Wednesday, February 12, 2020

OPNsense 20.1 “Keen Kingfisher” released

For over 5 years now, OPNsense has been driving innovation by modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates, and clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on the sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation, amongst others. Third party software has been updated to the latest versions. The logging frontend was rewritten for MVC with seamless API support. On the documentation side, quality as well as quantity increased, and the documentation now presents itself in a familiar menu layout.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe:
o US East Coast:
o US West Coast:
o South America:
o South-East Asia:
o Full mirror list:

These are the most prominent changes since version 19.7:

o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0[5]
o ports: isc-dhcp 4.4.2[6]
o ports: php 7.2.27[7]
o ports: urllib3 1.27.7[8]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o To prevent stale configuration files for remote syslog we advise setting up the new targets first[9] and disabling the old ones under System: Settings: Logging
o i386 has not been deprecated for the time being 

The public key for the 20.1 series is:

-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team


SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64
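The digests above are only worth publishing if downloaders actually check them. The following Python is an added example, not OPNsense project code: it parses the BSD-style "SHA256 (file) = digest" lines exactly as they appear in this announcement and streams each locally present image through SHA-256. The file and digest list written by demo() are constructed for the demonstration; in practice you feed it the real announcement text and your download directory. A matching digest shows the download is intact and identical to what the announcement lists; it does not replace verifying the image signature against the series public key.

```python
"""Verify downloaded OPNsense images against the published SHA256 list.

Added example, not OPNsense project code. It parses the BSD-style
"SHA256 (file) = digest" lines from a release announcement and hashes each
file that is present locally. The sample file written by demo() is
constructed; use the real checksum lines and image files in practice.
"""
import hashlib
import os
import re
import tempfile

# One BSD-format checksum line, e.g.
# SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3...
_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def parse_checksums(text):
    """Return {filename: digest} from announcement text; non-matching lines are ignored."""
    found = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            found[m.group("name")] = m.group("digest").lower()
    return found


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB images never sit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_images(checksum_text, directory):
    """Check every listed file that exists in directory.

    Returns {filename: "OK" | "FAIL" | "MISSING"}. FAIL means the download is
    corrupt or tampered with and must not be installed; MISSING files were
    simply not downloaded.
    """
    results = {}
    for name, want in parse_checksums(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        # Public digests need no constant-time compare; plain equality on the
        # full hex string is correct.
        results[name] = "OK" if sha256_file(path) == want else "FAIL"
    return results


def demo():
    """Write a constructed image file plus checksum lists to a temp dir and verify them."""
    name = "OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2"
    other = "OPNsense-20.1-OpenSSL-nano-amd64.img.bz2"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed image contents, not a real OPNsense image\n")
        good = "SHA256 (%s) = %s\n" % (name, sha256_file(path))
        bad = "SHA256 (%s) = %s\n" % (name, "0" * 64)
        absent = "SHA256 (%s) = %s\n" % (other, "0" * 64)
        return (
            verify_images(good, d)[name],
            verify_images(bad, d)[name],
            verify_images(absent, d)[other],
        )


if __name__ == "__main__":
    # Expected verdicts for the constructed data: OK, FAIL, MISSING
    for verdict in demo():
        print(verdict)
```

Run it against the real images by reading the announcement into a string and calling verify_images(text, "~/Downloads") before unpacking anything; any FAIL means re-download from another mirror.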

The post OPNsense 20.1 "Keen Kingfisher" released appeared first on OPNsense® is a true open source firewall and more.

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims
Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks. According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to

FUD-free analysis: Natural language processing (NLP)

If you follow me on Medium or Twitter, you may already be aware. Still, if you don't (I assure you that you're missing out), I have been researching several technologies in preparation for an OPSEC/Anti-OSINT tool that I am crafting. I am using this tool as a means to push myself harder to learn something new that I can apply professionally. I am also doing this to be able to make a positive difference in the world. Notably, I am explicitly trying to learn Machine Learning and Natural Language Processing (NLP) in Python and R.

When we hear terms like Advanced Persistent, Next-Generation, Artificial Intelligence (AI), Machine Learning (ML), Single Pane of Glass, etc. from a vendor, we typically think it's hype or FUD, and often we are correct. Talking about vendor FUD phrases is ironic because my blog and podcast were called Advanced Persistent Security. I set off on this journey to learn how to build a tool, but also to understand the technologies. I like to stump salespeople from time to time. Also, if these are the wave of the future, there is no time like the present to get acquainted.

So, NLP. What is it? In social engineering circles, it is Neuro-Linguistic Programming. Some (many, if not most) in the scientific community consider it pseudoscience. Regardless, it claims to be able to influence or manipulate people through non-verbal cues from the eyes or touching someone (cringe) or other means. That is not the NLP that I am working on learning.

Natural Language Processing, the more scientific NLP, is a marriage of several disciplines: computer science, data science (including AI and ML), and linguistics. NLP lets libraries and code read language as humans actually write or speak it (naturally, hence the name). Given training data that contains slang, pidgins, and dialects, a model will "learn" to recognize and respond to them.

Adjacent to NLP is OCR, or Optical Character Recognition. OCR extracts text from images, such as photographs or scanned PDFs, where the characters exist only as pixels; a document that already carries text (a Word file or a text-based PDF) only needs a parser, not OCR. Having the text available lets a script (perhaps written in Python) open a document, read it, make sense of it, and act as scripted.

Why is this important to InfoSec, and what do we do with it? We could use this in log analysis, network monitoring, analyzing phishing emails, and my personal favorite, OSINT, to name a few. Within log analysis, NLP could be applied to gain further intelligence from logs without writing ridiculously long regular expressions (regex), by "learning" the context of the data and what is being sought.

This would likely be in parallel with some Machine Learning, but it is a start. From the ML perspective, it would probably need to utilize supervised or semi-supervised learning with online entry vice unsupervised or reinforcement learning. The online means that it would read the data more closely to real-time than by ingesting a defined dataset. The supervision of learning refers to telling the "machine" whether it was correct or not. In some instances of learning logs, unsupervised learning could be useful in determining indicators of compromise or adversarial TTPs based on log data in two sets: breached (event data) and non-breached data. Reinforcement training would be more applicable for tuning and improvement.

Back to NLP, the same concepts apply in network monitoring as log analysis, except it would be network traffic and PCAPs being analyzed. PCAP analysis with NLP and ML may be better suited for analyzing a user's behavior and attempting to identify when their accounts have been taken over or for insider threat predictions. However, I have reservations as to the Orwellian nature of the latter.

For phishing email analysis, the NLP portion could be used to build a large data set, a corpus, and attribute a phish to the exploit kit or threat actor controlling it. Such analysis could also help thwart business email compromise beyond technical controls like SPF, DKIM, and DMARC.
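The supervised side of this, a classifier trained on a labelled corpus of message bodies, is small enough to show end to end. The following is an added example written for this page, not the author's tool: a multinomial naive Bayes model over word tokens with Laplace smoothing, plus a per-token weight report so an analyst can see which words drove the verdict. Every message in it is constructed, the labels "phish" and "ham" are the example's own, and a real deployment would train on thousands of messages rather than eight. The point it makes is that this scores content, which is exactly what SPF, DKIM and DMARC cannot do for mail sent from a compromised but authentic account.

```python
"""Supervised phishing triage with multinomial naive Bayes (added example).

Not code from the post or the author's tool. All messages are constructed.
Label names "phish" and "ham" are this example's convention.
"""
import math
from collections import Counter

PUNCT = ".,!?:;\"'()"

# Constructed training corpus: (text, label).
CORPUS = [
    ("Urgent: verify your account password now, click the link", "phish"),
    ("Your invoice payment failed, update billing details immediately", "phish"),
    ("Wire transfer request from the CEO, urgent and confidential", "phish"),
    ("Account suspended: confirm your password via the link below", "phish"),
    ("Meeting notes attached, see you tomorrow", "ham"),
    ("Lunch on Friday at the usual place?", "ham"),
    ("Quarterly report draft attached for review", "ham"),
    ("Reminder: the sprint retro moved to Thursday", "ham"),
]


def tokenize(text):
    """Lowercase word tokens with surrounding punctuation stripped."""
    words = (w.strip(PUNCT) for w in text.lower().split())
    return [w for w in words if w]


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha          # Laplace smoothing: unseen word != impossible
        self.counts = {}            # label -> Counter of token occurrences
        self.docs = Counter()       # label -> number of training documents
        self.vocab = set()

    def fit(self, labelled):
        for text, label in labelled:
            toks = tokenize(text)
            self.counts.setdefault(label, Counter()).update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)
        return self

    def _log_likelihood(self, label, tok):
        cnt = self.counts[label]
        denom = sum(cnt.values()) + self.alpha * len(self.vocab)
        return math.log((cnt[tok] + self.alpha) / denom)

    def log_posteriors(self, text):
        """Unnormalised log P(label | text) for each label."""
        total = sum(self.docs.values())
        out = {}
        for label in self.counts:
            lp = math.log(self.docs[label] / total)
            for tok in tokenize(text):
                if tok in self.vocab:   # words never seen carry no evidence
                    lp += self._log_likelihood(label, tok)
            out[label] = lp
        return out

    def predict(self, text):
        lp = self.log_posteriors(text)
        return max(lp, key=lp.get)

    def token_weights(self, text, pos="phish", neg="ham"):
        """Per-token log-odds toward `pos`, strongest first: the part an analyst
        reads before trusting the verdict."""
        seen = [t for t in dict.fromkeys(tokenize(text)) if t in self.vocab]
        weights = [(t, self._log_likelihood(pos, t) - self._log_likelihood(neg, t))
                   for t in seen]
        return sorted(weights, key=lambda w: -abs(w[1]))


def train():
    return NaiveBayes().fit(CORPUS)


if __name__ == "__main__":
    nb = train()
    for msg in ("Urgent: please confirm your password",
                "See you at the retro on Thursday"):
        print(nb.predict(msg), msg)
        print("   ", nb.token_weights(msg)[:3])
```

The weights make the model auditable: for the first message "your", "urgent" and "password" carry the decision, which is also what a human would point at. Anything the model flags still goes to a person; naive Bayes is a triage filter, not a verdict.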

In OSINT, it could be combined with aspects of data mining to read a target's websites and employee resources to determine how an organization operates, or to pick up critical terms such as "Cast Member" or "Associate", which Disney and Walmart respectively use for employees. Depending on what is sought, it could help investigators find what they are looking for using context as opposed to just keywords.

Another innovative, FUD-free implementation of NLP would be assisting authorities and organizations like Trace Labs (who run Missing Persons CTF events; they have a Global Event on February 1, 2020) by using ML and NLP to read about a subject's patterns online and then turning the code loose to search in various places. Each time, the accuracy could improve with successful training.

In conclusion, there is a lot of remaining research to be done about ML and NLP. There are many possible applications for the discipline, but it will be challenging to both learn and also cut through vendor hype and FUD. For me, I plan on doing more research, and I am considering pursuing a second master's degree in Data Science. From there, who knows? I might try to complete a doctorate, or I may stay happily in my home-office hacking the planet.

February 2020 security updates are available

We have released the February security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month's security updates can be found in the Security Update Guide.

The post February 2020 security updates are available appeared first on Microsoft Security Response Center.

How to Analyze Wi-Fi Data Captures with Jupyter Notebook

When it comes to sniffing Wi-Fi, Wireshark is cross-platform and capable of capturing vast amounts of data. Making sense of that data is another task entirely. That's where Jupyter Notebook comes in. It can help analyze Wi-Fi packets and determine which networks a particular phone has connected to before, giving us insight into the identity of the owner. Overall, data can be confusing, especially when there's a lot of it, which is both a blessing and a curse. It makes it more likely to include important patterns, but also more likely to obscure them. Looking for meaningful patterns in raw...

ATT&CK Sightings — We Need YOU!

It's been almost a year since we first started talking about ATT&CK Sightings, a pilot program to collect raw data about the prevalence of ATT&CK techniques in the wild. Our goal with this program is to help ATT&CK users better understand how techniques are used. If you're not familiar with the Sightings program already, you can learn more on our website or via this ATT&CKCon talk.

We wanted to update you on how the pilot is going and where you can plug in.

We've had a lot of good conversations with contributors and potential contributors and the goal by this point was to be publishing some insights. However, we haven't been able to convert those discussions into enough actual contributions to publish substantive sightings.

Barriers to Sharing

If you've already connected with us about sightings, regardless of whether you've been able to contribute, thank you.

We've learned so much in our discussions with potential contributors, and determined that there are two main challenges to sightings contributions:

  • Technical challenge: Even organizations adopting ATT&CK for their operations might not have their raw data tagged with ATT&CK techniques. This means it would be extra work to create tagged sightings data. We recognize it's difficult to commit to contributing when it would require manually mapping data to ATT&CK.
  • Data sharing challenge: The other challenge is about the level of comfort associated with sharing threat data and managing risk. Unlike IOCs, which are primarily about adversary infrastructure and tooling, ATT&CK Sightings can be about things that happen on an organization's internal systems and networks. This has led to some understandable concerns about the risk of sharing the data, because it could expose sensitive information that could indicate they were breached.

Overcoming Barriers

We did anticipate some of these barriers and have solutions built into the program to address them — we've also adapted some of these to address feedback. For the technical hurdle, we believe that as organizations more deeply integrate ATT&CK, it will be technically easier to contribute. For the data sharing challenge, we're happy to work with contributors to ensure they understand how we're protecting their data, both as we analyze it and as we publish the associated insights. Key program data protections include:

  • Providing contractual protections for raw data, via non-disclosure agreements with contributors;
  • Limiting access to data to just the small sightings team within MITRE;
  • Ensuring that data is anonymized as soon as possible, and when aggregated, can't be de-anonymized. (e.g., introducing noise, setting thresholds for when we publish or don't publish, and withholding data that might be subject to de-anonymization); and
  • Providing opportunity for review and feedback prior to publishing any derived insights.

Why you should share

While we've been talking about some of the roadblocks to contributing, there's also an opportunity to have a positive impact and get something back. Here are just a few reasons why you should consider sharing sightings:

  • Street cred: We'll protect any individual sighting, but contributors are providing valuable data and we absolutely want to give them credit (if they want it). You'll be named as a contributor to the ATT&CK sightings program.
  • Insider access: One thing we didn't expect is that companies want to be more open with each other and, for example, to be able to get early sightings insights and participate in calls with other contributors. We want to support that and allow those that contribute to get something out of it. We haven't figured out exactly what — getting in early is a great chance to help us shape what that means.
  • It's a good thing to do: Maybe most importantly, your contribution can help the community get better. This is a way of both giving back to the ATT&CK community and fighting back against adversaries.

What's Next

We recognize the challenges and are learning from the past year and adapting our approach.

Most importantly, we want to set a target for the pilot: if we don't have sufficient contributions in hand by April 30 we'll pause the program and revisit at a later date. We need you to help us meet this deadline!

Please reach out to and we can set up a quick call to go over how to contribute.

We'll also be hosting an information session at the RSA Conference for potential contributors. The session will focus on the mechanics of contributing, addressing any concerns about sharing, and brainstorming on how to recognize contributors to make it worth their while.

2pm PST, Wednesday, February 26
Museum of the African Diaspora | 685 Mission St, San Francisco, CA 94105 | 3rd floor conference room

RSVP here!

Again — if you've already spoken to us about sightings, thank you! If not, please call, email, or attend the information session and see if it makes sense to contribute.

We're excited about the possibilities here, but the Sightings program can only have a significant impact with your help.

©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19–03281–03.

ATT&CK Sightings — We Need YOU! was originally published in MITRE ATT&CK™ on Medium, where people are continuing the conversation by highlighting and responding to this story.

Tuesday, June 4, 2019

CVE-2019-9510 flaw allows hackers to bypass Windows lock screen on RDP sessions

I found this interesting article via Newsfusion Cyber Security- I thought you might like it:


4 tips for getting the most from threat intelligence

There's no doubt that threat intelligence is critical for any company trying to build a winning security strategy, but threat intelligence alone won't provide much value. In addition to knowing about potential vulnerabilities or new emerging threats, you also need the expertise to manage the flow of information, and the means to act upon it.


Best new Windows 10 security features: Windows Sandbox, more update options

With the new era of Windows as a service, Microsoft is rolling out changes to the operating system twice a year. Many of those changes will allow you to improve your security posture and offer more security choices. You no longer have to wait for a new operating system to deploy new security features.

Below is a summary of all the new security features and options in Windows 10 version 1903, which features Windows Defender Advanced Threat Protection (ATP) enhancements, more options for enterprises to defer updates, and Windows Sandbox, which provides a safe area to run untrusted software. Bookmark this article, because we will be adding new security features as Microsoft releases future Windows updates.


10 penetration testing tools the pros use

Sophos Acquires Rook Security to Bolster MDR Services

British cybersecurity company Sophos has acquired Rook Security, a provider of managed detection and response (MDR) services. The privately owned Rook provides a team of cyber-threat hunters and incident response experts who "monitor, hunt for, analyze and respond to security incidents" for businesses. 

Combining Rook's services with its recently acquired DarkBytes technology platform, Sophos is planning to create re-sellable MDR services for approximately 47,000 channel partners worldwide. In addition, Rook's team of security investigators will be able to use Sophos' security technology and products for the company's customers. 

"Cyber-criminals are relentlessly trying to exploit organizations with techniques ranging from tried-and-true phishing emails to the more recent trend of 'hacker pen-testing' to find weaknesses in their surface area. As a result, businesses need 24-hour, seven-days-a-week monitoring and management of what is happening on their network, yet many of them do not have the expertise, can't keep up or don't have the security teams in house to optimally configure and manage security around the clock," says Joe Levy, chief technology officer at Sophos. "With MDR, Sophos' channel partners will be able to provide businesses of all sizes with expert services that continuously detect, hunt for and respond to security incidents."

J.J. Thompson, founder and CEO of Rook Security, says that the company is excited by the acquisition: "Together, we can implement faster and more effective threat detection and response capabilities to better protect businesses." 

According to a press release, Sophos is releasing no further details at this time.

Sophos has been splashing the cash in 2019 with the additional acquisition of Avid Secure earlier on in the year. The purchases were for MDR services and cloud infrastructure, bolstering the company's offering. 

Confusion Reigns as C-Suite Bemoans Lack of Security Resources

Most C-level executives believe their organization is more exposed to potential security breaches because it lacks crucial technical, financial or human resources, according to new research from Nominet.

The .uk registry, which also offers DNS security services, polled 400 C-level executives in the UK and US to reveal boardroom attitudes to security risk.

Although most (76%) now understand that a breach is inevitable, 90% believe they are missing something that would help mitigate cyber threats: advanced technology (59%), budget (44%) and staff (41%).

Another challenge highlighted by respondents was senior management being reluctant to accept advice (46%).

In fact, knowledge and responsibility gaps at the top could be severely hampering organizations' ability to respond to such threats. There's confusion over who is responsible for breach response, with over a third of respondents (35%) claiming it's the CEO, while 32% pointed to the CISO. The vast majority of respondents (71%) also admitted to having gaps in their knowledge, especially about malware (78%).

There's also confusion over breach reporting. Although 70% said incidents are initially reported to the security team, 61% do so to the executive team and 40% to the board. A third of CEOs even claim they would fire any employee responsible for a breach, despite the admission that such incidents are inevitable.

Only half of CISOs feel valued by the board in terms of brand and revenue protection, with 18% believing the board thinks they're an inconvenience. However, over half (52%) of directors said their CISO is a "must have."

This confusion could be responsible for the moderate to high stress levels that most (91%) CISOs experience, damaging the mental health of over a quarter (27%), according to separate findings from the same research released by Nominet in February.

"This research is very much a case of 'the good, the bad, and the ugly.' It's good to see that business leaders are aligned on the fact that cyber-attacks are pretty much an inevitable part of working life. Acceptance is the first step to protection. There's also a dedication to keeping customer and client data safe," argued Nominet CEO, Russell Haworth.

"But the bad comes with the power struggle at the top, with confusion over who should actually take responsibility in case of a data breach or cyber-attack, which is detrimental to the safety and security of the business. And the ugly is how CISOs feel within their organization."

Kali Linux 2019.2 Release

Welcome to our second release of 2019, Kali Linux 2019.2, which is available for immediate download. This release brings our kernel up to version 4.19.28, fixes numerous bugs, includes many updated packages, and most excitingly, features a new release of Kali Linux NetHunter!

Kali NetHunter 2019.2 Release

Thanks to the tireless contributions from the vibrant NetHunter community led by re4son, binkybear, fattire, jmingov, jcadduono, kimocoder, and PaulWebSec, NetHunter now supports over 50 devices running all the latest Android versions, from KitKat through to Pie.
To celebrate this milestone, we have released 13 new NetHunter images for the latest Android versions of our favourite devices, including:

  • Nexus 6 running Pie
  • Nexus 6P, Oreo
  • OnePlus2, Pie
  • Galaxy Tab S4 LTE & WiFi, Oreo

These and many more can be downloaded from our NetHunter page. If you cannot find an image for your favourite device and you are interested in porting NetHunter, we would love for you to join our community and give it a crack. More information can be found at our new home on GitLab.

Tool Upgrades

This release largely features various tweaks and bug fixes, but there are still many updated tools, including seclists, msfpc, and exe2hex.

For the complete list of updates, fixes, and additions, please refer to the Kali Bug Tracker Changelog.

ARM Updates

For our ARM users, be aware that the first boot will take a bit longer than usual, as it requires the reinstallation of a few packages on the hardware. This manifests as the login manager crashing a few times until the packages finish reinstalling and is expected behaviour.

Download Kali Linux 2019.2

If you would like to check out this latest and greatest Kali release, you can find download links for ISOs and Torrents on the Kali Downloads page along with links to the Offensive Security virtual machine and ARM images, which have also been updated to 2019.2. If you already have a Kali installation you're happy with, you can easily upgrade in place as follows.

root@kali:~# apt update && apt -y full-upgrade

Ensuring your Installation is Updated

To double check your version, first make sure your Kali package repositories are correct.

root@kali:~# cat /etc/apt/sources.list
deb kali-rolling main non-free contrib

Then after running 'apt -y full-upgrade', you may require a 'reboot' before checking:

root@kali:~# grep VERSION /etc/os-release

root@kali:~# uname -a
Linux kali 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux

If you come across any bugs in Kali, please open a report on our bug tracker. We'll never be able to fix what we don't know about.