Canary Tokens

I managed to setup CanaryTokens for my Gmail and Yahoo accounts using the Web bugs feature and also for my hard-drive, by using the Windows Directory Browsing feature and spreading that folder across all my partitions.

However, I tried to setup an alert for my Dropbox and Google Drive, uploading a generated doc, pdf and folder, but no success, nothing is triggered, neither with DNS/HTTP nor with Browser Scanner selected.

P.S. 1: The .doc token only works with Microsoft Word, not OpenOffice, when on the hard-drive.

P.S. 2: The .pdf token does not work with Foxit Reader. Maybe Adobe Reader only?

It’s best to use the folder token, that will work for sure on Windows.

Correct yes on both accounts. The method of trigger is tied to little tricks in Word and Adobe that allow you to reach out. They have limitations which is why you want a few.

Using the email/web bugs token on Gmail or Yahoo, should the email I send to myself as a trap for hackers be left unread (Mark as Unread) or will the alarm be triggered if the email is in the Read state and someone accesses it. I tried testing this, but the results are not very consistent. Thanks!

It will be triggered when the image is loaded. If they are loaded will depend on the web mail. But generally on any viewing of an email for the first time, by a browser they are loaded. Read or unread won’t matter. But If the image is cached that can prevent your test. But that won’t effect a hacker.

Hi Nathan,
How do we review all of the canary tokens that we’ve created? Also, I’ve been testing some of mine (web link, image, .doc, .pdf) and sometimes they fire off an email, other times they do not.

Any thoughts?
John

You see them after you clock generate token under each token name.

Requests can be cached by the OS so are not made a second time.

Good to know. I will set up additional tokens and avoid testing so that the request isn’t cached next time around. Thanks!

Hi Nathan, I made a post this morning about a Canary Drop being triggered by what seems to be a Mountain View IP address. The file was placed in my Microsoft One Drive folder as part of a government drive. Any thoughts? [Solved] CanaryDrops trigger

Send me a pm with the alert link.

I thought I’d just post to an existing post about the topic.

I haven’t fully gone through the lectures where this was all explained in depth, but my question was can these Canaries be triggered even when the device is offline, and not connected to the internet??

Or say even mobile devices where it can be far or external hard drive where it is not connected anywhere wifi/internet, and no signal at all??

The tokens need to be Internet connected to trigger. To trigger it has to reach out to our server.

Hi! Brand new to the course btw.
I tested the Canary Tokens as recommended, and as it seems like a good detection setup if used correctly.
When testing I noticed a few flaws, (I’ll be the first to admit it might be user error tho)

Word - I did not get an E-mail until I enabled editing on the document it self, meaning that any info could be read without actually triggering the token. Not that there should be any sensitive info in that file, but it makes the token kind of useless?.

PDF - Adobe Reader DC actually asked if i wanted to block the trigger (i assume).
I’m paraphrasing the info box, but Adobe Reader basically asked if I wanted to allow the document to connect to a web page.

Am I failing here, or are there some updates to office and Adobe that basically neuters the trigger?

The tokens are triggered in different ways depending on the version of the application and the settings. Tokens are not perfect. They are just a layer of defence. The webug will work every time though.

1 Like

Hi Nathan, ive tried on two seperate computers connected to the internet, still havent received any alerts. Can the files be modified or do they need to be preserved with their original filenames?

What would be the juiciest sort of fake info hackers would be targetting to put into them?

Cheers!

Does a webug not work? It should.

Juicy info here https://www.stationx.net/canarytokens/

ive tried different PC’s and still no alerts. Do I need office or the right programs to open them? Ill keep at it to make sure

Does a webug work?

The Word bug only works on Word. The PDF on Adobe.

1 Like

Yes, the web bug url triggered an instant alert

I also found the thinkst free canary site, which may be worth looking at

what about on a MAC using Firefox and DuckDuckGo? I don’t have Word on this machine.

Nice to meet you Nathan! I am a total beginner to cyber security and I just purchased your complete cyber security course vol. 1-4. Just finished the clip about Canary Tokens and tried using my email accounts… I dont quite understand the part about how an image can trigger the alert, do you mean whenever a hacker loads my email containing the image, the alert will be triggered? No matter he clicks on my “website trap” or not

BTW, really like your course! it is so comprehensive and fun to learn!

Thank you!