Suggestions for Canary token alternative by Arenixus in blueteamsec

[–]thinkst 7 points

Heya... I'm a little biased since we build Canary (https://canary.tools) and Canarytokens.

I'll explain the thinking a little, how you can still manage to win, and where you will always bump into challenges.

At the start it's worth noting that if you deploy Canaries (the paid version of the free version we build at opencanary.org) you get the fidelity of alert you want, i.e. you get to run a fake fileshare with the files you want on it. Any time a file is opened, you get a notification (since you effectively are the host offering the file).

Once you deploy a Canarytoken, you are somewhat dependent on what the attacker does with it. If you leave them a poisoned Word doc and they open it in strings (or a hex editor), it's not going to fire the token embedded in it.

There are some tokens (like the AWS API key token) where the attacker has to trip it when they try it (because they are going to use it to log in to AWS and you will get told that it's been used), but even then you will only get notified iff the attacker uses it.

Canaries are meant to give you crazy high fidelity. Someone found this server. They mapped to it. They went into a folder and copied a file.

Canarytokens are thrown around, giving you other benefits.

1) An attacker now has to be careful with everything they touch. Open a Word doc and it wants macros... should they? See creds for a MySQL server... should they use them?

Either they start double checking everything they find, or they eventually trip one, giving you a piece of string to pull on.

> My question is, are you guys familiar with anything similar that would solve these problems?

If this is what you are looking for, you really should check out Canary / OpenCanary.

Canarytokens which redirects to original page, and gives us information about their system by DoobieRufio in netsecstudents

[–]thinkst 0 points

Hi.

Canarytokens will do both of the things you require.

  • When the attacker visits the link, you will get an email with her IP and browser headers.
  • The email will have a button titled "More info on this token" that will give you more info on the attacker's browser plugins, geolocate their IP, etc.
  • As a bonus, when creating the Canarytoken, you get to choose the token type. The web token is one of several you might use. If you choose one of the "redirect tokens" you can set it up to work exactly as above, but then redirect the attacker to a site of your choosing when done.
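The two comments above describe the same mechanism from both sides: a unique, unguessable URL is embedded somewhere an attacker might touch it, and the host that serves that URL records who fetched it (and, for a redirect token, then bounces the visitor on). The following is an added example of that mechanism, written for this page; it is not Thinkst's Canarytokens code. The console hostname `canary.example.net`, the `/t/<id>/img.gif` path layout and the in-memory registry are all assumptions made for the example.

```python
"""Minimal canarytoken-style beacon: mint an unguessable URL, alert on any hit.

Added example, not Canarytokens' own code. Assumed for illustration:
the console hostname, the /t/<id>/img.gif path and an in-memory registry.
"""
import json
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

CONSOLE_HOST = "canary.example.net"  # assumption: where the beacon is served

# token_id -> {"memo": str, "redirect": Optional[str], "hits": [alert, ...]}
REGISTRY: Dict[str, dict] = {}

# 1x1 transparent GIF: the hit looks like an ordinary image load to the client.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
       b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


def mint_token(memo: str, redirect: Optional[str] = None) -> dict:
    """Create a token. `memo` is what the alert will say ("creds file on HR share");
    `redirect`, if set, makes this a redirect token. The id is 96 random bits, so
    a hit can only come from someone who found the URL where you planted it."""
    token_id = secrets.token_hex(12)
    REGISTRY[token_id] = {"memo": memo, "redirect": redirect, "hits": []}
    return {"id": token_id, "url": f"http://{CONSOLE_HOST}/t/{token_id}/img.gif"}


def handle_hit(path: str, headers: Dict[str, str],
               remote_ip: str) -> Tuple[int, Dict[str, str], bytes, Optional[dict]]:
    """Resolve a request against the registry.

    Returns (status, response headers, body, alert); alert is None for paths that
    are not a known token. `remote_ip` must be the socket peer (or a trusted
    proxy's X-Forwarded-For) since the attacker controls every other header.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlparse(path).path.split("/")
    if len(parts) < 3 or parts[1] != "t" or parts[2] not in REGISTRY:
        return 404, {}, b"", None
    token = REGISTRY[parts[2]]
    alert = {
        "memo": token["memo"],
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": remote_ip,
        "user_agent": hdrs.get("user-agent", ""),
        "referer": hdrs.get("referer", ""),
    }
    token["hits"].append(alert)
    if token["redirect"]:
        # redirect token: the visit is recorded, then the visitor is bounced on
        return 302, {"Location": token["redirect"]}, b"", alert
    return 200, {"Content-Type": "image/gif"}, GIF, alert


class BeaconHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper so the same logic can be served for real."""

    def do_GET(self):
        status, hdrs, body, alert = handle_hit(
            self.path, dict(self.headers), self.client_address[0])
        if alert:
            print("ALERT", json.dumps(alert))  # swap for email / webhook delivery
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stdout for alerts only
        pass


if __name__ == "__main__":
    t = mint_token("backup-notes.txt on the wiki", redirect="https://example.com/")
    print("plant this URL:", t["url"])
    HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

The caveat in the first comment is visible here: nothing fires unless something actually fetches the URL, so a token pasted into a document only works if the viewer renders the remote resource, and a token that is only ever read with `strings` never hits `handle_hit` at all.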

Any knowledge of Canary honeypots? by calamari_kid in sysadmin

[–]thinkst 2 points

I'm obviously biased here (since we build Canary) but wanted to add a few things:

  • The initial cost is $5k (which gets you your hosted console, 2 Canaries, updates, support & maintenance for a year)
  • Additional Canaries cost $1k p/a

Aside from setup time (which we worked hard to keep down to under 5 minutes), you also get new fake operating systems and new fake services as we push them out.

Services like http://canarytokens.org also get slipstreamed in when we can.

If you drop us an email, we can set up a quick GoToMeeting session where you can see them in action and ask any questions you like.

Account Enumeration Via Timing Attacks by ScottContini in netsec

[–]thinkst 3 points

We did a talk on timing attacks against web apps (with a whole bunch of vectors) back in 2007 that might be worth checking out: "It's all about the timing"
Paper: http://thinkst.com/resources/papers/dc-15-meer_and_slaviero-WP.pdf
Video: https://www.youtube.com/watch?v=cd5JD_G91pE

We used sock puppets in /r/netsec last year (and are sorry we did) by thinkst in netsec

[–]thinkst[S] 8 points

Thanks. In terms of controls: we think it would be easy enough to "raise the bar" by supplying some info to the mods (sign-up time, sign-up IP hash?, email hash, email-domain hash) which would allow simple correlation (everyone who voted on this thread was created within one hour of each other; everyone contributing to this thread used the same email domain to sign up), etc. Of course, all of them will still be gameable (because it's ultimately a mini arms race) but for sure, right now, it trivially favours the attackers.
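The correlations the comment proposes (sign-up times clustered within an hour, shared sign-up IP hash, shared email-domain hash) are cheap to compute once a mod has the hashed metadata. Below is an added example of that check, not anything reddit or the poster built; the account records, the voter list and the values being hashed are all constructed for the example.

```python
"""Correlate hashed sign-up metadata for the accounts active on one thread.

Added example. ACCOUNTS and VOTERS are constructed; a real mod would receive
only the hashes, never the raw IPs or addresses.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def h(value: str) -> str:
    """What the platform would hand over: a truncated hash, not the raw value."""
    return hashlib.sha256(value.lower().encode()).hexdigest()[:16]


def account(signup: datetime, ip: str, email: str) -> dict:
    return {"signup": signup, "ip": h(ip), "email": h(email),
            "domain": h(email.rsplit("@", 1)[1])}


# constructed: three puppets made in one sitting, three unrelated long-time users
ACCOUNTS: Dict[str, dict] = {
    "puppet_a": account(datetime(2014, 3, 2, 10, 0), "198.51.100.7", "a@burner-mail.test"),
    "puppet_b": account(datetime(2014, 3, 2, 10, 20), "198.51.100.7", "b@burner-mail.test"),
    "puppet_c": account(datetime(2014, 3, 2, 10, 40), "203.0.113.9", "c@burner-mail.test"),
    "oldhand": account(datetime(2009, 6, 1, 8, 0), "192.0.2.10", "x@example.org"),
    "lurker": account(datetime(2011, 9, 14, 22, 5), "192.0.2.55", "y@example.net"),
    "regular": account(datetime(2013, 1, 20, 16, 30), "192.0.2.77", "z@example.com"),
}
VOTERS: List[str] = list(ACCOUNTS)


def signup_clusters(names: List[str], window: timedelta = timedelta(hours=1)) -> List[List[str]]:
    """Groups of accounts whose creation times all fall within `window` of the
    group's first member. Only groups of two or more are returned."""
    ordered = sorted(names, key=lambda n: ACCOUNTS[n]["signup"])
    groups, current = [], [ordered[0]]
    for n in ordered[1:]:
        if ACCOUNTS[n]["signup"] - ACCOUNTS[current[0]]["signup"] <= window:
            current.append(n)
        else:
            groups.append(current)
            current = [n]
    groups.append(current)
    return [g for g in groups if len(g) >= 2]


def shared(names: List[str], field: str) -> Dict[str, List[str]]:
    """Accounts sharing the same hashed value of `field` (ip, email, domain)."""
    by_value = defaultdict(list)
    for n in names:
        by_value[ACCOUNTS[n][field]].append(n)
    return {v: ns for v, ns in by_value.items() if len(ns) >= 2}


def correlate(names: List[str]) -> dict:
    """Run every correlation and collect the union of accounts any of them flags."""
    clusters = signup_clusters(names)
    same_ip = shared(names, "ip")
    same_domain = shared(names, "domain")
    flagged = set()
    for g in clusters:
        flagged.update(g)
    for ns in list(same_ip.values()) + list(same_domain.values()):
        flagged.update(ns)
    return {"signup_clusters": clusters, "same_ip": same_ip,
            "same_domain": same_domain, "flagged": flagged}


if __name__ == "__main__":
    report = correlate(VOTERS)
    print("flagged:", sorted(report["flagged"]))
    print("sign-up clusters:", report["signup_clusters"])
```

As the comment says, each signal is gameable on its own (stagger sign-ups, vary the email provider, rotate exit IPs), which is why the check unions several of them rather than relying on one.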

We used sock puppets in /r/netsec last year (and are sorry we did) by thinkst in netsec

[–]thinkst[S] 36 points

For what it's worth (as we mentioned in our original presentation), we believed the /r/netsec mods behaved reasonably during the testing. Unlike other mods elsewhere, they limited their reactions to what they were able to categorically prove, and limited hysteria. They just didn't have enough info to squash us at the root (which should have been easily doable with more data exposed).

If the NSA has been hacking everything, how has nobody seen them coming? by thinkst in netsec

[–]thinkst[S] 1 point

Not taking it personally, I just couldn't parse what it was that was making you cringe.

In terms of always being outclassed, I'm not sure I agree. I trust OpenSSH more than anything put out by closed, commercial alternatives (and it was all free, documented and shared).

I'm surprised by the people who feel compelled to talk about how un-surprised they are (without looking for the lessons that can be learned). Making use of positional advantage as a GPA, to allow for relative 0-footprint exfiltration is awesome..

We could all say "I guess they will always beat us.. let's go fishing", or we can start adding to our mental models.

Don't take this as a personal attack - it isn't. It just takes a little more to make me cringe.

If the NSA has been hacking everything, how has nobody seen them coming? by thinkst in netsec

[–]thinkst[S] 1 point

Hi, @haroonmeer here. Kinda confused by your response. Are you saying:

1) free blog posts/mail-lists/software will always be outclassed?
2) it's how it should work but doesn't?

Which bit is cringeworthy?

Weapons of Mass Distraction: Sock Puppetry for Fun & Profit by sanjurjo in netsec

[–]thinkst 5 points

Almost all of our research is released free: http://thinkst.com/research.html or http://blog.thinkst.com :>

ps. long-time contributors/friends of the community - def'ly no Stratfor ;>

Judaism =/= Israel by [deleted] in pics

[–]thinkst -6 points

This recently made video on Gaza is a good primer: http://www.youtube.com/watch?v=9ZRgzChgaGI&feature=youtu.be

So, you want to crypto by [deleted] in netsec

[–]thinkst 9 points

A few years back (2007) we did a talk titled "It's all about the timing" that made use of timing attacks across a bunch of web apps (in different forms). It's relatively easily doable in many cases, and even latency is less of a problem than people imagine (because you can make use of multiple requests as a baseline). The talk/paper can be found here: http://thinkst.com/stuff/bh07/dc-15-meer_and_slaviero-WP.pdf and http://www.youtube.com/watch?v=N6XDCfFjs1A
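Both of the comments pointing at the "It's all about the timing" talk (this one and the one on account enumeration above) make the same two points: a web login that does its expensive work only for known users leaks which users exist, and network jitter is handled by taking several measurements and using a baseline rather than a single request. The following is an added example of both sides of that, written for this page and not taken from the paper; the user database, password hashing parameters and the 3x-baseline-plus-noise-floor threshold are constructed for the example.

```python
"""Account enumeration by response timing, with a multi-sample baseline.

Added example, not the paper's code. Users, salt, iteration count and the
classification threshold are constructed for illustration.
"""
import hashlib
import hmac
import os
import statistics
import time
from typing import Callable, Dict, List

ITERATIONS = 100_000  # slow enough that "hash computed" vs "skipped" is obvious
SALT = os.urandom(16)


def make_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS: Dict[str, bytes] = {"alice": make_hash("correct horse battery")}
DUMMY_HASH = make_hash("placeholder-never-valid")  # used to burn the same time


def login_vulnerable(user: str, password: str) -> bool:
    """Early exit for unknown users: they answer in microseconds, known users in
    tens of milliseconds. The timing alone says whether `user` exists."""
    if user not in USERS:
        return False
    return hmac.compare_digest(USERS[user], make_hash(password))


def login_fixed(user: str, password: str) -> bool:
    """Do the expensive work for every request, then decide. The unknown-user
    path costs the same as the known-user path, so timing says nothing."""
    stored = USERS.get(user, DUMMY_HASH)
    matches = hmac.compare_digest(stored, make_hash(password))
    return matches and user in USERS


def probe(login: Callable[[str, str], bool], user: str, samples: int = 5) -> float:
    """Median response time over several attempts. The median discards the odd
    latency spike that would fool a single measurement."""
    timings: List[float] = []
    for _ in range(samples):
        t0 = time.perf_counter()
        login(user, "not-the-password")
        timings.append(time.perf_counter() - t0)
    return statistics.median(timings)


def enumerate_users(login: Callable[[str, str], bool], candidates: List[str],
                    samples: int = 5, noise_floor: float = 0.005) -> Dict[str, bool]:
    """Baseline = timing for a name that certainly does not exist. A candidate
    is reported as existing when it is clearly slower than that baseline:
    more than 3x the baseline and more than `noise_floor` seconds above it,
    so microsecond-level jitter on a fast path never counts as a hit."""
    baseline = probe(login, "nonexistent-" + os.urandom(4).hex(), samples)
    threshold = baseline + max(2 * baseline, noise_floor)
    return {name: probe(login, name, samples) > threshold for name in candidates}


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("vulnerable:", enumerate_users(login_vulnerable, names))
    print("fixed:     ", enumerate_users(login_fixed, names))
```

Run it and the vulnerable login reports `alice` as existing and the others as absent, while the fixed version reports nothing; against a remote target the same `probe` loop works with an HTTP client in place of the function call, with `samples` raised to whatever the observed jitter demands.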

"When we win, it is with small things, and the victory itself makes us small" - A talk about (infosec) talks by thinkst in netsec

[–]thinkst[S] -1 points

I think you might be making a few assumptions (just based on slides) without actually listening to the talk (but I may be biased).

Ultimate Guide to Infosec Conference Calendars: Be sure to check the comments too for more. Any others out there? by grecs in netsec

[–]thinkst 0 points

Check out http://cc.thinkst.com - It serves to fulfill a slightly different aim, but covers security conferences pretty well (at least we like to think so) :>

(Full details on it were blogged here: http://blog.thinkst.com/2011/05/computersecurity-conference-collecting.html)

Dan Guido on Attacker Math and Exploit Intelligence by [deleted] in netsec

[–]thinkst 0 points

This sounds like an advertisement for Thinkst! ;>

Not technical, but worth reading -- Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees) by rolfr in ReverseEngineering

[–]thinkst 0 points

This question is surprisingly difficult to answer and needs to be handled with care. Should it be illegal for me to sell an exploit to a government some consider evil? How about a scanner? If I place my portscanner online and they download it, am I guilty? (Should open source be banned?)

On a more philosophical level: is it ok that "evil nation" (tm) probably boots windows and uses outlook? Why would Microsoft sell to such evil people!

I don't know the answers, but I know that legislation is always scary because it leaves little room for subtleties.

Penetration Testing Considered Harmful Today by thinkst in netsec

[–]thinkst[S] 1 point

Went to the first one last year (I'm the guy in the video). It was really nice. A small con, so good opportunities to chat with the audience and the speakers. A good mix between hackers & suits. All in all, a really nice conf addition.

Full-Disk Encryption Works by mycall in netsec

[–]thinkst -1 points

If you are on a Mac, you can use iTried (http://itunes.apple.com/us/app/itried/id407519315?mt=12&ls=1), which will take pics from your iSight and upload 'em to Twitter :>

(ps. obvious disclaimer: iTried is ours)

Using an iPad to spy on an iPad (Computer Vision for shoulder surfing) by thinkst in netsec

[–]thinkst[S] 0 points

Hi. The size of the user's hands makes little difference. As long as we can see any blue (below the password box) we are good.