I keep a few canary accounts. Those are email accounts I never send from; I use them only to sign up to various sites. I started doing this so I could track which conferences sold their contact databases to spammers or marketers. On my ranum.com server, I set up forwarders that push most of the flood into my inbox, which uses Bayesian spam classifiers to sort out the gunk.
Typical morning, I get 800 or so new messages in my inbox, 740 or so of which go directly into the junk bin. Of the remainder there are usually a dozen or two that I actually read, and a few product alerts (“your new thingum needs new firmware!”).
This morning, I had a message in my inbox that was aimed at one of my canary accounts, and the sender was even nice enough to put the canary address in the Subject: line.
So that tells me that a certain very large social media site has leaked its email user database, which probably means its entire customer database is out there.
It’s probably Russian cyberspies up to their usual tricks: drop $1b in valuation of a great big publicly traded social media site and you’ve manipulated the US stock market!
If/when the news breaks, I get to say “I told you so.” That’s one of the few abiding satisfactions of working in information security.
This idea occurred to me a long time ago: if one were to set up a far-flung and organized set of canary accounts, it would be possible to determine who had leaked, and when. For example, I know “firstname.lastname@example.org” is now burned but what if I had three canaries on that big social media site? If I got hits on all three, I could be pretty sure the whole customer database had left the barn. Then, I suppose I could short their stock and wait a while before I contacted the media. Back in the day, I came up with a whole series of desktop stock market manipulation concepts that I am pretty sure would make money fairly reliably. Since I’m so fortunate as to be pretty employable, I can stick to the straight and narrow. For now.
The “Canary” technique is widely used in large-scale spam blocking. You set up canaries that are easily collected by grazer-bots looking for email addresses, and – when the canaries start getting messages – those messages are known to be spam because there’s no actual person who would ever receive them. The messages collected on the canaries are immediately backfed into the spam classification codex, the originating IPs get downrated, etc. Basically, it’s a spam honeypot.
Honeypots are a great tactical tool for security: a honeypot is a system whose value lies in being attacked or compromised. Between 1999 and 2002 or so, I used to teach a 3-day class for SANS with Lance Spitzner; I think we were personally responsible for the blossoming of entire sensor-webs of honeypots. I remember I was always surprised by how easy it is to get hackers to stumble into your prepared kill-zone: they’re very, very self-confident. That was when I interviewed one at a conference and discovered that the hackers never even contemplate the possibility that they’ll be detected: security is so bad that being detected (let alone personally identified) is generally not a concern.
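As an added illustration of the two ideas above (several canaries registered on one site, where hits on all of them mean the whole database is gone, and any mail reaching a canary being spam by definition), here is a small Python script that is not from the post; the canary addresses, site names and sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed canary registry (hypothetical addresses, not the post's):
# each canary was used to sign up to exactly one site, so mail reaching
# it tells you where that address leaked from.
CANARIES = {
    "c1.social@canary.example": "bigsocial",
    "c2.social@canary.example": "bigsocial",
    "c3.social@canary.example": "bigsocial",
    "c1.conf@canary.example": "someconference",
}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def canary_hits(raw):
    """Canary addresses a raw RFC 822 message touches, via To/Cc/Bcc or,
    as in the post, anywhere in the Subject. Non-empty means the message
    is spam: no real person would ever receive mail at a canary."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = set()
    hdrs = [str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h]]
    found.update(addr.lower() for _, addr in getaddresses(hdrs))
    found.update(a.lower() for a in ADDR_RE.findall(msg.get("Subject", "")))
    return {a for a in found if a in CANARIES}

def leak_report(messages):
    """Group hits by site. A site whose every canary has been hit is
    reported as a likely full-database leak, not one burned address."""
    hit_by_site = {}
    for raw in messages:
        for addr in canary_hits(raw):
            hit_by_site.setdefault(CANARIES[addr], set()).add(addr)
    report = {}
    for site, hits in hit_by_site.items():
        total = sum(1 for s in CANARIES.values() if s == site)
        verdict = "full database likely leaked" if len(hits) == total else "partial"
        report[site] = {"hits": sorted(hits), "total": total, "verdict": verdict}
    return report

# Constructed sample messages (not real spam).
SAMPLES = [
    "From: a@spam.example\nTo: c1.social@canary.example\nSubject: hi c1.social@canary.example\n\nbuy\n",
    "From: b@spam.example\nTo: me@ranum.example\nCc: c2.social@canary.example\nSubject: offer\n\nbuy\n",
    "From: c@spam.example\nTo: victim@example.org\nSubject: c3.social@canary.example you won\n\nbuy\n",
    "From: friend@example.net\nTo: me@ranum.example\nSubject: lunch?\n\nsee you\n",
]

if __name__ == "__main__":
    for site, r in leak_report(SAMPLES).items():
        print(site, r)
```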