We have (finally) added the non-macro Microsoft Excel Canarytoken. This allows you to drop an MS-Excel file that will create an alert when opened (without the user needing to enable macros).
We work hard to make sure that Canaries are not trivially compromisable, but it's important to know if they ever are. We now surface local integrity alerts to the Console to let you know if something that shouldn't ever happen happened.
Along with our usual platforms receiving a host of features and improvements, this is also our first full release that includes Docker Canaries!
We've added a new fake service, Windows Remote Management! WinRM is Microsoft's implementation of the WS-Management Protocol (WSMan), and allows server admins to easily manage servers and devices on their networks. It's a juicy target for attackers, and one that will fit nicely into your current Bird offering.
Along with our previous update which included some new Oracle personalities, we added a new VMWare ESXi personality, extending your ability to mimic your virtual environments.
Custom TCP Services now support arbitrary binary banners. It's a small change, but allows you greater control over what your Canaries can fake. Easily emulate some Nmap custom service profiles, or uncommon services, all from the comfort of a Custom TCP service on your Canary.
There's been a bunch of work done around joining your Birds to Active Directory: fixes so that RDP and Windows Fileshare connections are reported correctly when hostnames are used, improved Domain join timeout handling on complex networks, and better handling of the Computer OS attribute and SPN records. Overall, your Birds are going to play more nicely with AD, which means they'll be working better for you.
For those of you who (rarely) need to boot your Hardware Bird to Bluetooth config mode, you no longer need to awkwardly unplug the power, plug it back in, and hold down the LED. You can now simply take a live bird, hold down the LED for a few seconds, wait for the confirmation lights and press the LED to confirm. It'll reboot and automatically switch to config mode, allowing you easy access to the local config page, great for Hardware birds sitting in remote locations that require small network tweaks!
HTTP service alerts get a non-insignificant update that allows them to report HTTP headers along with existing alerting mechanisms. Great for digging into useful headers such as X-Forwarded-For which may include the real source IP of the machine connecting to your bird from behind a proxy or load balancer.
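As an added example (not Canary's own code), the following shows how an alert consumer can pull the client chain out of a reported X-Forwarded-For header. The header is written by whatever sits in front of the bird, so an attacker who connects directly can put anything in it; the code keeps the observed TCP peer as the trusted field and records the forwarded chain separately as unverified. The header dictionary and addresses are constructed for the example.

```python
"""Extract proxy-forwarded client addresses from the headers reported in an
HTTP-service alert. Added example; not part of Canary."""
import ipaddress

# Constructed sample: headers as they might be reported on an HTTP alert.
SAMPLE_HEADERS = {
    "Host": "intranet-fileserver",
    "User-Agent": "Mozilla/5.0",
    "X-Forwarded-For": "10.20.30.40, 192.0.2.7",
}


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_forwarded_for(value):
    """Split an X-Forwarded-For value into a list of syntactically valid IPs.

    Anything that is not an IP address is dropped: the header is attacker
    controllable, so it must be treated as untrusted input, never as a
    source of truth.
    """
    addrs = []
    for item in value.split(","):
        item = item.strip()
        try:
            addrs.append(str(ipaddress.ip_address(item)))
        except ValueError:
            continue
    return addrs


def enrich_alert(src_ip, headers):
    """Build an alert record from the observed TCP peer plus the forwarded chain.

    src_ip is what the bird actually saw on the socket and is the only field
    here that cannot be forged by the connecting party. In the chain, the
    left-most entry is the client as claimed by the first proxy; the
    right-most entry was appended by the proxy nearest the bird and is the
    most reliable hop.
    """
    chain = parse_forwarded_for(_header(headers, "X-Forwarded-For"))
    return {
        "src_ip": src_ip,
        "forwarded_chain": chain,
        "claimed_client": chain[0] if chain else None,
        "nearest_proxy_hop": chain[-1] if chain else None,
    }


if __name__ == "__main__":
    print(enrich_alert("198.51.100.9", SAMPLE_HEADERS))
```

When the chain is empty (no proxy in the path, or a direct connection from the attacker), the alert falls back to the socket peer, which is the value a responder should act on first.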
This release is currently available on all new Canaries, which means newly launched Virtual, Cloud, or Docker Canaries will be on the new version, and newly purchased Hardware birds will ship with the new version. Updates are currently being built and tested, and will be pushed to all live birds once they're ready.
We've done a lot of work to make sure that Canaries are still dead simple to use. We can't wait for you to take it for a spin!
This Canary release sees a number of new features and improvements arrive simultaneously on all Canary platforms.
Two arrivals are new services: We brought back the Canary RDP service! It supports the RDP negotiation, TLS and NLA (Network Level Authentication - NTLMv2) auth, so Canaries will catch RDP lateral movement without being easily fingerprinted. The second arrival is the ever-attractive MongoDB. Which attacker can resist rifling through an unauthenticated NoSQL document DB? As you'd expect, Canaries will sound the alarm at such intrusion.
There's a slew of new personalities arriving for systems that regularly show up in breach notices like Splunk and Kibana for those juicy internal log databases and Jenkins, because everyone loves CI and that includes attackers. There's also personalities for networking appliances like SonicWall, Citrix, Big-IP and Checkpoint as they help us - and attackers - get around our networks.
For building your own personalities, the custom webroots for the Canary web server now offer fine-grained control (like custom headers and cookies) on every page.
On the configuration side: we've updated the Canary's look and feel to match the shiny new UI on your Console. This comes with an improved pairing process (when adding birds to a Console) which allows adding birds directly to a flock.
More versatile connectivity options are available for Canaries. They now support DNS over HTTPS and when using DHCP, custom DNS servers can be set.
When joining Canaries to Active Directory there are a bunch of improvements, including setting appropriate SPN records and a configuration option to specify your own Time Server.
V3 is currently available on new Canaries. This means spinning up new virtual or cloud canaries (or newly purchased hardware birds) will be on the shiny new version. Updates are currently rolling out for all existing birds.
We've done a lot of work to make sure that Canaries are still dead simple to use. We can't wait for you to take it for a spin!
The new WireGuard Canarytoken allows you to add a “fake” WireGuard VPN endpoint on your device in seconds. If your device is compromised, a knowledgeable attacker is likely to enumerate VPN configurations and try to connect to them. Our Canarytoken means that if this happens, you receive an alert. This can be useful at moments like national border crossings when devices can be seized and inspected out of sight.
We now have a Gmail (mass) Canarytoken. With a few clicks, you can stash a juicy, editable email in every mailbox in your Gsuite organisation. Attackers snooping around victim mailboxes are bound to trip over them and reveal their presence.
Some alerts will now include annotations if we are able to deduce that more context is available than meets the eye. This allows you to make smarter decisions based on the alert.
Support HTTPS sites in the Cloned Website Token
The Cloned Website Canarytoken (which is really useful!) now supports HTTPS based websites too. Begone “Mixed Content” warnings!
AWS have finally hardened their AWS meta-data service, so we are retiring our Apeeper token. So long Apeeper... You served us well. (“And now his watch is over”)
Users of our new “Flocks Console” who are also signed up for Critical Research's “Rumble” service can now look up IPs with a click of a button.
Office365 Token Refinement
A few clicks and you can create a tokened email in every O365 mailbox in your company. The mail is hidden from regular view, but shows up when a nosy attacker is snooping for keywords.
Updated the Birding Guide
We've updated our Birding Guide (which includes sample deployments and light inspiration for Canary configurations). The guide now includes an entire section on Canarytokens and, as always, can be downloaded here.
Add SAML support for SSO
(Finally) You can now enable SAML support for your Console! Contact us to make it happen and you too can log in to your Console using the SSO provider of your choice.
New AWS EC2 Canary with the 2.3 features
AWS Canaries have now been upgraded to include the latest 2.3 goodness!
Google Pub/Sub notifications
Canary alerts have been email and SMS based since day-1. We then added an API, webhooks and Syslog so you could get alerts into your other tools trivially. We've now added support for Google Pub/Sub too.
Refreshed API documentation
We know how important having a friendly API (and accompanying documentation) is for customers. With this in mind, we've given ours a bit of a make-over. Head on over to the docs and take a look (we think you'll like it!)
(If nothing else, we now support “dark-mode” too!)
Slack API Key token
Everybody loves Slack, but what could an attacker do if she had access to your Slack API key? (Turns out, quite a bit!). So we tokened it! Generate a few dozen Slack API keys and leave them lying around. Attackers who find them, try them, and almost immediately announce their presence.
Azure Canaries now join the cough flock of birds you are able to deploy. Like their hardware, VMWare, AWS and GCP brethren, they set up in minutes and “just work”.
Want to drop Canaries on your Hyper-V network? We've got you covered. Hyper-V Canaries means that all your favourite personalities are now just 3 minutes and a few key presses away.
Support running a user script on boot of a Cloud Canaries
Cloud Canaries now support running a custom user script at boot. This allows for a bunch of configuration and customisation needed by some of our bigger customers.
Rollout a new Knowledge Base
We've transitioned our knowledge-base over to ZenDesk. We've used the opportunity to refresh a bunch of docs, so it's not just a pretty face. Check it out at help.canary.tools
Now you can choose from a Hirschmann RS20 Industrial Switch; a Canon IR 2525 multifunction printer; a Cisco VoIP Phone 7975G; a CentOS7 server; Windows Server 2016 or an Integrated Dell Remote Access Controller.
More robust AD joining
Behind the scenes, Active Directory joining now works on domains with dynamic DNS updates disabled and networks with slower DNS resolution.
Improved Windows File Share fingerprinting evasion
Windows File Share now evades several SMB fingerprinting techniques and blocks SID user enumeration.
Rollback from misconfigured MAC addresses
Canaries normally recover and roll back from bad networking settings pushed to them. They now also recover from a MAC address change that knocks the bird offline.
Improved Windows File Share handling
Improved file share handling means that Windows clients which pin share files to Quick Access will no longer trigger unexpected alerts on the Windows File Share.
Alert on Windows File Share auth
The Windows File Share now supports "Alert on Auth" as a feature. This allows you to receive an alert before an attacker actually grabs files from your share (if you want to).
HTTP Scan Incident added
You will now receive alerts when your Canary's web server is being scanned.
Added local security tweaks
Improvements were made to the Canary sandbox and local security mechanisms.
Guest Access for Windows File Share
The Windows File Share module now allows you to enable or disable guest access when your bird is joined to an Active Directory domain. If you are interested in learning why, head over to our KB item.
Windows File Share Remote Upload
Mass upload files to your Canary's Windows File Share from your Canary Console. This allows you to create more complex and interesting file trees to ensure that your Windows File Share is juicy and irresistible. Read how over at our KB item.
Custom Webroots may now be uploaded remotely
Upload custom webroots from the comfort of your Canary Console. (These will even support form based alerting!) Head over to our KB item and get uploading!
Custom HTTP/HTTPS headers
Set custom headers for both the HTTP and HTTPS modules. This allows all responses from either service to include your custom headers. You can read more about it over at our KB item.
Configurable TLS cipher suites
The HTTPS webserver module now allows for configurable TLS cipher suites. Simply send us the desired cipher suites and we will make it happen. Drop us a note over here.
With the strategic partnership formed between Atlassian and Slack and their decision to discontinue HipChat, we have decided to also take the steps to remove HipChat integration from consoles to help our customers with a smooth and timely transition. For consoles with working HipChat integrations, we will continue to support the configuration option and functionality, but by default this configuration will no longer be available. For more details on the deprecation of HipChat integration, you can head over to our KB item.
Improved Slack alerting
We've beefed up our Slack alerts to allow you to directly Acknowledge and Delete alerts from your Slack channels. Read all about it here.
Multiple generic webhooks
Do you make use of the generic webhook to get data into your application and want another? Cool! Just like with Slack and MS Teams, you can now enable multiple Generic webhooks in your console. (This is super useful for users who are building automation on top of Canary Alerts). For more details on how to set up your generic webhooks, you can head over to our KB item.
Canaries (now that they are deployed all over the planet) have a great view of whether specific alerts are actually useful. Despite our initial intuition, they have been unanimous about the SNMP service: it offers little value in detecting breaches (and crowds out real alerts). Unlike the star services (like Windows File Share 😍) SNMP failed to live up to the promise we thought it had at the beginning. We pride ourselves in our signal to noise ratio (above almost anything else) so we'll begin deprecating and disabling the Canary SNMP service for all customers from the 24 September 2018. For those rare quiet networks where it's useful, get in touch, and we'll keep it enabled. More details are here.
Password masking in alert notifications
Passwords used to probe your Canary are handy (paired with usernames) to know if an attacker has stolen real credentials. Those passwords should of course be reset promptly, but Canary Consoles now mask passwords in alert notifications to minimise possibly leaving useful information lying around. Passwords from incidents can still be viewed on your Console.
Microsoft Teams Webhook
Want to get your Canary alerts straight into your Microsoft Teams workspaces? We've got your back! We've added Microsoft Teams to our growing pile of webhook options (it joins Slack and the generic webhook)! For more details, you can head over to our KB item.
It is now possible to manage users manually. Add/remove users to your heart's content! Other options available are disabling a user and forcing a user to use 2FA. For more details, you can head over to our KB item.
Virtual Canary 2.1.2
Customers who use Virtual Canary can now look forward to having all the benefits of the Canary 2.1.1 Hardware devices. The main attraction of this is the ability to remotely join your Virtual Canaries to your Active Directory. This can be easily achieved by taking a look at our Remote AD Join KB item.
Other new features include a new HTTP update channel, automatic DNS adjustments, network config rollback on errors, new OS personalities, plus a bunch of tweaks and fixes.
For setup instructions, take a look at our step by step guide which includes steps for using an OVA or VMX image.
Mail actions in Gmail and Google Inbox
Users of Gmail and Google Inbox's web mail UI will now see an action button on their Canary alert mails called "Jump to incident". Click it to go directly to the incident details in your console.
Remote AD Join
Added the ability to remotely join your birds to an Active Directory Domain.
Specify Domain Controller
For those very specific cases where it is needed, you can now specify a preferred Domain Controller to use when joining an Active Directory domain.
Keep-Alive TCP listeners
Custom TCP services now have the ability to be marked as long-lived connections. This lets you send through a secret string that tells the service to keep the connection alive, allowing you to leave more crumbs that point to your bird.
Windows 2003 personality
Added a Windows 2003 personality.
Windows 2007 personality
Added a Windows 2007 personality.
IBM z/OS personality
Added an IBM z/OS personality.
FIN scan detection
The portscan module was behaving erratically on FIN scans. This is now covered (so you will detect attackers from the 90's again).
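To make the detection side concrete, here is an added example (not the Canary portscan module) of how a listener can tell a FIN-scan probe apart from the FIN that ends a normal connection: a segment carrying only the FIN flag on a 4-tuple for which no handshake was ever seen is a probe, while a FIN on a connection that started with a SYN is an ordinary close. The segment records and addresses are constructed for the example.

```python
"""Detect FIN-only probes against ports that never saw a handshake.
Added example; not Canary's own portscan code."""
from collections import defaultdict

# Constructed sample: TCP segments as a listener might log them.
# flags: S=SYN, A=ACK, F=FIN, R=RST.
SAMPLE_SEGMENTS = [
    # A normal connection to 445: SYN, data ACKs, then a graceful FIN/ACK close.
    {"src": "10.0.0.7", "sport": 40001, "dport": 445, "flags": {"S"}},
    {"src": "10.0.0.7", "sport": 40001, "dport": 445, "flags": {"A"}},
    {"src": "10.0.0.7", "sport": 40001, "dport": 445, "flags": {"F", "A"}},
    # Bare FIN segments on tuples that never had a SYN: classic FIN scan.
    {"src": "10.0.0.66", "sport": 51000, "dport": 22, "flags": {"F"}},
    {"src": "10.0.0.66", "sport": 51001, "dport": 80, "flags": {"F"}},
    {"src": "10.0.0.66", "sport": 51002, "dport": 443, "flags": {"F"}},
]


def detect_fin_probes(segments, established=frozenset()):
    """Return the segments that are FIN-only probes on unknown connections.

    `established` may seed the set of (src, sport, dport) tuples already
    known to have completed a handshake (e.g. from an existing state table).
    """
    known = set(established)
    probes = []
    for seg in segments:
        key = (seg["src"], seg["sport"], seg["dport"])
        if "S" in seg["flags"]:
            # A SYN starts a real connection; later FINs on this tuple are normal.
            known.add(key)
            continue
        if seg["flags"] == {"F"} and key not in known:
            probes.append(seg)
    return probes


def summarise_fin_scans(probes, min_ports=3):
    """Group probes by source and report sources that touched >= min_ports ports."""
    ports_by_src = defaultdict(set)
    for seg in probes:
        ports_by_src[seg["src"]].add(seg["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    print(summarise_fin_scans(detect_fin_probes(SAMPLE_SEGMENTS)))
```

The `min_ports` threshold keeps a single stray FIN (a retransmission after the listener forgot the connection, for instance) from being reported as a scan; tune it to the noise level of the segment the bird sits on.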
Improved connection TTL handling
We now modify the TTL of active connections to correctly match the personality of the bird, making it even harder to fingerprint a Canary.
Recovery via Rollback
Added rollback functionality to birds which will allow them to revert to previous working settings if you accidentally push a broken network configuration to them.
New Update Highway
Updated the update channel, allowing for future patches to be pulled via HTTP or DNS both remotely and locally.
Automagic DNS Doctor
Improvements to the communication channel, catering for networks that don't play nicely with longer DNS query lengths. Our new DNS doctor will prescribe the optimum DNS query length.
OS X Personality added (finally!)
Canary v2.1 ships with a brand new MacOS X personality. This personality includes exactly what you would expect: a Mac OS X IP Stack fingerprint, a file share, an Apple MAC address and other preselected services to make it look legit.
Canary v2 ships with awesome new hardware. It's faster, it's more reliable and it's so pretty you'll almost not want to send it to your data centre.
Canarytokens allow you to create mini tripwires in 3rd party sites or applications (In fact you can use them all over the place!). This version brings you your own, customisable token server. Get alerts when your sites are cloned, documents are viewed or directories are browsed!
We have a bunch of new “fake” services with something for everyone: ICS fans get Modbus. Developers get GIT repositories and lovers of NoSQL get a safe implementation of our favourite key/value store (Redis!).
New OS personalities
This release brings a bunch of new personalities, including Windows XP and Rockwell. It's all in there, and all deployable with just a few clicks!
Web Servers now have lots of options. JBoss, VMWare, Sharepoint and a host of friends. If you feel like it, now you can even upload your own document root (or trivially wrap your service in SSL)!
Windows FileShare enhancements
The Windows file share service is now much nicer to use, with an improved Explorer-like interface that supports nested files and directories.
Canary cloaking allows your Canary to be completely invisible to port-scanners and asset inventory systems. This makes the fakery more complete and has a local segment NMAP looking more believable than ever!
We've added new OS Personalities to Canary. Deploy convincing and interactive Cisco routers, Dell switches, Windows or Linux servers (with a host of different services), in the standard 4-minute setup time you've come to expect.
Choosing an OS Personality will now automatically prepare your Canary with an appropriate MAC address. This makes the fakery more complete and has a local segment NMAP looking more believable than ever!
Canaries aren't supposed to generate lots of notifications, but what happens if there's a sudden flood of them? (Or if you only check your alerts after a horrible week?) Figuring out exactly what happened from a list of events can be sub-optimal. To help with this, your console now has a handy graph-view. Clicking on the graph-view icon maps out the activity visually. Graph view is fully interactive, allowing an easy way to mass-delete events (but also just makes it trivial to spot what's going on).
Alert pruning allows mass deletion of alerts that have accumulated on your console over time. If alerts go above a certain threshold (and have been present for a while on your console) the “Alert Pruning” option will pop up to allow you to quickly delete older events.
IP Address and port whitelisting
Known systems like vulnerability scanners, asset management / inventory servers or an SCCM service can easily be added to a whitelist to ensure that they don't set off alerts when interacting with Canary. In order to ignore alerts from specific IP addresses, ranges or ports, simply add them to the “Ignore these IPs and ports” list on your settings page.
SNMP OID whitelisting
Similar to IP address whitelisting, specific SNMP Object Identifiers (OID) can also be ignored. This is done by adding the SNMP OID to the whitelist on your settings page. Once enabled, SNMP OID whitelisting follows the same format as the IP address and port whitelisting.
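The two ignore lists above (IPs and ports, and SNMP OIDs) behave the same way, so one added example covers both. This is not Canary's implementation and the entry syntax is an assumption made here: an IPv4 address or CIDR range, optionally followed by `:port`, and an OID prefix that ignores itself and everything beneath it. The sample entries and events are constructed.

```python
"""Suppress alerts from known-good sources: IP/CIDR (+ optional port) entries
and SNMP OID prefixes. Added example; not Canary's own code."""
import ipaddress

# Constructed sample ignore-list entries (syntax assumed for this example).
SAMPLE_IP_ENTRIES = ["10.1.1.0/24", "10.2.0.3:161"]
SAMPLE_OID_ENTRIES = ["1.3.6.1.2.1.1"]  # the SNMPv2 system subtree

# Constructed sample events as a console might receive them.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.10", "dst_port": 445, "note": "vuln scanner"},
    {"src_ip": "10.1.1.10", "dst_port": 22, "note": "vuln scanner"},
    {"src_ip": "10.9.9.9", "dst_port": 445, "note": "unknown host"},
    {"src_ip": "10.2.0.3", "dst_port": 161, "note": "monitoring poller"},
]


class IgnoreList:
    def __init__(self, ip_entries, oid_entries):
        self.networks = []  # list of (ip_network, port or None)
        for entry in ip_entries:
            # IPv4 only in this example: the first ':' separates an optional port.
            addr, _, port = entry.partition(":")
            net = ipaddress.ip_network(addr, strict=False)
            self.networks.append((net, int(port) if port else None))
        self.oids = tuple(oid_entries)

    def ignores_connection(self, src_ip, dst_port):
        """True if the source (and, when given, the port) is whitelisted."""
        ip = ipaddress.ip_address(src_ip)
        for net, port in self.networks:
            if ip in net and (port is None or port == dst_port):
                return True
        return False

    def ignores_oid(self, oid):
        """True if the OID equals a listed prefix or lies beneath it.

        The trailing '.' matters: prefix 1.3.6.1.2.1.1 must not swallow
        1.3.6.1.2.1.10, which is a different subtree.
        """
        return any(oid == p or oid.startswith(p + ".") for p in self.oids)


def filter_events(events, ignore):
    """Return only the events that should still raise an alert."""
    return [e for e in events
            if not ignore.ignores_connection(e["src_ip"], e["dst_port"])]


if __name__ == "__main__":
    ignore = IgnoreList(SAMPLE_IP_ENTRIES, SAMPLE_OID_ENTRIES)
    for event in filter_events(SAMPLE_EVENTS, ignore):
        print("ALERT", event)
```

Note that an entry without a port silences every port for that range, so it is worth keeping ranges tight: a scanner's /32 rather than its whole subnet, or the single port a poller actually uses.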
Now your Canaries can be managed from your console. Whether applying a completely new personality or making subtle changes to the device, you can do it from the comfort of your console! Simply click on your Canary, and then select the “Remote management” option available on each Canary. You will be able to configure your Canary settings exactly as if you were connected directly to it!
Port scan consolidation
Apparent port scan activity is common on noisy networks. In order to avoid bothering you with several Port Scan notifications, we've added functionality to roll-up multiple port scan alerts and present them as a single consolidated alert.
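As an added example (not the Canary roll-up code), the function below takes individual connection-attempt events and rolls those from one source that touch several ports within a time window into a single consolidated alert, leaving isolated connections as ordinary single-connection alerts. The window and port threshold are assumptions chosen for the example, and the sample events are constructed.

```python
"""Roll up per-port connection events into one Port Scan alert per source
and window. Added example; not Canary's own code."""
from collections import defaultdict

# Constructed sample: (timestamp_seconds, src_ip, dst_port).
# 10.0.0.5 walks ports 20-29 in ten seconds; 10.0.0.9 touches 445 once.
SAMPLE_EVENTS = [(100 + i, "10.0.0.5", 20 + i) for i in range(10)]
SAMPLE_EVENTS.append((105, "10.0.0.9", 445))


def _emit(src, bucket, min_ports):
    """Turn one source's bucket of (ts, port) hits into alert records."""
    ports = sorted({port for _, port in bucket})
    if len(ports) >= min_ports:
        return [{"type": "Port Scan", "src_ip": src, "ports": ports,
                 "count": len(bucket), "first_seen": bucket[0][0],
                 "last_seen": bucket[-1][0]}]
    return [{"type": "Connection", "src_ip": src, "port": port, "ts": ts}
            for ts, port in bucket]


def consolidate_port_scans(events, window=60, min_ports=5):
    """Group events by source, split each source's hits into windows of
    `window` seconds measured from the first hit in the window, and emit a
    single Port Scan alert for any window touching >= min_ports ports."""
    per_src = defaultdict(list)
    for ts, src, port in events:
        per_src[src].append((ts, port))

    alerts = []
    for src, hits in per_src.items():
        hits.sort()
        bucket = []
        for ts, port in hits:
            if bucket and ts - bucket[0][0] > window:
                alerts.extend(_emit(src, bucket, min_ports))
                bucket = []
            bucket.append((ts, port))
        if bucket:
            alerts.extend(_emit(src, bucket, min_ports))
    return alerts


if __name__ == "__main__":
    for alert in consolidate_port_scans(SAMPLE_EVENTS):
        print(alert)
```

The consolidated record keeps the full port list and first/last timestamps, so the roll-up loses no forensic detail; it only changes how many notifications a slow sweep generates.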
Canary notifications can be sent as text messages (or SMS, depending on your dialect) directly to your mobile phone. In order to receive alerts via SMS, you must add your mobile number to the “SMS notifications” field on your settings page. Make sure to enter your country code! You will then receive an SMS notification indicating that you've been successfully set up. Now, when an alert is triggered on your Canary, a notification will be sent to your mobile number.
Canary is a continually evolving product, and new features, fixes and improvements get rolled out frequently. Catch up with our updates here.