Saturday, December 22, 2012
Raphael Mudge Cobalt Strike
Cobalt Strike Media Kit
Strategic Cyber, LLC loves bloggers and journalists. These materials are available for your use to tell the Cobalt Strike story to the world. If you have any questions or would like to schedule an interview, please contact us!
Materials
Cobalt Strike Trailer (3m46s)
This video walks through a textbook penetration test with the Cobalt Strike product.
Cobalt Strike Logo
PSD (1716x408px)
PNG (1716x408px)
PNG (858x204px)
Major Cobalt Strike (full-length)
PSD (3248x3216px)
PNG (3248x3216px)
PNG (640x713px)
Cobalt Strike Comic
This comic shows the Cobalt Strike team executing an adaptive penetration testing process.
PDF
Cobalt Strike Product Specification Sheet
This two-sided sheet describes Cobalt Strike, what it does, and who it is for. This document is best used to introduce Cobalt Strike to the grown-ups.
PDF
About Us
Cobalt Strike
Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity.
Strategic Cyber, LLC
Founded by Raphael Mudge, Strategic Cyber LLC develops software and training for penetration testers and red teams. Its premier product is Cobalt Strike, a threat emulation suite. Raphael is a USAF veteran and the creator of Armitage for the Metasploit® Framework. Strategic Cyber LLC is based in Washington, DC.
Metasploit® is a registered trademark of Rapid7 Inc.
© 2012 Strategic Cyber, LLC
Wednesday, December 19, 2012
Countermeasures against school shootings
Countermeasures against School Shootings
December 18, 2012 (4 Comments)
Recent events, and especially the tragedy at Sandy Hook Elementary School, have prompted many of our school security clients to contact us asking for advice on preventing an attack or mitigating the consequences of a school shooting or massacre.
In this blog post, we want to share with school administrators, security professionals, parents and community leaders ideas on how to minimize the potential of such an event at your school or in your community.
Altering the adversary’s motivation is close to impossible – School shooter motivations vary from insanity to revenge and even political (terrorist) motives. The ability to detect, monitor and then influence these motivations is extremely difficult even for those closest to the would-be shooter (parents, teachers, counselors, etc). Our recommendation: do not rely on early detection of the shooter using indicators that stem from his psychological profile. Instead focus your mitigation strategy on maintaining a security policy that makes it difficult for the shooter to accomplish his operational objectives. This goal is possible and simple to execute but it does require effort and commitment.
Active shooter is a security issue and not a law enforcement issue – Police response to an active shooter situation can take five to ten minutes or more. Most active shooter incidents are already over by the time police arrive at the scene, and even if the shooting is still in progress, most of the damage has already been done. Usually, all that remains for law enforcement is to gather evidence and collect the dead. Schools should focus on prevention strategies and not devote all their attention to a response plan.
Adopt a long-term security strategy – Make a long-term commitment to security. This is usually easier said than done. Most institutions only spike efforts in response to an incident out of fear or the pressure to do something. This reactive approach is ineffective. Instead, make a long-term commitment to protect your school, and the people who study and work there, from future threats. This does mean spending money, making continuous efforts to improve, and getting buy-in from everyone involved from now, forward.
Understand and address the Modus Operandi of the adversary – The choice of weapon and method of operation may change. The MO of choice today is active shooter, but tomorrow it could be an “active driver” trying to run over as many people on campus grounds as possible, with his vehicle. Your security procedures and policy must address not yet popular but probable MOs.
Invest in Physical Security – This is obvious, but must be stated: a school that makes it easy for outsiders to enter is extremely vulnerable to threats. Physical security measures such as gates, locks and fences are not a deterrent for a motivated adversary, but they can serve as an obstacle or delaying mechanism that can potentially save lives.
Extend your security circles outward as much as possible – Many institutions try to do security from the inside-in rather than from the outside-out. This results in a smaller, less effectively secured area.
Extend your physical security presence – think of a ring – as far out from your school as possible. As the distance between the adversary and the target (the school and its population) increases so do your chances to prevent the attack or mitigate its consequences.
Introduce Proactive Security Procedures – Most school security procedures are administrative as opposed to proactive. For example, security guards may be required to check if a person’s name appears on a list but they are rarely tasked with evaluating the intent or behavior of a person attempting to enter the school. Security officers must be trained in threat and situational assessment and in security questioning. This training allows officers to determine the true nature of the visit and the true intent of the visitor.
Have armed response capabilities – Having an armed security guard on premises does not mean you have “armed response capabilities”. Most armed guards are neither trained nor experienced in tactical response to an active shooter scenario. The armed security guards must be trained in: instinctive shooting, when-to-shoot scenarios, when to stop shooting or chasing, shooting through a face-forward crowd, hand-to-hand combat, aggressiveness training and more. The shooting technique for the guard must be based on an instinctive reaction where he does not need to think, only react and attack the shooter, fully neutralizing him as soon as possible. He should not call for backup (someone else will). He should not take cover (this allows the shooter to be in control). He should not stop to treat or evacuate the wounded (someone else will). The guard must know how to shoot while moving fast, forcing the adversary to defend himself. This type of shooting and response requires A LOT of training, to the point where the guard’s response is completely instinctive.
Test your Security System – A school that does not experience incidents should not regard itself as having good security. To evaluate whether or not the security system is effective, schools must test themselves through adversary simulations or “red teaming”. Every school must repeatedly conduct surprise infiltration testing to evaluate whether current security procedures and systems are effective in preventing actual threats. The tests should be used to train and build experience with the security officers and the staff. They inform the design of, and changes to, procedures and policy.
Designate a “Police Room” in your facility – A cost effective means for maintaining police presence at your school is to provide local law enforcement with a spot where they can take a break from their patrols, drink a cup of coffee and have a quiet place to fill out their reports. Elevated, random police presence in the school makes it harder for the adversary to plan an attack and it increases the armed response capability of the school during certain hours of the day.
The critics will say “well, this all costs money.” And that’s true. But there are innovative ways (beyond government funding) to pay for an improved security program. Active shooters are on the mind of every parent in the U.S. Most parents would not object to a modest, monthly ten dollar fee that could pay for implementing and maintaining all of the solutions we discuss here. During the suicide bombing campaigns in Israel between 2002 and 2005, restaurant customers were asked to pay a 50-cent fee on every table’s bill. This money was used to pay for security guards at restaurant entrances to prevent suicide bombers from entering. If someone is willing to pay 50 cents to have a peaceful dining experience, as a parent, I’m willing to bet that 50 cents a day is a very reasonable price for your child’s security.
But more than the fiscal issues, we have to be committed in terms of priorities and decisiveness. When we are, we will effectively be able to prevent, deter, disrupt, and defend against these horrible killers.
For more information about specific security procedures, training and consulting to improve your school’s security, please contact us.
4 Comments on “Countermeasures against School Shootings”
TK on December 18th, 2012 at 7:04 pm
Excellent article. Please send it to every school in the country.
Linda Weese on December 19th, 2012 at 10:52 am
Really great article with excellent suggestions. Am I allowed to share it with local schools?
Thank you.
Linda Weese
Samuel Mayhugh on December 19th, 2012 at 10:55 am
I agree with your material on countermeasures. These need to be promoted.
What we do not generally have are policies, procedures, and training for student and worker reporting of behavior that creates fear or anticipation of violence. This calls for accountability and responsibility of both individuals and organizations for reporting concerns prior to a belief that the person will kill others.
Sam Mayhugh, Ph.D., Consultant, DHS
Admin on December 19th, 2012 at 11:02 am
Linda
Thank you very much for the feedback. Feel free to share it with anyone.
The Chameleon Team
Tuesday, December 11, 2012
8-character passwords not long enough
Suzanne Choney, NBC News
8-character passwords just got a lot easier to crack
A password expert has shown that passwords can be cracked by brute force four times faster than was previously thought possible.
It's no magician's trick. Jeremi Gosney of the Stricture Consulting Group shared the findings at the recent Passwords^12 conference in Norway, where researchers do nothing but focus on passwords and PIN numbers.
What Gosney showed is that a computer cluster using 25 AMD Radeon graphics cards can make 350 billion — that's right, billion — password attempts per second when trying to crack password hashes made by the algorithm Microsoft uses in Windows.
Ars Technica reported on the finding, estimating that it would take less than six hours for the system to guess every single possible eight-character password. Gosney, in an email to the site, said, "We can attack (password) hashes approximately four times faster than we could previously."
Users should take action, especially those who have been using eight-character passwords and thinking they were safe (or safer than users with fewer characters in passwords), said Infosecurity, an online magazine. It doesn't even matter if you have numbers, upper case letters and symbols — you are not in the clear.
Eight-character passwords "are no longer sufficient," the magazine says, and users should come up with longer passwords to "help defeat brute forcing, and complex passwords to help defeat dictionary attacks."
Dictionary attacks use pretty common words, names and places that many of us still come up with for passwords, like "LoveNewYork" or even "Jesus" because they're easy to remember. They're also incredibly easy to crack.
Dmitry Bestuzhev, of Kaspersky Lab, offers these suggestions:
1. Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.
2. Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.
3. Sometimes our online service providers don’t let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.
That may be an ambitious undertaking, especially with the abundance of services out there that all require authentication, but it's worth striving for.
Eight characters "just isn't long enough for a password these days," Sophos Labs' Paul Ducklin told NBC News in an email. "Even before this latest 'improvement' in cracking, standalone GPU (graphics processing unit)-based servers could do the job on eight-character Windows passwords in under 24 hours." And, he added, "cybercrooks with a zombie network, of course, could easily do something similar, even without GPUs."
Ducklin, writing about another password-cracking presentation at the password conference, made it clear that the findings are "yet another reminder that security is an arms race." But to stay ahead all you have to do is lengthen those passwords. At least for now.
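The two numbers in this article (a 25-GPU cluster exhausting every eight-character password at 350 billion guesses per second in under six hours, and Bestuzhev's "23 characters (131 bits)" recommendation) can be checked from first principles. The estimator below is an added example and is not code from NBC News, Gosney, or Kaspersky; the alphabet sizes (26 lowercase, 52 mixed case, 62 alphanumeric, 95 printable ASCII) and the policy lengths it tabulates are this example's own assumptions, while the guess rate is the one the article reports. It computes keyspace, guessing entropy in bits, and worst-case time to exhaust a password shape, and goes one step beyond the article by deriving the minimum length needed to reach a target entropy for each alphabet.

```python
import math

# Alphabet sizes used for the estimates (constructed for this example; the
# article itself only gives the 350 billion/s rate and the 23-character figure).
LOWERCASE = 26
MIXED_CASE = 52          # a-z plus A-Z: the character set behind the "131 bits" figure
ALNUM = 62               # letters plus digits
PRINTABLE_ASCII = 95     # letters, digits, and the 33 printable symbols

GOSNEY_RATE = 350e9      # password attempts per second reported in the article


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing entropy for a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours for brute force to try every password of this shape."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest length whose keyspace reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def policy_table(guesses_per_second: float = GOSNEY_RATE) -> list:
    """Rows of (alphabet, length, bits, hours) for a few candidate policies."""
    rows = []
    for name, size in (("lowercase", LOWERCASE), ("mixed case", MIXED_CASE),
                       ("alphanumeric", ALNUM), ("printable ASCII", PRINTABLE_ASCII)):
        for length in (8, 12, 16, 23):
            rows.append((name, length,
                         round(entropy_bits(size, length), 1),
                         hours_to_exhaust(size, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # The two figures the article quotes, recomputed from the definitions above.
    print(f"8 printable-ASCII chars at 350 G/s: "
          f"{hours_to_exhaust(PRINTABLE_ASCII, 8, GOSNEY_RATE):.1f} h")
    print(f"23 mixed-case letters: {entropy_bits(MIXED_CASE, 23):.0f} bits")
    print(f"length needed for 131 bits from printable ASCII: "
          f"{min_length_for_bits(PRINTABLE_ASCII, 131)}")
    for name, length, bits, hours in policy_table():
        print(f"{name:16s} {length:3d} chars  {bits:6.1f} bits  {hours:.3g} h")
```

The figures line up: 95^8 guesses at 350 billion per second is about 5.3 hours, and 23 letters drawn from 52 give 23 × log2(52), roughly 131 bits. The table also shows why the article's advice favours length over symbol variety: each extra character multiplies the keyspace by the alphabet size, whereas widening the alphabet from 62 to 95 symbols adds under one bit per character. Note that these are worst-case exhaustive-search numbers for uniformly random passwords; human-chosen passwords fall to dictionary and rule-based attacks far sooner, which is the point the article makes about "LoveNewYork".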
Friday, June 22, 2012
Limits Set on E-mail Monitoring
Limits Set on E-mail Monitoring
Administration Memo Seeks to Protect Whistleblowers' E-mails
By Eric Chabrow, June 21, 2012
The Obama administration issued a memorandum cautioning U.S. federal agencies that it could be unlawful to interfere with employees' communications, including e-mails, used to report misconduct in government.
"We strongly urge executive departments and agencies to evaluate their monitoring policies and practices, and take measures to ensure that these policies and practices do not interfere with or chill employees from using appropriate channels to disclose wrongdoing," writes Carolyn Lerner, who heads the Office of Special Counsel, the federal organization charged with protecting government employees from reprisals for whistleblowing. Lerner sent the memorandum, dated June 20, to departmental and agency heads and legal counsels.
The genesis of the memorandum is an investigation by the Office of Special Counsel of the Food and Drug Administration monitoring employees who informed the special counsel, inspector general and The New York Times that the FDA had approved what the agency workers considered unsafe medical devices.
According to the National Whistleblowers Center, whose lawyers represented the employees, the FDA used spyware to monitor secretly the whistleblowers' computers and other technology to gain access to their password-protected Gmail-to-Gmail communications to Congress, the Office of Special Counsel and other oversight authorities.
Stephen Kohn, National Whistleblowers Center executive director, characterizes the administration's memo as a significant first step in protecting the constitutional rights of federal-employee whistleblowers. "This is the first time limits have been placed on the federal government's ability to monitor employee e-mails," Kohn says in a statement. "The targeted monitoring of whistleblowers in all government agencies ... has created a tremendous chilling effect on the willingness of federal employees to speak up about what they witness."
Federal law prohibits agencies from taking actions against employees who inform the special counsel or inspector general of suspected wrongdoing in government.
Lerner, in the memo, says agency monitoring designed specifically to target protected disclosure to the special counsel and IG is "highly problematic."
"Such targeting undermines the ability of employees to make confidential disclosures," Lerner says, adding that this type of monitoring could be perceived as retaliation.
The administration's memo strongly recommends that agencies review existing monitoring policies and practices to ensure that they are consistent with the law and Congress's intent to provide a secure channel for protected disclosures.
CISCO ASA vuln warning
MS-ISAC ADVISORY NUMBER:
2012-045
DATE(S) ISSUED:
06/21/2012
SUBJECT:
Denial of Service Vulnerability in Cisco ASA Products
OVERVIEW:
A denial of service vulnerability has been discovered in Cisco Adaptive Security Appliance (ASA) 5500 series appliances and ASA modules for Catalyst 6500 series switches (ASASM). Cisco ASA products provide firewall, intrusion prevention, remote access, and other services. Successful exploitation could result in denial of service conditions or a reload on the affected device.
SYSTEMS AFFECTED:
Cisco ASA 5500 Series Appliances running software versions prior to 8.4 (4.1), 8.5 (1.11), and 8.6 (1.3)
Cisco Catalyst 6500 series ASA Service Modules running software versions prior to 8.4 (4.1), 8.5 (1.11), and 8.6 (1.3)
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: Low
DESCRIPTION:
Cisco ASA 5500 series appliances and Cisco Catalyst 6500 Series ASA Service Modules (ASASM) are prone to a remote Denial of Service vulnerability due to the improper handling of IPv6 traffic. This issue occurs when the devices are running in transparent mode with IPv6 enabled and have system logging configured to log message ID 110003 (enabled with logging severity level 6 or higher). These settings are not enabled by default. To exploit this vulnerability, an attacker creates a specially crafted IPv6 packet that will generate log message ID 110003 and sends it to the vulnerable device. When the packet is processed, the log message is created resulting in denial of service conditions or a potential reboot of the device.
Information related to log message ID 110003 can be found at hxxp://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354.
RECOMMENDATIONS:
We recommend the following actions be taken:
Apply appropriate patches provided by Cisco after appropriate testing. To view a complete list of what software fixes to apply, please see hxxp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6
Consider disabling log message ID 110003 by issuing the "no logging message 110003" command. To view the instructions for this workaround please see hxxp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6
REFERENCES:
Cisco:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-asaIPv6#@ID
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769354
Security Focus:
http://www.securityfocus.com/bid/54106
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3058
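The DESCRIPTION section lists four preconditions that must all hold for a device to be exposed (transparent mode, IPv6 enabled, system logging at severity 6 or higher so that message 110003 is emitted, and a release before the fixed version), and the RECOMMENDATIONS section gives two ways out (the fixed release, or the `no logging message 110003` workaround). The audit script below is an added example, not Cisco's or MS-ISAC's code: it reads a running-config dump and reports which preconditions hold and whether either remedy is present. The three sample configurations are constructed for this example, the `ASA Version` line format and the `logging trap`/`firewall transparent`/`ipv6 enable` command spellings are this example's assumptions about what a config dump contains, and the fixed-release table is copied from the SYSTEMS AFFECTED section. A software train the advisory does not list is reported as unverified rather than as fixed.

```python
import re
from typing import Optional

# Fixed releases named in the advisory, keyed by software train.
FIXED_RELEASES = {(8, 4): (4, 1), (8, 5): (1, 11), (8, 6): (1, 3)}

# ASA syslog severity keywords and their numeric levels.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", re.M)
LOG_LEVEL_RE = re.compile(
    r"^logging (?:trap|buffered|console|monitor|asdm|mail|history) (\S+)", re.M)


def parse_version(config: str) -> Optional[tuple]:
    """Return (major, minor, interim, sub) from the 'ASA Version' line, or None."""
    m = VERSION_RE.search(config)
    if not m:
        return None
    major, minor, interim, sub = m.groups()
    return (int(major), int(minor), int(interim), int(sub or 0))


def version_is_fixed(version: tuple) -> Optional[bool]:
    """True if at/after the fixed release for this train, False if before,
    None if the train is not one the advisory lists (unverified)."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version[2:] >= fixed


def logs_at_informational_or_above(config: str) -> bool:
    """True if any logging destination is set to severity 6 or 7, the level
    at which message 110003 would be emitted."""
    for m in LOG_LEVEL_RE.finditer(config):
        token = m.group(1).lower()
        level = int(token) if token.isdigit() else SEVERITY.get(token)
        if level is not None and level >= 6:
            return True
    return False


def assess(config: str) -> dict:
    """Evaluate the advisory's preconditions against a running-config dump."""
    version = parse_version(config)
    fixed = version_is_fixed(version) if version else None
    findings = {
        "version": version,
        "fixed_release": fixed,
        "transparent_mode": re.search(r"^firewall transparent\s*$", config, re.M) is not None,
        "ipv6_enabled": re.search(r"^\s*ipv6 (?:enable|address)\b", config, re.M) is not None,
        "logging_enabled": re.search(r"^logging enable\s*$", config, re.M) is not None,
        "verbose_logging": logs_at_informational_or_above(config),
        "message_110003_disabled": re.search(r"^no logging message 110003\s*$", config, re.M) is not None,
    }
    # Exposed only when every trigger condition holds and neither the fixed
    # release nor the workaround is in place. An unlisted train counts as not
    # verified fixed, so it stays flagged for manual review.
    findings["exposed"] = (
        findings["transparent_mode"] and findings["ipv6_enabled"]
        and findings["logging_enabled"] and findings["verbose_logging"]
        and not findings["message_110003_disabled"] and fixed is not True
    )
    return findings


# Constructed sample configs (not from the advisory): one meeting every
# precondition, one on the fixed release, one with only the workaround.
VULNERABLE_CONFIG = """\
ASA Version 8.4(3)
hostname asa-lab
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 ipv6 enable
logging enable
logging trap informational
"""
PATCHED_CONFIG = VULNERABLE_CONFIG.replace("8.4(3)", "8.4(4.1)")
WORKAROUND_CONFIG = VULNERABLE_CONFIG + "no logging message 110003\n"

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("patched", PATCHED_CONFIG),
                      ("workaround", WORKAROUND_CONFIG)):
        print(name, assess(cfg))
```

Run it against a saved `show running-config` output to get a per-precondition breakdown rather than a bare yes/no, which is what you want when deciding between the patch and the workaround: if the only thing keeping a device exposed is `logging trap informational`, the workaround can be applied immediately while the upgrade is scheduled, and the script will confirm the change closes the condition.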
Internet Explorer vuln advisory
The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.
OCS ADVISORY NUMBER:
2012-044
DATE(S) ISSUED:
06/12/2012
SUBJECT:
Cumulative Security Update for Internet Explorer (MS12-037)
OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft's web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
SYSTEMS AFFECTED:
• Internet Explorer 6
• Internet Explorer 7
• Internet Explorer 8
• Internet Explorer 9
RISK:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: High
DESCRIPTION:
Thirteen vulnerabilities have been discovered in Microsoft Internet Explorer. Details of these vulnerabilities are as follows:
Remote Code Execution Vulnerabilities:
Nine remote code execution vulnerabilities have been discovered in Internet Explorer. These are memory corruption vulnerabilities that occur due to the way Internet Explorer accesses objects in memory that have not been properly deleted. These vulnerabilities may be exploited if a user visits a web page that is specifically crafted to take advantage of the vulnerabilities. Successful exploitation of any of these vulnerabilities could result in an attacker taking complete control of the system.
Information Disclosure Vulnerabilities:
Four information disclosure vulnerabilities have been discovered in Internet Explorer. These vulnerabilities could be exploited if an attacker convinces a user to visit a specially crafted website which would allow the attacker to access information in other domains or Internet Explorer Zones.
RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
• Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
REFERENCES:
Microsoft:
http://technet.microsoft.com/en-us/security/bulletin/ms12-037
Security Focus:
http://www.securityfocus.com/bid/53866
http://www.securityfocus.com/bid/53867
http://www.securityfocus.com/bid/53868
http://www.securityfocus.com/bid/53869
http://www.securityfocus.com/bid/53870
http://www.securityfocus.com/bid/53871
http://www.securityfocus.com/bid/53841
http://www.securityfocus.com/bid/53842
http://www.securityfocus.com/bid/53843
http://www.securityfocus.com/bid/53844
http://www.securityfocus.com/bid/53845
http://www.securityfocus.com/bid/53847
http://www.securityfocus.com/bid/53848
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1872
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1873
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1874
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1876
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1879
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1880
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1881
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1882
Thomas D. Smith
Director