This is the first post in a series highlighting bits from our recent BlackHat USA 2017 talk. An index of all the posts in the series is here. Introduction In this post we’ll be looking at ways to compromise your developers that you probably aren’t defending against, by exploiting the plugins in their editors. We will therefore be exploring Atom, Atom plugins, how they work and the security shortfalls they expose.Targeting developers seems like a good idea (targeting sysadmins is so 2014). …

[Update: jump to the end of the page for the series index] Late July found Haroon and I sweating buckets inside an 8th storey Las Vegas hotel room. Our perspiration was due not to the malevolent heat outside but to the 189 slides we were building for BlackHat 2017. Modifications to the slidedeck continued until just before the talk, and we’re now posting a link to the final deck. Spoiler alert: it’s at the bottom of this post. A few years …

Heres a quick, informal guide to deploying birds. It isn’t a Canary user guide and should: be a fun read; be broadly applicable. One of Canary’s core benefits is that they are quick to deploy (Under 5 minutes from the moment you unbox them) but this guide should seed some ideas for using them to maximum effect. Grab the Guide Here (No registration, No Tracking Link, No Unnecessary Drama) If you have thoughts, comments, or ideas, hit us back at …

Our MS Word and PDF tokens are a great way to see if anyone is snooping through your documents. One simply places the document in an enticing location and waits. If the document is opened, a notification (containing useful information about the viewer) is sent to you. Both MS Word tokens and PDF tokens work by embedding a link to a resource in the tokened document. When the document is opened an attempt to fetch the resource is made. This …

Introducing our Python API Wrapper With our shiny new Python API wrapper, managing your deployed Canaries has never been simpler. With just a few simple lines of code you’ll be able to sort and store incident data, reboot all of your devices, create Canarytokens, and much more (Building URLs correctly and parsing JSON strings is for the birds…). So, how do you get started? Firstly you’ll need to install our package. You can grab it from a number of places: …

We are sorry that this blog has been so quiet lately. Our Canary product took off like a rocket and we’ve had our heads down giving it our all. This month we released version-2 with a bunch of new features. You really should check it out. Since almost day one, customers have been asking for virtual Canaries.  We generally prefer doing one thing really well over doing multiple things “kinda ok”, so we held off virtualising Canary for a long …

We :heart: Slack. The elderly in our team were IRC die hards, but Slack even won them over (if for no other reason, for their awesome iOS changelogs).   Thanks to Slack integrations, its robust API and webhooks, we have data from all over filter into our Slack, from exception reporting to sales enquiries. If it’s something we need to know, we have it pushed through to Slack.   At the same time, our Canary product (which prides itself on …

As part of a talk at the ITWeb Security Summit last week, we discussed how to trigger email alerts when file signatures are validated with our Canarytokens project. Building on that alerting primitive, we can make signed executables that alert when run or signed Office documents that alert when opened.  Canarytokens is our exploration of light-weight ways to detect when something bad has happened on the inside a network. (It’s not at all concerned with leaks in that dubious non-existing …

“Communication flow in the TDS 4.2 protocol” [msdn] Our recent PyConZA talk had several examples of why Python is often an easy choice of language for us to quickly try things out. One example came from looking at network traffic of a client authenticating with Microsoft SQL Server (in order to simulate the server later). By default, we can’t see what the authentication protocol looks like on the wire because the traffic is encrypted. This post is a brief account …