More sources for news and dataleaks
20 October 2017
Your keywords are now used for monitoring more sources in the categories you have already specified. On top of that, we've also added more countries. The US, UK and Netherlands were already available, and Australia, Canada and Germany are new. The newsites we monitor are typically the biggest national newspapers and some local newspaper in big cities.
We've also scoured the internet for more copy-paste sites to monitor. If you're not sure why this is useful, read up on it at
haveibeenpwnd.com/pastes. There are sites that claim they will search 90+ datadumpsites for you. That is a bold claim, so we checked it.
A lot of the the 90+ copy-paste sites listed are dead links, have errors or have the domainname for sale. For those that do work there is no API or feed with recent posts available to search them. You can post a message and directly after posting you'll get a url linking to your post. If you don't share this url openly yourself, nobody will know about the post or de data you dumped in it. The 9 remaining sites that were useful are added to ShadowTrackr, but to be honest these are mostly sites to share code. In our experience spicy datadumps are rarely found on specific code sharing sites.
We have been monitoring 10 (from today this is 19) of the bigger pastesites for months now with keywords like "botnet". About 80% of the hits we get are from pastebin.com, which is by far the largest of the dumpsites if you look at both volume and the rate at which new posts appear. It's good to look around for changes in de dumpsite landscape every now and then, but at the moment the effort is unlikely to pay off and we better use the time for other items on the todo list.
If you do miss a newsite or dumpsite that you want us to monitor, or if you want to check if your favorite site is included, please contact
support.
Update
Well, that was stupid. According to our site stats there are more visitors from India and Ireland than from Canada. Newssites from those countries are now added too.
Why you will like Canary Tokens
17 October 2017
Ever heard of
Canary tokens? These are the digital equivalent of the canaries that were used to detect gas in coal mines. The coal mine canary dies of the gas before miners do and give the miners time to save themselves. Similarly, the canary tokens you plant in your systems can give you a heads up that a hacker is snooping around. This is typically in the reconnaissance fase and you might even have a chance to prevent lateral movement or exfiltration.
As with the real life canary, you can have a really low false positive rate. Given the huge amounts of false positives leading to "alert fatigue" in security teams this is really welcome. The trick of course is that you set up your canaries in such a way that no regular user is likely to trigger them. If you have a word document named "vulnerability report" in your home directory, nobody other than you should open it. And you of course no that opening this fake document sets of a trap and you leave it alone.
If you're using the same trick to find snoopers in group directories, you better make sure that everyone in the group knows about the trap. If you're exclusively looking for evil hackers and not for internal leaks you could also consider having the directory hidden from normal users.
There are lots of different types of canaries available: fake documents, URL, trigger, DNS triggers SQL Server triggers, AWS triggers and more. You can easily expand on these with any action that you can translate in one of the existing triggers. An example is the SQL Server trigger, where a certain SQL statement will cause the database server to do a DNS lookup that in turn triggers the trap.
You can easily setup a canary token on
canarytokens.org. The server running there seems to be running a bit behind on the
github project, and we're thinking of running an instance at ShadowTrackr.com or another domain that might be a bit less of a giveway for those that monitor dns traffic. You can use ShadowTrackr to turn the webhooks that canarytokens call into push messages on your phone and log them to have an audit trail for post mortems. See this
use case for an example.
How to monitor keywords
27 September 2017
Keyword monitoring needed improvement. Recently I was confronted with a possible dataleak and wanted to monitor a few specific names and phrases in the news.
The way it worked before was that the bots checked for the word with a space before or after it in the text on newsites and copy-pastesites:
if " "+keyword in text or keyword+" " in text:
While it does a reasonable job of not matching things like "blakeywordbla", it had way to much false positives. I needed more finetuning and ended up implementing literal matches, multiple keyword matches and negative keywords.
Literal matches: "the keyword"
It works just like people are used to in Google searches. The exact words need to be present in the order specified. It triggers on
"This is the keyword you are looking for", but not on
"this keyword is not the one you are looking for".
Multiple matches: the keyword
Both "the" and "keyword" need to be present in the text in order to trigger, but the order is not important. They can easily be sentences apart, like in:
"This keyword is what you want. The other words are ignored."
Negative matches: keyword -the
Again like in Google searches, any text with the word "keyword" in which "the" does not appear at all is a match. For example:
"The keyword is not enough" doesn't match, and
"Keyword matches are very useful for finding leaked data" does.
Of course you can mix all of the above. Do note that all keyword matches are case insensitive, and that news articles from the newsfeeds that we monitor trigger both on keyword matches in the headline and the text. Datadumpsites often don't have a title and matches are on keywords in the dump itself. Here are some keyword combinations to get your creativity started:
shadowtrackr leak -water
@shadowtrackr.com
shadowtrackr password
"Tracking your online footprint"
You can add them under
Assets in the sidemenu . Happy keyword hunting! And don't forget to set push notifications to get a heads up on those really bad days.