Tom here from Lawrence Systems, and I am joined by Haroon Meer, the founder of Thinkst Canary. You've probably heard the ads before if you listen to any tech podcast; this product is wildly popular. We're not here to talk about that, but a little background in case you didn't know who Haroon was. And welcome today. Thanks so much for having me. It's great to be here. So Thinkst Canary, I think I probably first heard about it on some security podcast, definitely cool, and you have a lot of insights into the world of honeypots. And that's kind of what we're going to discuss today. And of course, the goal isn't just to talk about how cool they are or anything like that. This is not an advertisement. This is about how you can play with them for free, really easily. And I started this on Twitter and we were laughing, and we're going to show some of the results of me just tweeting out "would you click this link?" And boy, a lot of people were clicking the link. Let me go ahead and throw a couple of things up here. If you're not familiar with Canary.tools, you can check them out over here. Canary.tools is the commercial product, if you're interested, but OpenCanary is also adjacent to that. And this is actually what's really cool: you offer this whole free OpenCanary project. We're not going to talk about this today; this is for later. I believe it's a little bit more complicated to set up, because this is building your own honeypot, but absolutely, this is a free open source download on GitHub. All this will be linked down below, and they have plenty of documentation. And good documentation is great, but there are still a few setup things you've got to do to configure these, but it's all in there. What needs no configuration, and what we're going to talk about here, is the Canarytokens. This is just fun.
I've been playing with this this morning, and I'm blurring out IP addresses in post-production here, but these are all the people thus far, as of just a couple of hours ago before we started this video, that clicked the token with my clickbait title: would you click this? It's super interesting, because if you take canary tokens, people have been talking about the idea, like honeytoken-ish things or honeydocs, for two decades. People have been saying, insert some records into your database, and if you ever see those records on the wire, then you know you've been breached. Or, "why don't you just do this?" And of course, InfoSec people always say these "why don't you just" things. Yeah, except you can't do it in production, and it's too hard. And then you've got to create infrastructure to make sure that it's running, and create infrastructure to make sure... all of that stuff. And so with canary tokens, we wanted to make that easy enough so people don't have to think about it. It's like, here, you should just do this. Yeah, you can literally just copy and paste these, and we'll give a demonstration in a moment. And the concept isn't completely new, of course. This is just reiterating old ideas. One of the cool early examples to me is in cartography: when they designed maps years and years ago, companies would put a fake city in there, and that way they'd know someone else had just duplicated their map. So it's the same kind of concept: you want to know someone touched this, someone duplicated this, someone copied this. Is this actually my database out there? Yeah, it's such an old concept, but it's such a win for defenders. And one of the things is that canary tokens sometimes confuse people, because some of them look really familiar, some of them look foreign, some have a really high signal-to-noise ratio.
But if you spend a few moments understanding them, honestly, they're free, but they're some of the best things you can do to detect attacks on your network. Literally, we've had people tweet us to say they discovered Russian hackers breaking into their web servers just with free canary tokens. So even though it's free, people should absolutely just go use it. We get nothing out of it. This is part of a give-back. This is the hacker ethos, and for anyone who hasn't bothered to research Haroon here, he's definitely been in the hacker community for a minute. He's done a conference or two. You know, that's the nicest way I've been called old yet. Thanks, Tom. But the concept here with the canary tokens is really simple. We can create things like what I did this morning, which was to create this web URL token. You say where you want the notices to be sent to you, give a note why this was triggered, and you could just drop this web URL in there. I went a step further and did a TinyURL, and I tweeted this out. I said, you know, who would click this? And it turns out, and that's what these examples right here are, that yes, a lot of people would click this, and it gives me a little bit of insight into different areas of people clicking. And as a matter of fact, I had commented, hey, how come no one from South America? And then right away, some from South America. Very fresh, and I'm sure there's even more. On the right, if you click one of those dates, what you actually find is more information on it: if they're running special plugins in their browser, and so on. This is such a simple example, but it's so powerful, right? Because essentially you're saying, if I can get an attacker to visit my link, what can I find out about it? Yes. And once you have that primitive, like the top two tokens there, if you look at them, the web bug and the DNS token.
