Splunk plus TOR = Splunkion: forwarding logs over TOR

A fun crazy experiment:

Some weekends I just pick a couple of Lego blocks of technology and click them together to see what happens. I was thinking over the concept of TOR hidden services. It turns out you can run a Splunk Universal Forwarder (UF) with an outputs.conf pointing to your indexer while it listens for inputs from other UFs as a TOR hidden service. You can then make a UF running on something like a Raspberry Pi send its logs back over TOR, like a dynamic VPN.

Why would you want to? Because it was neat to do. Here is how to repeat the proof of concept.

Splunk forwarding over TOR

How do we make it work?

The Universal Forwarder TOR to Indexer Relay:

  1. Install the Splunk Universal Forwarder
  2. Install TOR: sudo apt-get install tor
  3. Set up TOR to listen on 9997 as a hidden service by editing the /var/tor/torrc file
  4. Restart TOR: sudo service tor restart
  5. Get the server's .onion address: sudo vi /var/lib/tor/other_hidden_service/hostname
  6. Set up $SPLUNK_HOME/etc/system/local/inputs.conf to listen on 9997
  7. Set up $SPLUNK_HOME/etc/system/local/outputs.conf to send data to your existing Splunk Indexer. The example below is set up for SSL, so replace it with what yours uses.

The Remote Forwarding Log Source:

  1. Install the Splunk Universal Forwarder
  2. Install TOR: sudo apt-get install tor
  3. Install socat: sudo apt-get install socat
  4. Set up $SPLUNK_HOME/etc/system/local/outputs.conf to send logs to localhost:9998
  5. Ensure socat is running to bounce 9998 to 9997. This is how we Torify the Splunk forwarder to Indexer traffic: socat tunnels the Splunk TCP connection through TOR. You will want to work out how to make it auto-start on reboot and run in the background, but here is the command you can run manually to test it. Note that in this command you have to know the .onion address of the UF we are using as our TOR to Splunk Indexer gateway on the receiving end.
  6. Set Splunk to pick up logs etc. via the normal inputs.conf methods.
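The following is an added example and not the post's own configuration: it renders the torrc, inputs.conf and outputs.conf fragments the two lists above refer to, builds the socat command that bounces local 9998 to the relay's hidden-service port 9997 through Tor's SOCKS port, and checks that a remote forwarder's outputs.conf points only at 127.0.0.1:9998, so no indexer address ever sits on the remote host. Assumptions: Tor's default SOCKS port 9050, the hidden-service directory named in step 5 of the relay list, and a placeholder .onion name in place of the real hostname.

```shell
#!/bin/sh
# Added example, not the original post's configs. Assumes Tor's default SOCKS port
# (9050) and the hidden-service directory named in the post; the .onion is a placeholder.

TOR_SOCKS_PORT=9050

# Relay: torrc stanza exposing local Splunk TCP 9997 as a hidden service.
render_torrc() {
  printf 'HiddenServiceDir /var/lib/tor/other_hidden_service/\n'
  printf 'HiddenServicePort 9997 127.0.0.1:9997\n'
}

# Relay: inputs.conf accepting splunktcp on 9997 (reached only via the hidden service).
render_relay_inputs() {
  printf '[splunktcp://9997]\ndisabled = 0\n'
}

# Remote source: outputs.conf that forwards only to the local socat hop.
render_remote_outputs() {
  printf '[tcpout]\ndefaultGroup = tor_relay\n\n'
  printf '[tcpout:tor_relay]\nserver = 127.0.0.1:9998\n'
}

# Remote source: socat listens on 127.0.0.1:9998 and connects to <onion>:9997 via
# Tor's SOCKS4a proxy, so the .onion name is resolved inside Tor, never by local DNS.
socat_cmd() {
  printf 'socat TCP4-LISTEN:9998,bind=127.0.0.1,fork,reuseaddr SOCKS4A:127.0.0.1:%s:9997,socksport=%s\n' \
    "$1" "$TOR_SOCKS_PORT"
}

# Check: every server= entry in a remote outputs.conf must be the local hop.
# Exit 0 when clean, 1 when any entry would leak a real indexer address.
check_remote_outputs() {
  awk -F'=' '
    /^[[:space:]]*server[[:space:]]*=/ {
      gsub(/[[:space:]]/, "", $2)
      n = split($2, hosts, ",")
      for (i = 1; i <= n; i++) if (hosts[i] != "127.0.0.1:9998") bad = 1
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Manual use on the remote source, once the relay's hostname file has been copied over:
# socat_cmd "$(cat /var/lib/tor/other_hidden_service/hostname)"
```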

Final Comments:

That is it: you have Torified the Splunk forwarder to Indexer traffic. It lets you collect data from remote sources without exposing the actual destination address of your indexing system to them.

Keep in mind that TOR itself encrypts the traffic, so you could stick with the unencrypted "9997" outputs.conf style setup. Or you could still go all out and generate a new SSL Certificate Authority with ECC certificates and do all the normal certificate root and name validation that you should when setting up SSL for Splunk. If you want to learn more about how to do that, come see a talk I am giving with a friend at Splunk .conf 2014 this year.


Tech Journalists – Staring into the Abyss

I make no secret that I enjoy Apple products. I got into Apple products after my experience with my first iPod and deciding that I was tired of feeling like I was still at work when I was home. All the maintenance and effort to keep Windows-based products working efficiently was too much like my day job. Most of the time Apple products just work for how I use them. Sure, like any product made by humans, Apple can have design issues. Like any electronic device, it will fail at some point in time. With that said, I am an information security professional. I spent several years out of college in loss prevention. I am not a lawyer, but clearly I have strong feelings on this whole situation. And here they are.

TwitPic – Scraping Exif Data

A couple of days ago Dr. Johannes Ullrich did a really interesting post on scraping GPS data from TwitPic photos posted by Twitter users. You can read the original post with graphs over at the Internet Storm Center blog. He wrote a couple of Perl scripts for use with the exiftags tool.

So I was inspired to do a similar trick without the Perl script, using my favorite, ExifTool by Phil Harvey. So here comes yet another one of my Automator workflows for OS X. You can download it in the zip below. Just copy imagecsv.txt to the root of your user home folder. Then run the Automator app. You can of course edit the app in Automator to see how it works. It will prompt you for the Twitter user name of your target. Then it goes to TwitPic, scrapes their RSS feed for all full-sized images and runs exiftool on them. It puts all the output in a folder on your desktop named after the Twitter user name. You may alter which fields exiftool writes to the exifdump.txt file by editing imagecsv.txt. It is just a print format file, following exiftool's rules, set up to be tab delimited.

Just make sure you have exiftool installed or you won't get the tag dump. You will end up just getting all the pictures scraped from the user's RSS feed.

OSX Automator – TwitPic – ExifScrape

Trading Privacy for Services

I spotted an article today on a new service for anonymizing your phone number. It lets people call you while keeping your number private. The article is "Anonymize your phone number with LetsCall.Me" over at CNet by Josh Lowensohn. The service lets you hand out a web link, and folks can input their number on that page. The service then connects them to you without them ever knowing your number. So I have to wonder, where is the hook? How do they intend to make money? Every web service is about eventually making money, even indirectly. It has to be, or what is the point?

I actually read the terms of use from LetsCall.Me and find this section curious.

You also grant to LetsCall.Me the right to use your name in connection with the submitted materials and other information as well as in connection with all advertising, marketing and promotional material related thereto. You agree that you shall have no recourse against LetsCall.Me for any alleged or actual infringement or misappropriation of any proprietary right in your communications to LetsCall.Me.

Could this mean your name, number, etc. are eligible to be sold on a marketing list? Keep in mind I am NOT saying they ARE doing or WILL do this. Just that the language makes me think they COULD. I also will say I am not a lawyer. So best ask yours if in doubt.

The trade-off might suit your needs. I know I am a Google GrandCentral user. But that service is not open to new subscribers, so maybe what LetsCall.Me offers would work for you. Just consider the implications of any terms of use for any service when handing out information you are intending to protect.

Geo-location Sunday

Today I spent a bit of time playing with Yahoo's new Fire Eagle location service. It has some pretty decent privacy controls, and it is taking off fast as a junction point for location-aware applications. If you sign up for Fire Eagle you can get an automatic invite to Brightkite, which has good SMS and email mechanisms for updating your location. It also has decent privacy controls, such as only close friends seeing your exact location while everyone else gets the city.

So I tied them together and then tied Brightkite to my Twitter location. While I was doing this I was surprised to see how many of my Twitter followers have their exact longitude and latitude coordinates updating from their iPhones. I would wager a lot of them did not give a real thought to the privacy concerns, or to the fact that it tells a lot of people when you are definitely not home. Worse, imagine your kids with iPhones and Twitter. It raises cyberbullying to a whole new level if the bully can go straight to where they really are.

I would recommend disabling location updates and wiping the current location. Or use something like Fire Eagle/Brightkite to mask your location to the city level where that has value to you.

Identity Tidbits

I am sure everyone who reads online articles, blogs, etc. has seen the talk about Facebook being used to gather data for identity theft. I stumbled onto one little tidbit: Amazon. Would you believe that the birthdate (minus year) and email used for your Amazon account show up publicly to everyone by default?

You should log into your account. Click "Yourname's Amazon", then click "Your Profile". Make sure to edit it and change your email and birthdate lines to show for you only. Then on the right side, view the page as seen by Everyone. I sure hope I accidentally set that and it was not the default. If it was the default, Amazon ought to be ashamed.

Amazon Profile

Employee Privacy

I previously posted about having to make sure we have something in place to protect employees from misuse of the new surf control deployment. Here is a sample of what I went with.

Employee records and data, which include, but are not limited to, telephone use, cell phone use, computing resource use, video surveillance and Internet use, are to be handled with extreme sensitivity and confidentiality. Management, or others requesting access to this type of information, must submit their request to the Human Resource Department location for which the employee in question is based. All HR-approved requests must then also be approved by the Corporate Security Officer. The appropriate local IT Department must provide all requested data to the local Human Resources Department, which in turn will provide this data to those initiating the information request. In reviewing all data and record requests, the HR department must assess the appropriateness for the individual requesting the data, as well as the relevance of the data being requested.

There are occasions where employees are unavailable (e.g. vacation) and a manager assigns a stand-in. In these instances, where no investigation is involved, the manager must submit a notification, with the duration or access required, to the Human Resource Department location for which the employee in question is based. Human Resources will review the appropriateness of the temporary access. HR-approved requests will be sent to the local IT Department. The IT Department will send notification of the access change to HR and the requesting manager. Access must be removed at the end of the assigned duration and confirmation of the removal sent. If the requesting department is HR, then they must obtain approval of the Company Site Manager. If any information is discovered that relates to policy or legal violations, it must be immediately brought to the attention of Human Resources, and the Corporate Security Officer notified.

There are occasions where managers may request site entry and exit logs of their employees for use in time and attendance tasks. This is accepted by Company as a standard tool to ensure employees receive proper compensation. Each site may determine its own policies concerning requesting and receiving this information.