Canaries and Cybersecurity

Anyone who’s heard me talk about cybersecurity for 5 or 10 minutes probably heard me say “you’ll eventually get hacked”. If companies with million dollar budgets can get hacked, any medium or small sized network can be penetrated. My tweet below roughly translates as: “In a world where the NSA gets hacked, they’ll easily get you dear SMB”.

Based on this understanding I’ve been spending most of my engagements on trying to uncover possible “cyber kill chain” paths in my customers’ networks so we can have the upper hand. Any hacker penetrating any network has to at least “look around” to find possibly useful information.

In short:

  • Someone will sooner or later hack into our systems and/or network
  • This “someone” will have to probe files for interesting bits of information
  • We need to discover this “someone” very quickly (e.g. before they’ve had time to steal anything)

This is exactly where the “Canarytoken” becomes useful. A canary token will allow us to be aware whenever someone touches a specific file. Alternatively, you could insert some unique values in your databases and configure whatever gateway solution you have (firewall, proxy, etc.) to alert on and block any packet that contains this value.
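The database variant described above, as an added example that is not part of the original post: a unique bait value is generated and seeded into a decoy credential row, then constructed proxy log lines are scanned for it and a gateway-style decision function decides whether a payload carrying the value should be dropped. Log format, field names and the `CNRY-` prefix are assumptions.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CanaryAlert:
    token: str
    source: str
    line: str


def generate_token(prefix: str = "CNRY") -> str:
    """Unique, high-entropy marker that will never collide with real data."""
    return f"{prefix}-{secrets.token_hex(8)}"


def seed_decoy_row(token: str) -> dict:
    """Fake credential row for a decoy table; the token is the bait value."""
    return {"username": "svc_legacy", "password": token, "note": "do not delete"}


def scan_lines(lines, tokens, source="proxy"):
    """Return one alert per log line that carries any seeded canary value."""
    pattern = re.compile("|".join(re.escape(t) for t in tokens))
    alerts = []
    for line in lines:
        match = pattern.search(line)
        if match:
            alerts.append(CanaryAlert(match.group(0), source, line.strip()))
    return alerts


def should_block(payload: bytes, tokens) -> bool:
    """Gateway decision: drop traffic whose body contains a canary value."""
    return any(t.encode() in payload for t in tokens)


# Constructed sample token and proxy log lines (not real traffic).
SAMPLE_TOKEN = "CNRY-0badc0ffee001234"
SAMPLE_LOG = [
    "2024-03-01T10:02:11Z GET http://intranet/wiki/home 200",
    "2024-03-01T10:02:45Z POST http://203.0.113.7/upload body=user=svc_legacy&pw=CNRY-0badc0ffee001234",
    "2024-03-01T10:03:02Z GET http://intranet/mail/inbox 200",
]

if __name__ == "__main__":
    print(seed_decoy_row(SAMPLE_TOKEN))
    for alert in scan_lines(SAMPLE_LOG, [SAMPLE_TOKEN]):
        print("ALERT:", alert)
```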

You can find a very easy and effective way to generate a canary token file at https://www.stationx.net/canarytokens/

StationX also provides comprehensive training in penetration testing, which is worth checking out.

Generating a canary token file and saving it on the desktop of a Windows server with the name “passwords.doc” could be the ultimate hacker clickbait.

Below are the steps that allow you to create your own “hacker alarm”.

You’ll need to specify the mail address to which the alert mail will be sent and the alert text (below).

The site offers you several alternatives; I’ll be downloading the MS Word document.

One of the files is a hacker trap… the others? business as usual I guess 🙂


The trap is set, and every time the document is opened a mail will be sent alerting about the activity (below).