And if you check out the DNS token, you'll see that's equally simple, right? So you put in your email address, and the system will give you back a unique hostname. And the logic here is, if you can get an attacker to look up this hostname, you're going to get a message from the system. So if you just copy that and host it, or look it up, or anything, what you'll find is you'll get an alert to that email address saying, hey, listen, this domain name that really only you knew about, somebody just looked it up. And with those two super simple primitives that say, tell me when an attacker views a page of mine, or tell me when an attacker looks up a domain name, you can set traps in bunches of interesting places that no conventional security tools go. Like, you can start booby-trapping your Slack, or booby-trapping your... That's probably, you know, and this is probably a great example: the infamous Twitter hack that happened last year. If they would have had... because they had some of the two-factor information, I believe it was inside their Slack channel. And then what happened was the threat actors essentially were able to get into the Slack channel, and then they started clicking on everything. It's exactly that, right? So literally, if you take the Slack example, if you go back to your first one and you create a URL, and then you go into your own Slack and look for a conversation that's 10 months old, where you say, "good morning, guys," and just change the conversation to "here's the link to the password file, guys." And what's going to happen is, when your Slack gets compromised, the person's going to go into Slack search and search for password, secret, customer name; they're going to find this URL and click on it. And you're going to get a message saying, listen, this URL that really nobody should be clicking, somebody just clicked. Yeah.
And with all of the Canary and Canarytoken things, what you're looking for is that one piece of string to pull on, because, stupidly, because of the way our networks and complexity have expanded, people don't know that they're compromised for months. And so what you're looking for is that heads-up that says, hey, listen, this thing that shouldn't have happened happened; go pull on this thread to find out why it happened. And it gives you a start. Now, I want to point something out here. I typed in an email address, which is just my test@lawrencesystems.com email address. But if you read the fine print here, it says provide an email address or webhook URL. So you're able to build automation around this. So if you have your own web server and you've got several webhooks, you could tie this together with a webhook that could tie to some triggering program. Once again, this is free. This is something you can start dancing around with, putting this around your infrastructure and going, all right, let's drop a few here and a few here, and gain a lot of insight very quickly for low effort here. Exactly right. And two other things are worth noting there. One is, we don't want your email address to mail you and sell to you; that's literally just for the notifications. We'll never use it. I should mention this too. I've been testing these for a little while too, and I did not sign up. I literally can pop open any window, I just type in canarytokens, and there's no sign-up. Whatever email or webhook you want to use, there is no way for Haroon to contact you. His marketing team doesn't get a copy of this. We absolutely don't. So it's just for that alert to get through. And the other thing that's really cool, if you look at that stock page, right? So we ask you for your email address, and then what we tell you is, give yourself a reminder.
And that reminder is interesting because, like you said, when you spread these around, it really allows you to fire and forget them. So literally, I've got them dropped on my mom's desktop, my mom's inbox, my mom's Dropbox, and I forget about them, like, forever. And five years from now, I get a ping that says, listen, the token in your mom's Dropbox just got viewed. And then you know. Okay, and of course, if you take this to your company, you'd be saying CFO's laptop, CEO's laptop, prod one, prod two, domain controller one. And so you drop them, you forget about them, and the alert self-identifies: you get this ping telling you, listen, the token that you left on domain controller one just got used. And so immediately you know where to go start looking. It's a super low-effort, super cool way to go. This is probably one of my favorite tokens, this AWS token. Yeah, and if you were running any type of AWS infrastructure, or even if you're not, yeah, you should probably have this in there, because this is irresistible to someone inside your network. If they see that there are some access credentials, can you do anything other than try them? I mean, I want to try them right now. It's why I love this so much, right? And there are multiple reasons to love it. So literally, you go here, we give you an AWS API key, and that's a legit AWS API key. So there's no way to eyeball it and say, is this legit or not? And as an attacker, I have to try it; there's nothing I can do. And we didn't even intend it, but there are some hidden benefits of this, right? Let's say you've been compromised by Mossad; they've owned everything that you own. So now they own your mail systems, they own everything. This triggering is happening completely off-site, right? Because when they test the key, they're logging into Amazon.
