from Hacker News

Canarytokens: Honeypot for critical credentials, get notified when they are used (2015)

by Kovah on 7/30/24, 8:39 AM with 42 comments

  • by legobeet on 7/30/24, 3:21 PM

    The next step is to actually use underprivileged canary tokens on the client for your day-to-day work, intercept them with a proxy, and replace them with the real deal in a more isolated setting.

    For example, an application-specific HTTP proxy for your GITHUB_TOKEN. You can use a canary token for the internal user-facing auth. https://github.com/legobeat/git-auth-proxy [0].

    That piece is being used here[1] in order to make it transparent for the user and I intend to add more features there for credential and secret compartmentalization. Been keeping it fairly structured so you could also use it as a reference if you ever do similar stuff and want some inspiration or copypasta for your personal hacking.

    [0]: Caveat: The proxy repo is a fork and the documentation is still more reflective of the previous owner's intentions. I ripped out all the Azure/k8s integrations.

    [1]: https://github.com/legobeat/l7-devenv/
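
An added example of the pattern the comment describes, written for this page and not taken from legobeat's git-auth-proxy: the client only ever holds a low-value placeholder (a canary token, per the comment), and a small HTTP proxy that alone holds the real GITHUB_TOKEN checks for the placeholder and swaps it in before forwarding. Token values, the listen port and the environment variable names are constructed for the example.

```python
"""Credential-swapping proxy (added example, not the git-auth-proxy code).

The client is configured with PLACEHOLDER_TOKEN only. This process holds
REAL_TOKEN and substitutes it on requests that present the placeholder, so a
copied client config or shell history never contains the real credential.
"""
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed configuration (constructed for this example).
PLACEHOLDER_TOKEN = os.environ.get("CANARY_GITHUB_TOKEN", "ghp_canaryPLACEHOLDER00000000000000000000")
REAL_TOKEN = os.environ.get("REAL_GITHUB_TOKEN", "ghp_realSECRET00000000000000000000000000")
UPSTREAM = os.environ.get("UPSTREAM", "https://api.github.com")
# Headers that must not be copied verbatim between the two legs of the proxy.
DROP_HEADERS = {"host", "connection", "keep-alive", "content-length",
                "proxy-authorization", "transfer-encoding"}


class AuthSwapError(Exception):
    """Raised when the inbound request carries no usable placeholder."""


def swap_auth_header(headers, placeholder=PLACEHOLDER_TOKEN, real=REAL_TOKEN):
    """Return a copy of `headers` with the placeholder credential replaced by the real one.

    Only a request presenting exactly the placeholder is forwarded. Anything
    else is refused rather than passed through: no header, an unknown token,
    or the real token itself (which should never exist on the client side, so
    seeing it here means it has leaked out of the proxy).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, presented = lowered.get("authorization", "").partition(" ")
    presented = presented.strip()
    if scheme.lower() not in ("token", "bearer") or not presented:
        raise AuthSwapError("missing or malformed Authorization header")
    if hmac.compare_digest(presented.encode(), real.encode()):
        raise AuthSwapError("real token presented by the client: it has leaked out of the proxy")
    if not hmac.compare_digest(presented.encode(), placeholder.encode()):
        raise AuthSwapError("unknown credential, not forwarding")
    out = {k: v for k, v in headers.items()
           if k.lower() not in DROP_HEADERS and k.lower() != "authorization"}
    out["Authorization"] = "token " + real
    return out


class SwapHandler(BaseHTTPRequestHandler):
    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        try:
            outbound = swap_auth_header(dict(self.headers.items()))
        except AuthSwapError as exc:
            self.send_error(401, str(exc))
            return
        req = Request(UPSTREAM + self.path, data=body, headers=outbound, method=self.command)
        try:
            with urlopen(req, timeout=30) as resp:
                self._relay(resp.status, resp.headers, resp.read())
        except HTTPError as exc:  # upstream 4xx/5xx are relayed, not swallowed
            self._relay(exc.code, exc.headers, exc.read())

    def _relay(self, status, headers, data):
        self.send_response(status)
        for k, v in headers.items():
            if k.lower() not in DROP_HEADERS:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _proxy


if __name__ == "__main__":
    # Point git/gh at http://127.0.0.1:8089 with PLACEHOLDER_TOKEN as its token.
    HTTPServer(("127.0.0.1", 8089), SwapHandler).serve_forever()
```

The constant-time comparisons are cheap insurance, but the real point is the third branch: if the real token ever shows up on the inbound side, something has copied it out of the isolated setting, and refusing the request surfaces that immediately instead of quietly working.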

  • by Tiberium on 7/30/24, 2:31 PM

    Should be mentioned that this is not a bullet-proof solution (obviously), for some services the canary tokens can be bypassed, see e.g. https://trufflesecurity.com/blog/canaries ("TruffleHog Now Detects AWS Canaries without setting them off")

  • by notepad0x90 on 7/30/24, 12:46 PM

    A lot of security tools and "platforms" (don't get me started) have deception features now which include stuff like this.

    https://learn.microsoft.com/en-us/defender-xdr/deception-ove...

    But in my opinion, deception tech is best implemented in-house. Nothing wrong with using externally developed tools, especially for high signal-to-noise things like honeypots, but the actual monitoring and alerting data flow should ideally be environment specific.

  • by aflukasz on 7/30/24, 5:36 PM

    By the way, simple honeypot on Linux using auditd: just set a rule like `-w /etc/secret-file -p rxwa -k some.tag` and use your mechanism of choice to watch logs/journal for the occurrence of `some.tag` string.

    `-p rxwa` causes logging of any read, exec, write or attributes change on that file. More in `man auditctl`.

    Among other things, this has the benefit that, in principle, such a honeypot triggers immediately and not only after someone decides to try using some actual credentials/data.

    Obviously needs some work to make this robust (log monitoring plus alerting), but it's a nice building block worth knowing and, if you care, then you probably already have those additional pieces in place anyway.
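
An added example (not the commenter's code) of the "watch logs for the tag" half of the building block above: it scans audit records for the rule key, correlates each SYSCALL record with its PATH and PROCTITLE records through the audit(timestamp:serial) id, and produces an alert with who touched the file, from which binary, and whether the access succeeded. The log lines are constructed samples in audit.log format, trimmed of some fields; the key `some.tag` and the file path are the ones from the comment's rule.

```python
"""Turn auditd honeypot records into alerts (added example, constructed input)."""
import re
from collections import defaultdict

HONEYPOT_KEY = "some.tag"  # the -k value from the rule in the comment

# Constructed sample in /var/log/audit/audit.log format: a root `cat` of the
# honeypot file, an unrelated event with another key, and a failed open of the
# honeypot file by an unprivileged python3 (exit=-13 is EACCES).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1722356000.123:4567): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined key="some.tag"
type=CWD msg=audit(1722356000.123:4567): cwd="/root"
type=PATH msg=audit(1722356000.123:4567): item=0 name="/etc/secret-file" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1722356000.123:4567): proctitle=636174002F6574632F7365637265742D66696C65
type=SYSCALL msg=audit(1722356007.001:4580): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined key="other.tag"
type=PATH msg=audit(1722356007.001:4580): item=0 name="/etc/ssh/sshd_config" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1722356042.500:4590): arch=c000003e syscall=257 success=no exit=-13 items=2 ppid=2200 pid=2310 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="python3" exe="/usr/bin/python3.11" subj=unconfined key="some.tag"
type=CWD msg=audit(1722356042.500:4590): cwd="/home/dev"
type=PATH msg=audit(1722356042.500:4590): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1722356042.500:4590): item=1 name="/etc/secret-file" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Parse one key=value audit record; quoted values lose their quotes."""
    rec = {}
    for k, v in FIELD_RE.findall(line):
        rec[k] = v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
    m = MSG_RE.search(line)
    if m:
        rec["_ts"], rec["_serial"] = float(m.group(1)), int(m.group(2))
    return rec


def decode_proctitle(value):
    """auditd hex-encodes proctitle; NUL bytes separate the argv entries."""
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return value  # already plain text (the quoted form)


def group_events(lines):
    """Group records of the same event (same audit serial) together."""
    events = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            rec = parse_record(line)
            if "_serial" in rec:
                events[rec["_serial"]].append(rec)
    return events


def find_honeypot_hits(lines, key=HONEYPOT_KEY):
    """Return one alert dict per event whose SYSCALL record carries `key`."""
    hits = []
    for serial, recs in sorted(group_events(lines).items()):
        sc = next((r for r in recs if r.get("type") == "SYSCALL" and r.get("key") == key), None)
        if sc is None:
            continue
        # Skip nametype=PARENT entries: those are directory lookups on the way to the file.
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and "name" in r and r.get("nametype") != "PARENT"]
        pt = next((r for r in recs if r.get("type") == "PROCTITLE"), None)
        hits.append({
            "serial": serial, "time": sc["_ts"], "auid": sc.get("auid"), "uid": sc.get("uid"),
            "pid": sc.get("pid"), "comm": sc.get("comm"), "exe": sc.get("exe"),
            "syscall": sc.get("syscall"), "success": sc.get("success") == "yes",
            "exit": sc.get("exit"), "paths": paths,
            "proctitle": decode_proctitle(pt["proctitle"]) if pt and "proctitle" in pt else None,
        })
    return hits


def format_alert(hit):
    """One-line alert suitable for a webhook or SIEM ingest."""
    outcome = "succeeded" if hit["success"] else "failed (exit=%s)" % hit["exit"]
    return "HONEYPOT %s: %s pid=%s auid=%s uid=%s syscall=%s %s on %s cmd=%r" % (
        hit["serial"], hit["exe"], hit["pid"], hit["auid"], hit["uid"], hit["syscall"],
        outcome, ",".join(hit["paths"]), hit["proctitle"])


if __name__ == "__main__":
    for h in find_honeypot_hits(SAMPLE_LOG.splitlines()):
        print(format_alert(h))
```

In practice feed it the output of `ausearch -k some.tag --raw` or a tail of the audit log. Note that the failed open by uid 1001 is still reported: the watch fires on the access attempt, not on success, which is the "triggers immediately" property the comment points out.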

  • by dredmorbius on 7/30/24, 11:27 AM

    The project documentation is ... slightly ... more useful to generate discussion, though it's pretty lacking in details:

    <https://docs.canarytokens.org/guide/>

  • by pjot on 7/30/24, 2:11 PM

    I’ve used this to see if my employer was spying on my email. They were.

  • by westpfelia on 7/30/24, 12:12 PM

    Been a big fan of CanaryTokens since it was just 3-4 different types.

    Super easy to configure via webhooks into a siem or any kind of alerting platform.

  • by dredmorbius on 7/30/24, 11:26 AM

    Previous discussion from 28 Dec 2022 (59 comments): <https://news.ycombinator.com/item?id=34157751>

  • by jesprenj on 7/30/24, 1:40 PM

    How do they detect MS Word docs being opened?

  • by declan_roberts on 7/30/24, 10:23 PM

    I don't understand how they can keep such a feature-rich service free forever?

  • by shortsunblack on 7/30/24, 10:31 PM

    I wonder whether eBPF allows for increased deception capabilities.