James Stanley

How to find out if your data gets stolen (URL Canary)

Fri 23 March 2018

In February I started working on a new project called URL Canary. The premise is that it helps you create custom URLs that you can store next to your private data (database backups, git repositories, executive inboxes, etc.). Then, if your data gets compromised and the attacker makes the mistake of visiting your oh-so-enticingly-named URL, you'll receive an email alert, you'll know your data has been stolen, and you can take remedial measures.

I was intending to do a better job of most of the text on the site, and add an A/B testing framework, but I lost interest in it for a few weeks, and then went on holiday. Earlier this week I decided I may as well post it to Hacker News as-is and see what people think, rather than just let it rot away. It was surprisingly popular and the comments on HN were mostly positive. So I now have some renewed interest in the project.

There was some good feedback. Most important was that I need to make it clearer what the applications of the system are. (I've added a page listing some applications).

In the last 3 days, 242 different email addresses have successfully created a URL Canary, which is a lot more than I expected.

Bitcoin Canaries

CamTin's comment on Hacker News was particularly interesting:

You might think about embedding bounties in crypto blockchains. For example, create BTC wallets that can be unlocked using a secret sitting next to (or steganographically embedded in) the secret you're trying to protect. This gives the person uncovering the secret an incentive to activate the canary. [...]

The idea there is that instead of giving a URL that the attacker can visit and retrieve something that might be interesting, at risk of exposing himself, you deliberately give the attacker the private key to a Bitcoin wallet. As long as the amount of funds in the Bitcoin wallet is chosen in reasonable proportion to the value of data that would be stolen, the attacker should find it irresistible. You then receive an alert when your Bitcoin has been spent, and you know the data is compromised.

Choosing the amount of funds "in reasonable proportion" is key, however: an attacker might not bother claiming £50 if he's looking at plaintext passwords for all Skype accounts, but the same amount for a tiny web service that only has 5 users would probably be excessive.

This idea is interesting enough that I plan to implement it myself, and I wouldn't be surprised if others do the same. Ideally people would be able to choose the amount of money they want to send, pay with a debit card, and receive a private key to place next to their data, without having to know anything at all about Bitcoin. That flies a bit too close to "selling people Bitcoin for debit card payments" (and therefore onerous regulatory requirements) for me to be comfortable, so it'll probably have to be something worse. There's definitely an interesting idea there, though.

Other projects

I'm not the first to come up with the URL Canary idea. canarytokens.org appears to have been created in 2015. There's also Uri Teller, which I think is just a fantastic name, and appears to date from 2016.

Another related project is Breach Insider by Graham Stevens. The premise here is a bit different. Instead of providing a URL which the attacker visits, inadvertently giving himself away, Breach Insider creates unique email addresses which you can insert into your user accounts table. If a Breach Insider email address ever receives an email, you get an alert: it means your users table is compromised. Additionally, if the email address shows up on pastebin, you also get an alert as it means the same thing.

And in case it's not obvious: the name "canary" comes from "canary in a coal mine", which is a way to find out if the air in a mine is unsafe to breathe. If the canary suffocates, you know the air is not safe, and you can take remedial measures hopefully before coming to any harm.

If you like my blog, please consider subscribing to the RSS feed or the mailing list:
or follow me on Twitter.

James Stanley - james@incoherency.co.uk | jesblogfnk2boep4.onion | /ipns/jes.xxx/ | [rss]