And Amazon sends the message to us, and we send it to your phone or to your email, saying, hey, listen, this AWS key that was only on your production server, someone just used it to log in to Amazon. And so in terms of fidelity of message, it's super high fidelity; it's clear you've got a problem. Yeah. And I think that's an important factor, because we always talk about what could have missed a detection, what could have missed what's going on, like, did my security tool detect if an intruder's in there? And of course, we beat ourselves up when a security tool doesn't detect; you're like, oh, I never detected, why didn't it? And then we're mad at the tool company. But this is very actionable intelligence, where we can say definitely confirmed, not suspicion, not a weird thing going on. Something was in here, because they tried the credential. And by the way, the AWS key technically is a valid credential, but it's valid for you, not your company. So there is no second-guessing this one, I think. Exactly right. And what you said about detection is also super interesting, because everyone who's tried to do defense right now knows you just get browbeaten, right? You're trying to harden your network, and then there's a new Black Hat, and you find out that maybe your monitor can be compromised, and maybe the office phone can be compromised, and maybe the firmware on your Blue Yeti mic can be compromised. And so there's a zillion different ways to attack you, and you try to patch them all. But once an attacker is on your network, for the same reason, there are actions on objectives that they've got to do. And "let me use the AWS key I found" is one of them. "Let me read these secret docs that I found" is one of them.
And it really flips the case around, where now attackers have to worry about what they touch, rather than defenders having to catch everything. And again, you'll see there's someone who's tweeted us saying, since they've discovered tokens, now they're scared to use anything they find on an engagement. Because when they're on an engagement, anything they find could potentially be a token. And that's such a ridiculous win: for free, you make attackers' lives harder. Yeah. And it's irresistible. And you even have... one question I did have from a technical aspect, the Windows folder one: I looked at how it works, where it creates a desktop.ini file. Has that cued people onto it, or can they still not resist going into that folder? Yeah. It's a good question. So look, for some of the tokens, we'll tell people that... analogies are terrible, because they work till they don't. But tokens are closest to tripwires. And you could spot a tripwire if you were going through somewhere; on an individual basis, you can spot one. But when you know the floor has tripwires, it just changes the way you have to roll, right? You just can't. And so for almost every token, you could do really clever things to try to identify if it's a token or not. But if an attacker has to do that on your network, you've slowed him down about a thousandfold. Yes. Otherwise they're just running through, like bulls in china shops. The Windows folder one's pretty cool. And I threw this one up, and for everyone who is paying attention, I said, how many people will scan this? Because obviously none right now, but in post-production, I'm going to be watching this one here. It's such a winner.
And even though this one is fun, one of the applications for this is the next time your staff has to go through customs and you're worried about, are they scanning hardware? You take this, you have it on a sticker under their phone battery. And the only way someone's getting to that... And the cool thing about most of the tokens is, a little while back, Collin Mulliner did a talk on embedding these tokens inside of binaries to detect reverse engineering. And in his presentation, he says, listen, when you are a reverse engineer and you are reversing code and you find a web endpoint, what do you do? You surf to that web endpoint, because maybe there's stuff there. And so now, with his system, you get told, hey, someone's reverse engineering your binary, and you can start doing cool stuff around it. So it's really a neat take on attacking attackers without the stupid hack-back stuff. Yeah. And it lets you know. And like you said, the signal-to-noise ratios are truly important as well. We get, especially as defenders, such decision fatigue and notification fatigue, because we're trying to... what do we say? What is this and that? Is this good? Is this a threat? You know, false positives are challenging, and the goal of any of these security companies is not to give us that many, but the reality of these security companies is that, even when each one of them is not trying to give us many, cumulatively, when we're using a security stack... we all preach defense in depth, but defense in depth means having several tools that cumulatively make my day harder. It's alerts to death. Yeah. It's interesting. The reason we do tokens, the same as our Canary stuff, is we aim really hard for low alerts. We've got customers with hundreds of Canaries, and these are Canaries, not even tokens.
