Malcolm v23.03.0 is a release with enhancements, component version updates and bug fixes.

Malcolm is a powerful, easily deployable (via Docker) network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.

• Enhancements

  • Replace Zeek's misc/scan.zeek with ncsa/bro-simple-scan
  • terminate start and restart scripts once Malcolm has started properly (cisagov/Malcolm#240 and cisagov/Malcolm#241, thanks @Njinx)
  • minor usability improvements for ISO-installed Malcolm and Hedgehog (idaholab/Malcolm#155)
    • Added a "Configure Malcolm" menu item (under the "Internet" GTK menu with the other Malcolm stuff) and launcher on the top panel of icons in Malcolm. This runs ./scripts/install.py --configure in full screen. May look at starting this automatically on first boot in the future. (Malcolm)
    • Added Malcolm shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Malcolm)
    • Added /opt/sensor/sensor_ctl shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Hedgehog)
    • Have tilix from launcher panel start in /opt/sensor/sensor_ctl (Hedgehog)
  • minor tweaks to defaults for install.py --configure (enable offline-capable file scanners by default)
  • interrupt #NetBox startup import script when netbox-restore is run
  • added NetBox restore logic to reset_and_auto_populate.sh script (used mostly for demos and presentations)

• Component version updates

  • #Arkime to v4.2.0
  • OpenSearch and OpenSearch Dashboards to 2.6.0
  • Logstash from v8.4.0 to v8.6.1
  • Beats to v8.6.2
  • Zeek to v5.0.7
  • OpenSearch-Py to v2.2.0 (and remove opensearch-dsl which is now part of opensearch-py)
  • Supercronic to v0.2.2
  • Capa to v5.0.0
  • Fluent Bit to v2.0.9
  • Version updates to various Python package dependencies

• Fixes

  • last few seconds' Zeek logs prior to log rotation may be lost (idaholab/Malcolm#151)
  • in ISO-packaged Malcolm installation scripts directory, symlink netbox-backup and netbox-restore to control.py
  • improve opensearchpy connect/health check logig in pcap_watcher.py in pcap-monitor container

#Malcolm #OpenSearch #Zeek #Arkime #Suricata #PCAP #NetworkTrafficAnalysis #CyberSecurity #Cyber #Infosec #GitHub #INL #DHS #CISA #CISAgov

Did you know that a "pizza party" is a cybersecurity measure?

#cisagov recommends in its "Cross Sector Cybersecurity Performance Goals" (CPG 4.5), that "Organizations sponsor at least one ‘pizza party’ or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event (such as providing meals during an incident response). "

https://www.cisa.gov/cpg
#cybersecurity #infosec

Did you know that a "pizza party" is a cybersecurity measure? ...if you invite the right people of course.

#cisagov recommends in its "Cross Sector Cybersecurity Performance Goals" (CPG 4.5), that "Organizations sponsor at least one ‘pizza party’ or equivalent social gathering per year that is focused on strengthening working relationships between IT and OT security personnel, and is not a working event (such as providing meals during an incident response). "

https://www.cisa.gov/cpg

#Malcolm v6.4.3 is a minor #release containing enhancements, component version updates and bug fixes.

• Enhancements

  • Import the NetBox Device Type Library on NetBox first run to populate manufacturers, device types, models and modules
  • idaholab/Malcolm#127 have install.py --configure ask about other storage locations for PCAP, Zeek logs and OpenSearch indices
  • idaholab/Malcolm#128 have install.py --configure prompt for Arkime to manage uploaded PCAP files or not

• Component version updates

  • #Alpine Linux to v3.17 for some Docker containers' base images
  • #Filebeat to v8.5.2
  • #NetBox to v3.3.9
  • #Zeek to v5.0.4
  • #opensearch-py to v2.0.1
  • #FluentBit to v2.0.6

• Fixes

  • Fix some bad links in the documentation and other minor documentation improvements
  • Fix idaholab/Malcolm#126, suricata logs show up in Arkime as "notip" for the protocol
  • Fix idaholab/Malcolm#129, filtering by rootId in Arkime returns no results
  • Fix Docker health checks for NetBox and supporting containers
  • Fix "read-only" version of nginx.conf
  • Tweaks to install.py memory recommendations

#Malcolm and #HedgehogLinux may be obtained by pulling or building the #Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on #GitHub, but may be downloaded from https://malcolm.fyi/.

#cybersecurity #pcap #networktrafficanalysis #zeek #arkime #ICS #INL #CISAgov

I'm pleased to announce the v6.4.2 release of Malcolm. This release updates #Zeek to v5.0.3 and #OpenSearch and #OpenSearchDashboards to v2.4.0 as well as some other minor fixes and improvements. It also includes a Zeek plugin to detect vulnerability to and exploitation attempts of #CVE20223602.

See the documentation for instructions for installing Malcolm and pulling the new #Docker images, or grab the _(unofficial) ISOs.

#Malcolm #HedgehogLinux #cybersecurity #pcap #networktrafficanalysis #zeek #arkime #ICS #INL #CISAgov

One topic that comes up at least weekly in my job is Multi Factor Authentication #MFA. Often I am asked about what method is secure. Finally I can tell them #Fido2 / #WebAuthn , forget sms, voice or #TOTP ...and by the way, you can read it here #CISAgov https://www.cisa.gov/uscert/ncas/current-activity/2022/10/31/cisa-releases-guidance-phishing-resistant-and-numbers-matching

#CISAgov
has verified one of the users had their account breached even though they were using "proper multi-factor authentication (#MFA)."

https://hackread.com/hackers-breach-mfa-target-cloud-services/

#Security #CISA #Breach #Vulnerability #Cloud #InfoSec

📛 #CISAgov warning should not come as a surprise because:

⚠️900 #PulseSecure VPN servers data leaked recently.
⚠️#MicrosoftExchange server exploited in March 2020.
⚠️Hackers stole 6TB of data from #CitrixVPN in 2019.

https://t.co/5EBzgXNLYO