t clear already, we have decided to rename Canary to Canario! This change comes after a decision to give the service a name that is unique amongst other products with similar names. If you’re a Spanish or Portuguese speaker, the name isn’t all that different, however.
All traffic going from the canary.pw domain will automatically be redirected indefinitely.
There have been some cosmetic changes, but what we’re most excited about is an entire overhaul of the software backend! Here’s what we’ve been busy doing the past few months:
One big thing we’ve done away with (temporarily) is keyword-based searching. This was done because we have never been satisfied with the results given by previous iterations of the search engine.
After the Ashley Madison breach, Canario saw thousands of searches per hour, and most of them came from people who were not using the bangs (“!email”, for example), with mixed results. Because of this, a search performed without a bang now searches within our collection of objects (such as an e-mail, IP address, et cetera), allowing for more accurate results.
This does not mean that we’ve done away with the bang feature: we’ve improved one bang and added a new one as well.
For those who are interested in IP addresses, we’ve added the ability to use CIDR notation when searching.
This means that the following search examples are valid when using the IP (!ip) bang:
- !ip 192.168.1.0/24
- !ip 10.0.0.
- !ip 188.8.131.52
With the second example, it is converted to “10.0.0.0/24” (and if it were to be “10.0” it would become “10.0.0.0/16”). You can only do this from a /32 down to a /16.
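The conversion rules described above can be sketched as follows. This is an added example, not Canario's own code; the function names, the IPv4-only scope and the masking of host bits in an explicit CIDR are assumptions.

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 32  # the post allows /16 through /32 only


def normalize_ip_query(term: str) -> ipaddress.IPv4Network:
    """Convert the argument of an !ip search into an IPv4 network."""
    term = term.strip()
    if "/" in term:
        # Explicit CIDR. strict=False masks stray host bits (assumption).
        net = ipaddress.IPv4Network(term, strict=False)
    else:
        # Partial address: each octet supplied adds 8 bits of prefix.
        parts = term.rstrip(".").split(".")
        if not 1 <= len(parts) <= 4:
            raise ValueError(f"not an IPv4 prefix: {term!r}")
        for part in parts:
            if not (part.isascii() and part.isdigit() and int(part) <= 255):
                raise ValueError(f"bad octet {part!r} in {term!r}")
        prefix = 8 * len(parts)  # "10.0" -> /16, "10.0.0." -> /24
        padded = parts + ["0"] * (4 - len(parts))
        net = ipaddress.IPv4Network(f"{'.'.join(padded)}/{prefix}")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside the /16 to /32 range")
    return net


def matches(term: str, address: str) -> bool:
    """True if a stored address falls inside the network the query names."""
    return ipaddress.IPv4Address(address) in normalize_ip_query(term)


if __name__ == "__main__":
    for query in ("192.168.1.0/24", "10.0.0.", "10.0"):
        print(query, "->", normalize_ip_query(query))
```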
One new feature we’ve added is the ability to search by TLD and sub-TLD via the new “!tld” bang.
We’ve included all two-letter country TLDs, all original non-country TLDs, and all of the new ones approved by ICANN through to the end of 2015; we will update as we go along, of course. Non-Latin TLDs are also supported starting with “XN-”, meaning we cover over 1,000 different TLDs.
On top of that, we are also including sub-TLDs. This means that hosts ending with “gc.ca” (Government of Canada), “ca.us” (State of California), and even services like DynDNS (“dyndns.org”) and Amazon AWS (“amazonaws.com”) are included in the search area. There are almost 10,000 sub-TLDs covered here.
Going back to keyword searching, we do plan to return this feature as a paid option later this year. We will provide more details on this as we go forward but a (sort of) workaround has been made available.
More in-depth analysis
One of the biggest challenges we’ve had with the old software was that it was designed with a different purpose in mind, and over time features were added that required more work from the database back-end than was ideal.
Here’s an example e-mail address:
Under the old software this is what we’d extract:
- The e-mail address: firstname.lastname@example.org
- The hostname: example.email.co.uk
With the new software, we still extract the above but we also retrieve the following:
- All subdomains: email.co.uk
- The TLD: uk
- The sub-TLD: co.uk
- The IP address that the original hostname resolves to: 10.255.2.16
This allows you to find any item regardless of how you search for it. It also permits an organization to find things that may exist within their IP space that do not show up explicitly in our samples.
Under consideration is the extraction of MX records but as it stands right now we’re sticking with just A records.
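The e-mail breakdown listed above can be sketched as follows. This is an added example, not Canario's own code; the function name, the sample address and the five-entry sub-TLD list are constructed for illustration, and the A-record lookup is left out so the code runs offline.

```python
# Constructed mini-list holding only the sub-TLDs the post names;
# the service itself is said to cover almost 10,000.
SUB_TLDS = {"co.uk", "gc.ca", "ca.us", "dyndns.org", "amazonaws.com"}


def extract_objects(email: str) -> dict:
    """Split an e-mail address into the searchable objects the post lists."""
    local, sep, host = email.strip().rpartition("@")
    if not (sep and local and host):
        raise ValueError(f"not an e-mail address: {email!r}")
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {host!r}")

    # The longest suffix of two or more labels found in the list wins.
    sub_tld = None
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SUB_TLDS:
            sub_tld = candidate
            break

    # Parent domains sit strictly between the hostname and its suffix.
    suffix_len = len(sub_tld.split(".")) if sub_tld else 1
    parents = [".".join(labels[i:])
               for i in range(1, len(labels) - suffix_len)]

    return {
        "email": f"{local}@{host}",
        "hostname": host,
        "subdomains": parents,
        "tld": labels[-1],
        "sub_tld": sub_tld,
    }


if __name__ == "__main__":
    # Constructed sample address using the hostname from the post.
    print(extract_objects("user@example.email.co.uk"))
```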
Here’s one other example using an HTTP link:
Under the old software here’s what we’d get:
Under the new software, we get the above plus much more:
- All redirects leading up to the end URL: http://seclists.org/fulldisclosure/2016/Jan/0
- The hostnames from all redirects and URLs: bit.ly, seclists.org
- All TLDs from the hostnames: ly, org
- All IP addresses from the hostnames: 184.108.40.206, 220.127.116.11
We want to make it easier for you to find your data and we hope that making the analysis more in-depth will be helpful.
Better alerts (soon)
Right now we’re re-analyzing all of our samples and as a result we’ve opted to disable outright the alert system until this has been completed. However, you can in the meantime create alerts that will be enabled the moment we have the system ready.
If you registered before the transition to the new software and enabled alerts based on your e-mail address, this will already be ready to go once the data processing is complete. New users going forward will need to input this manually, but as a new feature, you can now set any object you want as an alert result within Canario.
The Canario alert engine will look for these strings within any new sample upon the analysis being completed. For now, we’re only allowing up to five strings but in the future we will be permitting more than five plus the ability to use regular expressions on data that is coming in. As mentioned earlier, more details on this will be forthcoming.
We will make an announcement once we’ve completed the data migration.
In addition to everything above, we encourage anyone who is interested to check out our IRC channel on Freenode at #canario.
We’ll provide an update on the data migration progress very soon. There will be some interruptions to service over the coming week or two but the worst of what needed to be done on our end is over.