- Quick, Free, Detection for the Masses


This is part 2 in a series of posts on our 2015 BlackHat talk, and covers our Canarytokens work.

You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.

Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even LinkedIn profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.


BlackHat 2015 - Bring back the HoneyPots

This year we gave a talk at BlackHat titled: Bring back the Honeypots. You can grab a quickly annotated version of the slides from [here]

As usual, we had waaaaaay more content than time (which should have been expected with about 142 slides and multiple demos) but we like to live dangerously.

The linked slides are annotated, so you should be able to gather the gist of our thoughts, but some of them (especially the demos) do require their own coverage. Over the next few days, we will aim to put out 3 quick posts to cover the three sections in the talk:

As always, shout if you have thoughts, questions or comments.

Introducing our newest creation: Thinkst Canary!

Today we are super proud to bring you our newest creation: Thinkst Canary. We have been working on it for months and it feels really good to finally have it out there. You can check it out at:

You can watch some of the thinking behind it here:

You can watch it in action here:

The videos were made with our early prototypes. The release birds are much much prettier!

We think it's insane that organizations that spent millions of dollars on cyber security took months (or years) to realize that they were breached. We think Canary fixes this elegantly and manages to do this at a super reasonable price-point. We have spent ages adding features, stripping features and making it a pleasure to use.

Even on super complex networks, it takes just 5 minutes to get up and running (with enough time to make yourself a cup of coffee). With such a low rate of effort, we believe everyone should be running Canary. Please drop us an email if you have any questions at all on it.

Troopers15 Keynote: The hard thing about hard things

We gave 2 talks at Troopers15 this year.

Marco & Azhar talked about Sockpuppets and Censorship 2.0.

And I gave a somewhat hand-wavy talk titled: "The hard thing about the hard things"

(Some pretty smart people seemed to like them, so it's probably worth a quick watch)

If the NSA has been hacking everything, how has nobody seen them coming?

As the Snowden leaks continue to dribble out, it has become increasingly obvious that most nations planning for "cyber-war" have been merely sharpening knives for what looks like an almighty gunfight. We have to ask ourselves a few tough questions, the biggest of which just might be:

"If the NSA was owning everything in sight (and by all accounts they have) then how is it that nobody ever spotted them?"


YABOTSB - Yet Another Blog on the Sony Breach?

The Internet lit up last week over the (very public) hack of Sony Pictures. There has been no shortage of commentary on the hack, from wild accusations involving evil-nation-states, to 0-day malware more complex than STUXNET.

We believe that in all this noise, it's easy to lose sight of some important lessons, and so tonight, we kicked out a ThinkstScapes Ad Hoc update on it.

This Ad Hoc issue is being made available free here:

If you aren't a ThinkstScapes subscriber, and want to be, let us know. We offer educational discounts and will be happy to oblige.
We (almost) always treasure feedback. Drop us a note if you have any.

Weapons of Mass Distraction: Sock Puppetry for Fun & Profit

We presented at Hack in the Box Malaysia last week on research we have been doing for the past while on Sock Puppetry.
We will post more details on the research in upcoming posts, but for now, you can grab a copy of the slides [here]

[edit] Coverage of the talk on Digital News Asia: "Censorship 2.0: Shadowy forces controlling online conversations"
[edit] Coverage of the talk on The Register: "Stop and Thinkst: Is that really the Most Popular story or did haxxors Bash it out?"