And they get four alerts a year. And literally that's what we go for. Like, our customer success team, if they see you getting an alert a day, they'll reach out and say, listen, something's wrong; you've deployed this thing wrong. Yeah. Because ideally these things are: drop them, forget about them, and when they go off, cancel your weekend plans. Yeah, because they're in. Exactly right. That is very cool. I think one of the things I like is this is so tangible for even the most basic of computer operators. Like you said, you can put these on people's desktops. You can put them on your desktop. If you're just curious whether the kids are snooping through things on your computer because you share a computer, drop a couple of things on there. And why not create a Word document that says "all my passwords"? If someone clicks it, someone was on your computer. It's kind of as simple as that. Yeah. It's exactly that. And part of the thing, when you think about it, you'll see people who are new to InfoSec, and you don't want to believe that it can be that simple. People will say, but surely an attacker wouldn't click that. And it's like, really? I've been on hundreds of pen tests, and that's literally how you own networks. You find a document saying server passwords.xls, and that's how that stuff works. Yeah. And unfortunately, recently there was a rather large company that was breached, and we found out that's where they were keeping the passwords in reality. And they should have at least had a token; they would have known, as it turned out, that the threat actors were in there for a little while. And persistence is something they try to maintain, especially the larger the company; the more likely it is that they won't do a hit and run, they're going to do a strategic attack.
And people sometimes underestimate, until they get hit, how advanced the threat actors have become. And knowing they're in there is so key, because somehow they have evaded, with whatever technique they may have used, whatever security and defense in depth; they've navigated around that. But boy, they are not going to be able to resist, once in, server passwords.xls. Oh, count me in. It's why they do it: even if you are a super sophisticated attacker, the chance to spread, it's just your day job. That's what you've got to do. And so again, it ends up working super nicely as a defender, because it's all the stuff that's been done to our users; you're just doing it in reverse. And the joy of it is that this really shouldn't be someone's full-time job. You don't need a counter-intel team dropping tokens. It's literally: take five minutes, create some tokens, drop them, forget about it. And when it goes off, you'll know. And if you made a mistake and put a token in a place where too many people are bumping over it, you'll know. If you get two messages today, delete that token or disable it, so that token doesn't bother you. And it costs you nothing. Right. It is such low-hanging fruit that you can do on your network to up your game, understand there's an intrusion, give you a little bit of peace of mind, and know who's clicking through things. Exactly. I can't really think of an easy reason not to do this type of thing. Neither can we. Literally, that's our pitch: it's going to take you five minutes, just do it. So we go to RSA, like other security vendors, and literally our pitch is, listen, we're the dumbest product here: no machine learning, dark net, any of that stuff. We're super dumb, but we work. So take five minutes and drop us, and go do the other clever stuff. Just do this. Yeah. And so far... Yeah, simplicity at its best here.
I will leave links to where you can check all of these things out. And maybe if there are enough people commenting, I'll dive deeper into... the instructions are pretty clear if you wanted to use the actual Canaries. You can run that other one on a Raspberry Pi, right? That's, yeah, OpenCanary. There are even people online who have tutorials on how to drop OpenCanary on a Pi. Totally the low-hanging fruit that you can get started on today. Get started. You could pause this video, and in the time we made this video, you could have made probably 30 or 40 different tokens and already had them deployed in places. That is so easy to do. I don't know why you wouldn't want to do it. So it sounds like the way to go. Yep. Well, thank you for joining me. This was awesome. Like I said, I'll leave links where you can get to everything, and I look forward to playing with these in the future and hoping no one trips over them, other than people on Twitter that I've been link-baiting, because that's just been kind of fun. Actually, we'll refresh it one more time, because I did this just before we started looking, and I see more of them popping up. It's just growing. Nobody yet from South Africa; that seems like something that needs to be resolved. Like, yeah, why are no South Africans on this? Yeah, you know, I actually realized some of them fell off, because there was one right outside of Madagascar. I don't see that one. And I thought there were two at the beginning, but there's definitely more. The cool thing too is this can be downloaded and exported to JSON or CSV. So you can download all this and start parsing and analyzing it deeper. So yeah, absolutely. Awesome. I should have just added a South Africa in there. But there you go. Yeah, we were... It'll pop up. But oh, yep. Hey, we found you. That's me waving from Cape Town. It's all done in real time.
All I'm doing is refreshing the page and they're popping up, which makes it that much more fun. All right, thanks for joining us. Awesome, thanks so much. And thank you for making it to the end of this video. If you enjoyed this content, please give it a thumbs up. If you'd like to see more content from this channel, hit the subscribe button and the bell icon. To hire us for a project, head over to LawrenceSystems.com and click on the Hire Us button right at the top. To help this channel out in other ways, there is a join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the descriptions of all of our videos, including a link to our shirt store, where we have a wide variety of shirts, and new designs come out, well, randomly. So check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thank you again, and we look forward to hearing from you. In the meantime, check out some of our other videos.