Showing posts from November, 2021

Building WireGate: A WireGuard front to detect compromised keys

Earlier this year we released our WireGuard Canarytoken. This allows you to add a “fake” WireGuard VPN endpoint on your device in seconds. The idea is that if your device is compromised, a knowledgeable attacker is likely to enumerate VPN configurations and try to connect to them. Our Canarytoken means that if this happens, you receive an alert. This can be useful at moments like national border crossings, when devices can be seized and inspected out of sight.

Using the WireGuard Canarytoken

If all you want is to scatter a million of these WireGuard VPN configs across all the devices you care about, there's no need to read further: they’re now freely available for anyone to grab! (Paying Canary customers will already have seen these on their private Canary Consoles.) But! If you’re interested in how we built these tokens and how they manage to work reliably and safely at scale, then this post is for you. Along the way we’ll cover some of our design choices and w

A Kubeconfig Canarytoken

Introducing the new Kubeconfig Canarytoken

A while back we asked: “What will an attacker do if they find an AWS API key on your server?” (We are pretty convinced they will try to use it, and when they do, you get a reliable message that badness is going on.) Last month we asked: “What will an attacker do if they find a large MySQLDump file on your machine?” (We think there’s a good chance they will load it into a temporary MySQL database, and when they do, you get a reliable message that badness is going on.) This month, a similar question comes to the container world: “What will an attacker do if they find a good-looking kubeconfig file on one of your servers?” If the answer is: “They will try to use it to access your Kubernetes cluster”, then again, you will receive a high-fidelity alert that badness is happening. This quick post presents our shiny new Kubeconfig Token (which emulates a kubeconfig file, the configuration text file that ordinarily contains credentials to interact with a Kube