Thursday, May 7, 2009

What is a "canary account"?

A canary account is an account created in a database for the sole purpose of detecting if data has been compromised.

The term "canary account" is based on the notion of a canary detecting changes in the air quality of a coal mine, warning the miners before the air became unsafe for humans. Think of it as an early warning system.

Within the context of data protection, the canary account is monitored to make sure it has not been accessed; if it is accessed, there is a high likelihood that the data has been compromised, since no legitimate user or process has any reason to touch it.

This is somewhat related to the notion of a "honey pot" that acts as 'bait' for attackers, drawing their attention away from the real crown jewels in favor of pseudo crown jewels that have been crafted to look even more appealing to the attacker.

In a post by Robert Graham about the phpBB hack earlier this year, canary accounts are mentioned as a possible means of alerting to the attack sooner:

http://erratasec.blogspot.com/2009/02/importance-of-being-canonical.html

The first is to create "canary" accounts. Create accounts that have e-mail addresses, like "something-really-long-xyz-123@gmail.com". This account is not going to get any spam e-mail. When it does get its first spam, you'll know that it came from your database. When I create recommendations for clients, this is always one of the first things I suggest. (Likewise, if you are an e-commerce site, you should get dummy credit cards that only exist in your database). This won't stop you from getting hacked, but it will at least tell you when a hack has happened. (I suspect that this isn't the first time phpbb has been hacked - just the first time it's been made public).
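As an added example of what "monitoring" a canary account can look like in practice (this is not code from the original post or from Robert Graham's article), the script below registers two canary identifiers, one in the e-mail style Graham describes and one database user id, and scans audit-log lines for any access that touches them. The four-field log format, the actor names, the domain example.com and every log line are constructed for the example; a legitimate nightly backup is allow-listed so a full-table scan does not raise a false alarm.

```python
"""Canary-account monitor (added example, not part of the original post).

Assumptions (all constructed for this example):
  - audit log lines look like "<timestamp> <actor> <action> <object>"
  - an inbound-mail gateway logs the recipient address in the same shape
  - actors in `allowed_actors` (e.g. a backup job) may legitimately read
    every row, including the canary, and are not alerted on
"""
import re
import secrets
from dataclasses import dataclass, field


def make_canary_email(domain="example.com", hex_chars=24):
    """Build an address with a long random local part. Nobody guesses it and
    no dictionary spam run hits it, so mail to it means the record leaked."""
    return f"canary-{secrets.token_hex(hex_chars // 2)}@{domain}"


@dataclass
class CanaryMonitor:
    canaries: set                     # identifiers that should never be touched
    allowed_actors: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    # constructed log format: timestamp actor action object
    LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

    def check_line(self, line):
        """Return an alert dict if the line touches a canary, else None."""
        m = self.LINE_RE.match(line.strip())
        if not m:
            return None                # unparseable line: ignore, not a canary hit
        ts, actor, action, obj = m.groups()
        if obj not in self.canaries or actor in self.allowed_actors:
            return None
        alert = {"time": ts, "actor": actor, "action": action, "canary": obj}
        self.alerts.append(alert)
        return alert

    def scan(self, lines):
        """Scan an iterable of log lines; return the list of alerts raised."""
        return [a for a in (self.check_line(l) for l in lines) if a]


# Fixed values so the sample is reproducible; production code would call
# make_canary_email() once and store the result alongside real records.
CANARY_EMAIL = "canary-9f2e4c7a1b0d3e5f6a7b8c9d@example.com"
CANARY_USER = "user:4815162342"

# Constructed sample audit log: two normal reads, a backup job that reads
# everything, an ad-hoc read of the canary row, and a spam delivery to the
# canary address.
SAMPLE_LOG = """\
2009-05-07T09:12:01Z app/login SELECT user:1001
2009-05-07T09:12:05Z app/login SELECT user:1002
2009-05-07T02:00:11Z nightly-backup SELECT user:4815162342
2009-05-07T09:13:40Z dbadmin SELECT user:4815162342
2009-05-07T09:14:02Z app/export SELECT user:1003
2009-05-07T11:02:17Z smtp-gw INBOUND canary-9f2e4c7a1b0d3e5f6a7b8c9d@example.com
"""


def run_sample():
    """Run the monitor over the constructed log and return the alerts."""
    monitor = CanaryMonitor(
        canaries={CANARY_EMAIL, CANARY_USER},
        allowed_actors={"nightly-backup"},
    )
    return monitor.scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(f"CANARY HIT: {alert['actor']} {alert['action']} {alert['canary']} at {alert['time']}")
```

The two alerts it raises are the dbadmin read of the canary row and the first inbound mail to the canary address; the backup job's read is suppressed by the allow list. The point of the allow list is the main caveat of the technique: any job that legitimately touches every row (backups, reports, exports) will also touch the canary, so those actors have to be accounted for or the alert becomes noise.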

I am not saying that canary accounts are appropriate in all cases; I am just trying to get you thinking about the possibilities.
